
Are we now living in a post-crypto world?

Cryptologist's comments at RSA draw mixed reaction from security community

By John P. Mello Jr., CSO
March 01, 2013 12:45 PM ET

CSO - You may have heard that we're living in a post-modern world, where the past makes less sense in our post-history era and computer makers gnash their teeth in post-PC times. Now, brace yourself for the post-crypto world.

The phrase appears to have been born during a cryptography panel discussion (see YouTube video) at the RSA conference in San Francisco this week.

 

"It's very hard to use cryptography effectively if you assume an APT [Advanced Persistent Threat] is watching everything on a system," Adi Shamir, considered to be one of the founding fathers of public-key cryptology, said during the forum.

"We need to think about security in a post-cryptography world," he said.


The declaration of the post-crypto era puzzled some cryptologists. "I think it's pretty bizarre to see that group of cryptographers proposing the idea of a post-crypto world," said Matthew Green, a professor specializing in cryptography in the computer science department of Johns Hopkins University.

Along with Shamir on the panel were Ron Rivest of MIT, Dan Boneh of Stanford University, Whitfield Diffie from ICANN and Ari Juels of RSA Labs.

The panelists make an important point about cryptology today, Green noted.

"We know how to do crypto well," he said. "The problem is that in order to use cryptography, you have to implement it on a computer with software, and we're very, very bad at writing secure software.

"If someone can own your computer and see everything you're doing, it doesn't matter that the data is encrypted," he continued. "If you can't trust the computer you're running crypto on, it doesn't matter how good the crypto is."

Unlike the post-PC era, where personal computers are supposed to become irrelevant, that's not the case in the post-crypto era, according to Les Hazlewood, CTO of Stormpath in San Mateo, Calif., which offers identity management services for developers.

"In a post-cryptography world, you're going to have to do other things in addition to cryptography to protect your data," he said. "It's not that cryptography isn't important any more. It's just not the whole thing any more."

In addition, cryptographic algorithms that may have been adequate to protect data in the past don't cut it anymore, he said. "The amount of computing power available to attackers is huge now," Hazlewood said.

Nevertheless, a phrase like post-crypto world can be easily misinterpreted, said Bit9 Senior Researcher Dan Brown.

Crypto has been important to information security for years, he explained, but has often been elevated beyond its intended level.

"Cryptography is an important tool in today's information security regime, but has contexts where it applies and contexts where it doesn't," he said via email.
