Tuesday, March 24, 2009

The great cryptographic demolition derby

Tonight ISSA-BE was hosting a talk by Bruce Schneier.

The talk was in two parts. The first part was about cryptography, and specifically about what he called the great cryptographic demolition derby. NIST organised a first crypto contest, and the winner was AES. Bruce was a participant with the Blowfish algorithm.

Currently there is another contest, for hash algorithms to replace SHA2. At the start there were 64 algorithms; this summer 16 will go through to the next round. Next year the top 5 will be announced, and in 2011 the winner will be announced and be called SHA3.

The big advantage of such contests is that the top minds in the industry participate, and everybody in the world can enter and try to crack the algorithms.

One thing that I thought was interesting is that, according to Bruce, most cryptographic research happens in Europe and in some Asian countries. He thinks that the reason why the US is not so overwhelmingly represented is that funding in the US depends on the DoD and the National Science Foundation, and they are not so happy that we could make things the government is not able to read.

The second part of the talk was about security in general. Security is a trade-off. The trade-off is not always about money; it can be time, ease of use, ...

A very clear example to illustrate this was the bulletproof vest. Vests are very effective at stopping bullets, and there are many bullets in this world, but nobody at the talk wore a bulletproof vest. Why? Simply because the risk of being shot at the talk was acceptable to those who attended it.

Security is always a trade-off between benefits and costs, and that is the only economic perspective according to Schneier. To illustrate this he gave the example of the way we pick a restaurant. If you are in a town and don't know any good restaurant, you pick one based on unclear, biased criteria that make sense to you. The same goes for security: we make decisions based on what we know, but actually there is no way for us to prove that the decision is correct.

All we want is adequate security at a reasonable cost. It seems that somewhere in security the trade-off is more difficult than in real life (see the restaurant example).

There is a theoretical 'right' answer to the question "what is adequate security and a reasonable cost?", but things like cultural differences, the regulatory environment and the amount of data we have about the risk influence the right answer, and so it will be different each time.

Bruce also talked about the mandatory breach disclosure law in some US states. I think it would be a good idea to have this all over the world. At least we would know what happens. I am aware of the fact that this could do serious image damage to a company, but coming clean is to me the first step in repairing the damage the company caused. I asked if there is a list on which we could check which companies suffered from which attacks, but Bruce wasn't aware of an existing list.

Another point that came up was the European data protection act. One of the illusions we have is that we own our private data, but if you actually think about it, your data is owned by your government and companies. In Europe we have some protection due to this act, but in most places on this planet this is not the case.

The reason why we have e-crime is simply because there is money to be made. Actually it is simple: if you can make a profitable business model for something, people will do it. The same idea goes for e-crime, and so it is clear that we haven't seen the end of it. One thing is very clear: there is no specific law that can protect you, since the Internet has no national boundaries and laws are bound to territorial boundaries.