Crypto is key to data control

Whitfield Diffie, chief security officer at Sun Microsystems Inc., likes to dole out his first tenet of IT security, and it’s one that one no one should forget.

“Whenever you have a secret, you have a vulnerability.”

The tenet, given during the keynote at the Infosecurity Canada conference in Toronto earlier this month, points to one of cryptography’s, and IT security’s, basic pillars: if you have something you want to control, you have a problem.

Diffie, who is best known for his discovery of the concept of public key cryptography more than a quarter century ago, spoke via satellite to a packed room of IT experts, all of whom are trying to come to grips with their growing difficulties controlling corporate information.

“The problem has diversified out around the solutions,” he said, noting that the increasing use of cell phones, pagers and mobile computing devices has made an already difficult situation worse. Regardless, there is too much business value passing through these devices for the security issues to be ignored, he added.

Part of problem is that there is no one effective way to channel all of the cryptographic needs since there are so many different protocols, he said.

Diffie traced the entire security issue back to the origins of cryptography hundreds of years ago, but he keyed in on radio as the first example of a new technology which made the dissemination of information easy but the control proportionally more difficult.

It was a great way to communicate, but everyone else had access to your data, he explained.

Diffie asserted that companies are going to have to get a lot better at protecting their proprietary data if they don’t want to find themselves in the position of the dress designer who hands a pattern to a dress maker only to find knock-off copies being produced days later.

The solution may lie in the use of the new advanced encryption standard (AES) Rijndael, Diffie explained. “If AES is a strong as it appears.”

“Assuming we are correct and the system is sound,” we are looking at tens of thousands of years before it could be cracked, he explained.

This assertion, however, is open for debate. In a Bruce Schneier CryptoGram newsletter late last year, Schneier brought up the possibility that AES could be cracked by techniques faster than brute force. Though even Schneier, himself a world-renowned cryptographer, said there is no need to panic yet since the discussion around AES’s vulnerability is entirely theoretical.

Diffie added that even with the advent of quantum computing in the near future, AES “traffic is not going to be read in the foreseeable future.”