Cryptography at the core of sound IT security

Whitfield Diffie, chief security officer at Sun Microsystems Inc., likes to dole out his first tenet of IT security – one no one should forget.

“Whenever you have a secret, you have a vulnerability.”

The tenet, given during the keynote at the Infosecurity Canada conference in Toronto Wednesday, points to one of cryptography’s – and IT security’s, for that matter – basic pillars: if you have something you want to control you have a problem.

Diffie, who is best known for his discovery of public key cryptography more than a quarter century ago, spoke via satellite to a packed room of IT experts, all of whom are trying to come to grips with their growing difficulties controlling corporate information.

“The problem has diversified out around the solutions,” he said, noting that increased use of cell phones, pagers and mobile computing devices has made an already difficult situation worse. Regardless, there is too much business value passing through these devices for the security issues to be ignored, he added.

Part of the larger problem is that there is no one effective way to channel cryptographic needs since there are so many different protocols, he said.

Diffie traced the entire security issue back to the origins of cryptography hundreds of years ago, but he keyed in on radio as the first example of a new technology which made the dissemination of information easy but the control proportionally more difficult.

It was a great way to communicate but everyone else had access to your data, he explained.

Diffie asserted that companies are going to have to get a lot better at protecting their proprietary data if they don’t want to find themselves in the position of the dress designer who hands a pattern to a dress maker only to find knock-off copies being produced days later.

The solution may lie in the use of the new advanced encryption standard (AES) Rijndael, Diffie offered, but he added a caveat: “If AES is a strong as it appears,” he said.

“Assuming we are correct and the system is sound” we are looking at tens of thousands of years before it could be cracked, he explained.

This assertion seems open for debate. In a Bruce Schneier CryptoGram newsletter late last year, Schneier brought up the possibility that AES could be cracked by techniques faster than brute force. However, even Schneier – himself a world renown cryptographer – said there is no need to panic yet, as the discussion around AES’ vulnerability is entirely theoretical.

Diffie added that even with the advent of quantum computing in the near future, AES “traffic is not going to be read in the foreseeable future.”