Presentation is loading. Please wait.

Presentation is loading. Please wait.

Cryptography and Security: The Narrow Road from Theory to Practice Burt Kaliski, RSA Security ISPEC 2006, Hangzhou, China April 13, 2006.

Published byElisha Colburn Modified over 9 years ago

Similar presentations

Presentation on theme: "Cryptography and Security: The Narrow Road from Theory to Practice Burt Kaliski, RSA Security ISPEC 2006, Hangzhou, China April 13, 2006."— Presentation transcript:

1 Cryptography and Security: The Narrow Road from Theory to Practice Burt Kaliski, RSA Security ISPEC 2006, Hangzhou, China April 13, 2006

2 Introduction Many research results in cryptography over the past 30 years Few have made it from theory into practice What’s worked well? What hasn’t? Why not, and what researchers can do about it

3 From Theory to Practice Not every idea will make it into practice, of course “Innovation funnel” suggests that only a few ideas survive the necessary testing Thomas A. Edison: Genius is one per cent inspiration and ninety-nine per cent perspiration. Goal: Increase likelihood that a good idea in cryptography will actually be applied

4 Some Observations Examples from “Practice & Experience” What’s worked well and What hasn’t NB: “Worked well” doesn’t mean it was brought into practice perfectly, and “hasn’t” doesn’t mean it wasn’t brought into practice at all. But some good ideas have found their way into practice much more easily than others.

5 What’s Worked Well Basic public-key cryptography —PKCS #1 v1.5 RSA —discrete log. systems (Diffie-Hellman, DSA) —elliptic curve cryptography

6 What Hasn’t Public-key enhancements and variations —RSA-OAEP, -PSS, -KEM —Cramer-Shoup schemes provable security in standard model, but … —various zero-knowledge versions —other public-key families, e.g., NTRU

7 What’s Worked Well Basic digital signatures —sign + verify

8 What Hasn’t Special digital signatures —blind, group, designated confirmer … Direct Anonymous Attestation is a potential exception

9 What’s Worked Well Advanced Encryption Standard and Triple-DES —culminating many years of research on DES replacements

10 What Hasn’t Stream ciphers —other than RC4 … Modes of operation —other than basic four (or five)

11 What’s Worked Well HMAC message authentication —Hash (K 1 || Hash (K 2 || M))

12 What Hasn’t Many other “fast” MACs Incremental message authentication

13 What’s Worked Well Shamir secret sharing —k of n for root keys

14 What Hasn’t Secret sharing with other access structures Distributed cryptography Secure multi-party computation

15 What’s Worked Well Password hashing —Hash (password + salt)

16 What Hasn’t Password-authenticated key establishment —aka “zero-knowledge” password protocols

17 What’s Worked Well SSL-protected e-commerce —server PKI —session key establishment —session encryption

18 What Hasn’t Digital cash Secure auctions Electronic voting

19 What’s Worked Well Montgomery multiplication —AR n * BR n  ABR n

20 What Hasn’t Karatsuba-Ofman multiplication —A H B H, A L B L, (A H +A L )(B H +B L ), recursively

21 What’s Worked Well Side-channel implementation countermeasures —protection for basic RSA, ECC, AES, etc.

22 What Hasn’t Intrusion-resilient cryptography —alternatives to RSA, ECC, AES, etc. that are less vulnerable by design

23 What’s Worked Well Software codebreaking —distributed key search and integer factorization

24 What Hasn’t Hardware codebreaking —e.g., factoring circuits —“Deep Crack” for DES is a notable exception

25 Why Not? 1. “Not secure enough” 2. “Too many choices” 3. “No clear advantage” 4. “Too complicated” 5. “Not practical”

26 “Not Secure Enough” New ideas in cryptography often need a long period of testing before others are confident to adopt them In many cases not enough people are even looking at the idea Expectations keep increasing based on experience with previous ideas Example: NTRU based on a new problem, and also held to a much higher standard than, say, RSA Tight reductions from known problems against broad adversaries gives the most confidence —But ideas based on new problems are also needed!

27 “Too Many Choices” Research in an area can often result in a multiplicity of choices, none of which has enough support to move ahead of the rest Results build on one another, and it may not be clear when a result is finally “stable” Example: New modes of operation for block ciphers are numerous, though gradually being standardized Competitions can help bring a research area to conclusion and enable a few good choices to advance

28 “No Clear Advantage” New ideas, though good, may not be enough better than methods that are already available to justify the cost of making the change —Long-term assurances not as appreciated in the short term Cost of introducing a new technology can be very significant, especially when it depends on industry standards Example: RSA-PSS, -KEM provide long-term assurances, but require upgrades to existing systems Transition planning can help phase in a new idea while still supporting available methods New applications generally a better target than existing ones

29 “Too Complicated” Some new ideas are just too “different” for designers to work with, especially in terms of business models and use cases Example: distributed cryptography requires a non-hierarchical “workflow” that’s not usually found in applications Reference implementations that enable new applications and hide the technical details can facilitate adoption —e.g., RSAREF and PGP for public-key cryptography

30 “Not Practical” And for some ideas, the time has not yet come — other technologies may need to advance or be developed Example: general secure multiparty computation is still computationally burdensome —Even public-key crypto was challenged in its early days! Patience may be called for, and there’s plenty of time to improve the theory and speculate on future applications in the meantime

31 Conclusions Researchers whose goal is to have the results of their research applied need to think about technology transfer Results are still important even if not applied directly, since they advance the science in general But better security depends on good research being put into practice Hopefully these experiences will help more good ideas move through that narrow road

32 Contact Information Burt Kaliski Chief Scientist, RSA Laboratories Vice President of Research, RSA Security bkaliski@rsasecurity.com http://www.rsasecurity.com/rsalabs bkaliski@rsasecurity.com http://www.rsasecurity.com/rsalabs

Download ppt "Cryptography and Security: The Narrow Road from Theory to Practice Burt Kaliski, RSA Security ISPEC 2006, Hangzhou, China April 13, 2006."

Similar presentations

Key Management Nick Feamster CS 6262 Spring 2009.

Key Management Nick Feamster CS 6262 Spring 2009.
SSL CS772 Fall 2011. Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.

SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.
SECURITY IN E-COMMERCE VARNA FREE UNIVERSITY Prof. Teodora Bakardjieva.

SECURITY IN E-COMMERCE VARNA FREE UNIVERSITY Prof. Teodora Bakardjieva.
Cryptography and Data Security: Long-Term Challenges Burt Kaliski, RSA Security Northeastern University CCIS Mini Symposium on Information Security November.

Cryptography and Data Security: Long-Term Challenges Burt Kaliski, RSA Security Northeastern University CCIS Mini Symposium on Information Security November.
Network Security Chapter 8. Cryptography Introduction to Cryptography Substitution Ciphers Transposition Ciphers One-Time Pads Two Fundamental Cryptographic.

Network Security Chapter 8. Cryptography Introduction to Cryptography Substitution Ciphers Transposition Ciphers One-Time Pads Two Fundamental Cryptographic.
Public-key based. Public-key Techniques based Protocols –may use either weak or strong passwords –high computation complexity (Slow) –high deployment.

Public-key based. Public-key Techniques based Protocols –may use either weak or strong passwords –high computation complexity (Slow) –high deployment.
Lesson Title: Introduction to Cryptography Dale R. Thompson Computer Science and Computer Engineering Dept. University of Arkansas

Lesson Title: Introduction to Cryptography Dale R. Thompson Computer Science and Computer Engineering Dept. University of Arkansas
Feb 25, 2003Mårten Trolin1 Previous lecture More on hash functions Digital signatures Message Authentication Codes Padding.

Feb 25, 2003Mårten Trolin1 Previous lecture More on hash functions Digital signatures Message Authentication Codes Padding.
Part 4  Software 1 Conclusion Part 4  Software 2 Course Summary  Crypto o Basics, symmetric key, public key, hash functions and other topics, cryptanalysis.

Part 4  Software 1 Conclusion Part 4  Software 2 Course Summary  Crypto o Basics, symmetric key, public key, hash functions and other topics, cryptanalysis.
CMSC 456 Introduction to Cryptography

CMSC 456 Introduction to Cryptography
CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.
Cryptography Basic (cont)

Cryptography Basic (cont)
Chapter 5 Cryptography Protecting principals communication in systems.

Chapter 5 Cryptography Protecting principals communication in systems.
Mar 5, 2002Mårten Trolin1 Previous lecture More on hash functions Digital signatures Message Authentication Codes Padding.

Mar 5, 2002Mårten Trolin1 Previous lecture More on hash functions Digital signatures Message Authentication Codes Padding.
Henric Johnson1 Chapter3 Public-Key Cryptography and Message Authentication Henric Johnson Blekinge Institute of Technology, Sweden

Henric Johnson1 Chapter3 Public-Key Cryptography and Message Authentication Henric Johnson Blekinge Institute of Technology, Sweden
CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 16 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 16 Jonathan Katz.
Secure Hashing and DSS Sultan Almuhammadi ICS 454 Principles of Cryptography.

Secure Hashing and DSS Sultan Almuhammadi ICS 454 Principles of Cryptography.
CMSC 414 Computer and Network Security Lecture 19 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 19 Jonathan Katz.
Cryptography April 20, 2010 MIS 4600 – MBA 5880 - © Abdou Illia.

Cryptography April 20, 2010 MIS 4600 – MBA © Abdou Illia.

Similar presentations

Ads by Google