U.S. Attorney General Jeff Sessions’ call for a way to “overcome” cryptography met with scorn from a panel of elite cryptographers speaking at this week’s RSA Conference 2017 in San Francisco.
“Any one of my students will be capable of writing good crypto code,” says Adi Shamir, the ‘S’ in RSA and a professor at the Weizmann Institute in Israel.
Sessions’ use of the term “overcome” during his confirmation hearings actually means installing backdoors, says Ronald Rivest, the ‘R’ in RSA and a professor at MIT. He cited a joint Congressional study that concluded that weakening encryption works against the national interest, and that encryption is global anyway -- so the U.S. can’t call all the shots.
Shamir noted that the current, most respected encryption algorithm was devised by Belgians, and noted that other major crypto advances were made by Japanese, Israelis and others. “It’s not uniquely American,” he says. Forcing backdoors in American crypto products would be shooting U.S. interests in the foot, he says. “Other countries would be happy to step in with un-backdoored cryptography,” he says.
Susan Landau, another panelist and professor at Worcester Polytechnic Institute, says there are other ways to get around cryptography than backdoors, so the call for them is overblown. These include court-authorized, legal hacking of end devices.
Landau notes that in the Apple v. FBI case last year, the problems of decrypting a terrorist’s iPhone were overblown by the FBI, which said it could only get in with Apple’s help. Later, the FBI hired a private firm to do the work, and a researcher demonstrated how to do it with about $150 worth of off-the-shelf gear.
Shamir says that the Israeli company that purportedly helped the FBI was later hacked and its methods publicly disclosed by the attackers. “You need to be careful about helping the FBI,” he says with a smile.
AI and quantum computing’s impact on cryptography
The group was asked about the impact artificial intelligence will have on security and seemed unimpressed.
Shamir says AI will be good for security defense because it can find anomalous behaviors and make associations quickly that humans would take longer to make or not make at all. But as an offensive weapon to devise zero-day attacks, AI is lacking. “That requires ingenuity and originality,” something only humans can contribute, he says.
The group seemed unafraid of the advent of quantum computing and the threat it might pose to cryptography, but said that work is needed to create cryptography that can withstand quantum-backed cracking.
Shamir says if RSA were to be broken, it’s more likely to be broken by advances in math that will make it possible to crack keys much faster than current brute-force techniques.
Sign up for CIO Asia eNewsletters.