One of the biggest talks at this year’s Black Hat Briefings was a presentation on the structural problem with digital certificate authorities by Moxie Marlinspike. The subsequent hack of Dutch certificate authority DigiNotar and a damning report on that attack only weeks later, and more recent reports of exploitable holes in both TLS and SSL only underscore the problems facing the entire PKI-based system for ensuring online identities.
With the future of the current system for ensuring the validity of online identities hanging in the balance, Threatpost couldn’t resist the opportunity to use the inauguration of Massachusetts’s new Cyber Security Center to button-hole cryptography expert, RSA algorithm co-creator and Turing Prize winner Ron Rivest. A co-founder of RSA Security, Rivest weighed in on the challenges facing SSL and online identity verification, the prospects for security start ups in the current economy and his work on secure voting.
Threatpost: The company you started, RSA Security, was the victim of an advanced attack earlier this year. Were you surprised to learn of that?
Ron Rivest: I was surprised by the sophistication of the attack, but I can’t really talk about the details of the attack.
Threatpost: There’s a pattern here of multi stage attacks in which the early stage is to go after the security infrastructure used to secure the system you’re trying to secure. Is there always going to be that back and forth or is there a away to leap frog ahead of that dynamic?
Ron Rivest: I think we’re going to continue to go back and forth. I gave a keynote at the Crypto 2011 Conference this Summer where I talked about trying to model some of that. (PDF of Ron’s slides available here.) There’s a little game we used to have in college called Flipit. You never know when the other guy moves. So you can take control and reassert control. You play it by putting in the right formulations.
Threatpost: There seem to be two themes among the discussions here at the Cyber Security Center. One is that we need better secure application development – training computer programmers to write applications more securely. The other is that we need more research and development to discover the next generation of security technologies — that we’re limping along with 10 an 15 year old solutions. Where do you stand?
Ron Rivest: I like the idea of new technology and new applications – trying to figure out what new technology is capable of. But I’m also a fan of low tech solutions when they work. I’ve spent a lot of time working on voting system security – the three ballot system. I think paper ballots are a good choice for voting systems. The question is what’s the best choice for a specific situation in the end. As a designer you ask ‘What’s possible?’ When it comes to implementing (security) you ask “What’s the best choice?”
Threatpost: Is there a way for organizations to achieve greater security with less technology. Is there, for example, a paper ballot equivalent for IT?
Ron Rivest: There are probably lots of simple answers like that. I’m reminded of the discovery that if doctors just washed their hands more that hospitals would be better, safer places. They’ve learned that lesson, which is simple and low tech. Its not a new product, its just a better practice.
Threatpost: That’s a great analogy. So, what would be the equivalent in the IT security realm of ‘washing your hands?’ I suppose using secure passwords might be one?
Ron Rivest: Perhaps. Yeah. There are various practices. Be careful about what email you open is one.
Threatpost: OK. So we’re talking hygiene? A public health approach?
Ron Rivest: It can be hard to think of a good metaphor. The public health metaphor for security is a good one, but its not the only one that applies when you’re under adversarial attack.
Threatpost: Recently we’ve seen the attacks on the underlying security infrastructure. There are the breaches at DigiNotar and Comodo – attacks on SSL and the underlying security infrastructure of the Web. We’ve all been encouraging people to use secure HTTP and not to browse on insecure Web connections, but now…?
Ron Rivest: Right. So we need to go back and rethink that and ask whether there are better primitives and a better foundation for that. And its going to take a while to figure out what the right primitives are. And that’s a tough one because you have to bind together names and certificates and people and biometrics and populations.
Threatpost: And if you were to venture a guess about what a replacement might be for the current system of certificate authorities…?
Ron Rivest: Ask me in two years.
Threatpost: (Laughs) Will you have an answer then?
Ron Rivest: Its something I’m thinking about.
Threatpost: What’s a good fix in the meantime?
Ron Rivest: It would be nice not to have all the root keys for these various sloppy certificate vendors baked into every browser. So, some process for cleaning that up.
Threatpost: OK. So decouple the certificates from the browser software? That would allow the community to respond to breaches more quickly.
Ron Rivest: Yes, but that’s a difficult process. It doesn’t work very well because of the way certificates are issued.
Threatpost: Is there a public sector or government role to go in and say: ‘We have these sloppy CAs, but we can set standards and do audits and force them to clean up their acts”?
Ron Rivest: If this were a national-level thing, maybe. You can regulate prescription drugs because they’re sold in this country. But to do quality control for certificate delivery is more difficult because its international in character.
Threatpost: Were you surprised to see certificate authorities become the target of attack?
Ron Rivest: No. That’s the most logical place to attack.
Threatpost: We’re here talking about information sharing and private public partnerships – moving from R&D to products. You’re a great example of someone who took technology that was developed in the academic realm and turned it into a successful product and company. What were the greatest impediments that you experienced taking a great technology and turning it into a successful company then, and what do you see as the biggest impediments today?
Ron Rivest: It was a slow process. We started RSA before the Web was invented. So we had to market it. We had problems that you don’t see now, such as government resistance.
Threatpost: Yes. Back then, the U.S. Government blocked your efforts to export your cryptography technology because of national security concerns, right?
Ron Rivest: Yes. So the government is more helpful now than a hindrance. And the market was young then. The market is certainly much bigger now. So those were the two big impediments at the time. Plus being a small company…but I think things are ripe for good progress to be made.
Threatpost: One of the points that Chris Wysopal (of Veracode) brought up was that often in security the return on investment for venture capitalists isn’t big enough. A big security company may be a $50 million or $100 million company and they’re looking for the next Staples or Facebook or something – multi billion dollar opportunities.
Ron Rivest: Yes. That’s definitely an issue. I see that in the voting industry, which is not large enough by many standards, besides other issues.
Threatpost: OK. So…?
Ron Rivest: So I don’t know. I don’t have a ready answer to that. There’s kind of this pathway that we see where you start a company and see it get acquired, that’s probably a path that we need to see a lot more of. You just need to make sure the wheels are greased to make sure that path is attractive to people. Make sure you have more angel investors and VC folks.
Threatpost: What is the biggest impediment to turning great ideas or theoretical approaches into practical technologies at the DOD or DOS might use to protect their digital assets?
Ron Rivest: Technology transfer is what you’re talking about. You’ve just gotta grease the wheels and make sure there’s a common path with people prepared to help along the way.
Threatpost: You mean grease the bureaucratic wheels? The venture capital and funding wheels?
Ron Rivest: Everything. Providing talent. Making connections. Anything that might be an impediment from someone taking an idea in their head and using it to create a startup.
Threatpost: What are the biggest changes you’ve seen in the security market since starting RSA?
Ron Rivest: Probably the change in platforms. Everything is mobile now. And that’s going to continue. Desktops will disappear and you’ll be using your phone for everything.
Threatpost: Creating more problems potentially…?
Ron Rivest: Yes. Perhaps. Or maybe just the same problems.