‘Fully Secure Systems Don’t Exist’

SAN FRANCISCO–The more things change, the more they stay the same.

Thirty years ago, Adi Shamir, one of the inventors of the RSA algorithm, was asked to do a keynote speech at a conference and spoke about his laws of computer security. They were a set of principles that he developed over the years relating to cryptography and system security. On Tuesday during the RSA Conference here, Shamir reiterated several of the tenets and said he was unsurprised that they still held true.

First among the laws was this: Fully secure systems don’t exist now and won’t exist in the future.

That statement may seem obvious to most security professionals today, but in the 1980s there was still optimism that computers and networks could actually be secured. Cryptography was seen in some circles as a potential savior, but as the years have gone by that optimism has waned and virtually disappeared. System and network security now is seen mainly as a battle of wits, and one that defenders are often on the losing side of.

Shamir’s second principle of security was that cryptography won’t be broken, it will be bypassed.

This has proven to be just as true as the first statement. Decades of cryptanalysis and research on the commonly used algorithms have turned up plenty of issues, but for the most part the way that attackers deal with encryption is by finding ways around it, not attacking the cryptosystems themselves. Going after cryptosystems is an arduous task and almost always a losing proposition, even for the most advanced and well-funded attackers.

Take the NSA, for example. As the Edward Snowden documents have shown, that agency, which probably employs more cryptographers than any other organization in the world, has used its influence and brain power to try to subvert cryptographic standards and find ways to bypass things such as SSL. Rather than attacking the cryptosystems, the NSA is going after other pieces of the puzzle.

Finally, Shamir said that as he looked at the security landscape 30 years ago he saw the futility of trying to eliminate every single vulnerability in a given piece of software.

“If you’re trying to find the last bug or stop the most sophisticated, NSA-type attacker, you have to spend totally unreasonable money,” he said.

That maxim has remained true for all these years, as well. Vulnerability hunting and fixing is an important part of the security discipline, but it’s a never-ending task. Software is buggy. It has always been that way and will always be that way.

Security is unpredictable, but Shamir couldn’t have been more accurate in his predictions 30 years ago.
