When Cryptographers Disagree

From Apple to algorithms, here’s what concerns the top cyber experts.


Six of the world’s leading cryptography experts sat down this week to explore the most pressing issues in security. They took up topics ranging from whether Apple should facilitate the FBI’s access to a known terrorist’s iPhone, to what will become the next important cryptography algorithm.

Among them: Ronald Rivest, an Institute Professor at MIT; Adi Shamir, co-inventor of the RSA algorithm, along with Rivest and Leonard Adleman, and a faculty member of Israel’s Weizmann Institute of Science; Whitfield Diffie and Martin Hellman, who invented public key cryptography; Moxie Marlinspike, a public pseudonym for a computer security researcher at the non-profit Open Whisper Systems; and Paul Kocher, president and chief scientist for Rambus’ Cryptography Research Division, who chaired this discussion at the RSA Conference this week.

Despite much confusion, the issue here is not whether the FBI can or should break into Syed Farook’s phone. It’s whether Apple can be compelled to disable the anti-tamper feature that turns the phone into a brick after multiple bad attempts to hack the phone. The FBI has the ability and the tools to use brute force decryption to break into that phone—many processors trying every possible combination—but odds are very high that will not happen within the allowed number of attempts.

“The question is where to put the line,” said Rivest. “The FBI is asking Apple to do something very specific. It has nothing to do with back doors. It’s the case of a single phone. It falls squarely on helping the FBI on a specific case which is something Apple is capable of doing.”

Rivest argued that Apple should have waited for a better legal test case because the company has a history of cooperating with the government. “The legal decision will be that Apple will comply.”

Marlinspike characterized this as a fishing expedition against Apple, and one that could set a dangerous precedent. “Chances are, there is nothing on the device. It’s a work phone. The FBI already got the call logs and the iPhone back-up. They need this because they might be missing something.”

Rivest disagreed. “Think about the police confiscating a big safe that could contain information about a crime, and you know where to drill [to open the safe]. They’re not asking the company to put a back door on the safe.”

Shamir agreed, saying the FBI can ask any third party to do anything not prohibited by law. “The precedent is not just a phone. Any third party can be asked to do what they don’t ordinarily do. These are legal questions, but they are inappropriate for the courts. The issue belongs in Congress.”

And Martin Hellman added some perspective, saying one of the real challenges is getting people on both sides to talk. “Law enforcement is interested not just in the phone, but in getting at crime,” said Hellman. “We need to have a discussion about what’s right here.”

Kocher noted there has always been a relationship between the intelligence community and academia, but he said the technology industry has shown it would prefer to be left alone.

But Hellman said that’s the wrong approach. “We need to work with the FBI and the NSA,” Hellman said. “It is possible for old enmity to grow into friendship. They don’t have to agree, but they do need to reach solutions.”

Which algorithm?
There are bigger and broader shifts underway behind the scenes, as well. “We are moving into an era where people interact with machines,” said Diffie. “Who controls the machines will be the one who owns the world.”

That makes cybersecurity all the more pressing, and at the moment there is a fair amount of confusion among cryptographers about exactly what the next best approach is. The U.S. National Security Agency and the National Institute of Standards and Technology (NIST) generally work together to establish the next unbreakable algorithm, which becomes a standard for the next two to three decades. But whether that should be the Secure Hash Algorithm SHA-3, which was released by NIST last August, or some other approach is in question.

SHA-3 is a follow-on to SHA-1, which has been around since 1993 and produces a 160-bit message digest. SHA-3 uses a sponge-type approach and a 1,600-bit encryption system. But even with this kind of encryption, there is debate among cryptographers about whether prevention can ever be complete, or whether that should be the only approach.

“There is a move away from prevention to detection in security, where you find the breach and recover,” said Shamir. “In cryptography, we have not responded adequately to that. We don’t explore enough in terms of what to do if something is violated. But things are broken all the time.”

The NSA has been exploring a number of options in the wake of some very public breaches. “It will be interesting to see which algorithm they advocate, because none is ready for prime time,” said Rivest, noting that this algorithmic choice will likely be in place for the next 30 years.

On a positive note, Marlinspike observed there is progress being made on overlay services for telecommunications. “The key to those will be data encryption,” he said.

The NSA continues to back quantum-resistant algorithms. The agency issued a public statement last August advising its partners and vendors of the change in focus and that a transition is coming, and it is adhering to that roadmap despite some confusion about exactly when those changes will be made.
