Are we now living in a post-crypto world?

Cryptologist's comments at RSA draw mixed reaction from security community

You may have heard that we're living in a post-modern world, where the past makes less sense in our post-history era and computer makers gnash their teeth in post-PC times. Now, brace yourself for the post-crypto world.

The phrase appears to have been born during a cryptography panel discussion (see YouTube video) at the RSA conference in San Francisco this week.

"It's very hard to use cryptography effectively if you assume an APT [Advanced Persistent Threat] is watching everything on a system," Adi Shamir, considered to be one of the founding fathers of public-key cryptology, said during the forum.

"We need to think about security in a post-cryptography world," he said.

[See also: New cryptographic hash function not needed, Schneier says]

The declaration of the post-crypto era puzzled some cryptologists. "I think it's pretty bizarre to see that group of cryptographers proposing the idea of a post-crypto world," said Matthew Green, a professor specializing in cryptography in the computer science department of Johns Hopkins University.

Along with Shamir on the panel were Ron Rivest of MIT, Dan Boneh of Stanford University, Whitfield Diffie from ICANN and Ari Juels of RSA Labs.

The panelists make an important point about cryptology today, Green noted.

"We know how to do crypto well," he said. "The problem is that in order to use cryptography, you have to implement it on a computer with software, and we're very, very bad at writing secure software.

"If someone can own your computer and see everything you're doing, it doesn't matter that the data is encrypted," he continued. "If you can't trust the computer you're running crypto on, it doesn't matter how good the crypto is."

Unlike the post-PC era, where personal computers are supposed to become irrelevant, that's not the case in the post-crypto era, according to Les Hazlewood, CTO of Stormpath in San Mateo, Calif., which offers identity management services for developers.

"In a post-cryptography world, you're going to have to do other things in addition to cryptography to protect your data," he said. "It's not that cryptography isn't important any more. It's just not the whole thing any more."

In addition, cryptographic algorithms that may have been adequate to protect data in the past, don't cut it anymore, he said. "The amount of computing power available to attackers is huge now," Hazlewood said.

Nevertheless, a phrase like post-crypto world can be easily misinterpreted, said Bit9 Senor Researcher Dan Brown.

Crypto has been important to information security for years, he explained, but has often been elevated beyond its intended level.

"Cryptography is an important tool in today's information security regime, but has contexts where it applies and contexts where it doesn't," he said via email.

Brown said that a principal problem with computer security in general is that the most commonly used computing platform globally today was not designed from scratch to be secure.

"Securing a systemically insecure OS can't be done with cryptography, and probably can't be done comprehensively in any way," he said. "I doubt that anyone would argue that post-crypto world is intended to mean that cryptography is actually going away any time soon.

"Rather, I think that it's intended to force an argument that makes us rethink the role of cryptography, and the weaknesses in information security encountered at the interfaces of the crypto and plaintext domains."

Copyright © 2013 IDG Communications, Inc.

Make your voice heard. Share your experience in CSO's Security Priorities Study.