8 Views of Security from RSA

SAN FRANCISCO — The Internet of Things, along with everything else, is insecure. The U.S. government wants to help with that and other security problems — if you still trust them.

Those were two of several messages from the annual RSA Conference here.

“We have a long way to go in IoT security just to bring designs up to the not-yet-adequate state of PC security,” said Steve Hanna, co-chair of the IoT committee at the Trusted Computing Group (TCG), an industry alliance that has been setting security standards for nearly a decade.

Hanna was one of a handful of experts who gave a half-day seminar at RSA. They demoed ways cost-constrained embedded systems could adapt the group’s approach to providing a hardware-backed root of trust, something well established in x86-based PCs and servers.

“Without hardware security, IoT devices are as vulnerable as PCs were 15-20 years ago, perhaps more so because they only use software security and it’s rarely updated, so it’s pretty easy to attack and control a device,” said Stacy Cannady, the other IoT committee co-chair and a security expert at Cisco Systems.
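The hardware-backed root of trust the TCG speakers describe rests on a measure-then-extend chain: each boot stage hashes the next before handing over to it and folds that hash into a register that can only be extended, never written, so the final value commits to every stage and its order, and a key that never leaves the hardware signs that value for a remote verifier. The Python below is an added example, not code from the article or from the TCG; the boot images, the device key, the golden value and the HMAC standing in for a TPM's attestation signature are all constructed for illustration.

```python
import hashlib
import hmac
import os

PCR_SIZE = 32  # SHA-256 bank: a 32-byte register that starts as all zeros at reset

# Constructed sample boot chain for the demo (not real firmware).
GOLDEN_STAGES = [b"bootloader 1.0", b"kernel 4.1", b"application 2.3"]
# Stands in for a device-unique key burned into the hardware root of trust;
# a software-only attacker can change what is booted but cannot read this key.
DEVICE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)


def extend(pcr: bytes, image: bytes) -> bytes:
    """TCG extend operation: PCR_new = SHA256(PCR_old || SHA256(image)).

    Because the register is only ever extended, the final value commits to
    every measured stage and to the order in which they ran."""
    return hashlib.sha256(pcr + hashlib.sha256(image).digest()).digest()


def measured_boot(stages) -> bytes:
    """Simulate the boot ROM measuring each stage before it runs."""
    pcr = bytes(PCR_SIZE)
    for image in stages:
        pcr = extend(pcr, image)
    return pcr


# Reference value the verifier computes once from the known-good images.
GOLDEN_PCR = measured_boot(GOLDEN_STAGES)


def quote(pcr: bytes, nonce: bytes, key: bytes = DEVICE_KEY) -> bytes:
    """Device side. Stand-in for a TPM quote: a real TPM signs with an
    attestation key; HMAC plays that role here so the demo runs on stdlib."""
    return hmac.new(key, b"QUOTE" + pcr + nonce, hashlib.sha256).digest()


def verify(pcr: bytes, nonce: bytes, sig: bytes,
           expected_pcr: bytes = GOLDEN_PCR, key: bytes = DEVICE_KEY) -> bool:
    """Verifier side: the quote must be fresh (covers our nonce), authentic
    (made with the device key) and the reported PCR must equal the golden value."""
    sig_ok = hmac.compare_digest(quote(pcr, nonce, key), sig)
    pcr_ok = hmac.compare_digest(pcr, expected_pcr)
    return sig_ok and pcr_ok


def attest(stages, nonce: bytes) -> bool:
    """One attestation round: the device boots `stages`, reports its PCR and a
    quote over the verifier's nonce, and the verifier checks both."""
    pcr = measured_boot(stages)
    return verify(pcr, nonce, quote(pcr, nonce))


if __name__ == "__main__":
    nonce = os.urandom(16)
    print("golden boot accepted:", attest(GOLDEN_STAGES, nonce))
    tampered = GOLDEN_STAGES[:1] + [b"kernel 4.1 + implant"] + GOLDEN_STAGES[2:]
    print("tampered kernel accepted:", attest(tampered, nonce))
```

The point the Cisco and TCG speakers make is visible in the last two checks: replacing the kernel changes the PCR, and an attacker who controls only software can neither produce a quote over the golden value nor replay an old quote, because the key lives in hardware and the verifier supplies a fresh nonce each time.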

Other experts such as Adi Shamir, the ‘A’ in the RSA algorithm, agreed. He noted the recent phenomenon of ransomware, in which remote hackers lock up someone’s device and demand a ransom to fix it.

“Think about your smart TV being ‘ransomwared’ and you have to pay someone in Moldova to get your service back,” Shamir said. “We failed in a particularly miserable way because there is no good security program to protect from ransomware…and it’s a very serious problem. Police in Maine had to pay $300 to get police computers released from scam artists,” he added.

Shamir’s lab at the Weizmann Institute of Science in Israel is conducting experiments to find security flaws in IoT devices. For example, it found that a WiFi router gives a home LED lighting system its password in unencrypted form. “Anyone who listened in gets the password,” said Shamir in the cryptographers’ panel, an annual highlight of the event.

What’s more, Shamir’s group was able to write an app to break in and control the LED lighting system remotely. “It lets us rapidly change the amount of light even inside a secure perimeter, so we can leak information by flickering the lights and anyone sitting outside will get the information — I hope the NSA will not install these lights,” he joked, in a reference to the U.S. National Security Agency.

Another member of the cryptographers’ panel, Ed Giorgio, spent 30 years working for the NSA helping it find ways to make and break codes. Some of his projects involved IoT-like designs.

“We tried to build constrained devices of about 100 flip-flops and 10 or so adders that ran cryptographic codes,” he said in a Q&A after the panel. “They found ways to break them, so we revised the designs until they got too big,” he recalled.

To help lock down commercial IoT devices, the TCG is writing profiles of its specs for specific classes of IoT devices. It already released a profile for car engine controllers. TCG’s embedded and mobile working groups are expected to publish profiles of their own later this year.

The group released at RSA a technical white paper on securing IoT devices. It is working on another paper aimed at managers, aimed at convincing them to spend the time and money (less than a dollar per node) to add a root of trust.

The U.S. Department of Homeland Security will open a satellite office in Silicon Valley, said Secretary of Homeland Security Jeh C. Johnson in a keynote at RSA.

“We want to strengthen critical relationships in Silicon Valley and make sure government and the private sector both benefit from each other,” Johnson told the crowd of several thousand that spilled into several overflow rooms. “We also want to convince some Silicon Valley security experts to come to Washington…I hope some of you listening will consider a tour of service for your country,” he said.

The agency has been talking about the move for some time but only started making concrete plans recently, one insider, who asked not to be named, told EE Times. Ideally, the office will be a hub for work on cybersecurity and big data as well as a liaison for new and existing partners, the source told us, speculating it could take time to get the formula right.

“Now that the secretary has said it publicly, I’m sure [the Silicon Valley office] will become a reality,” the source added.

Security experts shared mixed feelings about the government’s role in advancing security in the aftermath of Edward Snowden’s leaks about the extent of government surveillance of U.S. citizens.

Shamir pointed to a recent incident at Gemalto in which the NSA confiscated SIM cards and their keys. “This is an example of excessive force with too much collateral damage,” he said.

“Snowden showed we have a problem with mass surveillance; the question is how do we address it,” said Ronald Rivest, an MIT professor, the ‘R’ in RSA and another member of the cryptographers’ panel.

The notion of a government collecting all data “sounds like an addict,” Rivest said. “We need to think about what we really need and how to balance that with the needs of a democratic society,” he added.

Government intelligence “sources and methods have to be kept secret,” countered former NSA cryptographer Giorgio. “We will have a price to pay on information sharing because of Snowden,” he said, noting government agencies will put up more internal walls “to keep [the number of people who] need to know very, very small.”

The discussions are leading some companies to consider multiple layers of encryption to protect data, argued Whitfield Diffie, another veteran cryptographer on the panel.

Whitfield Diffie made the argument against letting government hold crypto keys.

“Everyone wants to manage your system [but] you have to transfer a lot of trust to them in ways you cannot audit — companies want you to be secure but not against them,” said Diffie. “Key escrow for government is another form of the same thing…This looks like a can of sausages,” he said.

Secretary Johnson made the government’s case in his keynote.

    The current course toward deeper encryption in response to the market demands presents real challenges in law enforcement and national security. I understand what encryption brings to privacy, but our inability to access encrypted information poses public safety challenges…We need your help to find a solution. Homeland security is a balance between security and freedom. I can build a perfectly safe city on a hill, but it will constitute a prison.

Johnson pointed to government efforts to create programs that provide a clearinghouse for near real-time information about security threats. One such effort identified 265 instances of the Heartbleed vulnerability and in three weeks helped reduce that number to just two, he said.

“Later this year, we will accept cyber-threat indicators from the private sector in automated near real-time format… Cybersecurity is all about speed,” he said.

Looking beyond the U.S., Johnson said he was in Beijing two weeks ago meeting with his counterparts.

    Though we have sharp differences, especially on theft of commercial information, we recognize the need to make progress. As the largest economies in the world the U.S. and China have a vested interest to work together. We plan more discussions on cybercrime and other shared threats.

We have the tools but choose not to use them, Richard Clarke said.

Two of the security experts given awards at the annual RSA event used the attention to send pointed messages to the community.

Richard A. Clarke received a lifetime achievement award for his work which included spearheading in the wake of 9/11 the first U.S. national strategy for cyber-security. “If we had done what Dick wanted, we would have been better off,” James Andrew Lewis, the director of the Technology and Public Policy Program at the Center for Strategic and International Studies in Washington, D.C., said in giving the award.

Clarke’s brief comments were humble but pointed:

    I haven’t achieved that much, but neither has the government or the cyber security industry. We are not convincing the CEOs and boards [to take action] because we are in too much competition with each other.

Rivest gave two researchers awards for their work in cryptographic hash functions. One of the researchers, Hugo Krawczyk, took the opportunity to rally developers to work on computing with encrypted data.

    I was very lucky to be born at the time of the Internet. There are so many opportunities for cryptographers. We have increasingly practical tools.

    My favorite theme is search using encrypted data. You never share your keys with the server yet you still retrieve answers. It works efficiently enough for many apps. You can compute on active, functional data without giving up its privacy.

Hugo Krawczyk sees a future where we compute with encrypted data.
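The “search using encrypted data” Krawczyk describes, where the server answers keyword queries without ever holding the key, is searchable symmetric encryption. The Python below is an added example, not code from the article or from Krawczyk’s own work: the client keeps the keys, uploads encrypted documents together with per-(keyword, document) HMAC labels, and searches by sending a keyword trapdoor the server can match against those labels without learning the keyword. The memo texts, keys and the HMAC-counter-mode cipher standing in for a real AEAD are constructed assumptions for the demo.

```python
import hashlib
import hmac
import os


def _prf(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 in counter mode, a stand-in for AES-GCM so the demo runs on
    stdlib. Demo only: it carries no integrity tag, so do not ship this."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = _prf(key, nonce + (offset // 32).to_bytes(4, "big"))
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def label(trapdoor: bytes, doc_id: str) -> bytes:
    """Index label for one (keyword, document) pair. Only a holder of the
    keyword's trapdoor can compute it, so the server cannot enumerate keywords."""
    return _prf(trapdoor, doc_id.encode())


class Client:
    """Holds the master key; the server never sees anything derived from it
    except trapdoors for the keywords actually searched."""

    def __init__(self, master_key: bytes):
        self.k_search = _prf(master_key, b"search")
        self.k_enc = _prf(master_key, b"encrypt")

    def trapdoor(self, keyword: str) -> bytes:
        return _prf(self.k_search, keyword.lower().encode())

    def upload(self, server: "Server", doc_id: str, text: str, nonce: bytes = None):
        nonce = nonce or os.urandom(16)
        body = keystream_xor(self.k_enc, nonce, text.encode())
        words = set(text.lower().split())  # constructed tokenizer for the demo
        labels = {label(self.trapdoor(w), doc_id) for w in words}
        server.store(doc_id, nonce, body, labels)

    def search(self, server: "Server", keyword: str) -> list:
        """Send one trapdoor, decrypt whatever the server returns."""
        hits = server.search(self.trapdoor(keyword))
        return [(doc_id, keystream_xor(self.k_enc, nonce, body).decode())
                for doc_id, nonce, body in hits]


class Server:
    """Stores opaque ciphertexts and labels; has no key material at all."""

    def __init__(self):
        self.docs = {}      # doc_id -> (nonce, ciphertext)
        self.labels = set()

    def store(self, doc_id: str, nonce: bytes, body: bytes, labels: set):
        self.docs[doc_id] = (nonce, body)
        self.labels |= labels

    def search(self, trapdoor: bytes) -> list:
        # Linear scan: recompute the candidate label for every document and
        # return the ones present in the index. The server learns which
        # documents matched, but not the keyword.
        return [(d, n, b) for d, (n, b) in sorted(self.docs.items())
                if label(trapdoor, d) in self.labels]

    def holds_plaintext(self, word: str) -> bool:
        """Sanity check for the demo: the stored bodies never contain the word."""
        return any(word.encode() in body for _, body in self.docs.values())


if __name__ == "__main__":
    client, server = Client(os.urandom(32)), Server()
    client.upload(server, "memo-1", "lights flicker after the firmware update")
    client.upload(server, "memo-2", "router sends the password in the clear")
    print(client.search(server, "password"))
    print("server sees 'password' in the clear:", server.holds_plaintext("password"))
```

Two caveats a practitioner would want next to this: the server still learns which documents match each query and whether two queries were for the same keyword (the access and search patterns), which is the leakage real SSE schemes trade against efficiency, and the toy cipher gives confidentiality only, so a deployment would use a proper AEAD and authenticate the index as well.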

To read the rest of this article, visit EBN sister site EETimes.