Research

Tuesday, 14 February 2012

Is RSA key generation really worse than DH key generation?

There's an interesting paper available on the IACR's eprint server: "Ron was wrong, Whit is right," by Adi Shamir and others. Here's the abstract of this paper:

We performed a sanity check of public keys collected on the web. Our main goal was to test the validity of the assumption that different random choices are made each time keys are generated. We found that the vast majority of public keys work as intended. A more disconcerting finding is that two out of every one thousand RSA moduli that we collected offer no security. Our conclusion is that the validity of the assumption is questionable and that generating keys in the real world for "multiple-secrets" cryptosystems such as RSA is significantly riskier than for "single-secret" ones such as ElGamal or (EC)DSA which are based on Diffie-Hellman.

A closer look at the data in the paper, however, suggests a simple explanation for what was observed: at some point (perhaps even continuing through the present day), some implementation of RSA had a bug in it, and this bug managed to affect the 0.2% of the keys that the paper describes as being weak.

We'll probably find out one day which buggy implementation ended up creating these weak keys, and we'll also almost certainly find out that this implementation of RSA hadn't been validated by a third party.

That's what certifications like FIPS 140-2 give you. They test to make sure that the implementations of the cryptographic algorithms work like they're supposed to, and that was definitely not the case with the weak keys that this paper describes. So maybe that's the best lesson to be learned from this: don't trust that an implementation of ANY security feature is done correctly, and rely on third-party validations that security features are indeed correct.

But if it turns out that the buggy implementation was indeed validated, well, that's when things could start to get interesting.
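
The check behind the paper's finding is easy to run on your own key inventory. This is an added example, not code from the blog post or the paper: it scans a set of RSA moduli for shared prime factors (the batch-GCD idea) and reports which moduli offer no security. The moduli are tiny values constructed from known small primes; a real audit would feed in the moduli parsed from your certificates.

```python
"""Audit a batch of RSA moduli for shared prime factors.

Added example, not code from the blog post or from the paper it
discusses. The sample moduli are constructed from small known primes so
the run is instant; real keys are 1024 bits or more.
"""
from functools import reduce
from math import gcd


def batch_gcd(moduli):
    """gcd of each modulus with the product of all the other moduli.

    One pass flags every modulus that shares a prime with some other key.
    The paper scales this with a product tree; a plain product is fine
    for an audit set of a few thousand keys.
    """
    product = reduce(lambda a, b: a * b, moduli, 1)
    return [gcd(n, product // n) for n in moduli]


def shared_factor_audit(moduli):
    """Return (weak, duplicates).

    weak maps each factorable modulus to its primes (p, q). Two RSA keys
    generated from independent randomness share a prime with negligible
    probability, so every entry points at a key generator that reused
    its random state. duplicates holds moduli that appear more than
    once (the same key installed in several places), which gcd alone
    cannot split.
    """
    distinct = sorted(set(moduli))
    duplicates = {n for n in distinct if moduli.count(n) > 1}
    weak = {}
    for n, g in zip(distinct, batch_gcd(distinct)):
        if g == 1:
            continue                                  # no shared prime
        if g < n:
            weak[n] = tuple(sorted((g, n // g)))      # one prime shared
        else:
            # Both primes are shared with other keys, so the batch gcd
            # returned n itself; fall back to a pairwise gcd to split it.
            for m in distinct:
                p = gcd(n, m)
                if 1 < p < n:
                    weak[n] = tuple(sorted((p, n // p)))
                    break
    return weak, duplicates


# Constructed sample: two independent keys, a cluster of three keys built
# from the primes 113, 127 and 131, two keys sharing 137, and one key
# that was installed twice.
SAMPLE_MODULI = [
    101 * 103,          # healthy
    107 * 109,          # healthy
    113 * 127,          # shares 113 and 127 with the two below
    113 * 131,
    127 * 131,
    137 * 139,          # shares only 137 with the next one
    137 * 149,
    101 * 103,          # duplicate of the first key
]


def weak_fraction(moduli):
    """Share of distinct moduli that offer no security, the statistic the
    paper reports as roughly two in a thousand for keys found on the web."""
    weak, _ = shared_factor_audit(moduli)
    return len(weak) / len(set(moduli))


if __name__ == "__main__":
    weak, dup = shared_factor_audit(SAMPLE_MODULI)
    for n, (p, q) in sorted(weak.items()):
        print(f"{n} = {p} * {q}")
    print("duplicates:", sorted(dup))
    print(f"weak fraction: {weak_fraction(SAMPLE_MODULI):.3f}")
```

Any non-empty result from a run over your own inventory means the affected keys should be replaced and the generator that produced them investigated.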

More thoughts on the theory and practice of crypto workshop

After watching more of the presentations from the recent Is Cryptographic Theory Practically Relevant? workshop, I've come to two conclusions. First, there's definitely a serious disconnect between academic and commercial cryptographers. Next, it certainly looks like the commercial guys have a fairly good understanding of what the academic guys do, but the academic guys don't seem to have as much of an understanding of what the commercial guys do.

I'm basing this on some of the comments that the academic guys made at this workshop about the differences between the two environments. I'd say that this misperception may be due to the fact that the people who thought of themselves as being "commercial" instead of "academic" tended to work for very large companies, where the interests of the R&D groups probably aren't that different from the interests of more academic organizations. If this workshop had included people from smaller companies (which it actually didn't seem to do), I'd guess that the discussion would have been a bit different. 

Friday, 10 February 2012

Is Cryptographic Theory Relevant?

Videos of most of the talks from the recent Is Cryptographic Theory Relevant? workshop that was held at Cambridge University from January 31 through February 2 are now available here.

I haven't had a chance to watch all of the talks yet, but I've been fairly impressed with the ones that I have watched. The bottom line seems to be that theoretical and practical cryptographers still have lots of work to do. But with events like this workshop, people seem to be realizing what needs to be done. And if even a few of them start doing it, this workshop will definitely have been worth the time and effort that it took to organize it.

Thursday, 09 February 2012

Security Threat Report 2012 from Sophos

I recently mentioned that I had looked at the "Security Threat Report 2012" from Sophos, but I should also mention that this report has all sorts of useful information in it and that you should definitely take the time to download and read it. Of particular interest might be their "What's new in 2012: 10 trends" prediction. Here's their list, which I happen to agree with 100 percent:

1. Social media and the web

We expect cybercriminals to continue their effective mass generation of malware, increasing the number of attacks using new social media platforms and integrated apps.

2. Security means more than Microsoft

Over the past 18 months the bad guys have increased attacks on platforms like Mac OS X and Adobe. We’ll continue to see more targeted attacks on non-Windows platforms in 2012 and 2013.

3. Mobile devices in the spotlight

In 2011 we saw a greater volume of malicious attacks on key platforms such as Android. IT security professionals will need to deal with rapidly evolving mobile platforms, each with a unique set of risks.

4. New web and network technologies force us to learn some lessons

Web technologies are undergoing interesting changes, from HTML5 to IPv6. These new technologies introduce some impressive new capabilities, but they also introduce new attack vectors.

5. Casual consumerization causes backsliding

A casual shift to use of consumer devices without appropriate controls will cause backsliding in security capabilities. IT will once again struggle to deploy reliable security measures for the environment.

6. More hacktivism and targeted attacks

With rising awareness of cybercrime as a means of data theft, intelligence gathering, and political dirty tricks, it’s likely we’ll see more targeted attacks in 2012. These attacks will continue to be a priority issue for certain businesses and organizations.

7. Data regulations proliferate and penalties grow

New regulations and tougher penalties for data breaches will be major concerns for organizations. Proposed laws like the U.S. Stop Online Piracy Act (SOPA), and the European Union’s Data Protection Directive, will have a major impact on data protection and privacy for businesses and private citizens alike.

8. Mobile payment technology may be new target

We’re eagerly waiting for the widespread availability of convenient payment technologies like near field communication (NFC) in mobile devices. We expect cybercriminals are just as eager to target these integrated platforms that hold your life and your money.

9. Cloud services are back in vogue

Some companies were slow to adopt cloud services because of perceived insecurity. But many organizations are now starting to use these services. That means more focus on encrypting data wherever it flows, rather than just protecting the device or the network.

10. The basics still go wrong

Security basics like patching and password management will remain a significant challenge to IT security.

Keeping your devices healthy by identifying missing patches in areas commonly targeted by the bad guys will help significantly. Technologies like file and folder encryption will smooth the adoption of cloud services and new devices.

Thursday, 02 February 2012

Lots of infected PCs in China

The recent "Security Threat Report 2012" from Sophos has all sorts of interesting information in it. I found the data about the fraction of PCs that experienced a malware attack over a three-month period interesting. Here's the data from Sophos' report that describes this:

[Chart from the Sophos report: fraction of PCs that experienced a malware attack, by country]

But if we use the number of on-line users in each country as an estimate of the total number of infected PCs in each country, the graph looks much different:

[Chart: the same data scaled by the number of on-line users in each country]

China's definitely a big problem, isn't it?

Wednesday, 01 February 2012

Imperva does it right

I've always been irritated by those vague citations to analyst reports that you see in sales and marketing presentations. Things like "This market is projected to grow by 1,000,000 percent by 2015 (Forrester)."

I always assume that this really means "This market is projected to grow by 1,000,000 percent by 2015 (but we know you really won't check this outlandish claim)." That's why I was so pleased to see that the most recent version of "Imperva's Web Application Attack Report" (PDF) actually included references to the analyst estimates that they cited.

There are lots of other reasons to read this report aside from the fact that Imperva did a good job with their references. There's lots of interesting data about how the hacker threat is continuing to evolve. Here's how they summarize what's contained in this report:

  • Hackers continue to increase the scale of their attacks: In our last report, we explained that websites are probed about once every two minutes, or 27 times per hour. Over the past six months, the number of probes has dropped to 18. Though a drop, this change does not mean hackers are any less persistent. In fact, when applications are attacked, hacker firepower actually saw a 30% increase. In July, we reported that applications experience about 25,000 attacks per hour. In the last six months, this has increased to nearly 38,000 attacks – or ten per second.
  • Hackers exploit five common application vulnerabilities: We have identified and investigated malicious traffic containing the following technical attacks: Remote File Inclusion (RFI), SQL Injection (SQLi), Local File Inclusion (LFI), Cross Site Scripting (XSS) and Directory Traversal (DT). Cross Site Scripting and Directory Traversal are the most prevalent classical attack types.
  • Hackers are relying on business logic attacks due to their ability to evade detection: We also investigated two types of Business Logic attacks: Email Extraction and Comment Spamming (EmExt and ComSpm, respectively, in following Figures and Tables). Comment Spamming injects malicious links into comment fields to defraud consumers and alter search engine results. Email Extraction simply catalogs email addresses for building spam lists. These Business Logic attacks accounted for 14% of the analyzed malicious traffic. Email Extraction traffic was more prevalent than Comment Spamming. A full anatomy of BLAs is described in this report.
  • The geographic origin of Business Logic attacks was:
    • Email extraction was dominated by hosts based in African countries.
    • An unusual portion of the Comment-spamming activity was observed from eastern-European countries.

Tuesday, 13 December 2011

Fun with Algorithms

It looks like there's actually an international conference dedicated to having fun with algorithms. This is the Fun with Algorithms conference, and it has been held every three years since 1998.

Implementing the Tate pairing can be fun. Maybe I'll submit a paper on that when this conference is held in 2013. Maybe I'll talk about implementing it in Lisp, like I did on one of Voltage's Jack Bauer Days a few months ago.

Tuesday, 06 December 2011

Quantum cryptography gets hyped again

I just came across a story on the Science Daily web site that seems to be little more than a slightly-disguised marketing message for quantum cryptography (also known as quantum key distribution). Here's what the story claims when it describes a successful year-and-a-half pilot of QKD technology:

Scientists and engineers have proven the worth of quantum cryptography in telecommunication networks by demonstrating its long-term effectiveness in a real-time network.

This story goes on to say this:

For QKD to become more widespread in the commercial world, its reliability needed to be thoroughly tested as these networks run constantly all year round.

I don't think that that's quite right.

Instead, for QKD to become more widespread in the commercial world there needs to be a compelling need for it. That's what it takes to get people to pay for technology. And because existing cryptography works just fine, I don't think that we'll be seeing the widespread use of QKD any time soon. Perhaps ever.

But if you want to read more about the actual pilot, you can find the paper that describes it here.

Tuesday, 22 November 2011

What's more important - compliance or security?

I just came across an interesting bit of information in Kaspersky Lab's June 17, 2011 Global IT Security Survey (PDF) report. Most other surveys that I've read about say that people in IT security are more worried about regulatory compliance than about actual strong and useful security. The Kaspersky report, on the other hand, says the exact opposite. Of the 11 areas that they asked people to prioritize, "Preventing IT security breaches" was deemed to be the most important and "Complying with industry regulations and standards" was deemed to be the least important. This varies so much that I'm left wondering how this puzzling result could be explained.

My first thought was that the Kaspersky survey might have polled a different type of person than the other surveys did. Here's how the Kaspersky report describes their methodology:

More than 1300 senior IT professionals from 11 countries took part in the survey. All respondents had an influence on IT security policy, and a good knowledge of both IT security issues and general business matters (finance, HR, etc.). Geographically, the survey was conducted in 11 countries, including both those with developing and mature economies.

Other surveys, like the CSI Computer Crime and Security Survey and Ernst & Young's Global Information Security Survey give a fairly detailed breakdown of the roles of the people that responded to the survey. That's something that's missing in the Kaspersky report, so it might be the case that people like CSOs tend to reply to the CSI and E&Y surveys while people responsible for getting the work done tend to reply to the Kaspersky survey. That difference might explain the different focus on what's the most important. Or it might not. In any case, I'll definitely be looking at future reports to see whether what Kaspersky found also appears in other reports.

Wednesday, 16 November 2011

Why Most Published Research Findings Are False

I just came across an interesting article ("Why Most Published Research Findings Are False", by John Ioannidis) that talks about how lots of research that seems to find statistically-significant results ends up being wrong. Here's the article's summary that describes what it covers. Note that this only applies to cases where a conclusion is based on a statistical analysis of data. It doesn't apply to research in areas like math where everything has a proof.

There is increasing concern that most current published research findings are false. The probability that a research claim is true may depend on study power and bias, the number of other studies on the same question, and, importantly, the ratio of true to no relationships among the relationships probed in each scientific field. In this framework, a research finding is less likely to be true when the studies conducted in a field are smaller; when effect sizes are smaller; when there is a greater number and lesser preselection of tested relationships; where there is greater flexibility in designs, definitions, outcomes, and analytical modes; when there is greater financial and other interest and prejudice; and when more teams are involved in a scientific field in chase of statistical significance. Simulations show that for most study designs and settings, it is more likely for a research claim to be false than true. Moreover, for many current scientific fields, claimed research findings may often be simply accurate measures of the prevailing bias. In this essay, I discuss the implications of these problems for the conduct and interpretation of research.

In addition to explaining why most claimed research findings are false, this article lists five corollaries to its main claim. These aren't quite as rigorously supported as the main claim, but they're interesting because they seem to explain some of the less-accurate-than-we'd-like-it-to-be data that we often see in the field of information security.

  1. The smaller the studies conducted in a scientific field, the less likely the research findings are to be true.
  2. The smaller the effect sizes in a scientific field, the less likely the research findings are to be true.
  3. The greater the number and the lesser the selection of tested relationships in a scientific field, the less likely the research findings are to be true.
  4. The greater the flexibility in designs, definitions, outcomes, and analytical modes in a scientific field, the less likely the research findings are to be true.
  5. The greater the financial and other interests and prejudices in a scientific field, the less likely the research findings are to be true.

So even if it's frustrating to deal with the lack of accurate data that the field of information security seems to be stuck with, it's somewhat reassuring to see that we're not alone in having this problem.

Monday, 14 November 2011

#voltagelive Voltage Customer Summit Video

Thursday, 10 November 2011

Cryptography and Security at arXiv.org

The best place to find preprints of papers on cryptography is probably the IACR's eprint preprint server. But it looks like there's also another place to find this type of preprint, and that's on the arXiv.org preprint server that's maintained by Cornell. It turns out that they have a section for Cryptography and Security, although there aren't many papers there yet. Maybe it will get more useful in the future.

Monday, 31 October 2011

Recent zombie research

The fact that "When Zombies Attack!: Mathematical Modelling of an Outbreak of a Zombie Infection" was recently published in Infectious Disease Modelling Progress seems to tell us that zombies are good for more than just entertainment. Here's the abstract of this paper, which should give you a good idea whether or not you'd be interested in reading the full version:

Zombies are a popular figure in pop culture/entertainment and they are usually portrayed as being brought about through an outbreak or epidemic. Consequently, we model a zombie attack, using biological assumptions based on popular zombie movies. We introduce a basic model for zombie infection, determine equilibria and their stability, and illustrate the outcome with numerical solutions. We then refine the model to introduce a latent period of zombification, whereby humans are infected, but not infectious, before becoming undead. We then modify the model to include the effects of possible quarantine or a cure. Finally, we examine the impact of regular, impulsive reductions in the number of zombies and derive conditions under which eradication can occur. We show that only quick, aggressive attacks can stave off the doomsday scenario: the collapse of society as zombies overtake us all.

This paper even includes MATLAB code that finds solutions to the system of ODEs that the paper proposes for modelling zombie outbreaks, so you can try different parameters and see how they affect the chances of the human race surviving.

And it turns out that this particular model has been cited elsewhere. It's an example used in Numerical Methods for Ordinary Differential Equations and it was also referenced in Theories of International Politics and Zombies and What's So Austrian about Austrian Economics? as well as in The Proper Care and Feeding of Zombies: A Completely Scientific Guide to the Undead, The Open Laboratory 2009 and the Proceedings of the 5th International 2010 Fun with Algorithms Conference.

That's a lot of exposure for a paper about zombies.

Wednesday, 19 October 2011

Are successful CISOs good or just lucky?

A while ago I noted how information security is probably more like poker than craps because there's more than just chance involved. Recent research (PDF) by Steven Levitt and Thomas Miles seems to indicate that this is actually true. They found that more successful players tend to win more at poker than average players do. That's something that you wouldn't expect to see in games that were just games of chance.

But not all successes that we might think of as being due to skill are really due to skill. Some research has suggested (PDF), for example, that the performance of successful mutual fund managers is more easily explained as good luck instead of a higher level of skill or superior knowledge.

What about CISOs? Do successful CISOs have superior skills or knowledge that significantly affect the performance of their organizations? Or are they just lucky?

I haven't seen any research that tries to answer this question, but I'd guess that the element of luck is getting more and more important. Today's software is extremely complicated, and with that complexity comes all sorts of bugs, some of which affect security. And because all software has bugs, it's probably possible for a clever hacker to find them and exploit them in any software. You might be able to find strategies that minimize the chance of hackers finding and exploiting them, but that chance never drops to zero. This means that no matter how good a CISO is, there's always a chance of their systems being hacked. And because the chance of being hacked is always there, maybe it's more luck than CISO skill that determines whether or not a particular business gets hacked.

And because so many decisions are now made for compliance reasons instead of a CISO thinking that a particular strategy is good, I wouldn't be surprised if the effects of chance are getting greater and the effects of CISO skill are getting smaller. And because software is likely to get more complicated in the future and regulatory compliance is likely to become a bigger factor in information security strategies than it is now, it might also become more and more difficult for good CISOs to make a difference in the future.

Tuesday, 18 October 2011

Engineering Security

Peter Gutmann's book Engineering Security (PDF) is one of the best single books that I've found on the topic of information security. It collects all sorts of information that's both useful and interesting, and it seems to be the only place where this type of information is collected. If you read a chapter of this book, you're able to amaze and astound people with the fascinating information security knowledge that you have.

My memory's not as good as it used to be, so for me, this effect wears off after a couple of weeks. But for those couple of weeks, I look much smarter than I really am.

I don't know if this book has found a publisher yet, but it's definitely the sort of book that deserves to be printed.

Monday, 17 October 2011

Problems with the Ponemon data breach studies

The Ponemon data breach studies are one of the few sources of information that we have about data breaches, but their results may either overestimate or underestimate the true cost of a data breach because the breaches that are looked at in these studies aren't really representative of all breaches.

As I've noted before, the size of data breaches follows a lognormal distribution fairly closely. Historically this distribution has had a logmean (base 10) of about 3.4 and a logdeviation (base 10) of about 1.2. In other words, the base 10 logarithm of the breach size follows a normal distribution or "bell curve."

But when we look at the breaches that the Ponemon studies look at, the breaches don't seem to be representative of all breaches. The 2010 report (PDF), for example, looked at US breaches that exposed between 5,010 and 101,000 records. Here's what we get when we graph that range (of the log) of breach sizes:

[Chart: normal curve of the base 10 logarithm of breach size, with the 5,010 to 101,000 record range marked]

So it certainly looks like that range of breaches isn't really representative of all breaches. It only includes breaches that are above-average in size but aren't too big, and it only represents about 31 percent of all breaches.

The Ponemon reports claim that they're carefully tailored to be representative of companies that suffer data breaches. As their 2010 U.S. Cost of a Data Breach report said,

This benchmark study examines data breach costs resulting in the loss or theft of protected personal data. As a benchmark study, Cost of a Data Breach differs greatly from the standard survey study, which typically requires hundreds of respondents for the findings to be statistically valid. Benchmark studies are valid because the sample is designed to represent the population studied. They intentionally limit the number of organizations participating and involve an entirely different data-gathering process.

A more representative sample of breaches would also include companies that suffered breaches that are both much larger and smaller than those interviewed for the 2010 report. Because those breaches weren't considered in this report, there's a good chance that the report either overestimates or underestimates the true cost of data breaches. Maybe we'll find out which one in a future report.
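
The 31 percent figure above can be checked from the stated parameters alone. This is an added example, not code from the post or the Ponemon reports: it computes the share of breaches whose size falls in a window when log10(size) is normal with the post's logmean of 3.4 and logdeviation of 1.2, and it generalises to any window and any parameters, plus the inverse (the breach size at a given percentile).

```python
"""Fraction of breaches inside a size window under a lognormal size law.

Added example, not from the blog post or the Ponemon reports. The default
parameters are the post's historical values (log10 mean 3.4, log10
standard deviation 1.2); the window is the 2010 report's 5,010 to
101,000 records.
"""
from math import erf, log10, sqrt


def normal_cdf(z):
    """Standard normal CDF via the error function."""
    return 0.5 * (1.0 + erf(z / sqrt(2.0)))


def fraction_in_range(low, high, log_mean=3.4, log_sd=1.2):
    """Share of breaches with size in [low, high] records when log10(size)
    is normal with the given mean and standard deviation."""
    if low <= 0 or high <= low:
        raise ValueError("need 0 < low < high")
    z_low = (log10(low) - log_mean) / log_sd
    z_high = (log10(high) - log_mean) / log_sd
    return normal_cdf(z_high) - normal_cdf(z_low)


def size_at_percentile(p, log_mean=3.4, log_sd=1.2):
    """Inverse: the breach size at cumulative probability p, found by
    bisection on the CDF (p = 0.5 gives the median breach size)."""
    if not 0.0 < p < 1.0:
        raise ValueError("p must be strictly between 0 and 1")
    lo, hi = log_mean - 10 * log_sd, log_mean + 10 * log_sd
    for _ in range(200):
        mid = (lo + hi) / 2
        if normal_cdf((mid - log_mean) / log_sd) < p:
            lo = mid
        else:
            hi = mid
    return 10 ** ((lo + hi) / 2)


# Window of breach sizes covered by the 2010 Ponemon U.S. report.
PONEMON_2010_LOW, PONEMON_2010_HIGH = 5_010, 101_000


def ponemon_2010_coverage():
    """Fraction of all breaches that the 2010 report's window represents."""
    return fraction_in_range(PONEMON_2010_LOW, PONEMON_2010_HIGH)


if __name__ == "__main__":
    print(f"median breach size: {size_at_percentile(0.5):,.0f} records")
    print(f"2010 window covers {ponemon_2010_coverage():.1%} of breaches")
    print(f"below the window: {fraction_in_range(1, PONEMON_2010_LOW):.1%}")
    print(f"above the window: {1 - normal_cdf((log10(PONEMON_2010_HIGH) - 3.4) / 1.2):.1%}")
```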

Thursday, 13 October 2011

IARPA's Reynard project

It looks like IARPA's Reynard project is well under way at this point. This project is looking for ways to correlate things in virtual worlds, like World of Warcraft, with things in the real world. Here's how IARPA described what they're looking for:

Starting from the premise that Real World (RW) characteristics are reflected in VW behavior, the IARPA Reynard program seeks to identify behavioral indicators in VWs and MMOGs that are related to the RW characteristics of the users. Performers in the Reynard program will be expected to produce one or more VW behavioral indicators that serve to identify RW attributes of individuals or groups. Attributes of interest include the following: gender, approximate age, economic status, educational level, occupation, ideology or "world view", degree of influence, "digital native" vs "digital immigrant," approximate physical geographic location, native language, and culture. Other RW characteristics might also be empirically deduced through behavioral indicators. VW behavioral indicators may be examined in the areas of Avatars and Representation, Communication, Things That Avatars Do, Group Formation and Dynamics, Money and Economics, and Cultural Differences.

Because IARPA, the US government agency that funds research that the intelligence community is interested in, is sponsoring this research, they're probably trying to do things like find which people in a WoW game are really terrorists, or similar things. That's what the ODNI's 2008 Data Mining Report (PDF) seems to suggest that they're interested in. But because the intelligence community is sponsoring this research, we'll probably never find out what they learned. That's too bad. There might actually be some interesting results from this project.

Monday, 10 October 2011

Statistical Analysis of Texas Hold'em

I just came across an interesting paper ("Statistical Analysis of Texas Hold'em" (PDF)) by application security consultants Cigital that tries to determine whether poker is mainly a game of skill or chance. Their conclusion is that it's mainly a game of skill. Here's how the executive summary of this paper describes what they found:

The effect of luck (i.e., the dealing of the cards) in Texas Hold’Em is a subject of much debate in the legal community. This study seeks to establish clear numbers derived from a significant sample of actual play. This study does not quantify the effect that luck has on Texas Hold’Em, but it provides compelling statistics about the way that the outcomes of games are largely determined by players’ decisions rather than chance.

Cigital examined 103 million hands of Texas Hold’Em poker played at PokerStars. In the majority of cases, 75.7% of the time, the game’s outcome is determined with no player seeing more than his/her own cards and some or all of the community cards. In these games all players fold to a single remaining player who wins the pot. In the 24.3% of cases that see a showdown (where cards are revealed to determine a winner), only 50.3% of showdowns are won by the player who could make the best 5-card hand. The other roughly half of the showdowns are won by someone with an inferior 5-card hand because the player with the best 5-card hand folded prior to showdown.

Much like poker, information security also deals with making decisions in the face of uncertainty, so a reasonable question to ask is: Is luck or skill more important in information security? Is it possible to make 75.7% of hackers not even try to attack your systems because they think that it's a waste of time because your security would be too tough for them to crack? And if that's possible, exactly how would you do it?

Tuesday, 04 October 2011

Who do CISOs report to?

In PricewaterhouseCoopers' 2011 Global State of Information Security Survey, people were asked who their CISO reports to. As this table shows, CIOs were the big losers over the past few years and CPOs were the big winners. I wasn’t surprised to see fewer CISOs reporting to CIOs, but I was quite surprised to see such a big increase in the number of CISOs reporting to CPOs.

Who CISO reports to         2007   2008   2009   2010   Three-year change
Chief Information Officer    38%    34%    32%    23%   -39%
Board of Directors           21%    24%    28%    32%   +52%
Chief Executive Officer      32%    34%    35%    36%   +13%
Chief Financial Officer      11%    11%    13%    15%   +36%
Chief Operating Officer       9%    10%    12%    15%   +67%
Chief Privacy Officer         8%     8%    14%    17%   +113%

Update: Yes, as a couple of alert readers have pointed out, that really should be "Whom do CISOs report to."

Friday, 30 September 2011

Circuits based on the Grotthuss effect

I just came across an interesting article on the IEEE web site that talks about how researchers have recently created transistors that use proton conduction instead of electron conduction. And it seems that these new transistors are actually made from nanofibers of an organic compound extracted from squid.  

In lots of materials, current is really both a flow of negatively-charged particles and positively-charged particles. I don't know the details of what really happens, but I'd guess that when you're struck by lightning, for example, the current flow through your body is pretty much half from positive ions moving one way and half from negative ions moving the other way. Even in common silicon-based semiconductors you have both majority carriers and minority carriers, so electrical current is often not as simple as just coming from electrons moving in some particular direction.

But it turns out that current flow from positive charges moving is actually fairly common, particularly in biological systems. A good summary of this is available in "Et tu, Grotthuss! and other unfinished stories," (PDF) by Samuel Cukierman, which talks about proton current through water wires in biological molecules.

It also turns out that proton current has been known for quite a while. In 1806, Theodor Grotthuss actually proposed a mechanism for this happening in water as part of his approach to understanding electrolysis ("Sur la décomposition de l'eau et des corps qu'elle tient en dissolution à l'aide de l'électricité galvanique," which is commonly translated as "Theory of decomposition of liquids by electrical currents"). Cukierman's article was actually written to commemorate the 200th anniversary of Grotthuss' earlier paper.

In any event, it looks like the first transistors have been created that actually use proton current. I don't understand exactly what the advantages of such devices would be. It seems to me that they'd be slower and bigger than the CMOS devices that we can make today. Perhaps even much slower and much bigger. But it's definitely an interesting step forward. And it did get me to learn something about the Grotthuss effect, something that I hadn't heard of before.

Thursday, 29 September 2011

How many zombies do you know?

I just came across an interesting paper about indirect survey methods. This was "'How many zombies do you know?' Using indirect survey methods to measure alien attacks and outbreaks of the undead," by Andrew Gelman of Columbia University. A quick summary of this paper is that because it's too dangerous to actually go out and do field research on attacks by aliens or zombie outbreaks, it's better to learn about them indirectly. So instead of witnessing the events directly, talk to people who were actually at them instead.

Because a survey of about 1,500 people can give you indirect information about 1 million people, it's possible to get much more coverage using indirect methods than by more direct methods. Gelman mentions social networking web sites as a potential way of doing this. (My LinkedIn network connects me to over 5,252,783 professionals. Hoody hoo! And I don't really go out of my way to add LinkedIn connections.)

Gelman's approach is eerily similar to one that I've been using for years to estimate the chances of information security incidents happening. I usually do this at the RSA Conference with a group of information security professionals, usually after a free beer or two that some vendor's party has conveniently provided. I ask people things like, "Have you or anyone that you know ever been hacked through a buffer overflow in their Lisp interpreter?" This is an obviously-fake example, of course, but it's one that's using an indirect survey to estimate the chances of a certain attack happening.

I also ask how many people know of someone who's died in a certain way. Things like, "Do you know anyone who has died in a car accident?"  I assume that people tend to remember deaths more than other events. And because the chances of dying in various ways are fairly well known, this provides a handy way to calibrate the answers about security incidents.

This probably gives me a good idea of what types of incidents happen fairly often and which ones don't. And it might be accurate to within a factor of 10 or so for estimating probabilities. So I can probably distinguish between security incidents that have a 1 in 10,000 chance of happening per year and incidents that have a 1 in 100,000 chance of happening per year.    

I used to think that this isn't a careful and scientific approach, but since a well-known statistician wrote a paper about it, it might be better than I had first thought.

Wednesday, 28 September 2011

What information security can learn from food safety

I just came across the program (PDF) for the Fera/JIFSAN 12th Annual Joint Symposium, a joint meeting of the UK's Food and Environment Research Agency and the American Joint Institute for Food Safety and Applied Nutrition that was held in College Park, Maryland, on June 15-17, 2011. Here's a list of the four sessions that comprised this meeting:

Session 1: Sources of Uncertainty in Food Safety Risk Assessment – Current Practice

Session 2: Improving Data Collection to Quantify and/or Reduce Uncertainty

Session 3: Tools Used for Characterizing Uncertainty

Session 4: Informed Decision Making

When I saw that, my first thought was roughly, "Holy cow! Those are the very same issues that a workshop discussing the big issues in information security might talk about!" You'd have to change "Food Safety" to "IT Systems" in Session 1, of course, but that's all you'd need to do to have the basis for a great information security workshop.

So maybe the lesson to be learned here is that everyone who deals with risks is really dealing with the same underlying hard issues. If that's the case, I'll have to make an effort to read more papers from workshops like the Fera/JIFSAN 12th Annual Joint Symposium in the future.

Thursday, 22 September 2011

Errors in published science

There was an interesting article (unfortunately restricted to subscribers) in The Wall Street Journal recently that described how the number of retractions published for scientific papers has dramatically increased over the past decade. According to the data in the WSJ, here's how the number of retractions published for some scientific fields has changed since 2001:

[Chart: Retractions]

So although I may frequently criticize the sloppy and inaccurate research that's so common in information security, it looks like information security isn't alone in having a problem with this. One big difference, of course, is that you typically don't see any retractions at all published for the terribly inaccurate information security research. And it's not clear at all that information security research was any better 10 years ago than it is today. But why has the number of errors increased so dramatically recently?

My first thought is that this is due to the increased pressure in the workplace. I don't know about how scientists feel these days, but I definitely feel more pressure to do more in less time than I did 10 years ago, and that probably results in mistakes that wouldn't have been made at the slower and more deliberate pace.

One of the Voltage engineers has another theory of why the number of retractions has increased recently. I'll see if I can get him to do a post about it.

Thursday, 08 September 2011

The CSI Computer Crime and Security Survey

The CSI's annual Computer Crime and Security Survey used to be one of the few good sources of information about trends in information security. It had all sorts of useful information about what the main threats that businesses were facing, how much damage various types of security incidents caused, etc. And it was one of the most commonly cited sources for this type of information.

This report used to be free, but now CSI is charging $185 for a copy of it. That's more than I'm willing to pay for this information, and from what I've heard, it's also more than most others are willing to pay. So I expect that this particular report will quickly become little more than a footnote in the history of information security. It may still be around in the future, but it probably won't be anywhere close to being as useful as it was in the past.

Thursday, 01 September 2011

JASON on cryptography

Not much of the field of information security can really be considered a science. The only part that can is cryptography. Here's how the JASON group report Science of Cyber-security (PDF) described this:

Cryptography, which examines communication in the presence of an adversary and in which the assumed power of that adversary must be clearly specified is viewed today as a rigorous field, and the approaches pursued in this area hold useful lessons for a future science of cyber-security.

Now if we could just make the rest of the field just as rigorous, lots of our problems would get much easier.

Tuesday, 30 August 2011

Another view of the insider threat

Here's another view of data from the 2011 CyberSecurity Watch Survey (PDF) from CERT that seems to show that the insider threat isn't bigger than the outsider threat. (There's apparently no data for 2009.)

I still can't quite figure out how to get Excel to make the sort of graph that I'd like to see.

[Chart: Insider]

Monday, 29 August 2011

Visualizing the insider threat

Here's some data from the 2011 CyberSecurity Watch Survey (PDF) from CERT. It seems to show that the insider threat isn't bigger than the outsider threat and that it probably never has been. (There's apparently no data for 2009.)

[Chart: Graph1]

Thursday, 25 August 2011

Parkinson was a visionary

Placed between the novels of Rider Haggard and H. G. Wells, intermingled with volumes about ape men and space ships, these textbooks could harm no one. Placed elsewhere, among works of reference, they can do more damage than might at first sight seem possible.

C. Northcote Parkinson, Parkinson's Law and Other Studies in Administration, 1957

When Parkinson wrote these unjustifiably non-famous words, he was talking about textbooks on business. I'm not sure how he ended up with the opinion that he expressed in these words. I'm not even sure that he meant for us to believe that his words were to be taken seriously. But my experience with the academic study of information security leads me to believe that Parkinson was a visionary. The words that he wrote in 1957 seem to apply to lots of the academic literature on the business aspects of information security that's published today. Much of this academic literature seems to have been written by people who've never actually been outside academia. Some of their conclusions are just plain wrong.

The problem with the academic world is that once something that’s wrong gets into print, it then gets referenced by other publications, so that it's the basis for other similarly-wrong conclusions. I gave an example of this a while ago in this post.

As you learn in high-school math classes, from a false premise you can prove anything. And because there are so many false premises about the business aspects of information security being taken as facts, it's easy to draw all sorts of wrong conclusions.

Wednesday, 24 August 2011

Celebrating Ten Years of Identity-Based Encryption (IBE)

Over the past 10 years, IBE has become one of the fastest deployed encryption technologies as measured by the commercial adoption of Voltage SecureMail™ and the use of IBE as a general purpose key management solution used across the Voltage Security product line. Since its commercial launch 8 years ago, Voltage SecureMail has become one of the most widely adopted secure email products in the world with over one billion secure business emails sent annually and over 50 million worldwide users; those numbers are expected to double by 2014.

[Infographic: Voltage 10 years of IBE]

IBE was first introduced on Tuesday August 21 at the 2001 Crypto conference in a seminal paper by Dan Boneh, Stanford University, and Matt Franklin, University of California Davis. The paper, entitled “Identity-Based Encryption from the Weil Pairing,” set forth a simple but powerful approach for encrypting information with identity-based keys. This cryptography breakthrough became the founding technology for Voltage Security that was incorporated in 2002 by three Stanford students working with Professor Boneh: Matt Pauker, Rishi Kacker and Guido Appenzeller. In July 2003, the new company launched Voltage SecureMail, an email encryption product using IBE to secure messages without the difficulties and expenses of traditional certificates.

Key metrics in the 10 year history of IBE:

  • 50 million Voltage SecureMail users worldwide.
  • Approximately one billion IBE secured business emails will be sent in 2011.
  • By 2014, it is estimated there will be 100 million Voltage SecureMail licensed users and over two billion secure emails will be sent that year.
  • All the messages protected by IBE in 2011, if printed out, would circle the globe seven times.
  • Nearly a third of the world’s 20 biggest public companies (per the Forbes Global 2000) have standardized on Voltage SecureMail.

World’s Biggest Companies Standardize on Voltage SecureMail

Nearly 30% of the world’s 20 biggest public companies (as listed by Forbes Global 2000) have standardized on Voltage SecureMail powered by IBE including four of the world’s largest global financial institutions; one of the world’s largest retailers, one of the largest U.S. managed healthcare providers and several large regional healthcare providers.

Notable Voltage SecureMail customers from the last year include:

  • One of the largest Wall Street banks with over 230,000 employees standardizes on Voltage SecureMail
  • A major Wall Street bank and Fortune 100 financial services provider with global operations chooses Voltage SecureMail for its 100,000 employees around the world.
  • A major credit card brand with over 60,000 employees standardizes on Voltage SecureMail
  • An award-winning regional health care organization replaces a non-functioning email security solution from one of the largest technology companies in the world with a policy-based encryption solution from Voltage SecureMail
  • A Fortune 50 global financial services company deploys Voltage SecureMail to over 320,000 internal and several million external users across 86 countries, replacing an aging PKI-based encryption technology.

In addition, over 1000 enterprise companies have standardized on Voltage SecureMail, and thousands of mid-size to smaller business use the cloud-based Voltage SecureMail Cloud™ solution to protect private and confidential information.

More information at www.voltage.com


Tuesday, 23 August 2011

The origin of U+1F4A9

An alert reader recently pointed out that there's a Unicode character that might be particularly suitable for use in describing some of the less-than-accurate data and questionable research that plagues the information security industry. This is the U+1F4A9 code point.

I don't know anyone who's involved in developing Unicode standards so I can't say for sure whether or not that was why U+1F4A9 was included in Unicode 6.0.0, but it's the best reason that I've heard so far.

Wednesday, 17 August 2011

AES cracked - or is it?

There's new research that's being described as saying that the AES encryption algorithm has been "cracked."

I'm probably not alone in dreading these sorts of stories. Many people who work for encryption vendors probably feel the same way about them because they always end up being a distraction for a week or so as we explain to people why their sensitive data is still safe, even if hackers have access to the latest and greatest attack.

The headlines often aren't quite true, but that doesn't stop lots of people from worrying about exactly what's what. And that's understandable, because most people really don't care about the details of encryption. And they shouldn't. As Calvin Coolidge might have said if he were around today, "The business of America is business, not worrying about the arcane details of encryption."

So what's the bottom line this time and how does it affect the security of any sensitive data that you're encrypting with AES?

Here's the way that Andrey Bogdanov, one of the researchers who found this weakness in AES, described the implications of this new attack:

The practical consequence is that the effective key length of AES is about 2 bits shorter than expected - it is more like AES-126, AES-190 and AES-254 instead of AES-128, AES-192 and AES-256.

So we're looking at reducing the security provided by an AES key by about 2 bits, or about a factor of 4. But because even the weakest AES keys, the 128-bit keys, require hundreds of billions of years on implausibly-powerful supercomputers to crack, knocking off 2 bits is really no big deal. That might reduce the time needed to crack a key from 100 billion years to only 25 billion years, for example, which still isn't the sort of attack that's practical for a hacker to do. And it's one that probably never will be.

So the work by Andrey Bogdanov, Dmitry Khovratovich and Christian Rechberger (BKR) that's being described as leading to AES being cracked really isn't worth losing sleep over. Even if hackers only have to do one-quarter of the work that they would have otherwise needed to do to crack an AES key, this still leaves them with an impossible amount of work left. So much work that they'll never try to actually carry out this attack.

So the bottom line is that if the BKR attack is the best that a hacker can do, your data's still extremely safe.

Tuesday, 16 August 2011

Another example of data re-identification risk

A group of Canadian researchers have shown another example of how hard it can be to anonymize sensitive data. In this case, the researchers found that it was relatively easy to uniquely identify a person based on information that isn't usually considered to be the sort of PII that needs to be protected. Here's how they summarized what they found:

Background

The public is less willing to allow their personal health information to be disclosed for research purposes if they do not trust researchers and how researchers manage their data. However, the public is more comfortable with their data being used for research if the risk of re-identification is low. There are few studies on the risk of re-identification of Canadians from their basic demographics, and no studies on their risk from their longitudinal data. Our objective was to estimate the risk of re-identification from the basic cross-sectional and longitudinal demographics of Canadians.

Methods

Uniqueness is a common measure of re-identification risk. Demographic data on a 25% random sample of the population of Montreal were analyzed to estimate population uniqueness on postal code, date of birth, and gender as well as their generalizations, for periods ranging from 1 year to 11 years.

Results

Almost 98% of the population was unique on full postal code, date of birth and gender: these three variables are effectively a unique identifier for Montrealers. Uniqueness increased for longitudinal data. Considerable generalization was required to reach acceptably low uniqueness levels, especially for longitudinal data. Detailed guidelines and disclosure policies on how to ensure that the re-identification risk is low are provided.

Conclusions

A large percentage of Montreal residents are unique on basic demographics. For non-longitudinal data sets, the three character postal code, gender, and month/year of birth represent sufficiently low re-identification risk. Data custodians need to generalize their demographic information further for longitudinal data sets.

So the bottom line is that we need to protect all data, not just some of the data. Any other approach probably doesn't provide as much protection as you might think that it does.
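The uniqueness measure that the abstract describes, with the same generalizations (three-character postal code, month/year of birth) and the longitudinal case, written out as an added example of mine rather than the researchers' code or data. The records and the two-year histories are constructed and tiny; the measure is simply the fraction of records whose (postal code, date of birth, gender) triple matches no other record, and k_anonymity reports the smallest group of look-alikes.

```python
from collections import Counter

# Constructed records (postal code, date of birth, gender); not the study's data.
SAMPLE_RECORDS = [
    ("H2X 1Y4", "1980-03-12", "F"),
    ("H2X 1Y4", "1980-03-12", "F"),   # same quasi-identifiers as the record above
    ("H2X 1Y4", "1980-03-25", "F"),
    ("H2X 2B1", "1975-07-01", "M"),
    ("H2X 2B1", "1975-07-19", "M"),
    ("H3Z 9A9", "1990-11-30", "M"),
    ("H3Z 9A9", "1990-11-05", "M"),
    ("H3Z 9A9", "1990-11-05", "F"),
]

# Constructed two-year histories for four people; the second person moved.
SAMPLE_HISTORIES = [
    [("H2X 1Y4", "1980-03-12", "F"), ("H2X 1Y4", "1980-03-12", "F")],
    [("H2X 1Y4", "1980-03-12", "F"), ("H3Z 9A9", "1980-03-12", "F")],
    [("H2X 2B1", "1975-07-01", "M"), ("H2X 2B1", "1975-07-01", "M")],
    [("H2X 2B1", "1975-07-01", "M"), ("H2X 2B1", "1975-07-01", "M")],
]


def generalize(record, postal_chars=6, dob_level="day"):
    """Coarsen a record: keep the first postal_chars characters of the postal
    code and the date of birth to the day, month or year."""
    postal, dob, gender = record
    postal = postal.replace(" ", "")[:postal_chars]
    if dob_level == "month":
        dob = dob[:7]
    elif dob_level == "year":
        dob = dob[:4]
    elif dob_level != "day":
        raise ValueError("dob_level must be day, month or year")
    return (postal, dob, gender)


def equivalence_classes(keys):
    """Count how many records share each (generalized) quasi-identifier key."""
    return Counter(keys)


def uniqueness(records, **generalization):
    """Fraction of records whose quasi-identifiers match no other record."""
    keys = [generalize(r, **generalization) for r in records]
    counts = equivalence_classes(keys)
    return sum(1 for k in keys if counts[k] == 1) / len(keys)


def k_anonymity(records, **generalization):
    """Smallest equivalence class; 1 means at least one person stands alone."""
    counts = equivalence_classes(generalize(r, **generalization) for r in records)
    return min(counts.values())


def longitudinal_uniqueness(histories, **generalization):
    """Same measure, but the key is a person's whole sequence of yearly records,
    so a move or any other change between years can single someone out."""
    keys = [tuple(generalize(r, **generalization) for r in h) for h in histories]
    counts = equivalence_classes(keys)
    return sum(1 for k in keys if counts[k] == 1) / len(keys)


def snapshot_uniqueness(histories, year_index, **generalization):
    """Cross-sectional uniqueness of a single year's slice of the histories."""
    return uniqueness([h[year_index] for h in histories], **generalization)
```

On the constructed records, full postal code plus date of birth plus gender leaves six of eight records unique; generalizing to a three-character postal code and month/year of birth brings that down to one in eight. The histories show the longitudinal effect the abstract mentions: the first-year snapshot has no unique records at all, but once each person's two years are joined, the person who moved becomes unique under every generalization tried.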

Friday, 05 August 2011

More questionable data

There was an article in a recent issue of IEEE Spectrum that made me think about how well the government would do if they tried to collect information about information security incidents. This article was “One Million Plug-in Cars by 2015?” and it discussed how realistic the US government’s goal is of having 1 million electric cars in use by 2015.

This article describes how a study of this by industry experts reported (PDF) that the goal of 1 million was probably unattainable. The experts based this conclusion on things like announced production volumes and the experts’ own projections of consumer demand.

Shortly after the industry experts released their report, the US Department of Energy released their own study (PDF). Theirs concluded that 1.22 million electric cars was attainable by 2015.

But what did the DOE base their projection on?

According to IEEE Spectrum, it was based on media reports of auto makers’ plans.

So we’re left wondering which is more accurate: the auto makers’ plans or media reports of their plans.

There might be a political agenda behind the DOE report. There might also be one behind the industry report. But when I see politics apparently influencing things to this degree, I’m led to believe that the government probably wouldn’t do a very good job of collecting and reporting statistics on information security incidents. If the government’s goal was to reduce incidents by 25 percent by a certain time, for example, there’s a good chance that there’ll be a report that shows that they met that goal. (Unless the GAO did the reporting. They seem about as unbiased as you can get. But this seems outside the scope of what they're allowed to do.)

So I wouldn't be surprised if political pressure would lead the government to produce more questionable studies if they were in charge of reporting on information security incidents. The information security industry already has lots of studies of questionable accuracy. To avoid getting even more of them, I'd say that the government shouldn't try to consolidate and report on security incidents.

Tuesday, 02 August 2011

How big is big science?

[Image: STS132_undocking_iss2]

The most recent issue of Popular Science had an interesting article about what they called "the 10 most awe inspiring projects in the universe." I was somewhat surprised to see how much some of these projects cost. Here's Popular Science's list:

Project                           Construction cost   Annual budget
Large Hadron Collider             $7.82 billion       $1.2 billion
International Space Station       $4.5 billion        $2.31 billion
National Ignition Facility        $3.54 billion       $140 million
Spallation Neutron Source         $1.41 billion       $168 million
Juno                              $928 million        $30 million
Relativistic Heavy Ion Collider   $671 million        $160 million
Very Large Array                  $300 million        $15 million
Earthscope                        $197 million        $25 million
Advanced Light Source             $154 million        $54.2 million
Neptune                           $106 million        $12 million

I used to feel bad about spending a few million dollars per year on lab equipment. In the big picture, I suppose that that really wasn't much money. At least not when it comes to funding science.

Monday, 01 August 2011

Opportunities to get published

I just received an interesting spam email telling me about an opportunity to get my research published. The senders apparently don't know that I work for a vendor of encryption products, and that we really don't do the sort of research that you'd publish in a scholarly journal. Here's what the spam said:

Do you feel scientifically isolated? Do you find yourself sitting on the side-line while others take the field by the nose and lead it? Are you unable to publish a model that summarizes your data and ideas because reviewers label it as being too speculative and unsupported? Can’t get those experiments published in any regular journal? Do you find that nobody is citing your papers? Haven’t published in your field for some time, but want to show that you are still a player? Well, no need to worry! There is a special category of publication for you, ‘the invited review’.

The journals that this email was soliciting contributions for were all related to biology or chemistry, so it's not clear exactly why I got it, but it was interesting to see that there's apparently a market in providing a place for research that might be called "not quite up to generally-accepted standards" to get published.

What I found surprising was how little it costs to do this: it looks like there actually aren't any fees associated with getting your work published this way. These journals clearly aren't trying to be a prestigious place for the world's leading scientists to publish their best work. Maybe their model is more like commercial magazines that are supported by advertising.  

Friday, 29 July 2011

Detecting opinion spam

I just came across an interesting article (and podcast) on the IEEE web site. It seems that a team of researchers at Cornell have found a way to tell truthful on-line reviews from the fake ones that are sometimes called "opinion spam". 

A quick summary of what they found is that people write differently when they're writing fiction versus non-fiction, and it's possible to use this as the basis for detecting bogus on-line reviews.

You can get slides that the researchers used at a recent presentation about their findings here (PDF). There's a lot missing from the slides, but there's enough there to get a reasonable idea of what they found and how they found it.

Thursday, 28 July 2011

An unexpected way to manage risk better

Information security concerns managing uncertain outcomes, so it's based on an understanding of those uncertain outcomes. Some people do this better than others. Like the subjects in the research by psychologists Baba Shiv, George Loewenstein, Antoine Bechara, Hanna Damasio and Antonio Damasio that's described in "Investment Behavior and the Negative Side of Emotion."

Can dysfunction in neural systems subserving emotion lead, under certain circumstances, to more advantageous decisions? To answer this question, we investigated how normal participants, patients with stable focal lesions in brain regions related to emotion (target patients), and patients with stable focal lesions in brain regions unrelated to emotion (control patients) made 20 rounds of investment decisions. Target patients made more advantageous decisions and ultimately earned more money from their investments than the normal participants and control patients. When normal participants and control patients either won or lost money on an investment round, they adopted a conservative strategy and became more reluctant to invest on the subsequent round; these results suggest that they were more affected than target patients by the outcomes of decisions made in the previous rounds.

In other words, the test subjects with brain damage actually did a better job of managing risk than the test subjects without brain damage. I'm not sure that I want to think about the implications of that in the field of information security for too long.

Wednesday, 27 July 2011

The best statistical analysis ever

OK, enough of this worrying about what sort of patterns we can find for data breaches. What about more interesting things - like whether there's a correlation between children swallowing coins and the stock market? Well, it turns out that that's already been done. Three doctors at Harvard Medical School collected data for three years on this very topic. Here's the abstract from the article they published that described their findings:

Objective To examine the relation between coins ingested by children and the Dow Jones Industrial Average.

Design Observational study.

Main outcome measures Total value of coins ingested and number of incidents of coins versus other objects swallowed, measured before and after the stock market crash of October 2008.

Results Eighteen objects, including 11 coins, were ingested (NASDAQ (numismatic and sundry detritus acquired) composite of 18). The total value of the 11 coins swallowed was $1.03 (FTSE 100 (fraction of the US$ or 100 cents) index of 103). The pecuniary extraction ratio (PE ratio) was 0.57 (9/16). Comparing values for a period before and after October 2008, the mean monthly NASDAQ composite (0.41 (SD 0.67) v 0.5 (0.85), P=0.75), FTSE 100 index in cents (2.3 (6.8) v 3.1 (7.8), P=0.77), and PE ratio (0.54 (0.52) v 0.66 (0.29), P=0.50) did not change. The mean end-of-month closing value of the Dow Jones, however, decreased significantly (12 537 (841.4) v 8388 (699.8), P<0.001)

Conclusion There was no detectable difference in the total value of coins ingested, or ratio of coins to other objects swallowed, before or after a massive stock market crash.

I'm not sure that's as interesting as what we can learn about data breaches. Not as useful, either.

Tuesday, 12 July 2011

Academics will never get the data that they want

Academic researchers in information security would love to have some useful data to work with. Without data, lots of research isn't possible, and there's really not much data available for the entire field of information security.

Lots of researchers would like the government to require businesses to report all sorts of data about information security incidents. When I was at the National Cyber Leap Year meeting a year or two ago, that was their biggest single request.

I certainly hope that the government doesn't require businesses to report this sort of information. As a person who used to run a small business, I might be more sensitive to these issues than some people, but I can easily see this becoming a requirement that's very difficult and expensive for businesses to comply with.

And even if the government could somehow find a way to collect this data in a way that doesn't cost anything at all, its existence would be a huge security and privacy problem. Even if it's anonymized.

As I mentioned in a previous post, anonymizing data doesn't really work very well. This means that it would probably be impractical for researchers to have access to a hypothetical database of information about security incidents without giving them way more information than they really need.

So because I doubt that we'll have workable solutions to either of these problems any time soon, I expect that academics will never get the data that they'd like to have.

Thursday, 07 July 2011

One in six Australians the victim of government statistics

According to the Australian government,

Attorney-General Robert McClelland today released new research which shows nearly one in six Australians have been a victim or known somebody who has been a victim of identity theft or misuse in the past six months.

That's a puzzling statistic.

From what I've read about research into social networks, a typical person knows about 150 people. If only one in six people have someone in their network of 150 friends that has recently been a victim of identity theft, that means that there's probably only about a 0.1 percent chance of any one of them being a victim of identity theft in a six-month period. That's about a 0.2 percent chance per year, or only 1 in 500 people per year on average.

From what I've read from other sources, the actual chance of some sort of identity theft is actually much greater - almost a factor of 100 greater.

But because the Australian government seems concerned about the problem of identity theft, I'd guess that it's not the case that the chances of identity theft are 100 times lower for Australians than they are for others, so I'm left wondering exactly what the recent Australian research really showed.
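The network-size arithmetic used in this post and in the "How many zombies do you know?" post above, written out as an added example of mine (not the post's or the Australian report's). It assumes the simple model that each of a respondent's contacts is independently affected at some per-person rate p, so the share of respondents who know a victim is 1 - (1 - p)^n, and it adds the calibration step the zombie post describes: a reference question whose true rate is known (the post uses causes of death) is used to back out how many people a respondent's answers really cover. The 1 in 6 and 150 figures are the post's; the 0.3 and 0.0012 calibration values used in the notes are constructed.

```python
import math

# Figures from the post: the Australian "one in six" (per six months) and the
# size of a typical personal network.
NETWORK_SIZE = 150
FRACTION_KNOW_VICTIM = 1 / 6


def implied_rate(fraction_knowing, network_size):
    """Per-person rate p with 1 - (1 - p)**n = fraction_knowing, treating the
    n contacts as independent (assumed model, not from the post)."""
    if not 0.0 <= fraction_knowing < 1.0:
        raise ValueError("fraction must be in [0, 1); 1.0 implies no finite rate")
    return 1.0 - (1.0 - fraction_knowing) ** (1.0 / network_size)


def fraction_knowing(rate, network_size):
    """Inverse of implied_rate: share of people with at least one affected contact."""
    return 1.0 - (1.0 - rate) ** network_size


def per_year(rate_per_period, periods_per_year):
    """Compound a per-period rate into a per-year rate."""
    return 1.0 - (1.0 - rate_per_period) ** periods_per_year


def effective_network_size(fraction_knowing_ref, known_rate_ref):
    """Calibration: from a reference question whose true rate is known, back out
    how many people a respondent's answers effectively cover."""
    return math.log(1.0 - fraction_knowing_ref) / math.log(1.0 - known_rate_ref)


def calibrated_rate(fraction_knowing_target, fraction_knowing_ref, known_rate_ref):
    """Rate behind a security question, using the calibrated network size
    instead of the nominal 150."""
    n_eff = effective_network_size(fraction_knowing_ref, known_rate_ref)
    return implied_rate(fraction_knowing_target, n_eff)


def order_of_magnitude(rate):
    """'1 in N' with N rounded to a power of ten, the resolution the method claims."""
    return 10 ** round(math.log10(1.0 / rate))
```

With the post's figures, implied_rate(1/6, 150) comes out a little over 0.1 percent per six months and per_year of that is about 0.24 percent, in line with the rough 0.2 percent above. If a constructed reference question (say, 30 percent of respondents knowing someone affected by something with a known 0.12 percent rate) shows that answers really cover about 300 people rather than 150, calibrated_rate halves the estimate; order_of_magnitude then reduces either figure to the "1 in 10,000 versus 1 in 100,000" resolution the zombie post claims for the method.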

Thursday, 16 June 2011

Differential Cryptanalysis of GOST

There's a new paper, "Differential Cryptanalysis of GOST," that seems to make some fairly bold claims about the Russian symmetric cipher GOST being non-secure:

In this paper we show that GOST is NOT SECURE even against differential cryptanalysis (DC), or rather advanced attacks based on sets of differentials. We will revisit the idea by Schneier and Russian researchers who once claimed that GOST is very secure against DC, maybe for as few as 7 rounds out of 32. Yet two Japanese researchers were already able to break about 13 rounds. In this paper we show a first advanced differential attack faster than brute force on full 32-round GOST. This paper is just a sketch and a proof of concept. Better differential attacks on GOST will be published soon.

But how NOT SECURE is GOST? This paper says that

Our current attack requires 2^64 KP and allows to break full 32-round GOST in time of about 2^223 GOST encryptions which is faster than brute force. This attack is just a sketch and a proof of concept. Better differential attacks on GOST with more detailed study and analysis will be published soon.

As I've mentioned before, 2^64 known GOST plaintexts takes about half the world's current storage capacity to hold, so any attack that's based on that assumption really isn't very feasible. And 2^223 GOST encryptions is the sort of work that's extremely infeasible today and always will be. It's the level of work where Landauer's principle starts to become a significant constraint, telling you that you'd need more energy than several stars will ever put out to carry out the attack. The bottom line is that I'm still led to believe that GOST is secure enough to protect most forms of sensitive information.
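To put numbers on the two claims, the factor-of-4 (2-bit) loss in the AES post above and the 2^64 plaintexts and 2^223 encryptions here, this is an added calculator of mine, not from the post or from the BKR or GOST papers. It uses the Boltzmann constant and the IAU nominal solar luminosity; the 10^18 operations per second attacker rate and the 10^10-year stellar lifetime are assumed order-of-magnitude figures, and GOST's 64-bit block is what fixes 8 bytes per plaintext.

```python
import math

BOLTZMANN_J_PER_K = 1.380649e-23   # exact SI value
SOLAR_LUMINOSITY_W = 3.828e26      # IAU nominal solar luminosity
SUN_LIFETIME_YEARS = 1e10          # assumed main-sequence lifetime, order of magnitude
SECONDS_PER_YEAR = 365.25 * 86400
ASSUMED_OPS_PER_SECOND = 1e18      # assumed, generous, attacker throughput


def years_at_rate(work_log2, ops_per_second=ASSUMED_OPS_PER_SECOND):
    """Years needed for 2**work_log2 operations at a fixed throughput."""
    return 2.0 ** work_log2 / ops_per_second / SECONDS_PER_YEAR


def speedup_from_lost_bits(bits_lost):
    """Losing b bits of effective key length divides the work by 2**b."""
    return 2.0 ** bits_lost


def landauer_joules(work_log2, temperature_k=300.0):
    """Lower bound on the energy for 2**work_log2 irreversible bit operations:
    Landauer's principle charges at least kT ln 2 per bit erased."""
    return 2.0 ** work_log2 * BOLTZMANN_J_PER_K * temperature_k * math.log(2)


def sun_lifetimes(joules):
    """Express an energy as multiples of a Sun-like star's total lifetime output."""
    return joules / (SOLAR_LUMINOSITY_W * SUN_LIFETIME_YEARS * SECONDS_PER_YEAR)


def known_plaintext_bytes(pairs_log2, block_bytes):
    """Storage for 2**pairs_log2 known-plaintext pairs (plaintext plus ciphertext)."""
    return 2 ** pairs_log2 * 2 * block_bytes


def assess(name, work_log2, data_log2=0, block_bytes=8):
    """Summarise an attack's work and data requirements."""
    joules = landauer_joules(work_log2)
    return {
        "attack": name,
        "years_at_assumed_rate": years_at_rate(work_log2),
        "landauer_joules": joules,
        "sun_lifetimes": sun_lifetimes(joules),
        "known_plaintext_bytes": known_plaintext_bytes(data_log2, block_bytes),
    }


if __name__ == "__main__":
    for summary in (assess("AES-128 brute force", 128),
                    assess("AES-126 after BKR", 126),
                    assess("GOST differential", 223, data_log2=64, block_bytes=8)):
        print(summary)
```

years_at_rate(128) is exactly four times years_at_rate(126), which is the whole effect of the BKR result, and even the smaller figure is trillions of years at 10^18 keys per second. For GOST, the Landauer bound on 2^223 operations at room temperature comes out around 4 x 10^46 joules, a few hundred lifetimes of a Sun-like star, and the 2^64 known-plaintext pairs alone occupy 2^68 bytes.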

Friday, 10 June 2011

Faster genus 2 hyperelliptic operations

It looks like Craig Costello and Kristin Lauter have found a way to implement operations on hyperelliptic curves of genus 2 that's faster than previous approaches. Here's how the abstract for their paper describes this:

We derive a new method of computing the composition step in Cantor’s algorithm for group operations on Jacobians of hyperelliptic curves. Our technique is inspired by the geometric description of the group law and applies to hyperelliptic curves of arbitrary genus. While Cantor’s general composition involves arithmetic in the polynomial ring F_q[x], the algorithm we propose solves a linear system over the base field which can be written down directly from the Mumford coordinates of the group elements. One advantage to our approach is that we get explicit formulas for composition without unrolling the loop in Cantor’s algorithm which includes steps operating on polynomials in F_q[x] such as the Chinese Remainder Theorem. We give more efficient formulas for group operations in both affine and projective coordinates for cryptographic systems based on Jacobians of genus 2 hyperelliptic curves in general form. We also examine several other consequences of using the geometric picture of Jacobian arithmetic for various genera.

I'm not convinced that there's any compelling reason to use hyperelliptic curves instead of elliptic curves, at least when it comes to implementing cryptography, but it's always interesting to see progress made in clever ways to implement operations on them.

Monday, 06 June 2011

Brown's identity-based decryption

Dan Brown recently wrote a paper that described what he calls "identity-based decryption." Here’s how he describes this in this paper’s abstract:

Identity-based decryption is an alternative to identity-based encryption, in which Alice encrypts a symmetric key for Bob under a trusted authority’s public key. Alice sends Bob the resulting ciphertext, which Bob can send to the trusted authority. The trusted authority provides Bob the symmetric key only upon verifying Bob’s identity.

I’m not quite sure that this is really a new idea. It’s very similar to what existing implementations of identity-based encryption currently let you do.

Products like Voltage's SecureMail that use IBE to encrypt email let you do the IBE either with or without client software. If you have client software installed, they work like you’d expect:

  1. Alice encrypts a message with a symmetric key
  2. Alice encrypts the symmetric key with Bob’s IBE public key
  3. Bob gets his IBE private key from a key server
  4. Bob decrypts the symmetric key with his IBE private key
  5. Bob decrypts the message with the symmetric key

But if Bob's in an environment where he can't install client software or his IT department won't let him install any client software, a slightly different approach is used. In Voltage's SecureMail, we call this the Voltage Zero Download Messenger. Here's how it works:

  1. Alice encrypts a message with a symmetric key
  2. Alice encrypts the symmetric key with Bob’s IBE public key
  3. Bob sends the encrypted message to a secure server
  4. The secure server gets Bob’s IBE private key
  5. The secure server decrypts the symmetric key with Bob’s IBE private key
  6. The secure server decrypts the message with the symmetric key
  7. The secure server sends the decrypted message to Bob

That’s extremely close to Brown’s IBD. It just does an additional step or two for Bob.

And by using IBE to do this instead of IBD, you get some important advantages. The biggest of these is probably the fact that you don't need to securely archive any private keys. This makes an IBE system much simpler to buy and operate, and that gives the technology a big advantage when it's compared to other alternatives.

So IBD looks like an interesting idea, but I doubt that it would ever get the commercial acceptance that IBE has seen. The last numbers that I saw said that there are somewhere between 40 and 50 million users of IBE worldwide, and I’d guess that most of those users use it because some CISO liked the fact that systems that use it are much cheaper to buy and operate than the alternatives.

Tuesday, 31 May 2011

Identity-Based Cryptography for Cloud Security

There's an interesting paper on the IACR's Cryptology ePrint Archive - "Identity-Based Cryptography for Cloud Security." Here's a summary of what it talks about:

Cloud computing is a style of computing in which dynamically scalable and commonly virtualized resources are provided as a service over the Internet. This paper first presents a novel Hierarchical Architecture for Cloud Computing (HACC). Then, Identity-Based Encryption (IBE) and Identity-Based Signature (IBS) for HACC are proposed. Finally, an Authentication Protocol for Cloud Computing (APCC) is presented. Performance analysis indicates that APCC is more efficient and lightweight than SSL Authentication Protocol (SAP), especially for the user side. This aligns well with the idea of cloud computing to allow the users with a platform of limited performance to outsource their computational tasks to more powerful servers.

In other words, technologies like IBE may be better suited for use in cloud computing than alternatives because they scale better and are easier to use. It's an interesting paper if you're interested in that sort of thing.

Friday, 27 May 2011

Using the cloud to determine key strengths

There's new research that estimates how much it would cost to defeat various encryption and hashing algorithms using cloud computing. There's even a web site that summarizes the main results.

The bottom line is that it's too expensive to seriously think about trying. Even a 56-bit DES key will cost at least $15,000 to crack with cloud computing. Other algorithms cost so much more that their costs are given in log10 dollars instead of dollars. Here are some examples of this. Note that these are very close to what I estimated in a previous post and described in a recent Crypto Corner column in the ISSA Journal.

  • An AES-128 key will cost about $10^26 to crack ($100 trillion trillion)
  • An RSA-1024 key will cost about $10^8 to crack ($100 million)
  • An RSA-2048 key will cost about $10^17 to crack ($100,000 trillion)

So it really looks like cloud computing does NOT cause a fundamental shift in the balance between attacker and defenders. Don't take anyone seriously who tells you otherwise. 

If you really want to recover a DES key you're much better off buying a COPACOBANA machine from SciEngines. One of these can recover a DES key in about a day, at a cost of about $150 per key, which is roughly 100 times cheaper than using the cloud computing approach, although it's probably still more than the data protected with a single DES key is worth.
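To show where figures like "$10^26" come from, here is an added example (mine, not from the paper or its web site) that calibrates a cost-per-trial rate from the $15,000 DES figure above and scales it to other symmetric key sizes. The assumption it rests on is that brute-force cost grows with the expected number of trial decryptions, 2^(bits-1); that holds for exhaustive key search but not for factoring, so the RSA figures in the post, which come from number-field-sieve estimates, are deliberately not reproduced by it:

```python
# Brute-force cost scaling for symmetric keys, calibrated from the DES figure
# in the post.  Constructed model: cost is proportional to expected trials.
import math

DES_KEY_BITS = 56
DES_CLOUD_COST_USD = 15_000.0          # cloud cost for one DES key (from the post)
COPACOBANA_COST_PER_KEY_USD = 150.0    # FPGA cluster cost per key (from the post)


def expected_trials(key_bits):
    """Expected number of keys tried before the right one turns up: half the keyspace."""
    return 2 ** (key_bits - 1)


def trials_per_dollar(reference_bits=DES_KEY_BITS, reference_cost=DES_CLOUD_COST_USD):
    """Throughput bought per dollar, derived from one known (bits, cost) point."""
    return expected_trials(reference_bits) / reference_cost


def brute_force_cost_usd(key_bits, rate=None):
    """Expected cost to exhaust a symmetric key of key_bits bits."""
    rate = trials_per_dollar() if rate is None else rate
    return expected_trials(key_bits) / rate


def log10_cost(key_bits, rate=None):
    """The 'log10 dollars' convention the post uses for the large figures."""
    return math.log10(brute_force_cost_usd(key_bits, rate))


def min_key_bits_for_budget(budget_usd, rate=None):
    """Smallest key size whose expected brute-force cost exceeds an attacker's
    budget.  Defender-side use: pick a size with margin above this value,
    since the rate only improves as hardware gets cheaper."""
    rate = trials_per_dollar() if rate is None else rate
    affordable_trials = budget_usd * rate
    return math.ceil(math.log2(affordable_trials)) + 1


def cost_ratio(cost_a, cost_b):
    """How many times cheaper option b is than option a."""
    return cost_a / cost_b


if __name__ == "__main__":
    for bits in (56, 64, 80, 128, 256):
        print("%3d-bit key: about 10^%.1f dollars" % (bits, log10_cost(bits)))
    print("COPACOBANA vs cloud for DES: %.0fx cheaper"
          % cost_ratio(DES_CLOUD_COST_USD, COPACOBANA_COST_PER_KEY_USD))
    print("Key size to defeat a $1M attacker: %d bits" % min_key_bits_for_budget(1e6))
```

Each extra key bit doubles the expected cost, so the calibration point matters only as a constant offset on the log10 scale; a tenfold drop in cloud prices moves every figure by one unit of log10, which is why the AES-128 estimate stays absurd no matter how the rate is tuned.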

Thursday, 26 May 2011

Market forces at work

I finally got around to looking at PWC's 2011 Global State of Information Security Survey. This report has lots of good information in it, but the part that I found the most interesting was the discussion of the trends in how information security budgets are justified in organizations. According to this report, here's how often the top reasons were cited:

Reason                          2007   2008   2009   2010   Three-year percent change
Legal/regulatory requirement     58%    47%    43%    43%   -26%
Client requirement               34%    31%    34%    41%   +21%
Professional judgement           45%    46%    40%    40%   -11%
Potential liability/exposure     49%    40%    37%    38%   -22%
Common industry practice         42%    37%    34%    38%   -10%
Risk reduction score             36%    31%    31%    30%   -17%
Potential revenue impact         30%    27%    26%    27%   -10%

Client requirements was the big winner, increasing by 21 percent over the past three years, while compliance was the big loser, decreasing by 26 percent over the same period.

So it looks like customers are requiring that their vendors have a certain level of security in place as a condition of getting their business, and that just checking the box on some compliance checklist is getting less important. That tells me that market forces are dealing with the problems that laws and other regulations haven't been able to deal with very well, and that's probably a good thing.

Monday, 23 May 2011

The remote timing attack against OpenSSL's ECDSA

I've been asked lots of questions about recent research that shows that it's possible to do a remote timing attack against a particular version of ECDSA that OpenSSL uses. Here's my take on this.

Here's the abstract of the paper that describes this attack:

For over two decades, timing attacks have been an active area of research within applied cryptography. These attacks exploit cryptosystem or protocol implementations that do not run in constant time. When implementing an elliptic curve cryptosystem that provides side-channel resistance, the scalar multiplication routine is a critical component. In such instances, one attractive method often suggested in the literature is Montgomery's ladder that performs a fixed sequence of curve and field operations. This paper describes a timing attack vulnerability in OpenSSL's ladder implementation for curves over binary fields. We use this vulnerability to steal the private key of a TLS server where the server authenticates with ECDSA signatures. Using the timing of the exchanged messages, the messages themselves, and the signatures, we mount a lattice attack that recovers the private key. Finally, we describe and implement an effective countermeasure.

If we look more closely at the paper, here's what we find:

  • This IS very clever work. It's stuff that I wish that I could have thought of first.
  • This IS an attack against a particular implementation of ECDSA.
  • This is NOT an attack against all implementations of TLS.
  • This is NOT an attack against all implementations of ECC.
  • This is NOT an attack against all implementations of ECDSA.

So does it make sense to panic and ban all uses of TLS/ECDSA/ECC?

Absolutely not.

There might not even be anyone who this attack actually affects. For this to affect you, you need to be using ECDSA in OpenSSL's TLS, and you need to be using it over a binary field. That's probably fairly rare. The version of ECDSA that's specified in the NSA's Suite B cryptography only uses prime fields (curves P-256 and P-384), for example. But if it applies to you, you might want to switch to a different signing algorithm before you're exploited.  
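To make the "particular implementation" point concrete, here is an added toy model (my code, not OpenSSL's and not from the paper) of the control-flow leak involved: a Montgomery ladder that starts at the scalar's highest set bit runs a number of iterations that depends on the secret nonce, so a nonce with leading zero bits finishes sooner. The elliptic-curve group is replaced by the additive group of integers modulo a prime order, which keeps the ladder's control flow identical while making the arithmetic trivial; the padding countermeasure, which adds the group order so every scalar has the same bit length, is one standard fix and is labelled as such in the code:

```python
# Toy model of a scalar-length timing leak in a Montgomery ladder, plus the
# scalar-padding countermeasure.  Constructed example: the "curve" is the
# additive group of integers mod n, so k*P is just (k * P) % n.

# Order of NIST P-256, used only to give the scalars a realistic size.
ORDER_N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551


def group_add(a, b, n=ORDER_N):
    """Stand-in for point addition; point doubling is group_add(a, a)."""
    return (a + b) % n


def ladder_variable_length(k, P, n=ORDER_N):
    """Montgomery ladder that begins at the scalar's top set bit.
    Returns (k*P, iterations).  iterations == k.bit_length() - 1, so the
    running time reveals how many leading zero bits the secret scalar has.
    That is the leak class the paper turns into a key recovery."""
    R0, R1 = P, group_add(P, P, n)            # invariant: R1 == R0 + P
    iterations = 0
    for i in range(k.bit_length() - 2, -1, -1):
        if (k >> i) & 1:
            R0, R1 = group_add(R0, R1, n), group_add(R1, R1, n)
        else:
            R0, R1 = group_add(R0, R0, n), group_add(R0, R1, n)
        iterations += 1
    return R0, iterations


def pad_scalar(k, n=ORDER_N):
    """Countermeasure (a standard one, stated here as an assumption rather
    than as the paper's exact patch): add the group order once or twice so
    every scalar has bit length n.bit_length() + 1.  Since k + n acts the
    same as k in the group, the result is unchanged, but the ladder now runs
    a fixed number of iterations regardless of k."""
    k_padded = k + n
    if k_padded.bit_length() == n.bit_length():
        k_padded += n
    return k_padded


def ladder_fixed_length(k, P, n=ORDER_N):
    """Same ladder, driven by the padded scalar."""
    return ladder_variable_length(pad_scalar(k, n), P, n)


def iteration_counts(scalar_mult, scalars, P=7, n=ORDER_N):
    """Set of iteration counts observed over many scalars.  A secret-
    independent implementation yields exactly one value; this is the kind
    of check a reviewer can run without any timing equipment."""
    return {scalar_mult(k, P, n)[1] for k in scalars}


# Constructed sample nonces with 256, 250, 200, 3 and 1 significant bits.
SAMPLE_SCALARS = [ORDER_N - 12345, 2 ** 249 + 99, 2 ** 199 + 3, 5, 1]

if __name__ == "__main__":
    print("variable-length ladder iteration counts:",
          sorted(iteration_counts(ladder_variable_length, SAMPLE_SCALARS)))
    print("padded ladder iteration counts:",
          sorted(iteration_counts(ladder_fixed_length, SAMPLE_SCALARS)))
```

The iteration-count check is the useful takeaway for anyone reviewing their own scalar multiplication code: count loop trips over a spread of scalars, and if the set has more than one element the routine is not constant-time in the scalar, whatever the field type.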

Tuesday, 17 May 2011

More pairings from elliptic nets

There's an interesting paper on the IACR's eprint preprint server about how to use elliptic nets to calculate some types of pairings: the ate, optimal, etc. I'm not sure how useful this direction will end up being, but it looks like a possible alternative to continued optimizations of pairing calculations based on Miller's algorithm.  

Tuesday, 01 February 2011

Don't call it a phone anymore

According to a recent study by Nielsen, texting is actually the main reason that teens, who send an average of 3,339 text messages per month, get a cell phone, with 78 percent of them saying that texting is easier and faster than making a voice call. That's also much higher than the estimate of about 1,500 texts per month from April of last year.

It seems like we're really at the point where we should stop calling phones "phones" and find a better name for them. Or maybe knowing why they're called that will be the sort of trivia that will win you a free beer in not too many years.

(Or, if you really like extrapolating from a few data points, you could use those two studies to estimate that by the year 2015 or so the cost of health care will be dramatically higher than it is today because we'll be texting 24 hours per day and never getting a chance to sleep.)

Monday, 31 January 2011

The future of quantum computing?

If it ever becomes practical, quantum computing could significantly affect what type of encryption algorithms are used in the future. So how soon can we expect to see practical quantum computers?

I'm not convinced that we'll ever see quantum computers that do calculations with a significant number of qubits, but quantum computing is currently an active area of research and the Advanced Research and Development Activity (which first changed its name to the Disruptive Technology Office before it became part of the Intelligence Advanced Research Projects Activity) actually made a technology roadmap for quantum computing that shows the US government's R&D goals for quantum computing through 2012.

You can get this roadmap and other related information here if you're curious about what they want to achieve.  
