Crypto Elite Down on Blockchain’s Security Applications, Call for Hardware Bug-Disclosure Improvements
SAN FRANCISCO—The Cryptographers’ Panel at RSA Conference is an annual table-setter for the security field where the industry’s elders and the best of the next generation make an informal declaration about what’s going to matter for the next 12 months.
In a rapid-fire hourlong panel on Tuesday, Ron Rivest, Adi Shamir (the R and S of the RSA encryption algorithm), Whitfield Diffie (a co-inventor of public-key cryptography), Paul Kocher (an architect of SSL 3.0) and Moxie Marlinspike (Signal protocol author) put together a fairly definitive agenda that included a takedown of blockchain’s security applications, the need for improved hardware vulnerability disclosure processes, and why performance is no longer an acceptable metric for security solutions.
Blockchain was first on the chopping block, drawing particular ire around any suggestions that it could help secure the integrity of elections.
“It’s often seen as security pixie dust,” said Rivest, a pioneering cryptographer and Institute professor at MIT. Rivest conceded that its decentralized nature, open and public access and immutability are interesting properties, but that it “fails miserably” in terms of scalability and especially as it may be applied to voting.
“As you cast your ballot, voters need the ability to know their vote was recorded properly,” Rivest said. “Blockchain won’t work. It doesn’t matter if it’s immutable, if it’s wrong. Blockchain has limited security properties that may not fit what we need.”
Marlinspike, founder of Open Whisper Systems, said blockchain reminds him of the craze around peer-to-peer in the last decade.
“There’s a lot of enthusiasm and ideas, but not a lot of sound engineering principles behind it,” he said, adding that there are not many applications where a distributed nature has much value.
Kocher, formerly of Cryptography Research Inc., was among the researchers involved in the discovery and private disclosure of the Spectre vulnerability affecting primarily Intel processors. Spectre and the companion Meltdown bug leaked memory from the processors that could be advantageous to an attacker.
Kocher said on Tuesday that the embargo process for hardware vulnerabilities was one of the many challenges that derailed the Spectre and Meltdown disclosures. Details about both bugs were partially leaked to the media before all the issues were patched, and since the initial round of patches, additional fixes have been released further muddying the waters.
“The embargo process for hardware bugs is something we do not know how to do,” Kocher said. “With software, the idea is to wait a few months to disclose after telling the party who can fix it. But who can fix a problem in ARM where the design goes from ARM to chip makers to device makers. Who should know about vulnerabilities in Intel processors (Intel? Cloud companies? Customers?). I have a lot of emails from people who were unhappy we did not tell them (in advance).”
Kocher said numerous media leaks forced a panicked end to the planned disclosure date in January.
“You don’t want to be in a position where attackers have enough information to mount attacks and defenders not knowing what to do,” Kocher said. “As more vulnerabilities come out, we need a road map of what to do.”
Shamir, meanwhile, said that the multitude of patches caused him more angst than a failed disclosure process.
“I’m worried we get to the point where millions of microprocessors are bricked and that becomes irreversible,” Shamir said. “With software, we can reinstall and things will be OK. But if you play with the microcode in a microprocessor, there is the real possibility this could be a huge disaster.”
Michael Mimoso brings over a decade of experience in IT security news reporting to Flashpoint. As Editorial Director, he collaborates with marketing, analyst, and leadership teams to share the company’s story. Prior to Flashpoint, Mike was as an Editor of Threatpost, where he covered security issues and cybercrime affecting businesses and end-users.
Prior to joining Threatpost, Mike was Editorial Director of the Security Media Group at TechTarget and Editor of Information Security magazine where he won several ASBPE national and regional writing awards. In addition, Information Security was a two-time finalist for national magazine of the year. He has been writing for business-to-business IT publications for 11 years, with a primary focus on information security.
Earlier in his career, Mike was an editor and reporter at several Boston-area newspapers. He holds a bachelor’s degree from Stonehill College in North Easton, Massachusetts.