In Search of Computer Security
The New York Times, January 2, 1996, p. C15.
Special section "Business World Outlook '96."
By John Markoff
Computer security is making a transition from the
university and the research laboratory to the real world.
So far it is proving to be a rocky evolution.
Last year, a series of embarrassing gaffes and shortcomings
undermined the faith of potential computer users in the
certainty that their data are secure. The flaws have led to
a growing realization that computer security systems are
largely untested and that in complex environments like the
Internet, they do not always respond the way their creators
had intended.
Paul C. Kocher, a computer security expert who discovered
one potential flaw, said, "Many of the security systems
that I am examining are good enough to keep out casual
snoopers, but they're failing catastrophically when it
comes to protecting data against determined attacks."
The problems are emerging as the computer industry
increasingly relies upon an arcane mathematical discipline
that is intended to hide the secrets embedded in digital
information behind a veil of imposing math problems.
Cryptography, the science of writing secrets, was for
centuries largely the province of kings, soldiers and
spies. But that has changed in the 1990's as the world has
rushed to use personal computers and computer networks as
the basis for electronic commerce, communication and
entertainment.
Data scrambling has become the key to a vision that it will
be possible to have private electronic conversations and
secure financial transactions.
In principle, data coding protects information by
scrambling it to keep it out of the reach of everybody but
those with a supercomputer and tens or even hundreds of
years to crunch the data.
But computer researchers have begun discovering flaws,
sometimes subtle and sometimes glaring, that can help
criminals take devious shortcuts to obtain the mathematical
keys used to scramble the data.
In August, a French computer hacker proved that it was
possible to use a network of work stations to quickly find
the secret key created by a coding system developed by the
Netscape Communications Corporation, the leading developer
of World Wide Web software.
The feat cast doubts on the security of a system whose
security had been scaled back to meet stringent United
States Government export controls.
The following month, two computer science graduate students
at the University of California at Berkeley reported a flaw
in the Netscape that would permit a technically skilled
attacker to steal data by circumventing the complex
calculations needed to break the code.
In October, a team of Berkeley researchers, including the
two computer science students, detailed security weaknesses
in the fundamental software of the Internet that make it
difficult to protect data that is sent between computers.
And last month, Mr. Kocher explained a potential flaw in a
widely used data coding approach known as public-key
cryptography.
The flaw could allow eavesdroppers to infer a secret key
used to protect data in Internet security software,
electronic payment smart cards and related systems by
carefully timing how long it takes to compute the secret
key.
Mr. Kocher said that while he believed that trusted
electronic security systems would ultimately emerge, there
should be no urgency to rush their deployment.
Banks have spent several hundred years perfecting systems
for protecting money, he noted, but they have far less
experience with the new computerized systems designed to
protect information that represents money.
One of the pioneers in the mathematics underlying most
public key systems agrees that prudence is required in
developing digital commerce.
"Paul's discovery is one more piece of evidence that
designing security mechanisms is tricky," said Whitfield
Diffie, a Sun Microsystems researcher who was one of the
co-inventors of the original public key technology.
"Given the trust that we will be placing in systems for
electronic commerce," he continued, "we should be putting
all the effort we can into getting them right."
[End]
----------
[Box] 1996 Will Be the Year When:
"Congress will pass a law restricting public comment on the
Internet to individuals who have spent a minimum of one
hour actually accomplishing a specific task while on line."
Andrew Grove, Intel Corp. CEO