Funding, carelessness, hurdles to secure networks: Dr Whitfield Diffie

Cryptographic pioneer Dr. Whitfield Diffie spoke at SecurityByte 2011 in Bengaluru, where SearchSecurity caught up with him. Here’s what he had to say.

Considered to be the father of public key encryption, Dr. Whitfield Diffie’s work in cryptography underlies the security of Internet commerce and modern secure communications systems. He published the Diffie-Hellman paper on cryptography in 1976, ushering in a revolution in a field that was previously the preserve of government agencies. We caught up with him at the SecurityByte 2011 conference held in Bengaluru, where he shared ideas and opinions from a lifetime in information security, public policy and cryptography.

To begin with, says Diffie, the security of information has always been seen as a cost, and this might very well be the biggest problem in the way security is approached today. Securing an IT resource is treated as a cost, whereas to an attacker the resources invested are a potential source of profit. “As long as security is seen as a cost center,” argues Diffie, “this funding disparity does not augur well for the development of secure networks.”

He believes that as things stand, defenders will constantly be outmaneuvered and outclassed by better funded, better supported and more determined adversaries. However, Diffie is optimistic about the current situation, since in his opinion the majority of break-ins are the result of carelessness. It is therefore possible in principle to push people to be careful, he reasons. “We have come a long way from the era of the radio, where everything was human-mediated, to the era of the interactive today. Thus the attendant problems are different in nature,” says Diffie.

Looking back at the history of information security over the last 100 years, Diffie says that the shift from shared computing to network computing (or client-server computing) was probably a watershed for information security. “It is network computing that rescued us from the security problems of time sharing in the 1960s,” he says.

The dominant problem now is ubiquitous availability and the fact that everything is automated. Diffie affirms that we are already at a stage in the history of computing where human intervention is sporadic and intermittent rather than a constant aspect.

Given that significant parts of our business and society are conducted over the Internet, Diffie foresees major changes in the way things are done. The first of these changes has been the paradigm of cloud computing. Diffie firmly believes this is the future of computing, as there is always going to be someone else who can compute more cheaply and viably than us. Diffie believes that we are on the cusp of another era in computing and that the commercial potential behind this idea is going to drive its success.

However, Diffie maintains that there is an intrinsic security problem built into cloud computing. “If you hand your data to someone to compute, it’s a little hard to keep them from knowing what you are computing,” he says. While there is hope on this front in the form of fully homomorphic encryption, its operational efficiency is very low. It remains unclear if the approach will ever become competitive.
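To make the point concrete, here is an added example (not part of the interview, and not Diffie’s own code) of the simpler, additively homomorphic Paillier scheme rather than fully homomorphic encryption: a “cloud” function adds up encrypted salaries without ever seeing a salary, and the key holder decrypts only the total. The primes, the salary figures and the function names are constructed for the demonstration; the primes are far too small for real use, and the scheme supports only addition and scaling by a known constant, which is exactly where the efficiency gap Diffie describes begins, since arbitrary computation on ciphertexts costs far more.

```python
"""Toy Paillier cryptosystem: compute a sum on data the computing party cannot read.

Added illustration, not code from the original article. Parameters are
constructed for the demo and are NOT secure sizes.
"""
import math
import secrets

# Demo-only primes (two Mersenne primes, constructed for illustration).
P = 2**127 - 1
Q = 2**89 - 1


def keygen(p=P, q=Q):
    """Return (public, private) Paillier keys for primes p and q."""
    n = p * q
    lam = math.lcm(p - 1, q - 1)          # Carmichael's lambda(n)
    g = n + 1                             # standard generator choice
    mu = pow(lam, -1, n)                  # modular inverse of lambda mod n
    return (n, g), (lam, mu)


def encrypt(pub, m):
    """Randomised encryption: c = g^m * r^n mod n^2."""
    n, g = pub
    if not 0 <= m < n:
        raise ValueError("plaintext out of range")
    n2 = n * n
    while True:
        r = secrets.randbelow(n)
        if r > 0 and math.gcd(r, n) == 1:
            break
    return (pow(g, m, n2) * pow(r, n, n2)) % n2


def decrypt(pub, priv, c):
    """Recover m from c using L(x) = (x - 1) / n."""
    n, _ = pub
    lam, mu = priv
    x = pow(c, lam, n * n)
    return (((x - 1) // n) * mu) % n


def add_encrypted(pub, c1, c2):
    """Enc(m1) * Enc(m2) mod n^2 is an encryption of m1 + m2."""
    n, _ = pub
    return (c1 * c2) % (n * n)


def scale_encrypted(pub, c, k):
    """Enc(m)^k mod n^2 is an encryption of k * m (k is a public constant)."""
    n, _ = pub
    return pow(c, k, n * n)


def cloud_payroll_total(pub, ciphertexts):
    """The untrusted party's job: it holds only pub and ciphertexts.

    It returns an encryption of the sum without learning any addend.
    Starting from a fresh Enc(0) re-randomises the result.
    """
    total = encrypt(pub, 0)
    for c in ciphertexts:
        total = add_encrypted(pub, total, c)
    return total


def demo():
    """Constructed salaries: the key holder learns only the decrypted total."""
    pub, priv = keygen()
    salaries = [52000, 61000, 48500]          # constructed sample data
    ciphertexts = [encrypt(pub, s) for s in salaries]
    enc_total = cloud_payroll_total(pub, ciphertexts)
    return decrypt(pub, priv, enc_total)      # 161500


if __name__ == "__main__":
    print("decrypted payroll total:", demo())
```

Each 17-bit salary becomes a ciphertext the size of n², roughly 432 bits here and several kilobits at real-world key sizes, and the server can only add or scale. Supporting multiplication of two ciphertexts, let alone arbitrary programs, is what fully homomorphic schemes add, at the orders-of-magnitude cost the interview alludes to.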

Speaking about building strong authentication into the Internet from the beginning, he says that a secure system simply cannot perform the function that the Internet does, because its inherent lack of authentication is the major facilitator of free communication. Diffie states, “It is not meaningful to secure the Internet itself, and ever expect that there will be forces whose activities will not be regarded as unlawful. In fact if that were achieved, it would squash the incredible engine of cultural development and intellectual and commercial progress that is the Internet.”

On the subject of the recent privacy stipulations under the IT (A) Act in India, Diffie says his opinion may be irrelevant in India, in view of the cultural differences. That said, he opines that it is generally the view of governments that rights are something governments grant or bestow upon citizens. Diffie believes that any such view needs to be opposed, because if governments are allowed to dictate the terms of our privacy, computer technology might end up going the same way as drug technology. Citing global examples, Diffie explains that bringing an FDA-like approval process to new communications software may sound the death knell for innovative technologies such as Skype, if compliance and regulation become an overriding issue.