Cryptography's future

Dr. Burt Kaliski is chair of the office of the CTO and vice president of research at RSA Security, the security division of EMC. He is also chief scientist of its research center, RSA Laboratories. He joined RSA Data Security in 1989 and helped launch RSA Laboratories as an academic environment within RSA Data Security in 1991. Through the years he has been involved extensively in the development of cryptographic standards. He sat down with Senior News Writer Bill Brenner before moderating the popular cryptographers' panel at last year's RSA.

You're planning to give a presentation on Symmetric Key Infrastructures (SKI) and how it will likely play an even...

more important role in IT security than Public Key Infrastructures (PKI) in the years ahead. Talk about the differences between PKI and SKI and why SKI may grow in importance going forward. Both PKIs and SKIs are concerned with full lifecycle management for cryptographic keys: creation and distribution, archive and recovery, revocation and deletion. In SKIs, the keys must be kept secret. A key needs to be available either to a single principal or a small group of principals who share the key. Public keys in PKIs, of course, can be made public and available to everyone. Private keys in PKIs, on the other hand, must be kept secret. A private key generally needs to be available only to a single principal, and is not shared.

Most of the application of cryptography to date has been for data "on the fly"--over networks or via email. Here, the encryption and decryption typically happen when the data is sent or received, or the message is sent or opened. The keys are identified and already available to the principals involved in the process. The data is typically encrypted with a symmetric key, where the symmetric key is conveyed using public-key techniques. However, the symmetric key itself does not need to be managed explicitly. The only long-term secret that needs to be managed is usually a PKI private key, and it generally needs to be available only to a single principal.

The renaissance of SKIs is due to the emerging emphasis on applying cryptography to data "at rest"--in a database or on a disk or tape. Here, the decryption might happen a long time after the encryption, and by a principal not involved when the data was originally encrypted. The symmetric key in this case typically does have to be managed explicitly. Furthermore, the key may need to be available to more than one principal. Managing these keys thus requires a richer and more complex infrastructure than for PKI private keys. What are some concrete aspects of SKI that could help IT professionals secure their companies against today's threats? How could the features make the business of security easier on them?

If data compromise is the threat, encryption is a countermeasure -- but it's only effective if the decryption keys are available when needed to the parties that need them, and available only to them and no one else. In this sense, decryption keys are another information asset that IT professionals need to manage. SKIs can help IT professionals manage them more easily and effectively. Your company's management and your customers may be telling you, "Encrypt the data." It's a lot easier to do so if you have an infrastructure for managing the keys. What do you expect to be some of the highlights at the RSA show in terms of speakers and topics?

As usual, I'm expecting the show to be an informative event that gives motivation for the year ahead. Innovation has always been an underlying theme for the conference, but the 2007 event is bringing it to the forefront with a lineup of keynote speakers. In addition to senior executives from major IT companies, Gen. Colin Powell, Ray Kurzweil and IDEO's Tom Kelley will be presenting their expert perspectives on innovation in today's world. Additionally, the RSA Conference has added an entire track on consumer protection to address the increasing need for the information security industry to approach applications from the consumer's standpoint. I'll be moderating the cryptographers' panel once again. Finally, for the more technically oriented, we continue the cryptographers' track, an academic research workshop within the conference, chaired by Masayuki Abe of NTT.

Dig Deeper on Data encryption techniques

Join the conversation


Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.

As I see it, the real challenge in keeping cryptography a viable practice for protecting enterprise data is the management of keys. With humans in the mix, there is always going to be a concern that keys are compromise, data is breached and systems are attacked. In fact, as I said in another discussion recently, the only way to protect your data is to not use any data or be connected to the Web.

Since that's unrealistic, the best approach is a series of checks and balances to ensure keys aren't stolen, shared or widely available. And that your codes/passwords/cryptography measures are implemented in the best way.

It's an ongoing process and will remain so.
Keeping the keys safe is my main concern. This sounds like how "Ransom" ware came about. Someone set or changes keys and you you out of your own data. Scary thought.