Notes on Crypto '95 invited talks by R. Morris and A. Shamir

by Jim Gillogly and Paul Syverson

Crypto '95 attendance continued its upward trend this year, with over 300 participants. Proceedings covering the regular sessions are available from Springer-Verlag (see the IACR home page, or go via the Interesting Links section on Cipher's Web page), but we include notes on invited talks by Robert Morris, reported by Jim Gillogly, and Adi Shamir, reported by Paul Syverson. Bob Morris has reviewed Jim's summary, but, as Paul notes, Adi Shamir has NOT had the opportunity to review Paul's summary.

Notes on "Non-cryptographic Ways of Losing Information" a talk by Robert Morris

reported by Jim Gillogly

Bob Morris (recently retired from NSA) gave a fascinating invited lecture entitled "Non-cryptographic Ways of Losing Information". I hope he writes it up; until then, here are my notes from his presentation.

Two things he said which I found new and fascinating:

Morris emphasized and said we should write down these dicta:

The real start of modern cryptology should be dated to the Enigma machines, which typified the new character of the art. Much has been made of the errors of the German cipher clerks, but egregious as they were, the errors made by the British cryptographers were vastly worse, and the American blunders were worse yet. German analysts regularly read and used Atlantic convoy orders throughout the war -- they were transmitted in an old code.

One must always assume that the enemy has a copy of the machine/algorithm. A system that relies on keeping the algorithm secret is eventually doomed to failure, because it will always be discovered by some means or other.

He sees microphones and antennas everywhere: the telephone line cord is an antenna; if telephone linemen were working on a pole outside his house he'd call the police and then find out what they were working on. In an unspecified country he called Lower Slobbovia (Al Capp, isn't it?) American troops used encrypted radiophones; when they broke they were taken to local repair shops to be fixed. When they got home the US engineers were interested to see the modifications that had been made. He mentioned a few similar instances, including the lovely carved wooden seal given to the US Embassy in Moscow to decorate the Ambassador's residence. [A replica is now on view at the National Cryptologic Museum with the transmitter cavity visible.] Cordless phones have a range of 5 miles or so. Use of cellular phones is increasing dramatically, as well as fax and modems.

He discussed the Walker/Whitworth spying case, and said one of his design criteria is to design systems with Walker in them: it's not good enough to have a system where everyone must be trusted, but it must also be made robust against insiders. This may include going to non-paper systems, so that there are no paper keys that the Walkers of the world can shop to the other side.

Threats and risks include: overconfidence, carelessness, eavesdropping and tapping, theft of floppies and other materials, purchase, theft of key material, burglary and blackmail. Much or most loss is due to insiders.

In the future there will be more radio used for ordinary communications. Americans are unwilling to pay for secure telephones, but that's not the case in Europe.

Notes on "Cryptography -- Myths and Realities", a talk by Adi Shamir

Reported by Paul Syverson
[Note: I produced this writeup from memory without the benefit of notes, and Shamir has not had the opportunity to review it. So, caveat lector! -Paul Syverson]

The IACR Distinguished Lecture, "Cryptography -- Myths and Realities", was given by Adi Shamir. The lecture was both entertaining and informative, tracing the early history of events surrounding the development of the RSA algorithm and giving practical advice for computer security today.

One of the first myths dispelled was that one has to be a longstanding expert on algorithms to come up with a good one. Shamir's first contact with Ron Rivest was in a letter suggesting they discuss the advanced algorithms course that the two would teach together when Shamir was visiting at MIT. Actually this letter, sent just weeks before the beginning of the spring term, was the first he knew of his assignment. And, at that point he had no background in algorithms! He also documented the laborious uphill struggle that the cryptographer faces as the cryptanalyst relentlessly swoops down on his work; apparently early proposals for what would become RSA were worked out on ski trips in Vermont that winter and spring. On the ride up someone would propose a scheme which would then be broken during the next run down the mountain. The final version actually came to Ron Rivest on another occasion as he lay delirious and sick on his couch at home. Another myth he refuted was that NSA is some vicious three-headed monster. He agreed that it has three heads but said that, contrary to popular belief, his dealings with NSA had always been quite reasonable if sometimes a bit unclear.

After the history lesson, Shamir concluded his talk with lessons for commercial security today, which he called the

10 Commandments of Commercial Security

1. Don't aim for perfect security
So, be realistic, and do the best you can within your limits. Roughly, you should double security expenditure to halve risk.
2. Don't solve the wrong problem
For example, note that US banks lose 10 billion dollars a year in check fraud but only 5 million in online fraud.
3. Don't sell security bottom-up
(in terms of the personnel hierarchy).
4. Don't use cryptographic overkill
Even bad crypto is usually the strong part of the system.
5. Don't make it complicated
This yields more places to attack the system, and it encourages users to find ways to bypass security.
6. Don't make it expensive.
7. Don't use a single line of defense
Have several layers so security can be maintained without expensive replacement of the primary line.
8. Don't forget the "mystery attack"
Be able to regenerate security even when you have no idea what's going wrong. For example, smart cards are attackable but are great for quick cheap recovery.
9. Don't trust systems.
10. Don't trust people.