Notes on Crypto '95 invited talks by R. Morris and A. Shamir

Crypto '95 attendance continued its upward trend this year, with over 300 participants. Proceedings are available from Springer-Verlag (see the IACR home page (http://www.swcp.com/~iacr/) or via the Interesting Links section on Cipher's Web page) that cover the regular sessions, but we include notes on invited talks by Robert Morris, reported by Jim Gillogly, and Adi Shamir, reported by Paul Syverson. Bob Morris has reviewed Jim's summary, but, as Paul notes, Adi Shamir, has NOT have the opportunity to review Paul's summary.]

Notes on "Non-cryptographic Ways of Losing Information" a talk by Robert Morris

Bob Morris (recently retired from NSA) gave a fascinating invited lecture entitled "Non-cryptographic Ways of Losing Information". I hope he writes it up; until then, here are my notes from his presentation.

Two things he said which I found new and fascinating:

• During the early 1950's many major powers were discouraged by the tendency of then-modern crypto machines to fail in a way that would send plaintext instead of ciphertext, and they went to one time pads for most of their high-level enciphered traffic. Because of key re-use, we were regularly and routinely reading pieces of that traffic. This included many systems from various countries. (I wonder if he meant to include VENONA among these systems?) Sometimes the people who prepared OTP's would double their profit by selling them to more than one customer.
• By the middle to late 1960's cryptanalysis became less cost effective than obtaining the information by other means -- wiretaps and so on.

Morris emphasized and said we should write down these dicta:

• Never underestimate the attention, risk, money and time that an opponent will put into reading traffic.
• Rule 1 of cryptanalysis: check for plaintext.

The real start of modern cryptology should be dated to the Enigma machines, which typified the new character of the art. Much has been made of the errors of the German cipher clerks, but egregious as they were, the errors made by the British cryptographers were vastly worse, and the American blunders were worse yet. German analysts regularly read and used Atlantic convoy orders throughout the war -- they were transmitted in an old code.

One must always assume that the enemy has a copy of the machine/algorithm. A system that relies on keeping the algorithm secret is eventually doomed to failure, because it will always be discovered by some means or other.

He sees microphones and antennas everywhere: the telephone line cord is an antenna; if telephone linemen were working on a pole outside his house he'd call the police an then find out what they were working on. In an unspecified country he called Lower Slobbovia (Al Capp, isn't it?) American troops used encrypted radiophones; when they broke they were taken to local repair shops to be fixed. When they got home the US engineers were interested to see the modifications that had been made. He mentioned a few similar instances, including the lovely carved wooden seal given to the US Embassy in Moscow to decorate the Ambassador's residence. [A replica is now on view at the National Cryptologic Museum with the transmitter cavity visible.] Cordless phones have a range of 5 miles or so. Use of cellular phones is increasing dramatically, as well as fax and modems.

He discussed the Walker/Whitworth spying case, and said one of his design criteria is to design systems with Walker in them: it's not good enough to have a system where everyone must be trusted, but it must also be made robust against insiders. This may include going to non-paper systems, so that there are no paper keys that the Walkers of the world can shop to the other side.

Threats and risks include: overconfidence, carelessness, eavesdropping and tapping, theft of floppies and other materials, purchase, theft of key material, burglary and blackmail. Much or most loss is due to insiders.

In the future there will be more radio used for ordinary communications. Americans are unwilling to pay for secure telephones, but that's not the case in Europe.

Notes on "Cryptography -- Myths and Realities", a talk by Adi Shamir

The IACR Distinguished Lecture, ``Cryptography---Myths and Realities'' was given by Adi Shamir. The lecture was both entertaining and informative, tracing the early history of events surrounding the development of the RSA algorithm and giving practical advice for computer security today.

One of the first myths dispelled was that one has to be a longstanding expert on algorithms to come up with a good one. Shamir's first contact with Ron Rivest was in a letter suggesting they discuss the advanced algorithms course that the two would teach together when Shamir was visiting at MIT. Actually this letter, sent just weeks before the beginning of the spring term, was the first he knew of his assignment. And, at that point he had no background in algorithms! He also documented the laborious uphill struggle that the cryptographer faces as the cryptanalyst relentlessly swoops down on his work; apparently early proposals for what would become RSA were worked out on ski trips in Vermont that winter and spring. On the ride up someone would propose a scheme which would then be broken during the next run down the mountain. The final version actually came to Ron Rivest on another occasion as he lay delirious and sick on his couch at home. Another myth he refuted was that NSA is some vicious three headed monster. He agreed that it has three heads but said that, contrary to popular belief, his dealings with NSA had always been quite reasonable if sometimes a bit unclear.

After the history lesson, Shamir concluded his talk with lessons for commercial security today, which he called the

10 Commandments of Commercial Security