Dr. Ari Juels

Dr. Ari Juels is Chief Scientist and Director of RSA Laboratories, where he works to bring sparks of invention and insight from RSA's scientists and affiliates to the company as a whole. He joined RSA in 1996. Ari's dozens of research publications span a range of topics, including biometric security, RFID security and privacy, electronic voting, browser security, combinatorial optimization, and denial-of-service protection. Ari has served as the program chair or co-chair for a number of conferences and workshops, including Financial Cryptography in 2004, the DIMACS Workshop on Electronic Voting in 2004, the Industry Track of the ACM Conference on Computer and Communications Security in 2005, the ACM Workshop on Wireless Security (WiSe) in 2006, the IEEE International Workshop on Pervasive Computing Security (PerSec) in 2006, and the Security, Privacy, and Ethics track of WWW2006. He has been a frequent invited speaker at industry events, such as USENIX Security 2004 and CHES 2006. In 2004, MIT's Technology Review Magazine named Dr. Juels one of the world's top 100 technology innovators under the age of 35. Ari received his B.A. in Latin Literature and Mathematics from Amherst College in 1991 and his Ph.D. in Computer Science from U.C. Berkeley in 1996.

RSA-768 Factored

Last Thursday, a six-institution team of scientists (Kleinjung et al.) announced the successful factorization of RSA-768. RSA-768 is a 768-bit (232 decimal-digit) RSA public key created in 2001 by RSA Laboratories as a cryptanalytic challenge number. The fall of RSA-768 is a landmark result, but no surprise. It reflects a consistent pace of growth in computing power, and continuing scientific interest in the problem of factoring, not an algorithmic breakthrough.

Tetraktys: A Cryptographic Thriller Novel

My cryptographic thriller novel Tetraktys is slated for official release in July. My publisher is launching it this week, however, in a pre-release event at the RSA Conference.

The Latest from RSA Labs: The Keys to RFID Privacy

Data-security vendors sometimes get tall orders from customers. Not unheard of are: "I’d like a good digital signature system… with 20-bit keys" and "I want to use one-time pads for encryption… and I need to compress them." But one of the most challenging I’ve heard was recently offered up by colleagues in the RFID (Radio-Frequency IDentification) industry.

Password Expiration: Like Margarine and Water?

We often swallow ideas that we needn’t or shouldn’t. Take the onetime urging of nutritionists to substitute margarine for butter in the cause of cardiovascular health. When this advice was first circulating, most margarines contained high quantities of trans fats, concoctions that have turned out to be so harmful – to the heart, among other things – that they are now banned in restaurants in NYC. Similar dogma applies to the advice to drink eight eight-ounce glasses of water a day for overall good health. Everyone knows the advice. But no one seems to know where the 8×8 rule comes from or if it is good or bad.

So what pieces of conventional wisdom in computer security are like margarine and the 8×8 water doctrine? I’d hold forth password expiration as a prime candidate.

Is it safer to fly or drive? (and why you can't do one without the other)

Kevin Bowers is a Research Scientist at RSA Laboratories. Here are his views on the controversy surrounding REAL ID. What do you think?

Borderline Security

The U.S. Passport card or PASS (People Access Security Service) card, a new travel document, is slated for issue by the federal government in the spring of this year. A poor cousin to the standard passport, it’s more compact and less expensive, but valid only at land and sea points of border entry into the United States, not for air travel. The PASS card emerged as part of the Western Hemisphere Travel Initiative (WHTI), which phases out drivers’ licenses as border-crossing documents for the U.S.


I’ve heard two starkly contrasting opinions on the security of the PASS card…

Fish, Subprime Mortgages, and Data Storage

In his Histories, Herodotus tells the story of Polykrates, overlord of the island of Samos. The king of Egypt counseled Polykrates to throw away some possession of great value, lest a surplus of good fortune bring him tragedy. Heeding this advice, Polykrates pitched his most prized possession, an emerald ring, into the sea. Several days later, a fisherman brought Polykrates a fish as tribute. When the fish was cut open, it was discovered to contain the fatal ring. (Polykrates was, of course, brutally murdered soon afterward.)

Herodotus’s story (and book) was crafted as a parable about hubris. It is also a good parable about banking–and more generally about risk

Phish and Foul

“Phishing,” as you probably know, is a form of online con game. Users are lured by e-mail messages to legitimate-seeming but criminal sites–typically falsified versions of their real banking sites–and encouraged to enter password information. Having harvested this information, the operators of the criminal sites use it to break into victims’ accounts. (As the term suggests, most “phishing” e-mail goes wide of the mark, arriving as spam unconnected with the recipient’s bank. A phishing expedition, though, can be profitable with only a few successes.)

The remedies offered by the security community are numerous. Most prevalent are various types of red flags…

The Cipher on the Wall

“The writing is on the wall for 1024-bit RSA,” one trade publication has declared in response to the recent announcement of the successful factoring of a 307-digit (1017-bit) number. As 1024 bits is the length of many RSA keys used in practice today, a short journalistic leap of fancy raises the specter of imperiled retail transactions on the Web.
If there is writing on the wall for 1024-bit RSA, though, what’s written is in cipher–and it’s wholly unclear how long the cryptanalysis will take.

"Prosthetic Biometrics": Microchips Under Your Skin

Several years ago, I gave a talk at a local university on biometric authentication–the security applications of fingerprint recognition, iris scanning, and so forth. A faculty member approached me afterward to ask why I was bothering. After all, wouldn’t we all be surgically implanted with digital authentication devices in the not-too-distant future?

I laughed at the idea of “prosthetic biometrics.” Gently, I hope. Today a company called VeriChip conducted an initial public offering. VeriChip sells small, encapsulated microchips (RFID tags) that transmit unique serial numbers over short distances via radio–surgically implantable authentication devices, in fact.

Dogs and cats have been regularly implanted with RFID tags for years. That beta test, if you will, has been largely successful: Many shelters are equipped to scan RFID tags in animals lacking other identification, and many pets and owners owe their happy reunification to the devices…