
RSA 2005

When Bill Gates began to lecture me on how to build secure software, I knew I was in trouble. I had to wonder how we got here and whether there was any point.

RSA Data Security, Inc., the company that owned the patents to the RSA encryption algorithm invented by Rivest, Shamir, and Adleman, held a conference. The idea was to bring together people who were working on cryptography and to get them all talking to one another. They simply called the conference, “RSA.”

Some fourteen years later, RSA is not just a conference for cryptographers, but is in fact a multi-track conference that covers essentially all aspects of information security. Besides the conference, and in fact, a much bigger part of the entire event, is a security trade show. Hundreds of vendors come in from all over the place and try to get you to buy their stuff. It's hard to imagine that this is the same event where years ago, one could get an RSA poster that said, “A good marketing organization listens to its customers, and we've been listening” complete with 1950s-style retro imagery showing men listening to a woman talking on the telephone and a National Security Agency logo down at the bottom. This year, NSA was there, complete with what was probably a 600 square-foot exhibit area (the entire island!), complete with an information assurance awareness video, an actual German Enigma from World War II, and information on the NSA IA Training and Ratings Program.

Some of the invited talks included presentations by the heads of Microsoft and Cisco. Each told how his company was going to take security head-on and solve the problems that everyone is facing, as well as lots of others. I found the hype to be tiresome in the extreme, especially as we're now dealing with infrastructures that are largely implemented on Microsoft and Cisco gear. Had these been well-designed and implemented from the beginning, it might be argued, there would be no need for them to be talking about malicious software, for example, in 2005.

I hate trade shows. But I went, knowing that this was the same conference that, in 1997, was the beginning of the RSA Secret Key Challenge contests. Among the contests announced was one to crack a message encrypted with DES, the U.S. government standard for data encryption. In June of that same year, Rocke Verser, Justin Dolske, and I led the team that did the deed, performing cryptanalysis on DES for the first time in open research. That project is the subject of my new book, Brute Force: Cracking the Data Encryption Standard, and there would be no better place to launch the book than RSA. In fact, we did manage to move some books in those few days and I had enough people at the book signing to make it interesting.

The theme of the event was “Prohibition of the Codes,” which was enforced throughout the event with signage, bits of trivia, and other visual aids using Prohibition-era design. I found the topic to be somewhat ironic today, as cryptography is freer now for U.S. citizens and companies than it has been at any other time in the digital age and possibly even before.

I spent most of my time in the cryptographers' track (i.e., the math club). I heard some discussions of some really interesting things there, including some great work that Cynthia Dwork has been doing on providing privacy-respecting databases for research (allowing potential participants to decide when to participate with their definition of privacy requirements) that are also statistically sound. Moti Yung offered updates on a fascinating idea: malicious cryptography. Malicious cryptography is really nasty stuff, in effect, showing how to build systems that give the users of the cryptosystem the security they were hoping for, but with a twist: an attacker could build in a back-door, one that would itself be cryptographically safe. This is some pretty frightening stuff: it means that people could theoretically be using cryptographic toolkits that appear to be doing the right thing but are in fact also giving the bad guys a view into the good stuff, and the backchannel is secure. The good news is that like any backchannel, such a thing in practice would have architectural ramifications that could be used for detection purposes. (For example, getting the contents of encrypted data sent through the backdoor would require that traffic be injected onto the network, or something similar.) Even so, bad guys can start to adapt other kinds of techniques (onion routing, perhaps?) that would make detection and analysis of the backchannel still more difficult.

One evening, I managed to catch up with some other cypherpunks for dinner, when I got to meet both Peter Trei and Lucky Green for the first time in person, both of whom I had known for years via the List. The restaurant was not particularly special, but the company was excellent. On another, I joined Columbus-based ENDFORCE for the launch of the new version of its product, which came in the form of a party that included entertainment by the guys from Mythbusters, the show on the Discovery Channel. On still another, I managed to catch a lovely dinner with a colleague. The beginning of the evening experiences actually started before the conference itself, with a trip to the famous Chinese restaurant, House of Nanking. Excellent food, great service, and a really pleasant environment, where patrons are packed in pretty closely and from time to time manage to interact with each other, particularly when a recommendation for something from the menu is called for.

While in San Francisco, I stayed at the Pickwick Hotel, which was not far from the location of the conference, the Moscone Center. Generally, I like to stay near but not at the official conference hotel because I prefer to experience a slice of life in a different town, away from the script of the conference. Of course, there were plenty of hotels that would fit that requirement, including one where I stayed during my previous visit to San Francisco, but one offered an opportunity that I could not resist. RSA was being held in mid-February, which turned out to be seventy-five years after the release of Dashiell Hammett's classic noir novel, The Maltese Falcon, which made several references to the Pickwick. I must confess some satisfaction in arranging my own trip to take advantage of a literary reference, especially one to a Prohibition-era novel while visiting a conference with a Prohibition-era theme.

All in all, I would have to say that I am glad I went to RSA, but the further I stayed away from the trade show floor, the happier I was. My advice is to go to the sessions, find some interesting people, and take the time to engage them in thoughtful discussion. That really is, after all, the point of any conference worth attending.

Created by cmcurtin
Last modified 2005-05-22 07:26 AM