
The Key to Security: A Conversation with Sun's Chief Security Officer, Whitfield Diffie

 



Introduction

Whitfield Diffie is a rarity, a person who has gained nearly legendary status in his lifetime. His 1975 invention of the concept of public key cryptography has revolutionized cryptography for nearly 30 years. Stanford Law School professor Lawrence Lessig has called it, "the most important technological breakthrough in the last thousand years." Public key cryptography is a set of techniques that enables two people who share no secret in common to exchange information secretly. In the past, to send and receive a secret message, two parties had to share a secret encryption/decryption device, known as a key, that both encoded and unlocked the message. Party A would encrypt the message using a key and send the message to Party B, who needed the same key to unlock it. The sharing of keys created problematic vulnerabilities.

Diffie's groundbreaking insight was to split the key in two: a matching public key and private key that are related mathematically. Each party has a public key, available to anyone, and a matching private key, known only to them. Either key can be used to encrypt, and the other is then needed to decrypt. I can encrypt a message with your public key and send it to you -- only your private key can unscramble it. Or, if I send you a message encrypted with my private key, only my public key can unscramble it -- so you can simultaneously unscramble the message with my public key and authenticate that it came from me -- or at least from someone who holds my private key.

To implement public key cryptography, Diffie and his colleague, Martin Hellman, drew upon a procedure in mathematics known as one-way functions, by which it is possible to transform data in such a way that it cannot, practically speaking, be untransformed. For example, it is relatively easy to multiply two very large prime numbers, but can be very hard to determine, when given a huge number that is the product of two primes, exactly which two primes were multiplied to produce the number. Or to express the idea more vividly, if one smashes a plate into smithereens it may be practically impossible to put it together exactly as it was, especially if the smithereens number in the billions. One-way functions scramble data mathematically so that it is impossible to unscramble it -- unless you have a matching key. A so-called "trapdoor one-way function" enables people to scramble a message so that only someone with a matching key can unscramble it. So, for example, someone can "smash the plate" with the intended recipient's public key and the only way to put it back together is with the matching private key, and vice versa.

Diffie, who first came to Sun Microsystems in 1991, spent the 1990s working primarily on public policy aspects of cryptography and has testified several times in the Senate and House of Representatives. He and Susan Landau are joint authors of Privacy on the Line, a book that examines the politics of wiretapping and encryption and won the Donald McGannon Award for Social and Ethical Relevance in Communications Policy Research, along with the IEEE-USA award for Distinguished Literary Contributions Furthering Public Understanding of the Profession. Diffie, a fellow of the Marconi Foundation, is the recipient of awards from many organizations, including IEEE, the Electronic Frontier Foundation, NIST, NSA, the Franklin Institute and ACM. He received a Bachelor of Science degree in mathematics from the Massachusetts Institute of Technology in 1965, and was awarded a Doctorate in Technical Sciences (Honoris Causa) by the Swiss Federal Institute of Technology in 1992. Diffie is currently Vice President, Sun Fellow, and Chief Security Officer for Sun.

We met with him recently to get his current thoughts on cryptography.

Question: What are the biggest misconceptions about security? What misinformation do you find yourself coming up against repeatedly regarding security?

Answer: The deepest misconception may be that security can be value-neutral. "Security" is a word in English that codes for legitimacy. But typically, security measures have consequences that are in one group's interest over another's. If you can lock your door more securely, that's in your interest and not in a burglar's interest, and since we don't take a burglar's rights very seriously, that's not much of a tradeoff. But what if both parties have legitimacy? Frequently, security measures will, for example, favor management over labor, which is very popular in the current economy. But labor is a major part of the economy, and whether it's necessarily appropriate for "security measures" to disadvantage labor is not clear.

You can imagine the following conflict: Somebody wants to run a TV show, and they've arranged it so you absolutely can't record it. That's a security measure -- they're keeping you from "stealing" their property. Another big lobby is the child protection lobby, where the parents say, "Wait a moment. We are not going to take your word for it that this movie is suitable for our children. We want to record it and look at it before the whole family watches it together." So you have two different legitimate security requirements which are in conflict with each other. The most important thing to ask about security is: "Whose security? Whose interests are served by the security that is being proposed?"

The second big misconception is that you can do security entirely defensively and build a strong enough wall to protect yourself. This is sometimes true, but it's not true across the board, because most people want to secure a place of business in which they can entertain lots of people who aren't friends as well as a variety of people who are.

With our cryptographic techniques, we could build the sort of networks that the military wanted 20 years ago when they didn't want to talk to anyone but themselves. But we can't yet adequately build secure networks in which you can talk to yourselves, your customers, your partners, your creditors, and all the different parties that you do business with who have conflicting interests. For instance, a vendor and a customer often have conflicting interests.

Less Reliance on Secrets - the Key to Security

Question: You have written that the key to strong security is less reliance on secrets, and argue that it is unrealistic to rely on secrecy for security in computer software.

Answer: If you're relying on a secret that you can't change readily, then you should think of that as a vulnerability. Cryptographic keys are secrets that are inexpensive. You can change them readily. But if the design of the operating system, or the cryptographic system, or the security program, is a secret, then what do you do if it becomes public? It takes a lot of work to write an operating system. We've been working on ours for 20 years. So not open-sourcing a program, for example, for security reasons, is a very dubious notion. Because you should be thinking about what's going to happen -- what are the security implications if it becomes public despite your best effort?

I'm not saying that there's never any reason to keep secrets in security. I'm saying that you should keep secrets when you don't know of an alternative. A good example where you have no alternative is the secrecy surrounding which U.S. flights carry sky marshals. That's an ever-changing secret. The object is to keep the wrong people from knowing whether a sky marshal is going to be on the flight ahead of time. So it is a protectable secret. Now, as a matter of fact, they try to keep the past records secret because -- and I'm just guessing -- they would probably say that if you saw what they've done in the past, you'd have some basis for predicting what they're going to do in the future. The critical point about all of this is that they don't know how to do any better. They only have a couple of thousand sky marshals, and if they were going to put two on each flight, they'd need, say, 50,000. Congress hasn't voted the money for that many sky marshals, and consequently, they're trying to leverage the number that they have and keep it secret which flights they are on.

So that's an example of how, with limited resources, secrets are the best option. But this does not apply to most software because the marginal cost of production of programs is very small, so you can have many copies of a program. So even if you don't circulate the source code, if it's a widely used program, your opponents will have access to the object code, and consequently, dedicated opponents will figure out how it works. It's not a very good environment to depend on secrets.

Security in the Hands of the Wrong People

Question: What is your assessment of the dangers of high-tech security in the hands of the wrong people?

Answer: I think it's unavoidable that high-tech security will get in the hands of the wrong people, because this is part of the fabric of the modern world. A major trend in high-tech security, and crypto security in particular, is to move away from being an element of competitive advantage. So if you look at the Second World War, we kept our crypto system secret and tried to attack the crypto systems of others. And, to a limited extent, we still do that. The U.S. adopted the Advanced Encryption Standard in 2001, which was a good move. It is part of the drift in policy that gave up on trying to control the use of high-grade encryption, as the government recognized that high-grade encryption was absolutely indispensable for an electronic economy.

Then, in 2003, the government did something strange. The Department of Defense Committee on National Security Systems issued a policy memorandum called CNSS Policy Memorandum 15, approving the use of the Advanced Encryption Standard for all levels of classified information.

So we now have a public cryptographic system that the government has said publicly is strong enough to protect any information we have. We are not trying to use that particular form of security as a competitive advantage over our opponents because there are simply so many ways in which this security is needed throughout the world. It is much more important that the banks and Internet commerce, and so forth, have good security than it is to try to prevent opponents who aren't under our control and whose security needs are not very complex, from having security.

If you think about trying to prevent an organization of hundreds or thousands of people from being able to pass messages securely, that is not very complex, compared with Internet commerce, where there are millions of messages a second, tens of thousands of merchants online, millions of people purchasing products, thousands of banks participating in clearing transactions and so forth. Our economy turns on the security of a much more elaborate infrastructure than is probably needed by any military -- certainly by something like a terrorist cell. And when there are thousands of people participating in something it's very hard to keep it secret, or limit its spread.

Quantum Cryptography

Question: Is there anything important or interesting to say about "quantum cryptography" that aspires to apply Heisenberg's uncertainty principle so that by trying to crack a code you actually change the code -- which, in effect, makes the code uncrackable?

Answer: It's important to distinguish quantum cryptography from quantum computing, two very different things with similar names. I don't, in essence, regard quantum cryptography as cryptography, because the essential characteristic of cryptography as a security measure is that it is independent of the communication channel in use. The point of having a secured telephone is that you pick up the phone and make a call and it is of no concern to you whether the phone company, as a security matter, routes the call through optical fibers or over a satellite channel. Quantum cryptography, so far, can only be done through optical fibers, which, as a practical matter, are already rather difficult to tap, so you're gilding the lily.

And, second, the essential characteristic of cryptography as a security measure, which is that the cryptography is independent of the channel, is missing, so calling it cryptography strikes me as odd.

Quantum computing may be vastly more important than quantum cryptography. If quantum computing works correctly, it will utterly transform civilization, and, in fact, break a variety of cryptographic systems, particularly the public key systems in favor now. That is fine with me considering all the other positive things that it's going to do. It will expand our computing capabilities so that all sorts of design and scheduling problems, and engineering limitations, will be overcome. Four years ago, businesses were saying that in another 20 years it will be up and running. Time will tell.

FBI Veto of Internet Standards

Question: Did 9/11 change your beliefs about appropriate policy on the export of cryptographic devices? Or change government policy?

Answer: It didn't change government policy; in fact, the Advanced Encryption Standard was actually finally signed off as the Federal Information Processing Standard on the 26th of November, 2001. And the export policies didn't change. The battle over intercept has moved to another area since people recognized that cryptography is very important in principle in the protection of communications. But most of the communications in the world aren't encrypted and never have been. So the FBI is now pushing for an FCC ruling that would effectively give it veto power over Internet standards. So there's going to be another policy battle shaping up, but it isn't focused on cryptography.
