From: John Young <jya@pipeline.com>
Date: Wed, 3 Jan 1996 03:43:21 +0800
To: cypherpunks@toad.com
Subject: In Search of Computer Security
Message-ID: <199601021239.HAA10963@pipe4.nyc.pipeline.com>
MIME-Version: 1.0
Content-Type: text/plain


   The New York Times, January 2, 1996, p. C15.
   Special section "Business World Outlook '96."


   In Search Of Computer Security

   By John Markoff


   Computer security is making a transition from the
   university and the research laboratory to the real world.
   So far it is proving to be a rocky evolution.

   Last year, a series of embarrassing gaffes and shortcomings
   undermined the faith of potential computer users in the
   certainty that their data are secure. The flaws have led to
   a growing realization that computer security systems are
   largely untested and that in complex environments like the
   Internet, they do not always respond the way their creators
   had intended.

   Paul C. Kocher, a computer security expert who discovered
   one potential flaw, said, "Many of the security systems
   that I am examining are good enough to keep out casual
   snoopers, but they're failing catastrophically when it
   comes to protecting data against determined attacks."

   The problems are emerging as the computer industry
   increasingly relies upon an arcane mathematical discipline
   that is intended to hide the secrets embedded in digital
   information behind a veil of imposing math problems.

   Cryptography, the science of writing secrets, was for
   centuries largely the province of kings, soldiers and
   spies. But that has changed in the 1990's as the world has
   rushed to use personal computers and computer networks as
   the basis for electronic commerce, communication and
   entertainment.

   Data scrambling has become the key to a vision that it will
   be possible to have private electronic conversations and
   secure financial transactions.

   In principle, data coding protects information by
   scrambling it to keep it out of the reach of everybody but
   those with a supercomputer and tens or even hundreds of
   years to crunch the data.

   But computer researchers have begun discovering flaws,
   sometimes subtle and sometimes glaring, that can help
   criminals take devious shortcuts to obtain the mathematical
   keys used to scramble the data.

   In August, a French computer hacker proved that it was
   possible to use a network of work stations to guickly find
   the secret key created by a coding system developed by the
   Netscape Communications Corporation, the leading developer
   of World Wide Web software.

   The feat cast doubts on the security of a system whose
   security had been scaled back to meet stringent United
   States Government export controls.

   The following month, two computer science graduate students
   at the University of California at Berkeley reported a flaw
   in the Netscape that would permit a technically skilled
   attacker to steal data by circumventing the complex
   calculations needed to break the code.

   In October, a team of Berkeley researchers, including the
   two computer science students, detailed security weaknesses
   in the fundamental software of the Internet that make it
   difficult to protect data that is sent between computers.

   And last month, Mr. Kocher explained a potential flaw in a
   widely used data coding approach known as public-key
   cryptography.

   The flaw could allow eavesdroppers to infer a secret key
   used to protect data in Internet security software,
   electronic payment smart cards and related systems by
   carefully timing how long it takes to compute the secret
   key.

   Mr. Kocher said that while he believed that trusted
   electronic security systems would ultimately emerge, there
   should be no urgency to rush their deployment.

   Banks have spent several hundred years perfecting systems
   for protecting money, he noted, but they have far less
   experience with the new computerized systems designed to
   protect information that represents money.

   One of the pioneers in the mathematics underlying most
   public key systems agrees that prudence is required in
   developing digital commerce.

   "Paul's discovery is one more piece of evidence that
   designing security mechanisms is tricky," said Whitfield
   Diffie, a Sun Microsystems researcher who was one of the
   co-inventors of the original public key technology.

   "Given the trust that we will be placing in systems for
   electronic commerce," he continued, "we should be putting
   all the effort we can into getting them right."

   [End]

----------

   [Box] 1996 Will Be the Year When:

   "Congress will pass a law restricting public comment on the
   Internet to individuals who have spent a minimum of one
   hour actually accomplishing a specific task while on line."

   Andrew Grove, Intel Corp. CEO