Topic: RSA Conference 2013: Experts Say It's Time to Prepare for a 'Post-Crypto' World (Read 1660 times)

Why is this?  I don't know anything about QM and only a little about crypto-- I'm assuming that somehow QM crypto can have an infinite keyspace, and that's how it's provably unbreakable, but that's just a wild-ass guess.  Do you have more information on your statement?  It intrigues me!

The only difference between quantum cryptography and classical cryptography is that quantum cryptography is (allegedly) provably unbreakable and classical cryptography just hard to break.

Just throwing this out there but could it be replaced by quantum networks and quantum communication?  This technology is in its infancy but could explode over the next 10-20 years if it develops.  Our tech is expanding faster than we can even keep up.

http://www.sciencedaily.com/releases/2012/04/120411161604.htm

Hasn't anyone ever heard of or use www.openbsd.org?  Why would anyone NOT use that for their servers?

Their point is that computers are getting so insecure that it doesn't matter if they communicate encrypted or not - not that crypto gets broken.

E.g. somebody hosting a wallet on a server not at home makes it easy for the hoster to spy on that. As long as security measures are followed, your coins are safe too.

It kinda boils down to: "You can't trust the others to handle their stuff properly and it gets harder and harder for you to handle your own stuff."

SAN FRANCISCO--In the current climate of continuous attacks and intrusions by APT crews, government-sponsored groups and others organizations, cryptography is becoming less and less important and defenders need to start thinking about new ways to protect data on systems that they assume are compromised, one of the fathers of public-key cryptography said Tuesday. Adi Shamir, who helped design the original RSA algorithm, said that security experts should be preparing for a "post-cryptography" world.

"I definitely believe that cryptography is becoming less important. In effect, even the most secure computer systems in the most isolated locations have been penetrated over the last couple of years by a series of APTs and other advanced attacks," Shamir, of the Weizmann Institute of Science in Israel, said during the Cryptographers' Panel session at the RSA Conference here today.

"We should rethink how we protect ourselves. Traditionally we have thought about two lines of defense. The first was to prevent the insertion of the APT with antivirus and other defenses. The second was to detect the activity of the APT once it's there. But recent history has shown us that the APT can survive both of these defenses and operate for several years."



Shamir, who shared the panel with Ron Rivest of MIT, Dan Boneh of Stanford University, Whitfield Diffie of ICANN and Ari Juels of RSA Labs, said that the continued assaults on corporate and government networks by sophisticated attackers in recent years has become the most important development in the security world. The time, he said, has come for security researchers and others involved in defending networks to look for methods other than cryptography that are capable of securing their sensitive data.

"It's very hard to use cryptography effectively if you assume an APT is watching everything on a system," Shamir said. "We need to think about security in a post-cryptography world."

One way to help shore up defenses would be to improve--or replace--the existing certificate authority infrastructure, the panelists said. The recent spate of attacks on CAs such as Comodo, DigiNotar and others has shown the inherent weaknesses in that system and there needs to be some serious work done on what can be done to fix it, they said.

"We need a PKI where people can specify who they want to trust, and we don't have that," said Rivest, another of the co-authors of the RSA algorithm. "We really need a PKI that not only is flexible in the sense that the relying party specifies what they trust but also in the sense of being able to tolerate failures, or perhaps government-mandated failures. We still have a very fragile and pollyanna-ish approach to PKI. We need to have a more robust outlook on that."

Shamir pointed to the incident recently in which TurkTrust, a Turkish CA, was found to have issued subordinate certificates for Google domains to two separate parties, one of which was a Turkish government contractor. He said he wouldn't be surprised to see other such incidents crop up.

"I think you will see more and more events like this, where a CA under pressure from a government will behave in strange ways," he said. "It brings into question whether the basis of security, the PKI infrastructure, is under severe strain."