Schneier, Bruce Schneier. This name can be used to test if you are really into cryptography. 😎
Called a “security guru” by The Economist, the computer security technologist, cryptographer, and writer gave a vivid live interview during the recent NoNameCon practical cybersecurity conference.
Watch the whole interview, as it is very dense. Here are some starting points for your interest.
On starting his career >>
– For many professionals, Bruce Schneier has always been a renowned cryptographer and security expert. But everything has a start, so your career also had to start somehow. Could you tell us more about how you started in the field? What was your very first success?
– I was always into cryptography, even as a kid. In 1991 I was laid off from the job and I started writing for computer magazines... I wrote about many, many topics but also about security and cryptography, a little bit here and there.
I decided to write a book on applied cryptography since no such book existed. I took the articles I wrote, and wrote a proposal to John Wiley (publisher John Wiley & Sons). They bought the proposal and I wrote the book, which was published in 1993.
This book allowed me to write more, to start consulting, to start my companies, and really launched me as an expert in this field, and it really was because no one else had written this book. I wanted to read it so I had to write it. And it happened at a really lucky time when everything started to explode on the Internet.
On crypto books >>
– Your book was among the first ones that tried to close the gap between academic cryptography, computer science and applied software engineering. We still see books today written with the same purpose and still being popular.
– The later book I wrote was Cryptography Engineering which I wrote with a couple of co-authors, and that is much more modern and bridges that gap.
💎 I always recommend Ross Anderson’s book Security Engineering. It’s like this thick, it’s phenomenal, and it’s not just cryptography, it has so many aspects of security.
If there’s one book I tell people to get if they are in this field, it’s Security Engineering. Not just because you can actually cause damage if you hit somebody with it, it really is a good book. And it’s coming out, I thought, in a 3rd edition. They have put some chapters online, so you can go to Ross Anderson’s webpage and download the chapters.
On national encryption standards >>
– Recently we’ve got a competition for a national encryption standard in Ukraine, in 2015 we adopted a new cipher Kalyna that replaced the Soviet GOST 28147. Do you think that countries should develop their own standards, or use internationally standardized and well-known ones?
– We do better when we have fewer standards. In cryptography, we want the single well-tested thing that we all use. Everyone is using AES already, it’s hardware-backed, if you have another cipher, how do you get to use it in Microsoft products, or WhatsApp, or PKZIP? That’s gonna be hard.
I think academic competitions are valuable for spurring intellectual knowledge. They get people to pay attention, and graduate students to think about math and cryptography, which is good. But in general, I think, we’re better with fewer standards.
💎 The Internet is not national, it’s international, so a national standard doesn’t really fit the structure of the Internet.
It makes sense to develop ciphers and take part in global competitions (like NIST-driven), but it doesn’t make sense to develop national standards.
On post-quantum crypto >>
– Do you think it makes sense to actually implement quantum-safe systems and roll them out, even though the quantum computer is still very far from being a threat to cryptography?
– I don’t think we really need to implement them today. NIST is doing a competition well ahead of the science of quantum computing. And that’s what we want – we don’t want NIST to do this quickly because suddenly quantum computers become mainstream and powerful. No, we want NIST to do this process well before, because it’s a multi-year process.
💎 Right now everything is quantum-safe, because there are no quantum computers!
Quantum computers are years, possibly decades away, we don’t really know. I’d wait for the standard, once the standard exists, then probably everyone will switch to it.
It took Microsoft over a decade to get rid of their insecure hash functions. So when the standard arrives, we should start having it as an option, so when the threat appears, we can flick a switch. We do want to deploy the algorithms way before the threat, that’s gonna be the safest for us.
On blockchain usage >>
– Do you think there is a use case that is legitimate for blockchain? Is it good use in some cases?
– I’ve never seen a legitimate use case for blockchain. I’ve never seen any system where blockchain provides security in a way that is impossible to provide in any other way. Blockchain has a lot of baggage, a lot of problems and things that make it hard and insecure and way reason not to do it. But if there’s a benefit, then you have to weigh the benefits and costs.
💎 I have not seen any application where blockchain is essential.
I’ve seen a lot of applications where blockchain is used, because people like the tool and look for ways to use it. Now you can’t do these digital currencies without blockchain. But if you look at the way the trust flows, I’m not convinced that doing blockchain-based digital currencies is a better way than we are doing it now – with credit cards, PayPal, Venmo, and all those systems. I’m not convinced that they are less secure.
The world that crypto anarchists envision is not a more secure world.
The world where if you forget your password, then you lose your lifetime savings – nobody wants that. In a world where if you accidentally hit the wrong key, you lose your savings and can’t get it back – nobody wants that. That’s not a trust system that people are gonna trust.
On owning your data >>
– You mentioned that we want to own our data, and you are part of the project that works in that direction, could you tell us about it?
– This is Tim Berners-Lee’s new project, it’s called Solid. That's a system for personal distributed data ownership. The idea is that you own your data in a data bank, you would give people and organizations permissions to access and change parts of your data.
💎 Owning your data is a different way of thinking about data.
Right now our data is stored by everybody – credit card company, airlines, doctor, insurance company. It’s very hard to control my data, basically I don’t have any control over my data.
Wouldn’t it be better that all of my data pieces be brought to me and I store them, and then the airlines, the Fitbit, doctors, Facebook have access to it? It’s really a different way of thinking and it changes our relationship with the companies. It sounds like decentralization done right.
On secure ciphers >>
– What’s your opinion on ARX ciphers? Is it a future for the IoT world, or it’s not safe enough?
– The answer to any cryptography question: it depends. That’s the answer.
If it’s a good cipher – great, if it’s a bad cipher – then no. We try to optimize for different things, when we make ciphers – for speed, for size, for throughput. For a lot of applications in IoT, speed doesn’t matter. If it takes a minute for my thermostat to encrypt the message – who cares, it’s a thermostat! So you can invent ciphers for IoT that are very simple but just very slow, like a thousand rounds, and they would be secure.
There will always be a place for ciphers that use a very simplistic instruction set. Maybe they are using a cheap 8-bit CPU, and because they can handle slow, that’s fine. I’d never categorize “they are gonna be insecure”. You can design a secure cipher with a simple instruction set, and that’s fine.
On security complexity >>
– One of your famous quotes is “Complexity is the worst enemy of security”. Do you still observe this complexity growing? What are the ways of simplifying security nowadays?
– That's true, we’re still finding complex systems that are insecure because they are so complex. The solution is to try to simplify. We know how to do it in software – modularization, hierarchy, libraries. There are languages that let us code more simply.
I don’t have a silver bullet, but yes, complexity is still the worst enemy of security, and simplicity is still hard.
TLS 1.3 is a great example of moving from agility to simplicity. While things become more complicated, we strive for simplicity in protocols for sure.
💎 I mean, don’t give users options, because they will mess it up. Just tell them what to do.
On future of security industry >>
– Do you have any words of advice you’d like to give to the Ukrainian infosec community, especially the young enthusiasts who are striving to become professionals in the future?
– I think that’s the most exciting area in computers to work in. I’ve always enjoyed it, it’s great fun. And there’s an enormous demand, this is not an area that’s going away. You could read about the cybersecurity skills shortage in any magazine. There’s gonna be a lot of work and interesting things to work on, so stay here. Pick the area you like, be broad.
💎 Security is the way of thinking and it's powerful and useful, and something we all need.
Sounds encouraging, doesn't it?
Cut through complexity!