Tuesday, February 26, 2008

My Princeton Experience and Optimism for Encryption

As we all know by now, Ed Felten and his research group at Princeton have announced yet another landmark result in the realm of data security. For systems ranging from Java VMs to digital rights management to electronic voting machines – and now to disk encryption – the research group has shown that foundations for a secure world remain elusive to the industry.

I enjoyed the opportunity to collaborate with Dr. Felten on the SDMI cracking effort while I was at Princeton. In Felten's recent paper on cold boot attacks against encryption keys in DRAM, part of my Ph.D. thesis (which explored next-generation security architectures) is cited as a long-term solution. Indeed, for laptop encryption and trusted systems to truly realize their promise, hardware and software must be engineered with security at the core, not at the periphery.

The exposed flaws in many encryption solutions are disquieting examples of how difficult it is to engineer security systems for our impatient and diverse world. Routinely, software developers – as opposed to trained security architects – are being asked to design cryptographic systems with complex design parameters and even more complex security implications. The various attacks described in the cold boot paper show that security designers must improve their modeling of human behavior (and physics) when poised in front of their whiteboards.

Security is hard, but it is attainable! I’m optimistic that security engineering methodology will advance over time. Fortunately, today, a few companies are embracing a truly proactive approach for modeling threats and designing security systems.

This week, BitArmor will be making some key technical announcements on the strength of BitArmor software against attacks described in the Felten paper and beyond. Keep your eyes on this space...
