Four Questions For: Jean-Philippe Aumasson
Long term, who wins: the cryptographers or the code breakers?
Nobody breaks codes anymore, strictly speaking. When you hear about broken crypto, it’s most of the time about bugs in the implementation or about the use of insecure algorithms. For example, the DROWN attack that just won the Pwnie Award of the Best Cryptographic Attack at Black Hat USA exploits weaknesses in: 1) a protocol already known to be shaky, and 2) an algorithm already known to be insecure. So we’ve got unbreakable crypto, we just need to learn how to use it.
What innovations in cybersecurity should companies implement today?
The hot topic in my field is end-to-end encryption, or encryption all the way from the sender’s device to the recipient’s device. This is therefore the strongest form of encryption. WhatsApp and Facebook recently integrated end-to-end encryption in their messaging platforms for the benefit of their users’ privacy. Enterprise encryption software lags behind, however, with encryption solutions that often expose the unencrypted data to an intermediate server. That’s acceptable, for example, for compliance or controllability reasons, but otherwise you should make sure that you use end-to-end encryption to protect sensitive information, such as VoIP phone calls (telecommunication standards, including the latest LTE, are not end-to-end encrypted).
What are the implications of mobile technology and wearables in personal security?
Companies creating those products often neglect security and privacy concerns to save cost (or through ignorance) while security experts tend to exaggerate these concerns. We’ll have to find a middle ground between the needs and expectations of users and regulations. Meanwhile, the lack of security in IoT systems creates great opportunities for conference talks and marketing FUD.
In the Internet of things, is everything hackable, and if so, will someone hack all the pacemakers some day and turn them off?
The “everything is hackable” mantra is actually less scary than it sounds. Literally everything is hackable: from your refrigerator’s micro controller to your mobile phone, as long as you put enough effort in it. One shouldn’t think in terms of mere possibility but instead in terms of risk and economic interests: if I spend X days and Y dollars to hack a pacemaker, will my profit be worth the X-day and $Y investment? A secure pacemaker is obviously better than an insecure one, but the scenario you describe is unlikely to happen; it would just make a great movie plot.
Jean-Philippe (JP) Aumasson is Principal Cryptographer at Kudelski Security, and holds a PhD in applied cryptography from EPFL. Switzerland. He has talked at top-tier information security conferences such as Black Hat, DEFCON, and RSA about applications of cryptography and quantum technologies. He designed the popular cryptographic algorithms BLAKE2 and SipHash, and organized the Password Hashing Competition project. He wrote the 2015 book “The Hash Function BLAKE”, and is currently writing a book on modern cryptography for a general audience. JP tweets as @veorq.