With hardware, software, and networks constantly under attack, security experts say they’re ready to fight back.
Microsoft CEO Bill Gates kicked off the annual RSA Conference on information security in San Jose this week with a call for a simpler approach to making computers more secure. His big-picture vision: the entire computing industry working together to fashion a “true ecosystem” of security, as businesses continue facing cyberattacks.
Although experts agree that solutions for data security won’t be foolproof, they believe that hardware, software, and networks can be made much safer by creating a multilayered solution. At least, that’s the argument Gates and others made to an estimated 14,000 conference attendees – from software developers and cryptographers to hackers and lawyers.
Gates’ most radical solution is replacing password protections, often too easily defeated by phishing and other forms of low-tech hacking, with an InfoCard, a digital identity that can be stored in the microchip of a smart card and used to access password-protected websites.
Of course Microsoft has a keen interest in promoting more secure computing environments, since its operating systems are routinely the target of virus attacks. The InfoCard is one of many new security features supported by Internet Explorer 7 and Vista, the latest incarnation of Microsoft’s ubiquitous operating system (see “A Window into Vista”). Gates noted, however, that the shift away from passwords would likely take as long as four years because it requires the collaboration of numerous vendors.
While the InfoCard technology should be useful for personal data security, large institutions, such as banks, are looking at large-scale defenses to tackle Internet scams. Art Coviello, CEO of RSA Security International, discussed his company’s network-based solution, which he dubbed “community policing.” By using the very networks that hackers exploit, he says, companies can fight fraud and cybercrime at different nodes, instead of in isolation. For instance, if a cybercriminal in a third-world country exploits a stolen credit card number, then tries to hide behind a proxy server in New York, RSA’s system quickly blacklists that New York IP address and immediately notifies banks and other organizations.
In addition to software and network defenses proposed by Microsoft and RSA, Scott McNealy, CEO of Sun Microsystems, addressed the steps his company has taken to ensure that computer hardware in servers and data centers is as secure as possible. Sun has built computer processors that support a form of encryption called “elliptic curve” cryptography (ECC), a standard approved by the National Security Agency. ECC uses a smaller “key” – the collection of bits used to encrypt and decrypt a message – than traditional cryptographic methods, and is therefore ideal not only for computers but also for small devices such as cell phones and even sensors.
While creating more secure technology requires the coordination of software, networks, and hardware, cryptography is at the heart of it. Keeping with the theme of creating a more diverse security shield, a panel of noted cryptographers – Ronald Rivest of MIT, Adi Shamir of the Weizmann Institute of Science in Israel, Martin Hellman of Stanford, and Whitfield Diffie, Chief Security Officer at Sun Microsystems – called for new encryption methods to be developed and disseminated.
Aside from ECC, only two encryption techniques are widely used nowadays: RSA and Diffie-Hellman. The RSA method, named after the three MIT researchers who developed it, relies on the difficulty of factoring large numbers, while the Diffie-Hellman technique uses discrete logarithms to create a key. If more than just two encryption schemes existed, Hellman says, there could be more redundancy in the encryption: if one type failed, others could keep information secure.
Issues of security are becoming increasingly important as more and more business transactions migrate to the Web. Hellman notes that, while no encryption scheme will be completely foolproof, there’s a strong effort going on to address security issues before they become major problems. In the interim, he offers a bit of low-tech advice: “Write down your password. Your wallet is a lot more secure than your computer.”