Cryptography is an essential practice for our data-driven world. In this Q&A, Dr. Partha Dasgupta, an Associate Professor at Arizona State University (ASU) with experience at DARPA, shares some of his insights on the state of cryptography.
For computer science students, the ASU Online Master of Computer Science (MCS) degree is an opportunity to learn from world-class faculty like Dr. Gupta in a flexible, affordable online format. Here’s the Q&A:
After last year’s disclosure of the EFAIL vulnerability, what is the future of the PGP standard for end-to-end email encryption?
Dr. Gupta: The PGP standard is not compromised by EFAIL. EFAIL uses complicated vulnerabilities in the applications that support PGP to extract secret data. These vulnerabilities are essentially programming defects in the applications, and not design defects in PGP. They can be (and have been) fixed.
Password managers like LastPass are becoming an increasingly popular tool — and thus an increasingly appealing target for hackers. How secure are they?
Dr. Gupta: The security of password managers depends on the implementation of these applications. Super secure password managers would store passwords on local storage, secured by long passphrases and not store the passphrase anywhere. However, such an approach is “dangerous” since there is no way of recovering anything if the password store is corrupted, deleted, or lost, or the passphrase is forgotten. Hence other, more usable methods are implemented, giving rise to weaknesses that can be exploited by hackers. Of course, if a hacker succeeds in introducing a virus into the computer that has a password manager, then all passwords are trivially exposed. There is no known defense against this hacking attack.
Blockchain protocols are designed to be fundamentally secure, but several recent hacking incidents have called that premise into question. Should we still be looking to blockchain as a “trustless” solution for business applications like smart contracts and supply chain tracking?
Dr. Gupta: Blockchain is fundamentally secure, as long as it is a distributed blockchain and it has a large number of trusted miners. That is the design specification of a blockchain network, and the security methodology works as long as the bad actors are a minority of the miner community. Hackers have targeted communities with low numbers of miners and added large numbers of colluding miners to compromise the security — hence the term “51% attack.” Once again, this is an example of badly-designed implementation and not a fault of the blockchain design.
Last November, Deputy Attorney General Rod Rosenstein called for tech companies to use “responsible encryption” that balances consumer desire for secure products with the government’s need to ensure public safety. Is “responsible encryption” possible? What would it look like?
Dr. Gupta: There is no such thing. Data that can be accessed by a government can also be accessed by a bad actor. Much has been written about why encryption with law-enforcement backdoors is a disastrous product that no one will use. We went through this drama with the Clipper Chip in 1998. This is just a replay of that old, failed attempt at backdoor encryption.
The race to come up with quantum-proof encryption techniques before hackers gain access to a quantum computer is heating up. Is this threat a likely scenario, or science fiction?
Dr. Gupta: Partially both. There has been some work on quantum-proof symmetric encryption, but nothing exists for public key cryptography. However, quantum computing is terribly underpowered, and it is not clear whether it is possible to build anything that will compromise conventional cryptography. A good discussion can be found on Bruce Schneier’s blog.
Is it important for a computer science grad student to follow trends in cryptography?
Dr. Gupta: It is more important for a CS student to understand the basics of cryptography, rather than following trends. Cryptography is a well-established set of algorithmic procedures that secures data in a variety of applications. It is not as well understood by the CS community as it should be, as data security is an important facet of today’s world.
Any recommendation you can give to a computer science student who wants to learn about cryptography?
Dr. Gupta: Cryptography is logical, mathematical, and practical. The student should definitely learn about “public key encryption” and its importance in web-based secure communications. Of course, to understand public keys, one also needs to know about hash functions and symmetric key encryption. Apart from taking courses, there is a large volume of self-study material available via Wikipedia and YouTube.