Whit Diffie on Encryption and PKI

10.11.2008
In the 1970s, Whit Diffie co-wrote the recipe for one of today's most widely used security algorithms in a paper called "New Directions in Cryptography." The paper was a blueprint of what came to be known as the Diffie-Hellman key exchange, a seismic advancement in Public Key Infrastructure (PKI) technology that makes secure online transactions possible. It's part of such popular protocols as the Secure Sockets Layer (SSL) and Secure Shell (SSH).

But much has happened in the world of security since then, which begs the question: Does the old recipe hold up in today's environment? Diffie answered that and other questions in a recent e-mail exchange:

CSO: The tech landscape has changed considerably since the advent of PKI. Does it still hold up in today's environment? If so, explain where it continues to do good.

Cryptographic algorithms are far and away the best cooked and most successful part of information security. If breaking into Web sites, stealing identities or subverting critical infrastructure required breaking AES or elliptic-curve cryptosystems, we would not be complaining about cybersecurity. Public key cryptography still seems to be the best known solution for moving credentials in unprotected environments. Why is public infrastructure not more successful? One answer is that it is very successful. SSL appears to be the most widely deployed cryptography-based security mechanism of all time.

If SSL is so great, why are e-mail, laptop and data storage all so insecure?

Clearly more broadly applicable mechanisms are needed. Why are they not more successful? One possibility is that it is a capital and marketing development problem. Keying infrastructure is like any communications phenomenon: the more people who have telephones, the more valuable each individual phone becomes. As long as only a small amount of peer-to-peer PKI is installed, there is little motivation for any individual user to install it. This problem is aggravated by another: Competing providers and standards fragment the market and dilute interoperability. More important, however, is the problem of implementation.