15th International Conference on Advanced Computing & Communication 18 - 21 December, 2007 Organised by:   Department of Computer Science and Engineering, IIT Guwahati Advanced Computing and Communication Society (ACS), Bangalore Hosted at:   Indian Institute of Technology Guwahati, INDIA

Menu:

• Home
• Post Conference New
• Unique Features
• Call for Papers
• Paper Submission
• Student's Forum
• Committees
• Announcements
• Keynote Speaker
• Tutorials
• Important Dates
• Accommodation
• Location
• Travel
• Fellowship registration
• Registration
• Technical Programme
• Industry Exhibition
• Sponsors
• Contact

Outline of the talk of Dr. Sanjay Burman

Title: Cryptography & Security - Future Challenges and Issues

Abstract and Outline:
Background
We live in an era of unimaginably rapidly advancing and amazing technologies that enable instantaneous flow of information ? anytime, anywhere. The convergence of computers and networks has been the key force behind the development of these awe inspiring technologies. Increasing use of systems built using these information technologies (IT) is having a profound impact on our everyday lives. These technologies are becoming all pervasive and ubiquitous. An illustration of this is provided by the development of mobile communication. There is a flurry of activity in the development of novel applications that run on this infrastructure. Phones have gone from wireless to small to smart to a situation where they can be used as entertainment devices (games, radios, mp3 players, cameras and now television), for serious personal applications(for location services, messaging and authentication, banking) in addition to being used also to talk to people. The fast paced development of these applications has been enabled by the flexibility of the underlying computing platform and the communication infrastructure. The key perquisite for the continued development and successful exploitation of IT is the notion of assurance. Information Assurance involves ?Conducting those operations that protect and defend information and information systems by ensuring availability, integrity, authentication, confidentiality, and non-repudiation. This includes providing for restoration of information systems by incorporating protection, detection, and reaction capabilities."

Current State of Affairs
Evidently the value of information being committed into the IT infrastructure is increasing and there is an increasing concern on the inadequacy of the assurance that can be provided with respect to availability, confidentiality, integrity, authenticity and privacy of the information being committed to the IT infrastructure by the currently deployed computing and communication platforms. Therefore, it is not surprising that the migration of demanding applications that require legal binding of digital signatures is not as ubiquitous as was initially envisaged. The cost of achieving the required level of security is increasing without actually providing the required level of assurance for such applications.

This Talk
The belief that the deployment of strong cryptographic mechanisms and security systems like firewalls, intrusion detection systems etc can deliver the required level of assurance is flawed. Cryptography is not a silver built that will ensure a secure system which will have the properties required for assurance in the IT infrastructure. Consider for example the proliferation of the all pervasive web interfaces for configuring systems in the IT infrastructure. These interfaces proliferate because of ease of use and ease of development. The interfaces are developed by designers with focus on features and usability, with less attention being paid to security - result is that secure configuration is the causality, by the time this is discovered security mechanisms are added as an add-on often resulting in a sub-optimal and expensive implementation that continues to be insecure! It is imperative that security is baked into the system at the time the system is designed. A secure system has to be built to enforce a security policy ? in the absence of which it is impossible to realize a system that can deliver on the required level of assurance. During the build process the system must be evaluated for security and not functionality alone ? current practice. In this talk I will first establish through a case study ? the current insecurity of the widely deployed IPSec, and then a demonstration ? the shocking ease with digital signature can be bypassed, that while cryptography is necessary, it definitely is not sufficient to achieve the required level of assurance. Next the reasons for the current state of affairs will be explored. I will follow this up with my arguable (controversial) views on why some of the current consortium approach of the Trusted Computing Group to achieve assurance is not likely to be successful ? the issues. Opinions will be offered on what needs to be done to potentially achieve the required level of assurance ? the future challenges. The content of this talk is based on my experiences as a dabbler in, and a spectator of, cryptography and security for more than twenty years.

Copyright © 2007 Computer Science and Engg. department, Indian Institute of Technology Guwahati.
Email: adcom07 AT iitg.ernet.in   Ph: +91-361-258 2354   Fax: +91-361-269 2787