Newsmaker: Ari Juels' fascination with numbers is the stuff of fiction, literally.
The chief scientist and director of RSA Laboratories recently completed a novel in which the protagonist is hired by the U.S. government to counter the efforts of Pythagoreans, a Greek group that believed in the supremacy of numbers--subscribing to the notion that by mastering numbers, one could understand and control the forces of the universe.
That concept, he told ZDNet Asia during a recent visit to Singapore, had been "a little silly" until cryptography developed to a stage where "mastery of certain mathematical problems could in principle lead to considerable power over computing resources and consequently over our lives".
The book, which will be launched at the RSA Conference 2009 in San Francisco in April, was in essence, the coming together of two of Juels' interests--computer security and classical literature. He graduated from Amherst College in 1991 with degrees in Latin Literature and Mathematics.
Thirty-eight-year-old Juels, who joined RSA in 1996, shed some light on recent RFID (radio frequency identification) issues in e-passports, identity documents and transport-related systems, as well as how to balance security and privacy.
Q: What are you currently working on?
Juels: With the acquisition of RSA by EMC, we've turned our attention to some of the special security problems that storage systems present. In particular, we've looked at...the ability of a client to verify that a file that is stored on remote servers is still there--intact. We've been able to develop a protocol which accomplishes the seemingly paradoxical property of enabling a client to verify that a file is completely intact--that every bit is there, not a single bit has been changed--without downloading the file. In fact, the archiving service can send a very short proof--some tens of bytes--and that's enough for the client to establish that the file is completely retrievable. That's been a major area of research for us.
Is there a name for this concept?
There's been several names. I guess the most recent is an acronym called Hail, for High Availability and Integrity Layer.
Does Hail appeal to a specific industry or user?
Our feeling is that it will support storage services in the cloud. Online storage is becoming more prevalent and consequently, people have less control or knowledge of where their data is stored, so it makes sense for them to want some technical assurance that their data is still there. You store a file on your hard drive and you maintain the hard drive yourself--you've got at least some physical assurance of the integrity of the data you are storing. If you store it in a cloud you have no idea whether it's in California or Greenland and what organization...is responsible for protecting and administering the systems that store the data.
Wouldn't the online storage providers already boast that kind of capability?
They do presumably provide some sort of contractual assurance. But ultimately a client or customer is just relying on the reputation and contractual obligations of the organization that is storing the files. Different organizations have different ways of maintaining file integrity--they have varying backup policies and their systems are scripted in different ways...so ultimately the consumer probably knows very little about the physical media and the administration of those media on which the files are stored.
Would the technology be specific to EMC, or would it also apply to other online storage providers out there?
That we haven't figured out--[the technology] is still in the lab. We envision an economy in which storage becomes a tradable resource--a fungible resource--like electricity or water, in which case this tool can be used to test the quality and basic assurances of the resource.
EMC may one day be in the business of administering cloud storage; in fact it's just launched a cloud storage product--you can use this tool to provide internal integrity assurances, so that it is able to make stronger assertions to its customers or it could enable its customers to check directly their storage files are intact. Besides the fact that we haven't worked out the appropriate business models, there's several places from which we can come into play.
What is it that keeps you going when you don't feel like it?
[Security] continues to be intellectually engaging to me. Security and cryptography ramifies other disciplines...I recently worked on a paper studying the security of a new identity document initiative in the United States called the passport card, which is also influencing the design of driver's licenses. With colleagues at the University of Washington, we looked at the security of the RFID chip in these identity documents and found that the chips could be cloned. We found that to understand the security of the border crossing system as a whole, we really needed to understand the psychology of security, not just the technical facets of the card design. So we're looking at the literature and psychology to understand various phenomena like vigilance and decrement, which basically describes the common human behavior of relaxing vigilance when a threat is not emergent after a long period of time.
Cryptography is always interesting. Even if it became uninteresting, there are many intersections between security and other disciplines that my curiosity is perpetually self-renewing.
What were the conclusions of the paper about those identity documents for land and sea crossings?
We felt that a system in which human beings demonstrated ideal behavior, and in which you have perfectly vigilant border crossing agents, the fact a card could be cloned might not be so serious. But because of the limitations in human behavior and vigilance that we




















