The future of security

Ian Grigg iang at
Thu May 6 19:52:39 EDT 2004

Graeme Burnett wrote:
> Hello folks,
> I am doing a presentation on the future of security,
> which of course includes a component on cryptography.
> That will be given at this conference on payments
> systems and security:
> Would anyone there have any good predictions on how
> cryptography is going to unfold in the next few years
> or so?  I have my own ideas, but I would love
> to see what others see in the crystal ball.

I would see these things, in no particular
order, and no huge thought process applied.

a.  a hype cycle in QC that will peak in a year
or two, then disappear as purchasers realise that
the boxes aren't any different to ones that are
half the price.

b.  much more use of opportunistic cryptography,
whereby crypto systems align their costs against
the risks being faced.  E.g., self-signed certs
and cert caching in SSL systems, caching and
application integration in other systems.

c.  much less emphasis on deductive no-risk
systems (PKIs like x.509 with SSL) due to the
poor security and market results of the CA

d.  more systems being built with basic, simple
home-grown techniques, including ones that are
only mildly secure.  These would be built by
programmers, not cryptoplumbers.  They would
require refits of proper crypto as/if they migrate
into successful user bases.  In project terms,
this is the same as b. above - more use of
opportunistic tactics to secure stuff basically
and quickly.

e.  greater and more costs to browser users
from phishing [1] will eventually result in
mods to security model to protect users.  In
the meantime, lots of snakeoil security solutions
will be sold to banks.  The day Microsoft decides
to fix the browser security model, phishing will
reduce to a "just another risk."

f.  arisal of mass crypto in the chat field,
and slow painful demise of email.  This is
because the chat protocols can be updated
within the power of small teams, including
adding simple crypto.  Email will continue to
defy the mass employment of crypto, although
if someone were to add a "create self-signed
cert now" button, things might improve.

g.  much interest in simple crypto in the p2p
field, especially file sharing, as the need
for protection and privacy increases due to
IP attacks.  All of the techniques will flow
across to other applications that need it less.

h.  almost all press will be in areas where
"crypto is sure to make a difference."  Voting,
QC, startups with sexy crypto algorithms, etc.

i.  Cryptographers will continue to be pressed
into service as security architects, because it
sounds like the same thing.  Security architects
will continue to do most of their work with
little or no crypto.

j.  a cryptographic solution for spam and
viruses won't be found.  Nor for DRM.


[1] one phisher took $75,000 from 400 victims:

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at

More information about the cryptography mailing list