Dr Ron Steinfeld is one of the world’s foremost experts in lattice based cryptography, and a senior lecturer at Monash University in Melbourne, Australia.
Ron is a familiar figure at cryptography conferences worldwide, serving as program committee member at ASIACRYPT, ACISP and EUROCRYPT. At the ASIACRYPT 2015 conference, Ron Steinfeld was bestowed the award for best paper “Improved security proofs in lattice-based cryptography using the Renyi divergence rather than the statistical distance”.
In addition to Ron’s research and teaching commitments, he is also consulting cryptographer to Scram Software. We are thrilled to have Ron on our team, and it’s accurate to say that ScramFS wouldn’t exist if it weren’t for Ron.
In late 2017, he sat down to answer some questions about his experiences working as the principal designer of the ScramFS cryptographic file system.
Q: Why do you think, even though crypto has been around for decades, that there are still so many data breaches and leaks?
I think one of the reasons for this is the scarcity of secure cloud storage encryption software that is easy to use and integrated/compatible with commonly used software applications. For that reason, many users store their cloud data unencrypted, or with keys stored on the cloud server. Consequently, any hacker that manages to expose the contents of server can gain access to the data. Web content exposures are not infrequent due to the prevalence of web application bugs and security vulnerabilities, and weak password choices or password reset procedures by users. Encrypting stored user information on the cloud server with a key known only to the user, as is done by ScramFS, should significantly reduce the likelihood of such data breaches.
Q: So as a cryptographer, how much do you trust encryption products? Especially closed source ones that provide no details about who implemented the crypto or how it was done?
Ron: If carefully designed and implemented, crypto products can achieve a high level of security. But for most closed source products that provide no details about the implementation or identity of the designer, it is impossible to gain any confidence in their security. In particular, if security experts were not involved in the design, I would avoid relying on the security of such products, as they are likely to have significant vulnerabilities.
Q: It must be frustrating to see cryptography implemented incorrectly, and the number of snake oil products available in the marketplace. How should a software vendor achieve security and trust?
Ron: There are many examples of software products that promise security but are not well designed by security experts, and consequently have many security vulnerabilities. Scram’s partnering with security experts is an excellent way to avoid those common problems.
Q: What has your experience been like working with Scram Software?
Ron: It’s great to work with a company that has good technical expertise and is dedicated to developing high quality products, and in particular, appreciates the importance of a thorough security assessment.
Q: You’re very well regarded in academic circles for your research, especially in post-quantum cryptography. How does this industry research work compare with your academic work?
Ron: My work for Scram has allowed me to directly apply my expertise to the design of an industrial product, which is something that I don’t usually get to do in my other academic work. Most of my academic work has been focused on designing or analyzing algorithms or protocols solving specific problems, but my work for Scram involved integrating such algorithms within a big system, and dealing the associated system requirements.
Q: What got you interested working on ScramFS at the start?
Ron: I thought the problem tackled by ScramFS is a worthy one, as I didn’t know of a good existing solution in the marketplace that was easy to use and designed in consultation with security experts.
Also, I wanted to apply my crypto skills to industrial problems, and I got the impression that the people behind Scram had the skills and motivation to produce a successful product.
Q: How has Scram’s approach been different from other companies that produce crypto?
Scram’s careful approach of getting advice from and working closely with cryptography and security experts in developing crypto products is different from many other software developers I know of. I have heard of many examples of companies who put crypto design at the hands of software developers with little security background, and consequently make mistakes of incorrectly using or implementing crypto algorithms in their products. Crypto software is notorious for the ease with which such crypto mistakes can be made by inexperienced developers, and that has been the cause behind many crypto vulnerabilities discovered in software products over the years. Scram’s approach significantly reduces the liklihood of such vulnerabilities.
Q: What are your thoughts about having your ScramFS designs peer reviewed by other academics?
I think design reviews are important in any engineering project, and especially in a large security software system, as the security of such systems is ultimately only as strong as the weakest link in a system. Design reviews are important not only for getting other points of view or ideas for design improvements, but also to significantly increase the likelihood that overlooked issues or hidden assumptions and ambiguities are identified and addressed.
Q: And finally, what are your hopes for ScramFS?
I hope ScramFS will become well known as an easy to use foundation for software applications to encrypt stored data, and that it (and applications built on it) will give people and businesses a simple way of securing their stored data online. Consequently, I hope it will reduce the likelihood of data breaches.
Photo: Dr Ron Steinfeld (Senior Lecturer, Monash University), Linus Chang (Scram Software founder and CEO), Kevin Mitnick world famous hacker, and Trung Dinh (PhD student, Monash University).