April 27, 2003

“Don’t try to shoot for perfect security because you’ll fail,” said Prof. Adi Shamir Shamir at a recent conference in his field of computer security.Professor Adi Shamir of the Weizmann Institute, a computer security guru, has some bad news for government officials and business owners who want their systems to be completely secure and impervious: no such thing exists.

“Secure systems do not exist and they will never exist,” Shamir said at a recent conference in his field of computer security. “Don’t try to shoot for perfect security because you’ll fail.”

But thanks to computer scientists like Shamir, the world is a lot more secure and free of computer fraud than it might be otherwise. Shamir’s achievements in his field have been recognized with a prize known as the Nobel Prize in the field of computer science.

The A.M. Turing Award is considered the world’s most prestigious prize in computer science. Shamir will share the 2002 prize with Ronald L. Rivest of the Massachusetts Institute of Technology and Leonard M. Adleman of the University of Southern California.

While working at MIT in 1977, Shamir, Rivest, and Adleman together developed an algorithm that was later called RSA (the acronym for their last names). Used worldwide to secure Internet, banking, and credit card transactions, the RSA algorithm allows for the delivery of encrypted codes and their decryption between parties that have never previously been in contact. The amount of time needed to crack some versions of the method is estimated at millions of years.

Smart cards routinely installed in TV sets to ensure that only subscribers receive TV satellite broadcasts are among the numerous applications of this research. The smart card also allows the company activating the satellite to charge its customers only for programs they actually view.

The three men will be presented with their award in June by the Association for Computing Machinery (ACM.) The Turing award has been presented annually since 1966 to individuals who have made contributions of “lasting and major technical importance” in the field of computer science.

Shamir is the third Israeli and the second scientist from the Weizmann Institute to receive the A.M. Turing Award.

The English mathematician Alan Turing, for whom the prize is named, is known, among other things, for the system he developed (called “Bomba”), which succeeded in cracking the German coding system “Engima” during World War II. Many historians believe that this work actually decided the Battle of the Atlantic in favor of the Allies.

Shamir, now 51, first became involved with the Weizmann Institute as a teenager participating in its youth activities. He later earned his master’s of science and doctoral degrees there and went to MIT, where he spent three years, from 1977 to 1980. He then returned to the Rehovot institute, publishing numerous articles and receiving several prestigious awards, including ACM’s Kannelakis Award, the Erdos Prize of the Israel Mathematical Society, the IEEE’s W.R.G. Baker Prize, the UAP Scientific Prize, the Vatican’s PIUS XI Gold Medal, and the IEEE Koji Kobayashi Computers and Communications Award.

Speaking earlier this month at the eleventh annual RSA Conference in California, Shamir criticized the hodgepodge of security measures that went into effect following September 11, including airport screeners that sometimes prohibited innocuous items like fingernail clippers, while allowing materials that could be converted into weapons.

“I think that in computer security we know the importance of multiple lines of defense,” said Shamir. “They should use ethical computer hackers in order to think of ways that airline security could be breached.”

This philosophy fits with Shamir’s famous ’10 Commandments of Commercial Security’ originally presented at a lecture he gave on cryptography in 1995.

1. Don’t aim for perfect security. Be realistic, and do the best you can within your limits. Roughly, you should double security expenditure to halve risk.

2. Don’t solve the wrong problem. For example, note that US banks lose $10 billion dollars a year in check fraud but $5 million in online fraud.

3. Don’t sell security bottom-up (in terms of the personnel hierarchy).

4. Don’t use cryptographic overkill – even bad crypto is usually the strong part of the system.

5. Don’t make a system too complicated. This yields more places to attack the system, and it encourages users to find ways to bypass security.

6. Don’t make it expensive.

7. Don’t use a single line of defense. Have several layers so security can be maintained without expensive replacement of the primary line.

8. Don’t forget the “mystery attack.” Be able to regenerate security even when you have no idea what’s going wrong. For example, smart cards are attackable but are great for quick cheap recovery.

9. Don’t trust systems.

10. Don’t trust people.

More on Life

Read more: