Tomasz Wysocki: A National Cryptology Centre was established at the Ministry of National Defence. The Wroclaw University of Technology and several other universities will cooperate with the new institution. What is the purpose of the Cryptology Centre?
Prof. Mirosław Kutyłowski: The experiences of other countries demonstrate that it is better to have one's own centres where the knowledge about security techniques, in the field of both engineering and fundamental sciences. Due to its "dual use" (military and civilian), this is an area where no one shares all their experiences. However, this knowledge is of fundamental importance not only to the military, but also to economic security.
The Chinese decided to establish their own operating system and to eliminate Windows from public administration as early as ten years ago. This was due to the fact that Windows was initially developed for retail customers and for home use. Efficient operation of such applications such as computer games or small office applications, was more important than the security of the system.
Of course, due to the development of the market and new technologies, this started to change very much; nevertheless, the architecture of the system still has many of its original shortcomings.
Does it mean that its security was weak?
Prof. Mirosław Kutyłowski: It was appropriate for the purposes the system was made for. However, it was not a product that could be used for controlling intercontinental missiles or even for processing important government data. The Chinese decided to create their own operating system, with some rather innovative solutions with regard to security.
Of course, China is a big country with enough customers in the public administration to guarantee a return on the investment. By the way, private companies that were concerned about American surveillance also started to use the system.
Another example comes from Poland's western neighbour. Germany created a strong competence centre in the field of IT security, the famous BSI agency. It deals with many security aspects. One of them is certification of equipment that must ensure security on the cryptographic level. They design new technologies and procedures, prepare technical recommendations related to security, etc. Their materials are available to companies and their assistance is often priceless. Owners of small companies do not need to, and often are unable to, have the knowledge about IT security systems. Instead, they receive high-quality instructions from a reputable institution about, for example, the methods of evaluation of IT security risks in their companies. After all, assessed threats are easier to counter.
Why is a separate new agency required, as it was in Germany and Poland? After all, there are many IT companies that work on security systems.
Prof. Mirosław Kutyłowski: It is in the interest of every corporation to first sell a product and then to keep a customer so as to have a source of income for a long period of time. What is more, the customer becomes dependent not only financially but also with regard to trust.
The National Cryptology Centre, on the other hand, is an institution whose task is to gather knowledge and skills so as to be able to design its own solutions that will be known "from the inside". Otherwise, the only thing we can do is to trust the vendor. In the light of Edward Snowden's disclosures, such a blind trust is no longer an option. Of course, this does not mean that we should not benefit from the experiences gained in an open international cooperation or that we should not participate in such cooperation. Also, there is no doubt that some joint work intended for the entire economy and for the public sector should be paid for with public funds.
For many years, 'cryptology' and 'cryptography' were terms associated mostly with systems used by the military.
Prof. Mirosław Kutyłowski: Such connotations were correct until the 1970's when cryptology served the needs of the military sector. In the 1970's, Americans published a symmetrical encryption standard. A method designed by a government institution was recommended and transferred for civilian use. At that time, not only a regular person but also computer scientists had problems with recommending appropriate encryption methods.
Soon after that, critical discoveries took place, such as the RSA algorithm for placing signatures, used since the very beginning in the IT system of the Social Insurance Institution (ZUS), and the DH key exchange protocol, still used universally to exchange the session key.
The dynamic technological changes that took place later have made us all surrounded by cryptography nowadays.
Where?
Prof. Mirosław Kutyłowski: We use mobile phones which, without cryptography, would enable making calls charged to someone else's account. When we try to make a call, our phone must first be authenticated with the operator. Then a key must be defined for encrypting the call so that it cannot be heard by others. Cryptography is also used in wireless home phones, for the exact same reasons.
Of course, cryptography is commonly used on the Internet. All websites with a locked padlock icon are pages where the communication between the server and the user's browser is strongly encrypted. Without such protections, online banking would be simply a careless act.
Cryptography is used in more and more systems. Some examples are speed cameras, cars, keys, etc.
How aware are Poles that they should be cautions when using new technologies?
Prof. Mirosław Kutyłowski: Not enough. Just go to a store and see how customers make payments with credit cards. Very often they enter the PIN codes in such a way that bystanders can see it. All the thief needs to do then in order to use the card without any limitations is to steal it.
Interestingly, I know that in some other countries there are information campaigns on ways to use cash machines or to make card payments. Similar advertisements would be very useful in Poland; after all where is the average person supposed to learn about security in IT systems?
Interview conducted by Tomasz Wysocki
*Prof. dr. hab. Mirosław Kutyłowski, a scientist at the Institute of Mathematics and Computer Science, Wroclaw University of Technology.
