Interview with Joshua Holden
We interviewed Joshua Holden, a professor in the mathematics department of Rose-Hulman Institute of Technology, Indiana. He did a comparison of courses where he taught one cryptography course from a technical angle for mathematics majors at Rose-Hulman Institute, and the other from a social angle at Dukes University. We asked him about the social aspect of cryptography and his opinions, as an educationist.
N: Most people analyze cryptography from a technical point of view. What do you think are the various dimensions to it that people tend to overlook?
JH: One thing that I think a lot of people overlook is that in practical use, cryptography is part of a larger system. I once sat in on a course by Susan Landau and she liked to point out that an attacker will always try to go for the weak link in a communication system. Even if your cryptography is strong, it might be used incorrectly, or bypassed, or an attacker might be able to exploit side-channel attacks, or traffic analysis, or social engineering, or untrustworthy people in your organization, or something else you haven't thought of. Even concentrating on the cryptography itself, your cipher might be secure against one type of attack, maybe known-plaintext for example, but your attacker might figure out a way to mount a chosen-ciphertext attack. A lot of the things I just mentioned fall into the technical realm, but in order to properly evaluate the risks you need to understand how your system will work in practice.
N: How much is the social aspect to cryptography important in a cryptography student's curriculum?
JH: Social aspects of information security have been in the news a lot lately and I think that because of that there's been a lot more attention to social implications of cryptography. I think that any student of science or engineering (including computer science and software engineering) needs to understand the social and ethical implications of what they are learning how to do. This has been understood for many years in certain areas: civil engineering almost from the beginning, physics certainly since the atomic bomb, and so on. I teach at a school that specializes in engineering, and it is becoming clear that ethics and society need to be addressed across the curriculum in all disciplines. Computer science and software engineering are new fields, but they are catching up quickly, I think.
N: Is there any mainstream course in cryptography? What would be your advice to students who want to take up cryptography?
JH: I advise students not to specialize too much, especially as undergraduates. Who knows: maybe some new innovation in complexity theory or quantum computing will make everything we know about cryptography obsolete next year! You need to have a good grounding in basic principles that can be applied to a wide range of areas, because you never know what you are going to be doing in ten years --- chances are good that it won't be the field you were thinking of, and even if it is, that field may look completely different. If you are interested in cryptography, by all means take cryptography and information security classes. Theoretical computer science classes like theory of computation and analysis of algorithms are also critical for understanding why modern cryptography (public-key, for instance) is even possible. Also take a *lot* of mathematics. The most common types of cryptography currently use a lot of number theory and linear algebra. But older types use lots of statistics (and linear algebra) and the newest varieties are using geometry, abstract algebra, even topology. Really, any sort of math you can think of someone is trying to apply to cryptography. And then there's the larger systems view that I talked about above; in order to understand that you have to be familiar with computer architecture, operating systems, programming languages, software design, computer networks, and even business and industrial organization and management.
N: What is your take on personal privacy as opposed to national security?
JH: Bruce Schneier has a nice essay about this on his blog . He says: The debate isn't security versus privacy. It's liberty versus control. [...] If you set up the false dichotomy, of course people will choose security over privacy -- especially if you scare them first. But it's still a false dichotomy. There is no security without privacy. And liberty requires both security and privacy. The famous quote attributed to Benjamin Franklin reads: "Those who would give up essential liberty to purchase a little temporary safety, deserve neither liberty nor safety." It's also true that those who would give up privacy for security are likely to end up with neither. The important thing is to understand when giving up some of our privacy is actually going to make us safer, and when it is just trying to make us feel better, or when someone is just trying to exploit our fears for their own ends. I'm not a crypto-anarchist; I don't encrypt every email that I send and I don't think that it would solve the world's problems if everyone did. But I don't think that massive public surveillance will make us safer either, whether it's the government doing it or large corporations. And I am concerned about how those organizations would use the data they collect.
The interview continues on the next page: