The clock is ticking on encryption

Today's secure cipher-text may be tomorrow's open book

1 2 3 4 Page 2
Page 2 of 4

The beauty of public-key cryptography

The genuine weakness of AES -- and any symmetric system -- is that the sender has to get the key to the receiver. If that key is intercepted, transmissions become an open book. That's where asymmetric algorithms come in, as a method for disseminating symmetric keys.

Moorcones explains that asymmetric systems are also called public key cryptography because they use a public key for encryption and a different, private key for decryption. "You can post your public key in a directory with your name next to it, and I can use it to encrypt a message to you, but you are the only person with your private key so you are the only person who can decrypt it."

The most common asymmetric algorithm is RSA (for inventors Ron Rivest, Adi Shamir and Len Adleman). It is based on the difficulty of factoring large numbers, from which the two keys are derived.

But RSA messages with keys as long as 768 bits have been broken, notes Kocher. "I would guess that in five years even 1,024 bits will be broken."

Moorcones adds: "You often see 2,048-bit RSA keys used to protect 256-bit AES keys."

Other kinds of algorithms

Besides responding with longer RSA keys, users are also turning to elliptic curve (EC) algorithms, based on the math used to describe curves, with security again increasing with the size of the key. EC can offer the same security with one-fourth the computational complexity of RSA, Moocones says. However, EC encryption up to 109 bits has been broken, Kocher explains.

Anna Chapman
Anna Chapman and nine other accused Russian spies were rooted out earlier this year when the FBI filched a 27-character password that revealed data that the spy ring had hidden. Photo courtesy of the U.S. Marshals Service.

RSA remains popular with developers because implementation requires only multiplication routines, leading to simpler programming and higher throughput, Kocher says. Also, all the applicable patents have expired. For its part, EC is better when there are bandwidth or memory constraints, he adds.

As for private individuals, IDC's Kolodgy says that many turn to freeware implementations of PGP (Pretty Good Privacy), published in 1991 by Phil Zimmermann. PGP traffic can be readily identified, inviting attempts to intercept key transfers.

For those who want to hide the fact that they are receiving messages, there's steganography, which involves hiding text, encrypted or not, typically within the pixels of photos posted on the Web. Anyone can download the picture and extract the message, assuming he has the right software. In fact, the previously cited 27-character code used by the Russian spies was for the password protection of a steganography software disk.

"The problem with steganography is that is not encryption, it's hiding, like putting drugs in a secret compartment of your suitcase," says Zimmermann, now a security consultant in Santa Cruz, Calif. "If your opponent knows about it they can intercept the message."

The quantum danger

This mostly tidy world of cryptography may be seriously disrupted by the expected arrival of quantum computers. "There has been tremendous progress in quantum computer technology during the last few years," says Michele Mosca, deputy director of the Institute for Quantum Computing at the University of Waterloo in Waterloo, Ontario, Canada. Mosca notes that in the past 15 years we have moved from playing with quantum bits to building quantum logic gates. At that rate he thinks it is likely we will have a quantum computer within 20 years.

"It's a game changer," Mosca says, explaining that the change comes not from a speed-up in the computer's clock speed, but from an astronomical reduction in the number of steps needed to perform certain computations.

Basically, Mosca explains, a quantum computer should be able to use the properties of quantum mechanics to probe for patterns within a huge number without having to examine every digit in that number. Cracking both RSA and EC ciphers depends on this very issue -- finding patterns in huge numbers.

1 2 3 4 Page 2
Page 2 of 4
Shop Tech Products at Amazon