Everyone who has studied mathematics at the movie theater knows that encryption is pretty boss. Practically every spy in every spy movie looks at an encrypted file with fear and dread. Armies of ninjas can be fought. Bombs can be defused. Missiles can be diverted. But an encrypted file can only be cracked open with the proper key -- and that key is always in the hands of a dangerously attractive agent hidden in a sumptuous hideout on the other side of the world. (Never in Newark or New Haven -- who wants to film there?)
Alas, this theorem of encryption security may be accepted as proven by math geniuses at Hollywood U., but reality is a bit murkier. Encryption isn't always perfect, and even when the core algorithms are truly solid, many other links in the chain can go kablooie. There are hundreds of steps and millions of lines of code protecting our secrets. If any one of them fails, the data can be as easy to read as the face of a five-year-old playing Go Fish.
Encryption is under assault more than ever -- and from more directions than previously thought. This doesn't mean you should forgo securing sensitive data, but forewarned is forearmed. It's impossible to secure the entire stack and chain. Here are 11 reasons encryption is no longer all it's cracked up to be.
Encryption's weak link No. 1: No proofs -- just an algorithm arms raceThe math at the heart of encryption looks impressive, with lots of superscripts and subscripts, but it doesn't come with any hard and fast proofs. One of the most famous algorithms, RSA, is said to be secure -- as long as it's hard to factor large numbers. That sounds impressive, but it simply shifts the responsibility. Is it truly that hard to factor large numbers? Well, there's no proof that it's hard, but no one knows how to do it right all of the time. If someone figures out a fast algorithm, RSA could be cracked open like an egg, but that hasn't happened yet ... we think.
Encryption's weak link No. 2: Disclosure is the only means of detecting a crackSuppose you figured out how to factor large numbers and crack RSA encryption. Would you tell the world? Perhaps. It would certainly make you famous. You might get appointed a professor at a fancy college. You might even land a cameo on "The Big Bang Theory."
But the encryption-cracking business can be shady. It isn't hard to imagine that it attracts a higher share of individuals or organizations that might want to keep their newfound power secret and use it to make money or extract valuable information.
Related
- Yahoo turns on encryption between data centers
- Google trumpets extra encryption for Gmail, but stays mum on other apps
- Securing the Internet of Things
Sponsored
Many of our assumptions about the security of cryptography are based on the belief that people will share all of their knowledge of vulnerabilities -- but there is no guarantee anyone will do this. The spy agencies, for instance, routinely keep their knowledge to themselves. And rumors circulate about an amazing cryptographic breakthrough in 2010 that's still classified. Why should the rest of us act any differently?
Encryption's weak link No. 3: The chain is long and never perfectThere are a number of excellent mathematical proofs about the security of this system or that system. They offer plenty of insight about one particular facet, but they say little about the entire chain. People like to use phrases like "perfect forward security" to describe a mechanism that changes the keys frequently enough to prevent leaks from spreading. But for all of its perfection, the proof covers only one part of the chain. A failure in the algorithm or a glitch in the software can circumvent all this perfection. It takes plenty of education to keep this straight.
Encryption's weak link No. 4: Cloud computing power is cheap and massiveSome descriptions of algorithms like to make claims that it would take "millions of hours" to try all the possible passwords. That sounds like an incredibly long time until you realize that Amazon alone may have half a million computers for rent by the hour. Some botnets may have more than a million nodes. Big numbers aren't so impressive these days.
Encryption's weak link No. 5: Video cards bring easy parallelism to crackingThe same hardware that can chew through millions of triangles can also try millions of passwords even faster. GPUs are incredible parallel computers, and they're cheaper than ever. If you need to rent a rack, Amazon rents them too by the hour too.
