Wednesday, August 14, 2013

Will There Be A Total Failure Of Trust in the Internet?

Here's a good reason to keep anything you want confidential offline.

The encryption systems used to secure online bank accounts and keep critical communications private could be undone in just a few years, security researchers warned at the Black Hat conference in Las Vegas yesterday. Breakthroughs in math research made in the past six months could underpin practical, fast ways to decode encrypted data that’s considered unbreakable today, reports Technology Review.

Alex Stamos, chief technology officer of the online security company Artemis, led a presentation describing how he and three other security researchers studied recent publications from the insular world of academic cryptography research, which covers trends in attacking common encryption schemes.

“Our conclusion is there is a small but definite chance that RSA and classic Diffie-Hellman will not be usable for encryption purposes in four to five years,” said Stamos, referring to the two most commonly used encryption methods.

TR continues:
Any hints that those methods could be undermined must be taken seriously, said Stamos. They are used to protect banking, online commerce, and e-mail, as well as the mechanisms that ensure that updates downloaded by operating systems such as Windows and OSX are genuine. The result of the two encryption methods being broken would be, said Stamos, “a total failure of trust on the Internet.”

RSA and Diffie-Hellman encryption are both underpinned by a mathematical challenge known as the discrete logarithm problem. That problem is computationally difficult to solve, ensuring that encrypted data can only be decoded quickly with knowledge of the secret key used to encode it in the first place. Breaking RSA or Diffie-Hellman encryption today requires using vast computing resources for significant periods of time.

However, it is possible that algorithms able to solve the discrete logarithm problem quickly could exist. “We rely on that efficient algorithm not being found,” said Javed Samuel, a cryptographer who works for security consultancy iSEC Partners and presented alongside Stamos. “If it is found the cryptosystem is broken.”

Earlier this year, French academic Antoine Joux published two papers that suggest such an algorithm could be found before long. “This is a big deal, since there was marginal progress for 25 years,” said Samuel. “This will spur researchers into looking more closely at the problem and most likely result in more progress.”

One reason to believe that progress will be swift, says Samuel, is that Joux’s advances weren’t based on inventing completely new techniques. Rather, he applied known tricks that hadn’t previously been used on this specific problem. Beating RSA encryption would take a little more additional work, Samuel notes, because it relies less directly on the discrete log problem than Diffie-Hellman encryption does.

However, Stamos believes that once a mathematician publishes a good enough technique, it would quickly be used in online attacks. “Joux or one of these guys could have a breakthrough, throw it onto the crypto mailing lists, and a practical implementation could be worked out in a day or two,” he said.

But there may be a safe option for now:

Stamos called on the security industry to think about how to move away from Diffie-Hellman and RSA, and specifically to use an alternative known as elliptic curve cryptography (ECC), which is significantly younger but relies on more intractable mathematical challenges to secure encrypted data.

The scary part is that the NSA is urging movement towards ECC, which suggests they may know how to get around it:

The U.S. National Security Agency has for years recommended ECC as the most reliable cryptographic protection available. In 2005 the agency released a toolkit called SuiteB featuring encryption algorithms to be used to protect government information. SuiteB makes use of ECC and eschews RSA and Diffie-Hellman. A classified encryption toolkit, SuiteA, is used internally by the NSA and is also believed to be based on ECC.


  1. "Here's a good reason to keep anything you want confidential offline."

    Great point.

    I use the Google office suite, Gmail, etc., all with the knowledge they are completely insecure and even being sifted through... but they make me productive nonetheless.

    I use a tertiary OS stationed on an encrypted USB with encrypted apps to store things with the notion they MIGHT be secure...

    But it's better to simply keep some information offline.

  2. There already should be a failure of trust in the GOOG, MSFT, Facebook, and telecom companies that sold us down the river to the Feds.

  3. How do we know that those urging a move to ECC Suite B are not just NSA plants?

  4. The Internet craze has been going on for more than 20 years, and during that time the governmental network has ensnared communications, and commerce, throughout the world in a way that the heavily regulated PSTN had yet to do by the early 1990s.

    Of course, the Internet is a good deal older than 20 years. Still, 20 years is plenty long enough to figure out that maybe it's foolish to rush into a computer network controlled by some of the most well-organized and well-capitalized brigands and killers ever to call their affairs a government. The Internet has taken on much of the substance of a monopoly, such that we can scarcely conceive of a competitor network taking millions of users away from it, and now the net is being closed before our very eyes behind the fish who swam into it with great enthusiasm.

    Is it not interesting that a great, popular religion called Capitalism was used so effectively to make the net and to lure gullible fish into it? Granted, porn, too, helped to make the Internet, as some hosting sales reps I knew 12 years ago were fond of repeating. (I was a product manager at a web hosting firm that hired them from an established competitor.) Yet even in the case of Internet porn, it was the old craving for profit that was exploited so well.

    Perhaps now is a good time to dwell upon any lessons which might have been embedded thousands of years ago in the parable of the three fishes (Mitacinti), which can be found in the Jataka.


    Once on a time when Brahmadatta was reigning in Benares, there lived in the river of Benares three fishes, named Very-thoughtful, Thoughtless, and Duly-thoughtful. And they came down stream from the wild country to where men dwelt. Hereupon Duly-thoughtful said to the other two, "This is a dangerous and perilous neighbourhood, where fishermen catch fish with nets, basket-traps, and such like tackle. Let us be off to the wild country again." But so lazy were the other two fishes, and so greedy, that they kept putting off their going from day to day, until they had let three months slip by. Now fishermen cast their nets into the river; and Very-thoughtful and Thoughtless were swimming on ahead in quest of food when in their folly...