Some might argue that it has been a bad year for encryption. After all, just as the last decade was ending came reports that the algorithm that is used to encrypt GSM mobile phone calls (as used by some 4 billion people around the world) had been cracked wide open. Now this has been followed by the announcement that 768-bit RSA encryption has been cracked. I'm inclined to think that this is a good thing, and am happy to explain why starting with GSM encryption.
The GSM Association responsible for developing the algorithm in the first place responded by stating that the work of the scientists behind the code cracking would be highly illegal in the UK and other countries. Well duh! Seriously though, there is an argument to suggest that it's better for the good guys to crack the code than the bad guys. After all, at least it is now known to be vulnerable and that should, as the guys who did the donkey work suggest, create pressure to produce a better encryption algorithm. Some argue that if they had not published the results of their work (which was apparently done after taking legal advice) then things might have been a little safer until such a time that this happens. Of course, the counter argument being that without the publication of such work the motivation to make changes is reduced considerably.
In many ways I think that this has probably done us a favour, in that the A5/1 GSM encryption algorithm involved is some 22 years old so it's about time it was overhauled to be honest. Not least because researchers have been poking holes in it for the last 16 years or so. Eavesdropping on GSM conversations is nothing new either, it just cos a small fortune (we are talking six figures) to be able to put together the right rig to perform the task. You had better believe that government agencies have been doing it for the longest time, but now the costs have lowered considerably, down to low five figures in fact. And that means that all sorts of unsavoury types from terrorists to criminal gangs and even, he says popping his head above the parapets, the media might be tempted to listen in. All of which means that the plans to phase in a stronger A5/3 encryption will be put into the fast lane and should become the new standard sooner rather than later.
OK, so what about the news that 768-bit RSA encryption has been cracked. How can that be good for security, good for anyone in fact? Well, for a start the actual crack took a huge amount of processing power to generate a massive 5 terabyte password file. According to Andy Cordial, managing director at Origin Storage, "cracking this crypto system using a 2.2GHz Opteron processor-based PC would reportedly have taken around 1,500 years". Of course, using distributed computer resources via a brute force cluster approach reduces the time dramatically. And that's good because it makes people think about moving up to stronger encryption.
Which does mean that the debate about what is 'enough' in terms of encryption will no doubt fire up again. Some argue that 1024-bit RSA only has 10 years at the most left in it before the encryption is cracked, while others suggest that it's probably going to be plenty safe enough for the foreseeable future. Some talk of quantum computing changing everything, and indeed it will if it ever becomes a reality outside of the lab and that's a big if right now. Some suggest that now is the right time to move right up to 2048-bit RSA, after all why bother with weaker links when the strongest chain is available to lock up your data.
I say that whatever you move up to in terms of encryption, the mere fact that you are talking about it is good news for the security of your data in years to come. If you can also start thinking about additional measures such as biometric authentication and PIN-based protection alongside that encrypted drive then you really are starting to take security seriously.
Which is why I will suggest that all this encryption cracking is not such a bad thing after all. After all, does anyone actually use WEP encryption for WiFi or even WPA these days? After the widely reported cracking of these technologies, WPA2 is becoming the defacto standard.
