Some might argue that it has been a bad year for encryption. After all, just as the last decade was ending came reports that the algorithm that is used to encrypt GSM mobile phone calls (as used by some 4 billion people around the world) had been cracked wide open. Now this has been followed by the announcement that 768-bit RSA encryption has been cracked. I'm inclined to think that this is a good thing, and am happy to explain why starting with GSM encryption.

The GSM Association responsible for developing the algorithm in the first place responded by stating that the work of the scientists behind the code cracking would be highly illegal in the UK and other countries. Well duh! Seriously though, there is an argument to suggest that it's better for the good guys to crack the code than the bad guys. After all, at least it is now known to be vulnerable and that should, as the guys who did the donkey work suggest, create pressure to produce a better encryption algorithm. Some argue that if they had not published the results of their work (which was apparently done after taking legal advice) then things might have been a little safer until such a time that this happens. Of course, the counter argument is that without the publication of such work the motivation to make changes is reduced considerably.

In many ways I think that this has probably done us a favour, in that the A5/1 GSM encryption algorithm involved is some 22 years old so it's about time it was overhauled to be honest. Not least because researchers have been poking holes in it for the last 16 years or so. Eavesdropping on GSM conversations is nothing new either, it just cost a small fortune (we are talking six figures) to be able to put together the right rig to perform the task. You had better believe that government agencies have been doing it for the longest time, but now the costs have lowered considerably, down to low five figures in fact. And that means that all sorts of unsavoury types from terrorists to criminal gangs and even, he says popping his head above the parapets, the media might be tempted to listen in. All of which means that the plans to phase in a stronger A5/3 encryption will be put into the fast lane and should become the new standard sooner rather than later.

OK, so what about the news that 768-bit RSA encryption has been cracked? How can that be good for security, good for anyone in fact? Well, for a start the actual crack took a huge amount of processing power to generate a massive 5 terabyte password file. According to Andy Cordial, managing director at Origin Storage, "cracking this crypto system using a 2.2GHz Opteron processor-based PC would reportedly have taken around 1,500 years". Of course, using distributed computer resources via a brute force cluster approach reduces the time dramatically. And that's good because it makes people think about moving up to stronger encryption.

Which does mean that the debate about what is 'enough' in terms of encryption will no doubt fire up again. Some argue that 1024-bit RSA only has 10 years at the most left in it before the encryption is cracked, while others suggest that it's probably going to be plenty safe enough for the foreseeable future. Some talk of quantum computing changing everything, and indeed it will if it ever becomes a reality outside of the lab and that's a big if right now. Some suggest that now is the right time to move right up to 2048-bit RSA, after all why bother with weaker links when the strongest chain is available to lock up your data.

I say that whatever you move up to in terms of encryption, the mere fact that you are talking about it is good news for the security of your data in years to come. If you can also start thinking about additional measures such as biometric authentication and PIN-based protection alongside that encrypted drive then you really are starting to take security seriously.

Which is why I will suggest that all this encryption cracking is not such a bad thing after all. After all, does anyone actually use WEP encryption for WiFi or even WPA these days? After the widely reported cracking of these technologies, WPA2 is becoming the de facto standard.

As Editorial Director and Managing Analyst with IT Security Thing I am putting more than two decades of consulting experience into providing opinionated insight regarding the security threat landscape for IT security professionals. As an Editorial Fellow with Dennis Publishing, I bring more than two decades of writing experience across the technology industry into publications such as Alphr, IT Pro and (in good old fashioned print) PC Pro. I also write for SC Magazine UK and Infosecurity, as well as The Times and Sunday Times newspapers. Along the way I have been honoured with a Technology Journalist of the Year award, and three Information Security Journalist of the Year awards. Most humbling, though, was the Enigma Award for 'lifetime contribution to IT security journalism' bestowed on me in 2011.

0

Good thoughts...

Risk / reward plays into this though, especially if the broader user base needs to catch up with the technologies. The multi-factor authentication also definitely helps with the end points, but the storage medium remains vulnerable to the crypto algorithm alone IMHO.

0

It's a cat and mouse game with the crackers and the hackers and it always will be. Once one encryption algorithm is cracked, then a stronger one is built in an ongoing business to keep ahead of the "bad guys". At least it keeps people employed.

0

There's no such thing as 100% security, and it's just a matter of time for a security control to break down. At least it keeps people on their toes. Constant improvement and innovation is a good thing if there's competition.
