Are we heading for a 'cryptopocalypse'?

Patrick Lambert considers the current state of cryptography. Is it doomed to become obsolete as technology advances?
High-profile security breaches, leaks about the NSA's surveillance program, and the risks of storing data in the cloud have all combined to put a big spotlight on encryption. Encryption is often the mitigation championed by the tech community as a means to protect sensitive and personal data from prying eyes. If we encrypt our files, our connections and messages, then we avoid snooping. It keeps the bad guys and potential spies away. But is encryption really the end-all, be-all of security and privacy? It may not be that simple.

Recently, there was a lot of discussion about a presentation at the Black Hat conference, talking about the impending cryptopocalypse, a time when our technology will be advanced enough to make all current crypto obsolete. Researchers in this field have thought long and hard about this. Encryption relies on a set of very simple yet peculiar properties in mathematics, where a function is very easy to compute in one direction, but almost impossible in the other. Simplified, a one-way function is used to convert two numbers into a much larger one. But by the very nature of this function, that larger number cannot be brought back down to the initial values, unless you have the original ones. In encryption lingo, this means the private key. But what if a function was found that could reverse a one-way function? That would instantly render all encryption based on that function pointless.

In reality, the chance of this happening is low. Experts have tried to come up with ways to do this but have remained empty-handed. What is far more likely to happen is that as computers become more powerful, we can brute force more quickly. However, a recent rebuttal from Bruce Schneier says that we shouldn't fear a cryptopocalypse. Even if factoring is getting easier thanks to faster computers and new advances in mathematics, new algorithms are invented all the time to strengthen encryption, and longer keys ensure that the difficulty in brute forcing messages increases exponentially. Bruce says that while the Black Hat presentation bases itself on very real advances in fundamental algorithms, the results used are very specialized and can't be applied generally to encryption.
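
To make the key-length argument concrete, here is an added example (not from the original article) that multiplies two primes and then recovers them by trial division, a deliberately naive stand-in for real factoring algorithms. The function names and the modulus sizes are chosen for illustration only.

```python
def next_prime(n):
    """Smallest prime >= n (simple search, adequate for the small sizes used here)."""
    def is_prime(k):
        if k < 2:
            return False
        i = 2
        while i * i <= k:
            if k % i == 0:
                return False
            i += 1
        return True
    while not is_prime(n):
        n += 1
    return n

def make_modulus(bits):
    """Easy direction: pick two primes of about bits/2 bits and multiply them."""
    half = bits // 2
    p = next_prime(1 << (half - 1))
    q = next_prime(p + 1)
    return p, q, p * q

def factor(n):
    """Hard direction by trial division; returns (p, q, divisions tried)."""
    tried, d = 0, 2
    while d * d <= n:
        tried += 1
        if n % d == 0:
            return d, n // d, tried
        d += 1
    return n, 1, tried

def work_table(sizes=(16, 24, 32, 40)):
    """For each nominal size, the modulus and the work needed to split it."""
    rows = []
    for bits in sizes:
        p, q, n = make_modulus(bits)
        rows.append((bits, n, factor(n)[2]))
    return rows

if __name__ == "__main__":
    for bits, n, tried in work_table():
        print(f"~{bits}-bit modulus {n}: {tried} trial divisions")
```

Each extra 8 bits of modulus costs one more multiplication to build but roughly 16 times more divisions to undo, which is the asymmetry longer keys exploit.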

It would be wrong to assume that the story ends here. Even though brute forcing encryption becomes easier, you can always use stronger keys and stay ahead of the attackers. However, this isn't the only issue with encryption. Most of the time, things don't break down because of fundamental issues with the underlying protocols. They break down for other reasons. There was a perfect example last month when word got out that the NSA had been actively seeking out past SSL keys from large cloud providers. After all, if a company changes its SSL certificate every year, the private key used for last year's encryption can't be considered as critical anymore. But if the government stored every encrypted message sent during that year and now has access to the key, they can easily decrypt everything without ever needing to break the code. In this case, a feature called Perfect Forward Secrecy thwarts that attack by changing the key used for each session. Anyone running an SSL server should implement this if they care about privacy.
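
One way to check a server configuration for forward secrecy, as an added example that is not part of the original article. It uses Python's standard ssl module; the helper names and the LEGACY suite list are constructed for illustration, and suite names follow OpenSSL's naming.

```python
import ssl

def is_forward_secret(name, protocol=""):
    """TLS 1.3 full handshakes always use an ephemeral (EC)DHE exchange;
    older suites do so only when their OpenSSL name starts with ECDHE- or DHE-."""
    return protocol == "TLSv1.3" or name.startswith(("ECDHE-", "DHE-", "TLS_"))

def audit_names(names):
    """Return the suites that lack an ephemeral key exchange. With these,
    a server private key obtained later decrypts recorded sessions."""
    return [n for n in names if not is_forward_secret(n)]

def hardened_server_context():
    """Server context that only offers ephemeral key exchange."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Applies to TLS 1.2 suites; TLS 1.3 suites are forward secret already.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    return ctx

def audit_context(ctx):
    """Same audit, run against the suites a live context would offer."""
    return [c["name"] for c in ctx.get_ciphers()
            if not is_forward_secret(c["name"], c["protocol"])]

# Constructed sample: a suite list mixing static RSA key transport
# (no prefix) with ephemeral Diffie-Hellman suites.
LEGACY = [
    "AES128-GCM-SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "AES256-SHA",
    "DHE-RSA-AES256-GCM-SHA384",
]

if __name__ == "__main__":
    print("legacy suites without forward secrecy:", audit_names(LEGACY))
    print("hardened context offenders:", audit_context(hardened_server_context()))
```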

Another example is poor implementation or unforeseen complications, as exemplified by the recent BREACH attack, a problem with SSL that was unveiled this month. This particular problem relies on the fact that most encrypted connections use compression as well as encryption. By studying how this compression behaves, it's possible to break the SSL protocol and read what goes on. Short of completely disabling compression, there currently isn't much that can be done to defend against this attack.
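
The size signal that compression creates, and the effect of turning compression off, shown as an added example that is not part of the original article. The page template, the token value and the function names are constructed for illustration; zlib stands in for HTTP response compression.

```python
import zlib

# Constructed sample: a page that embeds a secret and also echoes request input.
SECRET = b"7f3a9c1e5b2d8a46"  # made-up token
TEMPLATE = b"<form><input name='csrf' value='%s'></form><p>You searched for: %s</p>"

def wire_length(reflected, compress=True):
    """Size an on-path observer sees. Encryption hides content but not
    size, so ciphertext length tracks the (compressed) plaintext length."""
    body = TEMPLATE % (SECRET, reflected)
    return len(zlib.compress(body)) if compress else len(body)

def length_gap(compress):
    """Size difference between a response echoing text that repeats the
    secret and one echoing unrelated text of exactly the same length."""
    same = wire_length(b"value='" + SECRET, compress)
    other = wire_length(b"value='" + b"q0w9z8x7k6j5h4g3", compress)
    return other - same

if __name__ == "__main__":
    # With compression the repeated secret is stored as a short back-reference,
    # so that response is smaller even though the content is encrypted.
    print("gap with compression:   ", length_gap(True), "bytes")
    # Without compression both responses have identical size: no signal.
    print("gap without compression:", length_gap(False), "bytes")
```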

So the point of all of this is that no, encryption is not the end-all, be-all of security. While algorithms being broken or brute force attacks being attempted may not be a very widespread problem if you use strong enough keys, there are other things that can go wrong. What if the private key used gets lost or stolen? What if side-channel attacks are found? What if bugs happen in implementations? And there's even talk of back doors in commonly used software. It's important not to place too much trust in any single technology or security measure. It's been said before, but computer security is a layered system. You should rely on a series of barriers to keep yourself and your users safe and ensure their privacy. The safest advice is that if you don't want something to get out, don't put it online. There is still cause for keeping some computers completely offline, and for never sending some documents out via email or cloud services.


Patrick Lambert has been working in the tech industry for over 15 years, both as an online freelancer and in companies around Montreal, Canada. A fan of Star Wars, gaming, technology, and art, he writes for several sites including the art news commun...
