April 30th, 2006

Is encryption really crackable?

Posted by George Ou @ 1:44 am

Categories: Security

Tags:

When I sent out this alert about Banks not using SSL to prove their identity to their users, quite a bit of feedback was excessively cynical on encryption technology and cryptography in general along the lines of "it’s useless anyways".  While there are times when a little cynicism is healthy, this isn’t one of them and it seems all too common for some in the IT industry to say things like "encryption is easily broken".  Spreading misinformation 256 bits is roughly equal to the number of atoms in the universe. about the weakness of encryption is harmful because the biggest problem with Cryptography is that it isn’t used correctly or isn’t used at all.  Spreading the myth that encryption is useless will only get people to say "why bother if it’s already broken" and make people less secure.

The problem is compounded by the fact that much of the misinformation out there actually sounds somewhat believable and many people just don’t know what to believe.  So to settle this once and for all, let’s look at the facts.  One of the things that make these myths plausible is the fact that "128-bit" WEP encryption used in 802.11 Wireless LANs is so pathetically weak.  The inside scoop is that WEP was designed during the late 90s during a time when USA export laws were extremely tight.  Fearing 802.11 devices would be banned by US export laws, good encryption algorithms were deliberately passed up by the 802.11 group in favor of a weaker one.  The WEP algorithm was fundamentally flawed and the 802.11 standards body knew full well that it wasn’t a strong encryption algorithm when they selected it.  However, WEP’s glaring weaknesses are not characteristic of any properly implemented symmetric encryption algorithms used in SSL or VPN implementations.  To give you an idea of how good something like DES is, DES is 30 years old and no one has found any weakness or shortcut for cracking it yet though it can be brute forced.  Brute force techniques are considered impractical because modern encryption algorithms are 128 to 256 bits long.

Further propelling the myth that encryption is worthless is that I often hear people saying that they heard that a 512 bit RSA key was broken.  The truth of the matter is that 512 bit (and recently even 660 bit) RSA keys have been broken by the University of Bonn in Germany but that is has absolutely nothing to do with the type of encryption that’s used for ordinary bulk encryption.  Furthermore, RSA’s inventors were well aware of the fact that it takes a much larger key to be secure which is why typical implementations are at a minimum 768 bits and can easily go up to 2048 bits and beyond.  To give you an idea what it takes to break an RSA 1620 bit key, you would need a computer with 120 Terabytes of memory before you can even think about attempting it and the memory requirement virtually rules out massively distributed cracking methods.  Some may ask why use RSA keys when it’s many orders of magnitude slower and requires so many more bits to be secure, the reason is that RSA encryption has the special property of being able to do secure key exchanges in plain sight of an adversary who is trying to break in but still remain safe.  For this reason, RSA keys are strictly used for the initial phases of a secure communication session for the purpose of Authentication (where one entity proves who they are) and for secure key exchanges (used for bulk symmetric encryption).  Once the initial transaction is complete, the key that was exchanged during the initial RSA phase can now be used for SSL or VPN bulk encryption with algorithms like RC5, 3DES, or AES.

The last big factor in encryption myths and bit size inflation is salesmen and marketers because bigger numbers always sound nicer.  I’ve had salesmen come in to my office and try to tell me that RSA or AES encryption was worthless and that I should be using their product which uses some kind of 1000 bit wonder-crypto solution.  All it takes is one company to try and out do their competitors and pitch their products using 4096-bit RSA and the next company will come along and pitch 16384-bit RSA keys in their product.  Many IT consultants will shy away from quoting smaller bit sizes because they’re afraid to be out done by their competitors.

Ah, but what about the dreaded massively distributed cracking brute force method for attacking something like 128 bit RC5 encryption?  There are massive zombie farms of infected computers throughout the world and some may have gotten as big as 1 million infected computers.  What if that entire army was unleashed upon the commonly used 128 bit RC5 encryption?  Surprisingly, the answer is not much.  For the sake of argument, let’s say we unleash 4.3 billion computers for the purpose of distributed cracking.  This means that it would be 4.3 billion or 2 to the 32 times faster than a single computer.  This means we could simply take 2 to the 128 combinations for 128-bit encryption and divide it by 2 to the 32 which means that 2 to the 96 bits are left.  With 96 bits left, it’s still 4.3 billion times stronger than 64 bit encryption.  64 bit encryption happens to be the world record for the biggest RC5 bit key cracked in 2002 which took nearly 5 years to achieve for a massive distributed attack.

Now that we know that the distributed attacks will only shave off a few bits, what about Moore’s law which historically meant that computers roughly doubled in speed every 18 months?  That means in 48 years we can shave another 32 bits off the encryption armor which means 5 trillion future computers might get lucky in 5 years to find the key for RC5 128-bit encryption.  But with 256-bit AES encryption, that moves the date out another 192 years before computers are predicted to be fast enough to even attempt a massively distributed attack.  To give you an idea how big 256 bits is, it’s roughly equal to the number of atoms in the universe!

Once some of these basic facts on encryption become clear, "is encryption crackable" isn’t the right question because the real question is "when can it be cracked and will it matter then".  This is just like Bank safes which are rated by the time it takes an attacker to crack it open and never sold as "uncrackable".  Encryption strength and the number of bits used are selected based on how many decades the data needs to be kept safe.  For a secure E-Commerce transaction, the data being transmitted is moot after a few decades which is why 128-bit encryption is perfectly suitable since it’s considered unbreakable for the next few decades.  For top secret classified data that needs to remain secret for the next 100 years, the Government uses NIST certified 256-bit AES encryption.  So the next time someone tells you that encryption is crackable, ask him if he’ll be around on this earth to see it demonstrated.