July 7th, 2008

$1 Million prize offered for cracking an encryption algorithm

Posted by Dancho Danchev @ 3:55 pm

Categories: Germany, Governments, Malware, Privacy, Rootkits, Spyware and Adware, United States of America

Tags: Encryption Challenge, Cryptography, Permanent Privacy, Peter Schweitzer, Guerilla Marketing, Dancho Danchev

It’s 2008, and companies perhaps rich on VC money to waste in a guerilla marketing tactic for generating viral buzz, still talk and act as the utopian “unbreakable encryption” algorithm is the panacea of security, or the “Hackers Hell: Privacy That Can’t Be Compromised” as they pitch it.

Permanent Privacy is one of these companies suffering from marketing myopia, and re-inventing the wheel by promotion what’s already available on the market, unbreakable encryption if the algorithm is directly attacked, and the opportunity for obtaining the keys and passphrases through malware excluded. They are, whatsoever, offering $1m to those who manage crack their data encryption system :

“Permanent Privacy  announces the world’s first practical data encryption system that is absolutely unbreakable. And is offering a $1,000,000 challenge to anyone who can crack it. Permanent Privacy (patent pending) has been verified by Peter Schweitzer, one of Harvard’s top cryptanalysts, and for the inevitable cynics Permanent Privacy is offering $1,000,000 to anyone who can decipher a sample of ciphertext. Peter White, Managing Director of Permanent Privacy, said:

“The world of cryptography shuns and disparages outsiders, but Permanent Privacy is the real thing. You can now send emails and store data with 100% security. Even the Pentagon can’t read your secrets if they don’t have the keys”.

There’s a business model in here, and not necessarily the brand with a mission like you’d want it to be.  For instance, in order to participate in the challenge, you’d have a purchase the tool for $39 - “Each licence bought will entitle one entry into the Million Dollar Challenge“, and what follows is the best part. Even if you purchase it and encrypt a message, the person who wants to decrypt the message would also have the purchase the tool - “if your friend wants to decrypt something you’ve sent he/she will also need to purchase PP as well.” Thinking for a second about the number of people with whom you exchange encrypted emails on a daily basis, and how they wouldn’t be able to read them unless they too, purchase the tool, ruins my understanding of public key cryptography.

As far as the “unbreakable encryption” is concerned, it’s already there. The GPcode authors use it, and probably you use it, which doesn’t mean that you are no longer susceptible to malware and spyware attacks aiming to steal your secret keys and passphrase, since it would be virtually impossible, if not impractical to directly attack the encryption algorithm used. Cases in point :

• the recent espionage attempts against pro-tibet groups were aiming to steal their PGP encryption keys through malware

• police spyware also known as fedware aiming to assist law enforcement in dealing with “unbreakable encryption” is only starting to take place as a concept

• in Bavaria, Skype encryption wiretapping trojans are already legally used and, of course, abused lawfully

These ongoing developments clearly indicate that whenever the algorithm cannot be cracked, adaptive approaches are already in the works, and so even the “unbreakable encryption” can by simply bypassed by stealing your keys and associated passphrase through malware. Therefore, the “unbreakable encryption” used in a compromised environment is literally worth nothing.