A time-limit on encryption?

5:20 pm on February 2, 2009 | By Dan Maksim | In brute-force attack, key destruction, password policy, rainbow attack, social engineering |

The computational power required to brute-force the most widely used encryption algorithms (RSA, PGP, 3DES) is currently beyond anyone’s reach, provided that a sufficiently large key is used for encryption.  Such power should continue to be out of anyone’s reach for the foreseeable future, assuming that:

1. Moore’s law holds true, that is, computing power only doubles every 18 to 24 months

2. a breakthrough in quantum computing is not just over the horizon

3. there are no striking advances in currently used factoring algorithms

These assumptions are generally considered to be reasonable.  The real, immediate risk to most security systems continues to be weak password policies and social engineering.
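The first assumption can be turned into a rough estimate. The following is an added example, not part of the original post: it models an attacker whose key-testing rate doubles on a fixed schedule and solves for the time needed to search half of a keyspace. The starting rate of 10^12 keys per second and the key sizes are constructed inputs, and the model covers exhaustive key search only, not factoring attacks on RSA.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def static_years(key_bits, rate_per_sec, fraction=0.5):
    """Years to test `fraction` of the keyspace at a constant rate."""
    return fraction * 2.0 ** key_bits / (rate_per_sec * SECONDS_PER_YEAR)


def years_to_search(key_bits, start_rate_per_sec, doubling_years, fraction=0.5):
    """Years to test `fraction` of the keyspace when the attacker's rate
    doubles every `doubling_years` (assumption 1 in the list above).

    Keys tested by year t = integral of r0 * 2^(s/T) ds from 0 to t
                          = r0 * T / ln 2 * (2^(t/T) - 1)
    Solving for t gives   t = T * log2(1 + keys_needed * ln 2 / (r0 * T)).
    """
    keys_needed = fraction * 2.0 ** key_bits
    rate_per_year = start_rate_per_sec * SECONDS_PER_YEAR
    scale = rate_per_year * doubling_years / math.log(2)
    # log1p keeps precision when the search finishes long before one doubling
    return doubling_years * math.log1p(keys_needed / scale) / math.log(2)


def lifetime_table(key_sizes, start_rate_per_sec, doubling_periods):
    """Rows of (key_bits, doubling_years, years until half the keys are tried)."""
    return [
        (bits, period, years_to_search(bits, start_rate_per_sec, period))
        for bits in key_sizes
        for period in doubling_periods
    ]


if __name__ == "__main__":
    # Constructed inputs: 1e12 keys/second today, doubling every 18 or 24 months.
    for bits, period, years in lifetime_table([56, 80, 112, 128], 1e12, [1.5, 2.0]):
        print(f"{bits:>4}-bit key, doubling every {period} y: {years:10.3f} years")
```

Under this model every extra key bit buys roughly one more doubling period, so key length sets a time limit that grows linearly in bits rather than exponentially.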

However, what if your encrypted data falls into an attacker’s hands, and an exploitable flaw is found in the way your data is encrypted and stored?  How likely is this to happen?  If we look at cryptographic systems introduced only ~10 years ago, we see that flaws are often found ~5 years after their widespread implementation, and these usually lead to full cracks of the system in the following ~2-10 years.  Granted, current encryption algorithms are more robust and have already withstood far more scrutiny than older ones, but breaches do still happen.  For example, SSL was recently compromised and attackers were able to create a rogue certificate authority.

Encryption alone isn’t sufficient to guarantee long-term security.  Removal/destruction of secure data in addition to encryption is preferable.  If nothing else, destruction of private keys is a great start.
