Essays in the Category "Computer and Information Security"
Page 31 of 33
The Crypto Bomb Is Ticking
Today’s faster, less expensive computers can crack current encryption algorithms easier than ever before. So what’s next?
Cryptographic algorithms have a way of degrading over time. It’s a situation that most techies aren’t used to: Compression algorithms don’t compress less as the years go by, and sorting algorithms don’t sort slower. But encryption algorithms get easier to break; something that sufficed three years ago might not today.
Several things are going on. First, there’s Moore’s law. Computers are getting faster, better networked, and more plentiful. The table “Cracking for Dollars” on page 98 illustrates the vulnerability of encryption to computer power. Cryptographic algorithms are all vulnerable to brute force—trying every possible encryption key, systematically searching for hash-function collisions, factoring the large composite number, and so forth—and brute force gets easier with time. A 56-bit key was long enough in the mid-1970s; today that can be pitifully small. In 1977, Martin Gardner wrote that 129-digit numbers would never be factored; in 1994, one was…
The Secret Story of Nonsecret Encryption
GCHQ, the British equivalent of the U.S. NSA, released a document on December 1 1997, claiming to have invented publickey cryptography several years before it was discovered by the research community (http://www.cesg.gov.uk/ellisint.htm). According to the paper, GCHQ discovered both RSA and Diffie-Hellman, then kept their discoveries secret.
James Ellis the author of the paper (who died a few days before the paper’s release), wrote that he was inspired by an unknown Bell Telephone labs researcher during World War II. This researcher had the idea that a receiver could inject noise onto a communications circuit and effectively drown out any signal. An eavesdropper would only hear the noise, but the receiver could subtract the noise and recover the signal. The interesting idea here is that the sender doesn’t have to know any encryption “key” to send a secret message to the receiverthe receiver does all the work. (This is essentially what ech(>cancelling modems do; they scream at each other along the same line, and subtract out their own signal when they listen for the other.) This was promptly classified by the Li.S. government…
Security for Remote Access VPNs Must Be Simple
Unlike site-to-site VPNs, where remote offices are hard-wired to a central facility firewall, remote access VPNs are fraught with security problems. Much of the security consists of trusted passwords that traveling workers use on their notebook computers.
To be effective, a VPN’s security implementation must be user-friendly while not penalizing your enterprise in other ways, such as by degrading network performance or compromising corporate control of the remote access network.
Think of the lock on the front door of your home. It certainly is easy to use, and it doesn’t force you to endure undue hardship to install, maintain or control…
Click Here to Bring Down the Internet
The Internet is fragile, rickety. It is at the mercy of every hacker and cracker. In recent Congressional testimony, hackers from the L0pht boasted that they could bring down the Internet in under 30 minutes. Should we be concerned?
In almost every area, those with the expertise to build our social infrastructure also have the expertise to destroy it. Mark Loizeaux is President of Controlled Demolitions, Inc.; he blows up buildings for a living. He’s quoted in the July 1997 Harper’s Magazine: “We could drop every bridge in the United States in a couple of days…. I could drive a truck on the Verrazano Narrows Bridge and have a dirt bike on the back, drop that bridge, and I would get away. They would never stop me.” Ask any doctor how to poison someone untraceably, and he can tell you. Ask someone who works in aircraft maintenance how to knock a 747 out of the sky, and he’ll know. The Internet is no different…
Security Pitfalls in Cryptography
Magazine articles like to describe cryptography products in terms of algorithms and key length. Algorithms make good sound bites: they can be explained in a few words and they’re easy to compare with one another. “128-bit keys mean good security.” “Triple-DES means good security.” “40-bit keys mean weak security.” “2048-bit RSA is better than 1024-bit RSA.”
But reality isn’t that simple. Longer keys don’t always mean more security. Compare the cryptographic algorithm to the lock on your front door. Most door locks have four metal pins, each of which can be in one of ten positions. A key sets the pins in a particular configuration. If the key aligns them all correctly, then the lock opens. So there are only 10,000 possible keys, and a burglar willing to try all 10,000 is guaranteed to break into your house. But an improved lock with ten pins, making 10 billion possible keys, probably won’t make your house more secure. Burglars don’t try every possible key (a brute-force attack); most aren’t even clever enough to pick the lock (a cryptographic attack against the algorithm). They smash windows, kick in doors, disguise themselves as policemen, or rob keyholders at gunpoint. One ring of art thieves in California defeated home security systems by taking a chainsaw to the house walls. Better locks don’t help against these attacks…
The Challenge of Cryptography
Never underestimate the time and effort attackers will expend to thwart your security systems.These days, security is on the minds of anyone involved in building or using information systems. After all, every form of commerce has had its share of fraud, from farmers rigging their weight scales to counterfeiters passing off phony currency. Electronic commerce is no exception, with fraud taking the form of forgery, misrepresentation, and denial of service. And it doesn’t stop with electronic transactions. There are privacy breaches, with competitors intercepting communications, and electronic vandalism, with attackers destroying Web pages and mail-bombing ISPs. It seems threats are coming from everywhere…
Cryptography, Security and the Future
From e-mail to cellular communications, from secure Web access to digital cash, cryptography is an essential part of today’s information systems. Cryptography helps provide accountability, fairness, accuracy, and confidentiality. It can prevent fraud in electronic commerce and assure the validity of financial transactions. It can protect your anonymity or prove your identity. It can keep vandals from altering your Web page and prevent industrial competitors from reading your confidential documents. And in the future, as commerce and communications continue to move to computer networks, cryptography will become more and more vital…
Why Cryptography Is Harder Than It Looks
From e-mail to cellular communications, from secure Web access to digital cash, cryptography is an essential part of today’s information systems. Cryptography helps provide accountability, fairness, accuracy, and confidentiality. It can prevent fraud in electronic commerce and assure the validity of financial transactions. It can prove your identity or protect your anonymity. It can keep vandals from altering your Web page and prevent industrial competitors from reading your confidential documents. And in the future, as commerce and communications continue to move to computer networks, cryptography will become more and more vital…
Protect Your E-Mail
Safeguard your messages today, and prepare for electronic commerce tomorrow
You may have just started using the Internet for your business, but scientists, academics, and computer programmers have been using it for years. It was designed specifically as a public network for sharing information. Because the availability of information was the priority, provisions for data security were not considered essential. But now that you’re sending proprietary business information over the Internet that openness can become a drawback. You need to take steps to protect your communications…
Electronic Speech – For Domestic Use Only
The U.S. State Department recently ruled that some forms of electronic speech are not protected by the First Amendment and can be prohibited from export. This decision raises questions about freedom of speech on the information superhighway. As business communications continue to migrate from paper mail to electronic mail, these questions will become more important. It is vital that laws address this new form of speech.
Last year, I wrote a book called Applied Cryptography> (John Wiley & Sons, 1994), which explains cryptography in nonmathematical language. It describes how to build cryptography into products, illustrates cryptographic techniques, and evaluates algorithms and makes recommendations on their quality. It even includes source-code listings that enable readers to implement many of the algorithms and techniques described…
Sidebar photo of Bruce Schneier by Joe MacInnis.