Skip to content

Can Encryption Keep Our Information Safe?

2009 December 13

Imagine what would happen if we couldn’t encrypt our information.  Nothing we do electronically would be safe.  Hackers could run up our phone bills, buy things on our account or just simply steal all of our money and not bother with the rest.

Therefore, it is troubling – to say the least – that encryption we now consider “unbreakable” will be broken routinely in as little as a decade or so from now.

Although the details of encryption are mind-numbingly complex, the basic concept is accessible to anyone who has ever watched an Indiana Jones movie.

A Lost Temple

Imagine you are Indiana Jones, and you want to get inside a “Lost Temple.” (Of course it really isn’t lost any more, because you found it – after all, you are Indiana Jones.)  Unfortunately, you need a key to get in.

Since this is an Indiana Jones movie, it is not as simple as finding the key, because it is broken into two pieces, which are in different places and guarded by big, tough, bad guys.  If you are going to thwart the bad guys and open the Lost Temple, you will either have to outsmart the bad guys or overpower them.

A Code in Two Parts

Real world encryption is very similar to the Indiana Jones story, although instead of the key broken into two stone pieces, it’s broken into two prime numbers (in practice, one is a “public key” and one is a “private key”).

You will recall, from your high school math teacher, that a prime number is divisible only by one and itself (e.g. 2, 3, 5, 7, 11…).  Therefore, if you multiply two prime numbers, the resulting number is divisible only by one, itself and the two prime numbers that you started with.

Suppose you want to make a secret code and you don’t want anybody else to know the whole thing (To make things intriguing, let’s say the code is needed to reveal your killer in the event that you don’t come back from a secret mission.)

You do it quite simply by creating a numerical code of say, “35” (Which is the product of two primes, 5 and 7).  You can then give one part of the code, “5”to one friend and the other part of the code, “7” to another friend.

It is only by multiplying those numbers, not any others, that your secret code, and your killer, can be revealed.

That is basically how we keep the internet secure today.  The only difference is that the numbers (the bad guys guarding the keys) are really, really, really BIG.  They are so big that it would take today’s best supercomputer over 100 years to factor the number and crack the code. Presumably, the code will have changed by then.

Two Ways to Beat Encryption

As mentioned above, you (as Indiana Jones) have two ways to beat the “bad guys” if you are going to get both pieces of the key:  You will either need to outsmart them or overpower them.

Riemann Hypothesis: Far beyond the powers of the math teacher who taught you about prime numbers is the Riemann Hypothesis.

It was developed by Bernhard Riemann about 150 years ago and is so complicated, that nobody can prove it (and given that it has something to do with the distribution of zeros in something called “Zeta functions,” that he himself developed, few can even understand what it is).

Anybody who can prove it will win a number of prizes, including the Millennium Prize worth $1 Million.  As an ancillary benefit, the solution would also allow one to predict the distribution of prime numbers. To go back to the Indiana Jones analogy, the Rieman Hypothesis would provide a map showing exactly where the keys are.

Therefore, it is quite possible that anybody who actually did solve the Riemann Hypothesis would just skip the prize and steal all of our money.  (This idea was the subject of an episode on the TV show NUMB3RS).

 

Quantum Computing: Most probably, Quantum computing will be developed in the next decade or so and will create computers that are exponentially more powerful than the ones we have today.

How this can be done has already been demonstrated through Shor’s Algorithm.  Present day encryption will become breakable through what security experts call a “brute force” attack.  It’s just a matter of time.   In effect, it will allow Indiana Jones to just beat up the bad guys without having to outsmart them.

(For more on Quantum Computing, see: 3 Trends that will Shape the Digital World over the Next Decade).

Can Indiana Jones be Thwarted and our Information Kept Safe?

Most probably, new methods of encryption will be developed and critical information will be kept safe.  I’m not an expert (my degree was actually in Philosophy), but I can see two possibilities.  I would welcome any comments from people who know more.

Stronger Math: One obvious solution would be just to keep coming up with bigger numbers or to find a stronger mathematical method of encrypting.  However, it seems to me that either would be, at best, a medium term solution.

Teleported Bandwidth: Another possibility, as amazing as it is outlandish, is to simply teleport information point to point, anywhere in the universe – instantly.  Although teleportation is usually considered the stuff of science fiction, it has a basis in quantum theory and has been theoretically possible since the 1930’s.

The idea that information could simply be in one place and appear magically somewhere else was one of the reasons that Einstein was deeply skeptical of quantum theory.  As he famously said “God doesn’t play dice with the universe,” (to which Niels Bohr famously quipped, “Einstein, stop telling God what to do!”)

In 1935, Einstein and proposed an experiment (called the EPR experiment), to disprove the possibility of what he called “spooky action at a distance.”  He reasoned that if Quantum Theory were true, any action affecting one particle would then change another particle far away and indirectly teleportation would be possible.  The notion horrified Einstein.

The phenomenon, called Quantum Entanglement, was demonstrated with particles of light at IBM laboratories in 1993 (at which point, Einstein was no longer around to scoff).  Since then, whole atoms have been teleported, albeit over relatively short distances.  While teleportation of objects is still a long way off, transfer of information is significantly easier.

Ironically, if teleportation does become possible and practical, it will be the same quantum computing technology that creates the encryption crises which will make the solution possible.

What does the Future Hold?

Progress goes both ways.  So hopefully the technology that has the potential to breech computer security will also offer solutions that will protect our information.  Apparently, as Paul Benjou reports on his site, Google is already at work on a super secure “Quantum Search.”

As computers become more powerful, the basic problem of breakable encryption will become more real.  A solution will need to be found.

- Greg

14 Responses leave one →
  1. Sarah Khan permalink
    December 14, 2009

    As an Archaeology Major and a current Cyber Security Underwriter I truly enjoyed the allusion to Indiana Jones. Some alarming points were mentioned, yet most unsettling is the reality that many companies that posses our data encrypt personally identifiable information sparingly whether at rest or in transit.

    [Reply]

    Greg Reply:

    Sarah,

    It’s a very good point.

    Thanks.

    - Greg

    [Reply]

  2. December 15, 2009

    Commercial users of encryption tend to follow the herd – SSL, PGP, RSA, DES, etc.; largely because these are typically incorporated into COTS products.

    What commercial organisations seldom do is consider the value lifetime of the information they are encrypting. Military and diplomatic cypher systems are graded according to the value of the information they can be used to protect. Tactic (e.g. battlefield) information might only be valuable for minutes to hours, strategic information will likely be valuable for months to years. By “valuable”, I mean here that the information can be used immediately to the enemy’s (competitor’s) advantage.

    In commercial terms, parallels can be found in today’s sales figures for one store (tactical) and the Board’s plans for acquisitive growth in the next five years.

    There is an old tenet in encypherment, that you don’t use high-grade systems for low-grade information. The main reason is that “low-grade information” will not attract other forms of protection (e.g. physical security), meaning that it is likely to be leaked, which provides the potential for a “known plain-text” attack against the encyphering systems and the key(s) used. The daily key for the WW2 German five-rotor Enigma machine was broken by Bletchley because U-boat captains sent weather reports using the system and the British, through radio direction-finding coupled with their own observations, could largely determine the weather for the area in which the submarine was operating.

    Some commercial information will require high-grade protection even though it is “tactical”, for example, embargoed information such as the consolidated annual accounts data prior to Market announcement.

    In commercial organisations, though, singular systems and keys are not uncommon. In many organisations these are seldom changed. All data that are encrypted use the same systems/keys, regardless of value or duration of protection.

    A simple equation to remember is: Value X Lifetime = Strength; where “Strength” is a combination of the robustness of the algorithm and its implementation, and the length and change frequency of the key(s), and some other ‘stuff’.

    The implementation of the algorithm is vitally important, but difficult to check. I have seen systems that generated and used weak keys; I have seen systems where the advertised (and reviewed by my team) algorithm was not the one actually implemented, and I have seen implementations that had back-doors built in enabling “others” to read the clear-text in real time.

    For a long time, the most acceptable measure of the strength of an encryption system is how “computationally secure” it is. In other words, how many processor cycles are needed to conduct a successful brute-force attack. The Colossi and Bombes used to break the German coding machines in WW2 were roughly equivalent to a 70MHz PC. In a recent experiment, a coded message was broken by a rebuilt Colossus in a little over three and a half hours. Joachim Schueth broke it on a 1.4GHz PC in around 10 seconds … a ratio of 1:21 improvement. On the PC I am using (all other factors being equal), it would take less than five seconds. By many observers, that wouldn’t be considered “computationally secure” even for tactical information.

    [Reply]

    Greg Reply:

    Michael,

    Thanks for sharing your expertise.

    - Greg

    [Reply]

  3. Peter permalink
    December 15, 2009

    Excellent, thought provoking piece of work, especially in the same week that the DVLA announced that all of its records are now shared across the whole of the EU. Since several of these countries don’t even have laws about use of data, expect all sorts of phishing etc. from that.

    Some of this is overblown, however. Sort of: Lists of names, telephone numbers and addresses of everyone in the neighbourhood left on a doorstep – shock. Oh – it’s the phone book.

    People like to think their data is private but very little is either private or unique. Customer names of the big stores, for example, could probably be guessed from a demographic of the local area. We love to publish lots of data on web sites which are regularly trawled and copyrighted material “repurposed”.

    What is actually unique is the data and methodology in people’s heads – something we call skill and experience.

    So what does this mean for the marketer?
    We must move away from data driven systems which neglect human input and educate, train and trust people more.
    We must leverage things which stop people copying our business model such as barriers to entry.
    We must work like spies or terrorists with data kept in cells, rather than centralised where a breach could give someone everything.

    Last but not least is that data tells where someone has been, not where they’re going. Copying is never the way to success – innovation is.

    [Reply]

    Greg Reply:

    Peter,

    I understand where you’re coming from, but think that the bigger problem is with secure transactions.

    - Greg

    [Reply]

  4. December 16, 2009

    Peter’s commment about EU member countries not having data protection legislation is incorrect. In compliance with Directive 95/46/EC, all EU members have enacted data protection legislation.

    Personal Data obtained by a Data Controller within the EU can be processed in any EU or EEA country and in countries which have “adequate” Data Protection legislation, or where an approved “Safe Harbour” arrangement is in place, or by a Data Processor anywhere under the terms of the Model Contract.

    Peter’s point about the telephone directory is noted, but ever-increasingly the issue is that of “other information in the possession of”. The telephone book is not Google. It reveals only limited information based upon indexing by subscriber name. It is not practical to “reverse search” such indexed material (as a printed book containing hundreds of thousands of entries) for a subscriber’s name by their address or telephone number.

    For interest, an interesting Gallop survey of attitudes towards data protection legislation (January 2008) in EU countries is available here: http://ec.europa.eu/public_opinion/flash/fl_226_sum_en.pdf

    [Reply]

    Greg Reply:

    Michael,

    Thanks for the information. Information security is a confusing topic, especially for non specialists and encryption is only one part of it.

    - Greg

    [Reply]

  5. January 5, 2010

    Thanks for your discussion.
    I AM so interested in all informations about your question.
    I look forward to great successes from you in 2010.

    Sami

    [Reply]

    Greg Reply:

    Sami,

    Thanks. Best of luck in the new year to you as well.

    - Greg

    [Reply]

  6. January 6, 2010

    Greg,

    I understand you that the bigger problem is with secure transactions.

    In my http://www.card4net.com you can see my prototype, my solution is based in
    your believe.

    sami

    [Reply]

    Greg Reply:

    Sami,

    Thanks. Good luck with it.

    - Greg

    [Reply]

  7. January 18, 2010

    Greg,

    Encryption alone will not secure data, warns expert after code cracks
    http://www.out-law.com/page-10659

    Information security.
    sami

    [Reply]

    Greg Reply:

    Sami,

    Thanks for the info.

    - Gerg

    [Reply]

Leave a Reply

Note: You can use basic XHTML in your comments. Your email address will never be published.

Subscribe to this comment feed via RSS

CommentLuv badge