
What if Encryption Just Stopped Working?

Mitch Wagner
8/7/2015

The next segment of our science fiction serial is up:

Silence Like Diamonds – Episode 5: Circular Trail

Need to catch up? Read from the beginning: Silence Like Diamonds – Episode 1: Family Business

When you're up-to-date, come back here and we'll talk about encryption and how it's turned upside down in the world of "Silence Like Diamonds."

Over on his own blog, the author, John Barnes, calls out a key passage from Friday's episode: Silence Like Diamonds – Episode 3: Principle One

    Ever since the Yan-Dimri fast factorization algorithm had flipped the advantage from the encryptors to the cryptanalysts, only isolated systems could be really secure (at the cost of being really useless).

That sentence is cryptic (so to speak), but Barnes explains on his blog what he means -- and it's exactly what I thought he meant. (See Predictions Are Hard, Especially About the Future)

For the entire history of the public Internet -- call it 20 years or so -- we've enjoyed an asymmetry in encryption. It is far, far easier to encrypt a signal than it is to break the encryption.

How much easier? So easy that any $150 Chromebook or $100 smartphone can encrypt information so robustly that the most powerful and expensive supercomputer in the world can't break it.

That's very peculiar. We're not used to cheap computers being able to out-do expensive computers.

But we don't really think about it. We take it for granted, as if it's natural law.

In his blog, Barnes explains that this situation is only about 40 years old, dating back to the 1970s. Before that, encryption and codebreaking were in an arms race, with codebreakers breaking codes nearly as fast as they were created.

Now here's where things get really interesting: Nobody has ever proven that it's impossible to quickly break a code created with the strong encryption we rely on.

And nobody's proven that it's possible, either.

We just don't know.

We know that it hasn't been done in the 40 or so years these codes have been around.

Well, probably not.

All of global commerce depends on these encryption algorithms, and the trust that they're practically impossible to break.
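The asymmetry described above, as an added example that is not from the article or the serial. The article names no cipher, so this assumes textbook RSA, whose security rests on the difficulty of factoring n = p*q; trial division stands in for the fictional Yan-Dimri algorithm, and the primes and message are constructed.

```python
# Added example (assumptions: textbook RSA without padding, toy-sized primes).
from math import gcd, isqrt

def make_keypair(p, q, e=65537):
    """Build a textbook RSA key pair from two primes."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    return (n, e), pow(e, -1, phi)        # public key (n, e), private exponent d

def encrypt(pub, m):
    """The cheap direction: one modular exponentiation with public values."""
    n, e = pub
    return pow(m, e, n)

def decrypt(n, d, c):
    """The legitimate receiver's step, using the private exponent d."""
    return pow(c, d, n)

def factor_by_trial_division(n):
    """Stand-in factoring oracle. Returns (p, q, candidates tried)."""
    if n % 2 == 0:
        return 2, n // 2, 1
    steps = 0
    for cand in range(3, isqrt(n) + 1, 2):
        steps += 1
        if n % cand == 0:
            return cand, n // cand, steps
    raise ValueError("n has no nontrivial factor")

def break_with_factors(pub, c):
    """Whoever can factor n rebuilds d from the public key alone."""
    n, e = pub
    p, q, steps = factor_by_trial_division(n)
    d = pow(e, -1, (p - 1) * (q - 1))     # same computation the key owner did
    return decrypt(n, d, c), steps

if __name__ == "__main__":
    # Constructed sample: the 10,000th and 100,000th primes, a 4-byte message.
    pub, d = make_keypair(104729, 1299709)
    m = int.from_bytes(b"pay!", "big")
    c = encrypt(pub, m)
    recovered, steps = break_with_factors(pub, c)
    print("ciphertext:", c)
    print("recovered :", recovered.to_bytes(4, "big"), "after", steps, "divisions")
```

With a 37-bit modulus the search finishes in about fifty thousand divisions; the work for this naive method grows with the square root of n, while encryption stays a single exponentiation, which is the gap the article describes.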

In the near future of "Silence Like Diamonds," someone has figured out a way to break the best encryption algorithms. Two someones, named Yan and Dimri.

What would that world be like?

So far at least, the Yan-Dimri breakthrough hasn't figured much into the main story of "Silence Like Diamonds."

My first thought when I read the story, and John's follow-up post, was, "Wow! The world would be completely different! We'd have no privacy, and no secrets!"

And yet isn't that the situation we live in now? We live in the world after Edward Snowden, and countless other data breaches. For millions of us, our privacy is already broken. If attackers could break encryption, they'd just have new tools. It wouldn't be a fundamental change for privacy.

The breakthrough John imagines would mean big changes for business, because encryption is how we enable e-commerce. How could anyone do credit card transactions or funds transfers if they knew that criminals were likely eavesdropping over the wire, and collecting credit card numbers and bank information?




You wouldn't be able to trust the Internet for financial transactions anymore. You wouldn't be able to trust any means of electronic communications. You'd have to go back to transmitting funds and other private transactions by hand, using couriers, like in the 19th century and earlier. Instead of carrying documents, these couriers would carry portable disk drives and USB sticks, but otherwise the procedure would be the same.

Meanwhile, network managers would have to find new ways to innovate and do business on their networks. But that part isn't science fiction -- it's happening right now, part of the New IP revolution.

Read Light Reading every day to find out more about the New IP, and come back Tuesday for the next installment of "Silence Like Diamonds."

— Mitch Wagner, West Coast Bureau Chief, Light Reading. Got a tip about SDN or NFV? Send it to wagner@lightreading.com.

J Thomas,
User Rank: Light Beer
8/27/2015 | 9:20:14 PM
Re: Brooks7 has put his finger on both the problem and why I don't think it's as much of a problem
Authentication doesn't require encryption.


Maybe I missed the point here. If someone can successfully pretend to be you, they can do transactions in your name with your money.


If they have access to  your traffic, then they can see the tokens etc that you send. Is that enough for them to imitate you, given the skills to appear to send from your ISP etc?


But if your messages are encrypted and they can't read them, then access to the messages doesn't help them pretend to be you.

If you have access to a code that no one  else can break, the very fact that you know the code is pretty good evidence that it's you. Or at least that it came from your own software, that they had access to more than just your packets.

The big point is that our current encryption systems were set up to allow anybody to do encrypted stuff with anybody else on the net. You don't have to exchange secret keys over a public system, or find an alternative medium to send them. It just works, for everybody. If we lose that, we'll have to fall back on secret communication only between entities that have actually exchanged secret keys some other way.

Unless I misunderstand.
Mitch Wagner,
User Rank: Lightning
8/27/2015 | 8:40:31 PM
Re: Brooks7 has put his finger on both the problem and why I don't think it's as much of a problem
There are two separate problems here: Authentication and payment. 

Authentication doesn't require encryption. You might use a token, something like the way Google and other sites now handle two-factor authentication.

Payment can be managed by the bank and amazon -- as it is now. The new system might require exchange of one-time pads. They can figure it out. 
J Thomas,
User Rank: Light Beer
8/27/2015 | 7:24:41 AM
Re: Brooks7 has put his finger on both the problem and why I don't think it's as much of a problem
Your bank has an incentive to work out an arrangement with you. They might for example hand you a read-only data packet of some sort when you visit your bank. It can serve as a one-time pad. The intermediate entity makes money from banks and such, who each trade one-time pads with it. This is easier for them than each of them sharing one-time pads with each other.
Mitch Wagner,
User Rank: Lightning
8/26/2015 | 6:28:13 PM
Re: Brooks7 has put his finger on both the problem and why I don't think it's as much of a problem
J Thomas - How does an entity like Amazon make money on immediate purchases, though? 

For example, last night I was lying in bed at 11 pm and decided I needed a new computer bag (to go with my new MacBook Air, which replaced my MBP), and some other little travel and consumer electronics doodads. Total purchase came to about $65. I hit the check out key immediately, and the entire transaction was done in about 15 minutes. How would that work in an era where encryption could no longer be trusted?

Bear in mind that if I wait a day I might remember that I already have a room of the house devoted to computer bags and electronic gadgets I'm not using, and don't need anymore.

Hmmm... answering my own question here: I think the answer is credit. Amazon extends credit to me as a customer, and I only have to pay my bill monthly. That bill-payment can be done over a period of however long time it takes to transmit and receive a one-time pad. 

Whew! We've saved Amazon! Jeff Bezos will be relieved! :)
J Thomas,
User Rank: Light Beer
8/25/2015 | 3:22:55 PM
Re: Brooks7 has put his finger on both the problem and why I don't think it's as much of a problem
"Similarly, how could Amazon sell sweatsocks?"

You can have a known mailing address. It might take, say, a week for you to change it if you move.

Amazon sends your sweatsocks to your address. If someone ordered them for you with your money, then you return the sweatsocks and they return your money. The somebody who pretended to be you did not get the sweatsocks. Amazon can do this if it doesn't happen so often that they lose more than they can afford on mailing.

Harder version: Somebody says he sold you sweatsocks and takes your money. The sweatsocks never arrive, you didn't order them anyway, and your money is gone. The account was closed out and the money sent through some complicated laundering operation. What can anyone do about it?

One possibility -- You send the money to a professional escrow organization that verifies to the seller they have it. They send you the product, you then validate payment. You don't get your  money back. If you don't send the money on then you claim what happened, the other guy claims what happened, and anybody who wants to do business with either of you gets to review the record if they want to. Now the big trust issue isn't between you and everybody, it's mostly between you and your trusted escrow agency.

Better -- you have a trustworthy link with your bank. Your bank has a trustworthy link with your vendor's bank.

Instead of needing a trusted communication link with every entity in the system, you only need a path of trusted links, between pairs of entities that can presumably afford one-time pads or couriers to physically transfer private keys.

 
brooks7,
User Rank: Light Sabre
8/14/2015 | 11:56:11 AM
Re: Brooks7 has put his finger on both the problem and why I don't think it's as much of a problem
"Yes, it is breakable -- but it takes billions or trillions of years to do it through compute. So instead attackers use man-in-the-middle attacks, social engineering, or exploiting software bugs. Those things can be protected against."

I think you have the timescale wrong.  Just ask the NSA.  Try more like a year not billions of years.  The problem is that most people don't have the compute resources of the NSA.  That is just one reason why hackers try to take over machines (to assign them work).

And it is impossible to defend against Social Engineering attacks.  Imagine that I give Light Reading's IT head $1B to let me break in.  Think he would let me?  It is all a question of resources - not of technology.

So let me ask a question.  You ever gotten a Flash Drive at a trade show?  Ever plug it in?  How do you know that it does not have a Root Kit that the person that gave it to you did not know was there?

seven

 
John Barnes,
User Rank: Blogger
8/14/2015 | 3:27:41 AM
A little historical perspective on this over at my blog...
... as in what do a message wrapped in cigars, the Dreyfus affair, and the history of shinplasters have to do with fast factorization?


Mosey on over to my blog announcing Episode 7 for things in a bit more detail.  Sure hope there are a lot of cigar and shinplaster aficionados out there ....
Mitch Wagner,
User Rank: Lightning
8/11/2015 | 10:31:28 AM
Re: Brooks7 has put his finger on both the problem and why I don't think it's as much of a problem
brooks7 - "Here is the thing...again it is completely breakable right now.  There is no new tech required to break things.  But it takes say a year.  So, you can change your password before it becomes decrypted."

Yes, it is breakable -- but it takes billions or trillions of years to do it through compute. So instead attackers use man-in-the-middle attacks, social engineering, or exploiting software bugs. Those things can be protected against.

Decryption can't be protected against, so instead you rely on couriered messages, or one-time pads as described in the next installment of "Silence Like Diamonds." 
brooks7,
User Rank: Light Sabre
8/10/2015 | 12:59:23 PM
Re: Brooks7 has put his finger on both the problem and why I don't think it's as much of a problem
Mitch,

Here is the thing...again it is completely breakable right now.  There is no new tech required to break things.  But it takes say a year.  So, you can change your password before it becomes decrypted.

Multi-factor Auth is much better than changing the sign on procedures.  You just need an out of band comms mechanism.

seven

 
Mitch Wagner,
User Rank: Lightning
8/10/2015 | 10:52:13 AM
Re: Biometrics
brooks7 - You are technically correct. Today's encryption is indeed breakable, just not in a "reasonable time frame."

But that unreasonable time frame is longer than the known life of the universe.