& cplSiteName &

What if Encryption Just Stopped Working?

Mitch Wagner
8/7/2015
50%
50%

The next segment of our science fiction serial is up:

Silence Like Diamonds – Episode 5: Circular Trail

Need to catch up? Read from the beginning: Silence Like Diamonds – Episode 1: Family Business

When you're up-to-date, come back here and we'll talk about encryption and how it's turned upside down in the world of "Silence Like Diamonds."

Over on his own blog, the author, John Barnes, calls out a key passage from Friday's episode: Silence Like Diamonds – Episode 3: Principle One

    Ever since the Yan-Dimri fast factorization algorithm had flipped the advantage from the encryptors to the cryptanalysts, only isolated systems could be really secure (at the cost of being really useless).

That sentence is cryptic (so to speak), but Barnes explains on his blog what he means -- and it's exactly what I thought he meant. (See Predictions Are Hard, Especially About the Future)

For the entire history of the public Internet -- call it 20 years or so -- we've enjoyed an asymmetry in encryption. It is far, far easier to encrypt a signal than it is to break the encryption.

How much easier? So easy that any $150 Chromebook or $100 smartphone can encrypt information so robustly that the most powerful and expensive supercomputer in the world can't break it.

That's very peculiar. We're not used to cheap computers being able to out-do expensive computers.

But we don't really think about it. We take it for granted, as if it's natural law.

In his blog, Barnes explains that this situation is only about 40 years old, dating back to the 1970s. Previous to that, encryption and codebreakers were in an arms race, with codebreakers breaking encryption nearly as fast as the codes were created.

Now here's where things get really interesting: Nobody has ever proven that it's impossible to quickly break a code created with the strong encryption we rely on.

And nobody's proven that it's possible, either.

We just don't know.

We know that it hasn't been done in the 40 or so years these codes have been around.

Well, probably not.

All of global commerce depends on these encryption algorithms, and the trust that they're practically impossible to break.

In the near future of "Silence Like Diamonds," someone has figured out a way to break the best encryption algorithms. Two someones, named Yan and Dimri.

What would that world be like?

So far at least, the Yan-Dimri breakthrough hasn't figured much into the main story of "Silence Like Diamonds."

My first thought when I read the story, and John's follow-up post, was, "Wow! The world would be completely different! We'd have no privacy, and no secrets!"

And yet isn't that the situation we live in now? We live in the world after Edward Snowden, and countless other data breaches. For millions of us, our privacy is already broken. If attackers could break encryption, they'd just have new tools. It wouldn't be a fundamental change for privacy.

The breakthrough John imagines would mean big changes for business, because encryption is how we enable e-commerce. How could anyone do credit card transactions or funds transfers if they knew that criminals were likely eavesdropping over the the wire, and collecting credit card numbers and bank information?


Find out more about the New IP on Light Reading's The New IP Channel


You wouldn't be able to trust the Internet for financial transactions anymore. You wouldn't be able to trust any means of electronic communications. You'd have to go back to transmitting funds and other private transactions by hand, using couriers, like in the 19th century and earlier. Instead of carrying documents, these couriers would carry portable disk drives and USB sticks, but otherwise the procedure would be the same.

Meanwhile, network managers would have to find new ways to innovate and do business on their networks. But that part isn't science fiction -- it's happening right now, part of the New IP revolution.

Read Light Reading every day to find out more about the New IP, and come back Tuesday for the next installment of "Silence Like Diamonds."

— Mitch Wagner, Circle me on Google+ Follow me on TwitterVisit my LinkedIn profileFollow me on Facebook, West Coast Bureau Chief, Light Reading. Got a tip about SDN or NFV? Send it to wagner@lightreading.com.

(18)  | 
Comment  | 
Print  | 
Newest First  |  Oldest First  |  Threaded View        ADD A COMMENT
Page 1 / 2   >   >>
J Thomas
50%
50%
J Thomas,
User Rank: Light Beer
8/27/2015 | 9:20:14 PM
Re: Brooks7 has put his finger on both the problem and why I don't think it's as much of a problem
Authentication doesn't require encryption.


Maybe I missed the point here. If someone can successfully pretend to be you, they can do transactions in your name with your money.


If they have access to  your traffic, then they can see the tokens etc that you send. Is that enough for them to imitate you, given the skills to appear to send from your ISP etc?


But if your messages are encrypted and they can't read them, then access to the messages doesn't help them pretend to be you.

If you have access to a code that no one  else can break, the very fact that you know the code is pretty good evidence that it's you. Or at least that it came from your own software, that they had access to more than just your packets.

The big point is that our current encryption systems were set up to allow anybody to do encrypted stuff with anybody else on the net. You don't have to exchange secret keys over a public system, or find an alternative medium to send them. It just works, for everybody. If we lose that, we'll have to fall back on secret communication only between entities that have actually exchanged secret keys some other way.

Unless I misunderstand.
Mitch Wagner
50%
50%
Mitch Wagner,
User Rank: Lightning
8/27/2015 | 8:40:31 PM
Re: Brooks7 has put his finger on both the problem and why I don't think it's as much of a problem
There are two separate problems here: Authentication and payment. 

Authentication doesn't require encryption. You might use a token, something like the way Google and other sites now handle two-factor authentication.

Payment can be managed by the bank and amazon -- as it is now. The new system might require exchange of one-time pads. They can figure it out. 
J Thomas
50%
50%
J Thomas,
User Rank: Light Beer
8/27/2015 | 7:24:41 AM
Re: Brooks7 has put his finger on both the problem and why I don't think it's as much of a problem
Your bank has an incentive to work out an arrangement with you. They might for example hand you a read-only data packet of some sort when you visit your bank. It can serve as a one-time pad. The intermediate entity makes money from banks and such, who each trade one-time pads with it. This is easier for them than each of them sharing one-time pads with each other.
Mitch Wagner
50%
50%
Mitch Wagner,
User Rank: Lightning
8/26/2015 | 6:28:13 PM
Re: Brooks7 has put his finger on both the problem and why I don't think it's as much of a problem
J Thomas - How does an entity like Amazon make money on immediate purchases, though? 

For exmple, last night I was lying in bed at 11 pm and decided I needed a new computer bag (to go with my new MacBook Air, which replaced my MBP), and some other little travel and consumer electronics doodads. Total purchase came to about $65. I hit the check out key immediately, and the entire transaction was done in about 15 minutes. How would that work in an era where encryption could no longer be trusted?

Bear in mind that if I wait a day I might remember that I already have a room of the house devoted to computer bags and electronic gadgets I'm not using, and don't need anymore.

Hmmm... answering my own question here: I think the answer is credit. Amazon extends credit to me as a customer, and I only have to pay my bill monthly. That bill-payment can be done over a period of however long time it takes to transmit and receive a one-time pad. 

Whew! We've saved Amazon! Jeff Bezos will be relieved! :)
J Thomas
50%
50%
J Thomas,
User Rank: Light Beer
8/25/2015 | 3:22:55 PM
Re: Brooks7 has put his finger on both the problem and why I don't think it's as much of a problem
"Similarly, how could Amazon sell sweatsocks?"

You can have a known mailing address. It might take, say, a week for you to change it if you move.

Amazon sends your sweatsocks to your address. If someone ordered them for you with your money, then you return the sweatsocks and they return your money. The somebody who pretended to be you did not get the sweatsocks. Amazon can do this if it doesn't happen so often that they lose more than they can afford on mailing.

Harder version: Somebody says he sold you sweatsocks and takes your money. The sweatsocks never arrive, you didn't order them anyway, and your money is gone. The account was closed out and the mony sent through some complicated laundering operation. What can anyone do about it?

One possibility -- You send the money to a professional escrow organization that verifies to the seller they have it. They send you the product, you then validate payment. You don't get your  money back. If you don't send the money on then you claim what happened, the other guy claims what happened, and anybody who wants to do business with either of you gets to review the record if they want to. Now the big trust issue isn't between you and everybody, it's mostly between you and your trusted escrow agency.

Better -- you have a trustworthy link with your bank. Your bank has a trustworthy link with your vendor's bank.

Instead of needing a trusted communication link with every entity in the system, you only need a path of trusted links, between pairs of entities that can presumably afford one-time pads or couriers to physically transfer private keys.

 
brooks7
50%
50%
brooks7,
User Rank: Light Sabre
8/14/2015 | 11:56:11 AM
Re: Brooks7 has put his finger on both the problem and why I don't think it's as much of a problem
"Yes, it is breakable -- but it takes billions or trillions of years to do it through compute. So instead attackers use man-in-the-middle attacks, social engineering, or exploiting software bugs. Those things can be be protected against."

I think you have the timescale wrong.  Just ask the NSA.  Try more like a year not billions of years.  The problem is that most people don't have the compute resources of the NSA.  That is just one reason why hackers try to take over machines (to assign them work).

And it is impossible to defend against Social Engineering attacks.  Imagine that I give Light Reading's IT head $1B to let me break in.  Think he would let me?  It is all a question of resources - not of technology.

So let me ask a question.  You ever gotten a Flash Drive at a trade show?  Ever plug it in?  How do you know that it does not have a Root Kit that the person that gave it to you did not know was there?

seven

 
John Barnes
50%
50%
John Barnes,
User Rank: Blogger
8/14/2015 | 3:27:41 AM
A little historical perspective on this over at my blog...
... as in what do a message wrapped in cigars, the Dreyfuss affair, and the history of shinplasters have to do with fast factorization?


Mosey on over to my blog announcing Episode 7 for things in a bit more detail.  Sure hope there are a lot of cigar and shinplaster aficionados out there ....
Mitch Wagner
50%
50%
Mitch Wagner,
User Rank: Lightning
8/11/2015 | 10:31:28 AM
Re: Brooks7 has put his finger on both the problem and why I don't think it's as much of a problem
brooks7 - "Here is the thing...again it is completely breakable right now.  There is no new tech required to break things.  But it takes say a year.  So, you can change your password before it becomes decrypted."

Yes, it is breakable -- but it takes billions or trillions of years to do it through compute. So instead attackers use man-in-the-middle attacks, social engineering, or exploiting software bugs. Those things can be be protected against.

Decryption can't be protected against, so instead you rely on couriered messages, or one-time pads as described in the next installment of "Silence Like Diamonds." 
brooks7
50%
50%
brooks7,
User Rank: Light Sabre
8/10/2015 | 12:59:23 PM
Re: Brooks7 has put his finger on both the problem and why I don't think it's as much of a problem
Mitch,

Here is the thing...again it is completely breakable right now.  There is no new tech required to break things.  But it takes say a year.  So, you can change your password before it becomes decrypted.

Multi-factor Auth is much better than changing the sign on procedures.  You just need an out of band comms mechanism.

seven

 
Mitch Wagner
50%
50%
Mitch Wagner,
User Rank: Lightning
8/10/2015 | 10:52:13 AM
Re: Biometrics
brooks7 - You are technically correct. Today's encryption is indeed breakable, just not in a "reasonable time frame."

But that unreasonable time frame is longer than the known life of the universe
Page 1 / 2   >   >>
More Blogs from Wagner’s Ring
IBM and Cisco are working with Europe's largest port to reduce fuel consumption and other costs and improve safety.
In which we receive an alarming email from Oracle.
SD-WAN is about more than saving money – it also provides application delivery, insights and reliability. Find out more in this podcast sponsored by Citrix.
Platform is designed to enable enterprises to build big data analytics apps that move easily between public and private clouds.
Buying Evident.io extends Palo Alto's portfolio with API-based security capabilities and compliance automation.
Featured Video
From The Founder
John Chambers is still as passionate about business and innovation as he ever was at Cisco, finds Steve Saunders.
Flash Poll
Upcoming Live Events
June 26, 2018, Nice, France
September 12, 2018, Los Angeles, CA
September 24-26, 2018, Westin Westminster, Denver
October 9, 2018, The Westin Times Square, New York
October 17, 2018, Chicago, Illinois
October 23, 2018, Georgia World Congress Centre, Atlanta, GA
November 7-8, 2018, London, United Kingdom
November 8, 2018, The Montcalm by Marble Arch, London
November 15, 2018, The Westin Times Square, New York
December 4-6, 2018, Lisbon, Portugal
All Upcoming Live Events
Hot Topics
NFV Is Down but Not Out
Iain Morris, News Editor, 5/22/2018
Trump Denies ZTE Deal, Faces Senate Backlash
Dan Jones, Mobile Editor, 5/22/2018
What VeloCloud Cost VMware
Phil Harvey, US News Editor, 5/21/2018
5G in the USA: A Post-BCE Update
Dan Jones, Mobile Editor, 5/23/2018
Vanquished in Video, Verizon Admits OTT Defeat
Mari Silbey, Senior Editor, Cable/Video, 5/23/2018
Animals with Phones
Live Digital Audio

A CSP's digital transformation involves so much more than technology. Crucial – and often most challenging – is the cultural transformation that goes along with it. As Sigma's Chief Technology Officer, Catherine Michel has extensive experience with technology as she leads the company's entire product portfolio and strategy. But she's also no stranger to merging technology and culture, having taken a company — Tribold — from inception to acquisition (by Sigma in 2013), and she continues to advise service providers on how to drive their own transformations. This impressive female leader and vocal advocate for other women in the industry will join Women in Comms for a live radio show to discuss all things digital transformation, including the cultural transformation that goes along with it.

Like Us on Facebook
Twitter Feed