enterprisesecuritymag

The Modern Wild West: The Rough-and-Tumble World of Encryption

By Justin Vermillion, Office of Counterintelligence, Los Alamos National Laboratory

Justin Vermillion, Office of Counterintelligence, Los Alamos National Laboratory

Encryption is a big deal, but it hasn't always been so. In the early 90s, it was solidly in the realm of governments, corporations, and what the general public might consider paranoid tech geeks. Encryption was used to protect documents containing classified information, sensitive financial data, trade secrets, or emails between a few people who met at a key-signing party. Today, people have been educated a bit more, and most understand the privacy implications of not using some form of encryption.

According to Google, 94 percent of internet traffic in July 2019 was encrypted, up from just 58 percent five years earlier. Free services, like Let's Encrypt, have made that type of encryption cheaper and much more accessible. At the same time, security practitioners such as Kevin Mitnick and Bruce Schneier have worked hard to educate laypeople, in order to increase adoption of all forms of encryption among the general populace.

Government-funded research has resulted in standards like the Data Encryption Standard (DES), which is now outdated, and the more modern Advanced Encryption Standard (AES). These standards have had a massive economic impact—some economists estimate that AES alone has injected approximately $185 billion into the US economy since its development. They have also greatly increased the level of security available to the general public. Private researchers have also developed algorithms which are just as powerful, such as the Rivest-Shamir-Adleman algorithm, commonly known as RSA. With these advancements in technology, encryption is no longer just a tool for protecting the government and financial services. It is no longer relegated to the paranoid. Encryption is there for anyone and everyone to use as they see fit.

There is no doubt that AES and RSA are among the strongest algorithms ever developed. Most estimates suppose that it will be several lifetimes before anyone can truly crack either algorithm. With our current level of computing power, it would take more than a billion years to reverse-engineer a single AES key. RSA, which is based on factors of very large prime numbers, is simpler (in theory) to crack, but requires very powerful hardware. Current implementations of RSA recommend using keys of between 2048 and 4096 bits in length, which would theoretically also take more than a billion years to crack. The only real contender in that space is a quantum algorithm called Shor's Algorithm, but estimates seem to indicate that a quantum computer with around 7500 qubits would be required to fully implement the algorithm. To put that into a bit of perspective, the most powerful true quantum computer today has only 75 qubits. To simplify: what all of this means is that our current encryption algorithms are incredibly strong, and likely don't stand a chance of being cracked any time soon.

The general availability of such strong encryption means that even the “bad guys” have access to unbreakable encryption algorithms. These people, often state-sponsored actors, can, and do, put that encryption to regular and steady use in the form of ransomware (among other things). These attacks often leave the victims with no choice but to pay the ransom, or risk losing their data permanently. In 2018, losses from ransomware attacks averaged around $32,000 per month, with the highest single payout being $930,000. That year, the City of Atlanta spent nearly $17 million to recover from an attack with a $52,000 ransom. In early 2019, the City of Baltimore was struck by an attack that left the government partially crippled for nearly a month. In this case, the attacker only demanded a $76,000 ransom, but the total estimate for the city to recover from the attack is around $18 million.

Despite the strength of modern algorithms, there are still flaws that can be exploited. This is because the algorithms have to be implemented in some fashion in order for people to make use of them. The flaws that we find are often in the implementation, whether that is hardware or software. This is good news for law enforcement officials who are dealing with ransomware (attackers very often use poorly implemented versions of these encryption algorithms), but also somewhat bad news for everyone else in the world. Flaws are not often easy to find, but well-funded researchers do a good job of poring over each new encryption implementation with a fine-toothed comb. Many of those researchers are what we call “whitehats,” people who attempt to break software for the good of humanity. On the other side are “black hats,” often state-sponsored entities, who arehell-bent on breaking encryption for political or financial gain. It only takes a single leak for some of these state-sponsored tools to be released into thewild, putting them in the hands of organized crime, petty criminals, and script kiddies out to make a few bitcoins.

While it may all seem like doom and gloom, with the “white hats” and “black hats” in a constantly escalating arms race to find flaws and developexploits or patches (or both), some scientists believe that there is a proverbial light at the end of the tunnel in the form of quantum encryption.This type of encryption often makes use of the quantum properties of photons, and the principle that the simple act of observing the quantumstate of a particle irreversibly alters that state, making eavesdropping or tampering attempts very obvious to the intended recipient. Practicalimplementations of this type of encryption are estimated to be years, if not decades, away. Additionally, there are outspoken skeptics who feel thatresearch in this area is wasteful. These individuals believe that effort would be better put to use researching improvements to classical cryptography,which they say is secure enough to meet all of our needs for the foreseeable future.

To sum it all up, encryption is still in its “Wild West” stage. We are currently, as a community, more secure digitally than we have ever been before, butat the same time, we are being exposed to more security risks, with the potential for large economic or political impacts. Current encryption technologywill likely keep us going for quite a while, and new types of cryptography on the horizon seem promising. We must simply remain vigilant in building ourdefenses against crypto-based attacks, and, more likely than not, everything will work out just fine. But, in the immortal words of The Dude: that's just,like, my opinion, man.

Read Also

Augmenting Cybersecurity in Healthcare Industry

Augmenting Cybersecurity in Healthcare Industry

Robert Napoli, CIO, Planned Parenthood of the Great Northwest and the Hawaiian Islands
Creative Solutions for Developing the Public Sector Cybersecurity Workforce

Creative Solutions for Developing the Public Sector Cybersecurity Workforce

Gregory Crabb, CISO, VP, United States Postal Service
Information Security: Your People, Your First Line of Defense

Information Security: Your People, Your First Line of Defense

Eddie Borrero, CISO, Robert Half [NYSE:RHI]

Weekly Brief