Tuesday, September 18

The End of Encryption?

OK, I realize it's not the end of encryption, but this is a big deal. Separate groups of researchers in Australia and China have independently used quantum computers to factor the large numbers used for much of today's asymmetric encryption. Asymmetric encryption is used for PKI which is the underlying concept behind SSL -- probably the most fundamental component of security on the web.

Here's how SSL works (simplified):
  1. persons 1 & 2 agree on a base number (x)
  2. person 1 raises x to the power of a large secret key (y1) = z1
  3. person 2 raises x to the power of a large secret key (y2) = z2
  4. persons 1 & 2 exchange values z1 & z2
  5. person 1 raises z2 to the power of y1 = k
  6. person 2 raises z1 to the power of y2 = k
They now both have k as a secret key that nobody else knows.

The security of the process hinges on the fact that an eaves dropper wouldn't be able to take x and z1 (which are both passed openly) and quickly figure out y1 (the secret key) -- or do the same for y2. If that were possible, they would be able to listen in on SSL transactions. And that's pretty much what these researchers are now able to do.

The article suggests that "For the moment, enterprise computers seem pretty secure, since you'd have to be a quantum physicist to crack today's codes." But, one might speculate that if a secret is worth enough to a would-be attacker, quantum physicists or their tools may become purchase-able. It's probably not a big deal for joe consumer, but for governments, large defense contractors and the like, it's probably time to take a look at their use of certain algorithms in asymmetric encryption. That analysis of course should be and probably is a continuous, on-going process. Interesting stuff.

No comments: