Public Key Cryptography: Q&As from your peers

In this edition of Executive Security Briefing, Fred Avolio answers your questions on public key cryptography.

By Fred Avolio

This column is a bit different. On May 31, 2001, I gave a searchSecurity audio chat entitled Introduction to Public Key Cryptography. There were more questions than there was time to answer them. I've selected a few to address this month.

Q: How long would it take someone to crack 128-bit encryption?

When the press talks about "cracking" or "breaking" an encryption algorithm, they always seem to mean this: The "attacker" decrypted a message by guessing the secret key that was used for the encryption. This is not breaking or cracking a particular algorithm. But it does demonstrate the importance of key size. The key size -- the number of bits used to store the key, which is an integer number -- determines the size of the key space, the number of possible keys that can be used. If you knew that to decrypt a message you needed to guess a number between 1 and 10, would you feel challenged? How about between 1 and 1,000? How about between 1 and 10^38 (1 followed by 38 zeros)? That is (roughly) the key space using a 128-bit key. For comparison purposes, let's use a (so far) non-existent computer that can guess 1 trillion (1 followed by 12 zeros) keys a second. On average, it would take around 2 million-million-million (2 followed by 18 zeros) years to guess the key.

Q: Didn't a research lab just break 128-bit encryption in the past month in a little more than three hours?

Not that I can find. But this brings us to the other way someone can "break" crypto. They can break it if the algorithm is faulty (which is why making the algorithm public, available and subject to examination is so important), or the implementation of the algorithm is flawed. This has, for example, happened with the SSL implementation in Netscape Communicator in the past.

Q: I've recently read an article that claimed an encryption algorithm has been developed that is 'unbreakable' because of randomization, but the article also downplayed the importance of that fact. Why would the fact that it's 'unbreakable' be unimportant?

It would be an incredible breakthrough. It would be too good to be true. And it probably is. It sounds like "marketing speak" to me. I can find no such report.

Q: Is public key cryptography under threat, seeing the success of distributed computing in cracking cryptography?

Not just public key crypto, but secret key as well. Such systems will always be targets for attack. But the formula is much more complicated. You have to first look at the key size and algorithm so that you know how vulnerable it is to an attack. 128-bit AES looks pretty good so far. Then you have to combine that with how likely it is someone will target you or your company. Are you securing military secrets or e-mails to your aunt in Minneapolis? It makes a difference. And two million-million-million years, or half of that, or a tenth of that, or even a millionth of that, is still a long time.

Q: What are the limitations on a key size?

Algorithms are written to support a certain key size. Also, the larger the key the longer the encryption or decryption will take. You don't want to use crypto that takes an hour to encrypt your e-mail before you send it. That's one example of what crypto-mathematicians have to deal with and get right.

Q: With the public/private key system, would our messages be safe from the government's Carnivore monitoring system?

If you mean the content of your e-mails, it certainly should be, assuming a strong enough key size. The address fields are not encrypted and therefore not confidential.

Q: Is it best to have your own Certificate or Key server or to depend on an independent third party?

Whichever you can afford, where cost is measured in the price of the solution and the people and training required to get it to work. There really is no difference in the security provided.

Q: My PGP key has expired. What can I do with it? It is also located on the certificate server.

This is an example of the sorts of trouble we can get into with these systems. A good PKI automates this sort of thing so that as keys are changed, certificates get updated. In this particular case, there is not much you can do except get a new certificate.

Q: When I send encrypted e-mail, does the receiver have to use the same software that I have, and do they need to have my public encryption key to be able to open my e-mail?

Yes, the receiver has to use the same underlying protocols. One can secure e-mail with the popular S/MIME and PGP protocols, the less popular but older MOSS and PEM, or proprietary implementations, such as ZixMail or A-Lock. You do need to have the same type of encryption supported on both or all platforms. So, for example, e-mail encrypted with PGP will work where there is PGP. It doesn't matter what the Mail User Agent is (Outlook, Eudora, etc.), nor does the platform matter (Linux, Unix, Windows, Mac, Palm). And there are products that will work across these platforms. Certainly, PGP is the most famous and, perhaps, the most popular.

Fred Avolio is the president and founder of Avolio Consulting, Inc., a Maryland-based corporation specializing in computer and network security and dedicated to improving the state of corporate and Internet security through education and testing.

This was last published in July 2001
