20 February 2012

Cryptography has been "broken"...or has it...

A new year has started, and why change good habits - or maybe this is a New Year's resolution? I’m just back from the second New York Metro ISSA Chapter meeting of 2012. Here is my quick wrap-up.

With a strong line-up, the meeting was geared to discuss the not-so-interesting topic of cryptography, as well as the challenges of PKI deployment. With many research papers appearing that claim to have "broken" various hashing and encryption ciphers, the first speaker, John Callas from Entrust, put this into perspective.

John, currently one of the finalists in NIST's SHA-3 competition, used his 45-minute slot to give a top-level view of threats to cryptography, namely quantum computing. He reassured the audience that the current suite of encryption ciphers is pretty solid despite the weaknesses recently found in the popular AES cipher, where a biclique attack was shown to recover keys 2 bits faster than traditional brute-force attacks (http://research.microsoft.com/en-us/projects/cryptanalysis/aesbc.pdf). In cryptography, a cipher counts as "broken" when any attack on it is faster than brute force. The biclique technique described allows attackers to recover keys up to five times faster than brute force. AES may not be completely broken, but it's broken nonetheless.

Conclusion

With weaknesses starting to appear, what can we do to protect ourselves? Encryption should be looked on as another layer of security. We all know Defense in Depth is a staple of any good secure system design, and we must not lose sight of the fact that anything that has been encrypted can be decrypted, so key management is really where attention to detail is crucial.

For those of you who are unaware, the Information Systems Security Association (ISSA)® is a "not-for-profit, international organization of information security professionals and practitioners. It provides educational forums, publications, and peer interaction opportunities that enhance the knowledge, skill, and professional growth of its members."

This is my first experience of the ISSA New York Metro Chapter and of the ISSA, having only joined the ISSA in November 2011. I can honestly say this is one of the most informative events I have found in New York and look forward to the next event.

