Many of our assumptions about the security of cryptography are based on the belief that people will share all of their knowledge of vulnerabilities -- but there is no guarantee anyone will do this. The spy agencies, for instance, routinely keep their knowledge to themselves. And rumors circulate about an amazing cryptographic breakthrough in 2010 that's still classified. Why should the rest of us act any differently?
Encryption's weak link No. 3: The chain is long and never perfect
There are a number of excellent mathematical proofs about the security of this system or that system. They offer plenty of insight about one particular facet, but they say little about the entire chain. People like to use phrases like "perfect forward security" to describe a mechanism that changes the keys frequently enough to prevent leaks from spreading. But for all of its perfection, the proof covers only one part of the chain. A failure in the algorithm or a glitch in the software can circumvent all this perfection. It takes plenty of education to keep this straight.
Encryption's weak link No. 4: Cloud computing power is cheap and massive
Some descriptions of algorithms like to make claims that it would take "millions of hours" to try all the possible passwords. That sounds like an incredibly long time until you realize that Amazon alone may have half a million computers for rent by the hour. Some botnets may have more than a million nodes. Big numbers aren't so impressive these days.
Encryption's weak link No. 5: Video cards bring easy parallelism to cracking
The same hardware that can chew through millions of triangles can also try millions of passwords even faster. GPUs are incredible parallel computers, and they're cheaper than ever. If you need to rent a rack, Amazon rents them by the hour too.
Encryption's weak link No. 6: Hypervisors -- the scourge of the hypervigilant
You've downloaded the most secure distro, you've applied all the updates, you've cleaned out all the cruft, and you've turned off all the weird background processes. Congratulations, you're getting closer to having a secure server. But let's say you're still obsessed and you audit every single last line of code yourself. To be extra careful, you even audit the code of the compiler to make sure it isn't slipping in a backdoor.
It would be an impressive stunt, but it wouldn't matter much. Once you have your superclean, completely audited pile of code running in a cloud, the hypervisor in the background could do anything it wanted to your code or your memory -- so could the BIOS. Oh well.
Encryption's weak link No. 7: Hidden layers abound
The hypervisor and the BIOS are only a few of the most obvious layers hidden away. Practically every device has firmware -- which can be remarkably porous. It's rarely touched by outsiders, so it's rarely hardened.