Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

11 reasons encryption is (almost) dead

Peter Wayner | May 6, 2014
Massive leaps in computing power, hidden layers, hardware backdoors -- encrypting sensitive data from prying eyes is more precarious than ever

One research "hardware backdoor" called Rakshasa can infect the BIOS and sneak into the firmware of PCI-based network cards and CD drivers. Even if your encryption is solid and your OS is uninfected, your network card could be betraying you. Your network card can think for itself! It will be a bit harder for the network card to reach into the main memory, but stranger things have happened.

These hidden layers are in every machine, usually out of sight and long forgotten. But they can do amazing things with their access.

Encryption's weak link No. 8: Backdoors aplenty
Sometimes programmers make mistakes. They forget to check the size of an input, or they skip clearing the memory before releasing it. It could be anything. Eventually, someone finds the hole and starts exploiting it.

Some of the most forward-thinking companies release a steady stream of fixes that never seems to end, and they should be commended. But the relentless surge of security patches suggests there won't be an end anytime soon. By the time you've finished reading this, there are probably two new patches for you to install.

Any of these holes could compromise your encryption. It could patch the file and turn the algorithm into mush. Or it could leak the key through some other path. There's no end to the malice that can be caused by a backdoor.

Encryption's weak link No. 9: Bad random-number generators
Most of the hype around encryption focuses on the strength of the encryption algorithm, but this usually blips over the fact that the key-selection algorithm is just as important. Your encryption can be superstrong, but if the eavesdropper can guess the key, it won't matter.

This is important because many encryption routines need a trustworthy source of random numbers to help pick the key. Some attackers will simply substitute their own random-number generator and use it to undermine the key choice. The algorithm remains strong, but the keys are easy to guess by anyone who knows the way the random-number generator was compromised.

Encryption's weak link No. 10: Typos
One of the beauties of open source software is that it can uncover bugs -- maybe not all of the time but some of the time.

Apple's iOS, for instance, had an extra line in its code: goto fail. Every time the code wanted to check a certificate to make sure it was accurate, the code would hit the goto statement and skip it all. Oops.

Was it a mistake? Was it put there on purpose? We'll never know. But it sure took a long time for the wonderful "many eyes" of the open source community to find it.


Previous Page  1  2  3  4  Next Page 

Sign up for CIO Asia eNewsletters.