August 14, 2013
The Foundation Of Encryption Based On An Old Assumption
Michael Harper for redOrbit.com - Your Universe Online
Following last year’s numerous password dumps and this year’s Twitter hacks, website Ars Technica recently posed a challenge to a trio of hackers: How long does it take to unlock even the most secure passwords?In that challenge, the slowest of the three cracking experts was able to unlock 62 hashed and encrypted passwords in one hour, all while being “peppered” with questions from the Ars journalist. The resulting article painted a bleak picture for those concerned with digital security and essentially claimed that anyone who wants to get into your stuff can and probably will.
Though not associated with the Ars Technica piece, a group of researchers from MIT and the National University of Ireland (NUI) Maynooth are providing more answers as to why encryption isn’t as secure as many may have previously assumed. According to these researchers, the problem stems back to the earliest days of computer science and some unfortunate assumptions made in the beginning.
In 1948 former MIT professor Claude Shannon wrote a paper in which he created what’s known as information theory. In this paper Shannon posited that when computers or electronics are communicating with one another, they must speak in generally the same language or use a language that the other understands. Though this isn’t entirely true 100 percent of the time, it appeared to be true often enough that researchers assumed the mathematical principles behind it held.
“We thought we’d establish that the basic premise that everyone was using was fair and reasonable,” said Ken Duffy, one of the NUI researchers, in a statement.
“And it turns out that it’s not.”
In other words, most systems assume they’ll be dealing with a certain kind of language and are prepared to communicate within it. The problem comes, then, when other systems begin using other languages, or noise, to more or less confuse these systems. In some ways it’s similar to the British soldiers encountering the guerrilla warfare of the colonialists in early American history. The most secured systems operate on the assumptions that any attacker will operate under a certain set of rules. It’s not prepared to guard itself against something it’s never assumed to be possible.
In their paper, the researchers discuss a situation wherein an attacker can use “noise” to hide his/her attack. With a proper understanding of noise and what kind of electromagnetic noise is in a certain environment, an attacker could theoretically leach passwords stored on an embedded credit card chip or gain entry keys stored on keyless-entry cards. If an attacker operates outside of the common assumption of information theory and takes advantages of the statistical inaccuracies therein, he/she could theoretically wreak havoc on even the most secure systems.
The researchers do say, however, that while it may be easier than they thought for such a hacker to circumvent secure systems and encrypted passwords, it’s still rather difficult to do.
“It’s still exponentially hard, but it’s exponentially easier than we thought,” said Duffy.
Plus, when these hackers utilize graphics processors to help them churn through data to find these statistical inaccuracies, they’re able to make quick work of a long problem.
The hacker in the Ars challenge who cracked 62 passwords in less than an hour, for instance, used only one graphics processor to crack the codes.
“You’d be surprised at how quickly you can guess stuff,” Duffy said.