How secure is an encryption algorithm?

Triple DES was an early success story in American encryption. It is now (somewhat infamously,) broken. It is has been reported that skilled cryptanalysts broke 3DES, on a purpose built machine, in 6 hrs.

What should that mean to the security consumer? A common misconception is that it means you remain protected by 3DES, if you change your password at least every 6 hrs. In fact, you do not remain protected.

An attacker would collect the data exhaustively and subject it to offline analysis later. For example, if your Mastercard transaction was secured by 3DES, then an attacker would collect not a single transaction, but every transaction at the store where you bought that new tie. Six hours later, the password would change, and the attacker (being knowledgeable about the capability – he has a working model of the computer in question,) would move over to a new collection file.

S/he would then take the collected data, and brute force at least one entry, yielding a single transaction. While Mastercard might no longer honor the temporary authentication nonce, the attacker would have a valid card number, replete with expiration date and customer name. He might possibly even have the PIN and/or the secure ID from the back of the card.

The application of this kind of skulduggery is largely limited by interest and aptitude, in conjunction with the degree of profitability.

A vault provides peace of mind because the work required to break in, is either greater than the value of the contents, or takes longer than the item is to be stored there unattended.

The encryption algorithm is the vault, not the password. Changing passwords doesn’t change vaults.

When we change passwords, we break the uninterrupted chain of data that can be compromised by a single password. Any attacker has to renew his or her efforts, to compromise newer material.

Online attacks are different, when they are subjected to the “three try rule.” This is the same thing as consumers experience at an ATM, when they enter the wrong PIN number three consecutive times. This is how we prevent miscreants from profiting from stolen credit cards.

The three try rule has the same inconvenience associated, and the same potential for harassment, Your email handle, or online account username would be analogous to the credit card, for purposes of securing it.

Offline attacks can be slowed down, by using procedures such as repeated hashing, to add to the time required to generate the key from the password. If the key = the password, then an offline attacker can try as many keys per second as he can generate passwords. However, if it takes 8 milliseconds to derive the key from the authorized password, then an attacker can only try about 125 passwords per second.

This improves the passwords, but not the original choice of encryption algorithms.

Advertisements

About James Johnson

I am an amateur mathematician & political theorist who enjoys (occasionally cerebral) humor.
This entry was posted in Uncategorized and tagged , , . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s