Security is an Illusion

No encryption algorithm is provably secure.

That’s something of a shocker to people who depend on security features built into their browsers to shop, bank, and play online. We assume that because our account balances remain untouched and because our social media accounts aren’t posting stuff we don’t want them to post, we’re safe and good to go. Nothing could be further from the truth. Let’s take a quick look at three points at which an attack is likely to occur with reference to an encryption scheme.

The Scheme

Cryptography experts don’t like the notion that it’s impossible to prove that an encryption scheme is secure. To get around this, they speak of things like difficulty assumptions, attack vectors, and complexity. A lot of what they say is perfectly valid. For example, assuming that factoring large (in the range of 100+ decimal digits) highly composite numbers remains a difficult task for cutting edge computer hardware, RSA encryption (the basis of most online communication at some level) will remain equally difficult to crack. The problem is that the difficulty of the factoring problem is not guaranteed to remain as it is today. In fact, it could change overnight with any number of potential discoveries in mathematics, and there is literally nothing out there that could potentially replace RSA if it gets taken down.

If you remove all assumptions from the hypothetical situations used to define the security of encryption algorithms (i.e. put them out in the real world), you quickly find that it is simply impossible to provide any assurance of security whatever. For now, we depend on encryption for virtually everything that happens online, but just because things are going okay now doesn’t mean that someone hasn’t or won’t figure out some ingenious way of cracking the strongest of encryption schemes like the shell of a hollow egg.

The Implementation

Recent events have brought to our attention that some implementation recommendations by government agencies like the NSA are riddled with back doors and dirty hacks. The result is that, even if we did have a perfectly secure encryption algorithm, we’re still screwed because of something in the implementation of it.

An example of this is Heartbleed, a bug that was discovered in OpenSSL that left millions of machines open to attack. An attacker could retrieve the secret keys necessary to decrypt messages sent between machines. This was a serious problem, and the reputation of OpenSSL was severely damaged for a while. It is hard to imagine that similar problems don’t exist in virtually every piece of encryption software out there.

The Human

The weakest part of every security system is the human element. There are psychological and cultural holes we all have that can easily be taken advantage of to gain access to privileged places or information. Most of the time, we never know what hit us until it is far too late.

Some common things to look out for include passwords that are too simple (like “password”, your birthday, a favorite line from a movie, or anything else that contains whole words from your native language), lack of password protection on mobile or other computing devices, and the desire to be helpful to others when we sense there is a need.

Conclusion

Even if you do choose good passwords, keep everything password-locked, and watch your back, chances are that eventually, someone, somewhere, is going to get the best of you. The only real advice I can give beyond the obvious is this:

Don’t be stupid.

Adam Nickle

About Adam Nickle

I'm a total nerd, intellectual explorer, number theory enthusiast, and computer science nut. I'll write about anything from math and programming to religion and science fiction, all of which play central roles in my life.
This entry was posted in Uncategorized. Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *