WEB EXCLUSIVE

Would You Trade Your Password for Candy? Why You Should Pay Attention to Cryptography

Modern codes protect bank accounts and email, but human error puts all that in danger, say experts on a World Science Festival panel.

By Veronique Greenwood|Tuesday, June 07, 2011
enigmasmall
enigmasmall
The Enigma machine provided cutting-edge encryption. ell brown/flickr

We are all, whether we realize it or not, code freaks.

Every time we use email, check our account balances, and, of course, buy something online, we are using encryption to keep our information secret. The digital world depends utterly on the privacy afforded by encryption. But as a panel at the World Science Festival pointed out again and again, and as recent hacks have demonstrated, we are a long way from using it right and understanding its risks.

Modern cryptography was born during World War II, when the Axis and Alliesdesigned elaborate codes to keep their communiqués secret. The most famous ofthese cryptosystems is the German Enigma, which used a bespoke typewriter fitted with three rotors to convert messages into cipher text, using a different key every day. When used correctly, the code was hideously difficult to break, noted panelist Simon Singh, author of The Code Book, as he demonstrated the use of a real Enigma machine. But, he emphasized, the vast majority of code breaking happens because of human error. In the heat of battle, German officers sometimes reused keys or made other mistakes, and the patterns this produced gave the Allied cryptanalysts the handholds they needed to crack Enigma, changing the course of the war.

Fast forward to the future, where we use codes far more robust than Enigma in our transactions on the net. What we use now, explains Tal Rabin, head of the Cryptography Research Group at IBM, is public-keyencryption, which gets round a major barrier in Enigma-era cryptography, when the list of daily keys had to be delivered by hand and thus was vulnerable to spying or theft. With public-key encryption, information is encrypted with a key that everyone knows, but it can only be decrypted by a secret key possessed by the intended recipient. When you see that little padlock at the bottom of your browser, it means your computer has exchanged keys with Amazon, Gmail, or CitiBank and so on, and any information will now be encrypted.

But the old problem of human error compromising security still plagues modernencryption. As Orr Dunkelman, a cryptanalyst at the Weizmann Institute of Science, points out, people are incredibly lax when it comes to passwords. In 2004, researchers asked commuters at a British train station to trade their passwords for a chocolate bar, and more than 70% willingly made the trade. And how many of the audience uses the same password for multiple sites (a serious online security no-no)?, he asked. Almost everyone raised their hand.

“The rest of you, be honest! Do you even have a computer?” Dunkelman asked skeptically.

Fault doesn’t just lie with users—companies have made some astonishing gaffes in how they have set up systems based on encryption, said Brian Snow, the former tech head of the National Security Agency’s information assurance department, who is now a consultant. For example, the radio transmitters in the key fobs for many modern cars, including Priuses, do more than automatically open your car doors when you get close. They make it very easy for a pair of thieves equipped with pocket transmitters to steal the car. After you’ve walked away from your car, one thief follows you and stands nearby, picking up the (encrypted) signal from your key fob. His transmitter sends the (still encrypted) signal to his buddy, who is standing next to your car. Voila, the doors pop open, and, since the starter in a Prius is just a dashboard button that can be activated when the fob is nearby, away they go, all without having to break the encryption.

“Cars are being stolen this way today,” Snow said with a grim look at the audience. Another chink in our armor is the fact that what we think is secure today will not necessarily be secure in the future. As computers get faster and mathematicians explore the deeper realms of number theory, today’s codes will be broken. Thus, when you design a cryptosystem, explained Rabin, you have to keep in mind how long you’d like the information to remain secret. A lot of public-key encryption uses keys of 1024 bits, which are usually considered long enough to be secure, but computer scientists have already begun to break them, albeit with force rather than logic. It’s all a question of how much investment you’re willing to make in return for near-indefinite secrecy, she said.

While Singh took a more bullish stance on the state of modern cryptography, calling it “virtually unbreakable,” provided it’s used correctly, Snow made it clear that he thought complacency and a lack of understanding of encryption gives us a false sense of security. “90% of commercial crypto is crap, because of the usage parameters from humans,” he said. It is also possible, several of the panelists said, that there have been major advances in cryptanalysis in government laboratories that remain classified—after all, the Allies did not reveal the existence of their code-breaking factory, Bletchley Park, until three decades after the war. Furthermore, should quantum computers ever become commonplace, everything that’s currently secure could be compromised: such computers can consider many solutions to a problem at once and could quickly factor the prime numbers whose inscrutability lie at the root of modern encryption.

The future of secure codes may also be in quantum mechanics. Quantum cryptography is on everyone’s lips, Singh explained. In a quantum cryptosystem, particles such as photons would encode information in the directions of their spins and be shunted down a wire to a recipient. Because, on the level of quantum mechanics, observing something changes it, any eavesdroppers trying to intercept the photons on their way would destroy the information they carried. This means that as long as the recipient can tell from the scrambling of the photons that the message has been compromised, the channel is secure. It used to sound far-fetched, he said, but these days companies that offer some flavor of quantum encryption are popping up everywhere. (MagiQ Technologies, which offers quantum keys to be used along with otherwise normal encryption, is one of the major players.) It could herald a new era in secure communications, he said.

But at least one person on stage disagreed. “The Norwegians broke it two years ago,” Snow interjected, as the lights came down. “It just wasn’t sophisticated enough.”

Comment on this article
ADVERTISEMENT

Discover's Newsletter

Sign up to get the latest science news delivered weekly right to your inbox!

ADVERTISEMENT
ADVERTISEMENT
Collapse bottom bar
DSCOctCover
+

Log in to your account

X
Email address:
Password:
Remember me
Forgot your password?
No problem. Click here to have it emailed to you.

Not registered yet?

Register now for FREE. It takes only a few seconds to complete. Register now »