How Secure is Encryption?

How Secure is Encryption? 07O8oQz

The cryptosystems in wide utilize today have their birthplaces in the 1970s, as current electronic PCs came into utilization. The Data Encryption Standard (DES), was planned and institutionalized by the American government in the mid 1970s for industry and government utilize. It was expected for execution on computerized PCs, and utilized a generally long succession transposition and substitution tasks on binary strings.

But DES suffered a major problem: it had a relatively short secret key length (56 bits). From the 1970s to the 1990s, the speed of computers increased by orders of magnitudes making "brute force" cryptanalysis –- which is a simple search for all possible keys until the correct decryption key is found –- increasingly practical as a threat to this system.

Its successor, the Advanced Encryption Standard (AES), uses minimum 128-bit keys by contrast, and is currently the most popular cryptosystem used to protect internet communications today.

Key length is the crudest method for deciding to what extent a cipher will take to break. It is the raw number of ones and zeros used in a cipher. Thus, the crudest type of attack on a cipher is known as a brute force attack (or exhaustive key search). This involves trying every possible combination to find the correct one.

For a brute force attack:

  • A 128-bit key cipher has 3.4 x10(38) possible keys. Going through each of them would thousands of operations or more to break.

  • The Fujitsu K computer located in Kobe, Japan was capable of an Rmax peak speed of 10.51 petaflops. Based on this figure, it would take Fujitsu K 1.02 x 10(18) (around 1 billion) years to crack a 128-bit AES key by force.

  • In 2016 the most powerful supercomputer in the world is the NUDT Tianhe-2 in Guangzhou, China. Almost 3 times as fast as the Fujitsu K, at 33.86 petaflops, it would “only” take it around a third of a billion years to crack a 128-bit AES key. That’s still a long time, and is the figure for breaking just one key.

  • A 256-bit key would require 2(128) times more computational power to break than a 128-bit one.

  • The number of years required to brute force a 256-bit cipher is 3.31 x 10(56) –  which is about 20000….0000 (total 46 zeros) times the age of Universe (13.5 billion or 1.35 x 10(10) years!


    Note
US government uses 256-bit encryption to protect ‘sensitive’ data and 128-bit for ‘routine’ encryption needs.


If and when quantum computing becomes available, all bets will be off. Quantum computers will be exponentially more powerful than any existing computer, and will make all current encryption ciphers and suites redundant overnight.

An encryption key is a random string of bits created explicitly for scrambling and unscrambling data. Encryption keys are designed with algorithms intended to ensure that every key is unpredictable and unique. The longer the key built in this manner, the harder it is to crack the encryption code.

Ciphers are the mathematics used to perform the encryption.

By far the most common ciphers that you will likely encounter are those OpenVPN uses: Blowfish and AES. In addition to this, RSA is used to encrypt and decrypt a cipher’s keys. SHA-1 or SHA-2 are used as hash functions to authenticate the data.

The Advanced Encryption Standard (AES), also known by its original name Rijndael is a specification for the encryption of electronic data established by the U.S. National Institute of Standards and Technology (NIST) in 2001. AES is generally considered the most secure cipher. Its adoption by the US government has increased its perceived reliability, and consequently its popularity.

AES is a subset of the Rijndael cipher developed by two Belgian cryptographers, Vincent Rijmen and Joan Daemen, who submitted a proposal to NIST during the AES selection process. Rijndael is a family of ciphers with different key and block sizes.

For AES, NIST selected three members of the Rijndael family, each with a block size of 128 bits, but three different key lengths: 128, 192 and 256 bits.

One of the disclosures in the data gave by Edward Snowden is that "another program, code-named Cheesy Name, was gone for singling out SSL/TLS encryption keys, known as ‘certificates,’ that might be vulnerable to being cracked by GCHQ supercomputers.”

That these certificates can be “singled out” strongly suggests that 1024-bit RSA encryption (commonly used to protect the certificate keys) is weaker than previously thought. The National Security Agency (NSA) and GCHQ could therefore decrypt it much more quickly than expected.

In addition to this, the SHA-1 algorithm widely used to authenticate SSL/TLS connections is fundamentally broken. In both cases, the industry is scrambling fix the weaknesses as fast as it can. It is doing this by moving onto RSA-2048+, Diffie-Hellman, or  Elliptic Curve Diffie-Hellman (ECDH) key exchanges and SHA-2+ hash authentication.

What these issues (and the 2014 Heartbleed Bug disaster) unmistakably feature is the significance of utilizing perfect forward secrecy (PFS) for all SSL/TLS connections.

This is a system whereby a new and unique (with no additional keys derived from it) private encryption key is generated for each session. For this reason, it is also known as an ephemeral key exchange.

Using PFS, if one SSL key is compromised, this does not matter very much because new keys are generated for each connection. They are also often refreshed during connections. To meaningfully access communications these new keys would also need to be compromised. This makes the task so arduous as to be effectively impossible.

Unfortunately, it is common practice (because it’s easy) for companies to use just one private encryption key. If this key is compromised then the attacker can access all communications encrypted with it.

The most widely used VPN protocol is OpenVPN. It is considered very secure. One of the reasons for this is because it allows the use of ephemeral keys.

It is also worth mentioning here that the HMAC SHA-1 hashes routinely used to authenticate OpenVPN connections are not a weakness. This is because HMAC SHA-1 is much less vulnerable to collision attacks than standard SHA-1 hashes.

To think little of the NSA's desire or capacity to compromise all encryption is an oversight. In any case, encryption remains the best resistance we have against it (and others like it).

To the best of anyone’s knowledge, strong ciphers such as AES and OpenVPN remain secure.

Remember too that the NSA is not the only potential adversary. However, most criminals and even governments have nowhere near the NSA’s ability to circumvent encryption.


The United States National Institute of Standards and Technology (NIST) developed and/or certified AES, RSA, SHA-1 and SHA-2. NIST works closely with the NSA in the development of its ciphers.

Given the NSA’s systematic efforts to weaken or build back doors into international encryption standards, there is every reason to question the integrity of NIST algorithms.

NIST has been quick to deny any wrongdoing (“NIST would not deliberately weaken a cryptographic standard”). It has also has invited public participation in a number of upcoming proposed encryption-related standards in a move designed to bolster public confidence.

The New York Times, however, has accused the NSA of introducing undetectable backdoors, or subverting the public development process to weaken the algorithms, thus circumventing NIST-approved encryption standards.

News that a NIST-certified cryptographic standard – the Dual Elliptic Curve algorithm (Dual_EC_DRGB) had been deliberately weakened not just once, but twice, by the NSA destroyed pretty much any existing trust.

That there might be a deliberate backdoor in Dual_EC_DRGB had already been noticed before. In 2006 researchers at the Eindhoven University of Technology in the Netherlands noted that an attack against it was easy enough to launch on ‘an ordinary PC.’  Microsoft engineers also flagged up a suspected backdoor in the algorithm.

Despite these concerns, where NIST leads, industry follows. NIST-certified cryptographic standards are pretty much ubiquitous worldwide throughout all areas of industry and business that rely on privacy (including the VPN industry). This is all rather chilling.

Perhaps because so much relies on these standards, cryptography experts have been unwilling to face up to the problem.

End-to-end (e2e) encryption means that you encrypt data on your own device. Only you hold the encryption keys (unless you share them). Without these keys, an adversary will find it extremely difficult to decrypt your data.

Numerous administrations and products don't utilize e2e encryption. Rather they encrypt your data and hold the keys for you.This can be very convenient, as it allows for easy recovery of lost passwords, syncing across devices, and so forth. It means, in any case, that these outsiders could be constrained to hand over your encryption keys.

A case in point is Microsoft. It encrypts all emails and files held in OneDrive (formerly SkyDrive), but it also holds the encryption keys. In 2013 it used these to unlock the emails and files of its 250 million worldwide users for inspection by the NSA.

Strongly avoid services that encrypt your data on their servers, rather than you encrypting your own data on your own machine.

The websites have been using strong end-to-end encryption for the last 20 years. After all, if websites were not secure, then online shopping or banking wouldn’t be possible.

The encryption protocol used for this is HTTPS, which stands for HTTP Secure (or HTTP over SSL/TLS). It is used for websites that need to secure users’ communications and is the backbone of internet security.

With HTTPS, a cryptographic key exchange occurs when you first connect to the website. All subsequent actions on the website are encrypted, and thus hidden from prying eyes. Anyone watching can see that you have visited a certain website, but cannot see which individual pages you read, or any data transferred.

There are issues relating to HTTPS, but in general it is secure.

What Is Encryption?

Encrypt Your Local Files, Folders, and Drives

Did you find this tutorial helpful? Don’t forget to share your views with us.