The SafeLogic Blog
MIT and the Effectiveness of Brute Force Attacks
August 22, 2013 • Walt Paley
Researchers have asserted that current cryptographic systems are not as secure as we have believed.
That’s a daunting statement.
When you hear that an MIT professor is publishing a paper that attacks the fundamental premises of your career, it’s only natural to get the mental equivalent of biting into a sour lemon.
Luckily, the headlines are mostly sensationalistic and the research, while interesting, is no threat to the security industry, let alone the way of life in the developed world. Let’s read more into this and figure out what exactly Professor Muriel Médard and her team are trying to say.
The concept in question is the level of uniformity in compressed source files. Information theory demands that we assume the highest level of entropy and uniformity, even if the algorithm did not quite meet that level. Médard says that it is a reliance on Shannon Entropy that creates the issue. Shannon’s 1948 paper was focused on communication, and advanced the idea that data traffic as a whole would average out any imperfections in the uniformity of individual pieces of data. This is a fair assessment, but not the ideal approach for cryptography.
Average uniformity is not the goal of encryption. Rather, it is the simple understanding of the weakest link that explains the conceptual error. When encrypted data is under fire from a codebreaker, we do not worry about the 99.99% of the data that is properly encrypted. It is the weakest link, the part that did not reach the highest level of uniformity and entropy, that is vulnerable and puts the entire data cache at risk.
“We thought we’d establish that the basic premise that everyone was using was fair and reasonable, and it turns out that it’s not,” says Ken Duffy, one of the researchers at National University of Ireland (NUI) at Maynooth, who worked alongside Médard.
Essentially, these slight deviations in the uniformity of the data open the door for a brute force attacker to test a series of assumptions. For example, an assumption that a password was in English, or even was based on an actual word, could accelerate the codebreaking process. “It’s still exponentially hard, but it’s exponentially easier than we thought,” Duffy says.
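To make the gap between the average measure and the weakest link concrete, here is an added example (not from the original post or the researchers' paper) that compares Shannon entropy, min-entropy, and the number of guesses needed for a 50% chance of success. The 16-bit secret space in which 256 "dictionary" values carry half of the probability is a constructed assumption, as are all function names.

```python
import math

def shannon_entropy_bits(probs):
    """Average-case measure: H = -sum(p * log2 p)."""
    return -sum(p * math.log2(p) for p in probs if p > 0)

def min_entropy_bits(probs):
    """Worst-case measure: set by the single most likely secret."""
    return -math.log2(max(probs))

def guesses_to_reach(probs, target):
    """Guesses needed for success probability >= target when candidates
    are tried from most to least likely."""
    covered = 0.0
    for n, p in enumerate(sorted(probs, reverse=True), start=1):
        covered += p
        if covered >= target:
            return n
    return len(probs)

def skewed_source(total, likely, likely_mass):
    """Constructed distribution: `likely` values share `likely_mass`
    of the probability; the other values share the remainder evenly."""
    rest = total - likely
    return [likely_mass / likely] * likely + [(1 - likely_mass) / rest] * rest

def uniform_source(bits):
    """Every one of the 2**bits secrets is equally likely."""
    return [2.0 ** -bits] * (2 ** bits)

def report(name, probs):
    row = {
        "shannon_bits": round(shannon_entropy_bits(probs), 3),
        "min_entropy_bits": round(min_entropy_bits(probs), 3),
        "guesses_for_50pct": guesses_to_reach(probs, 0.5),
    }
    print(name, row)
    return row

# Constructed sample: a 16-bit secret space in which 256 "dictionary"
# values carry half of the probability (an assumption for illustration).
SKEWED = skewed_source(total=2 ** 16, likely=256, likely_mass=0.5)
# Uniform source with about the same Shannon entropy, for comparison.
UNIFORM_13 = uniform_source(13)

if __name__ == "__main__":
    report("skewed 16-bit space", SKEWED)
    report("uniform 13-bit space", UNIFORM_13)
```

Both sources score about 13 bits of Shannon entropy, yet half of the skewed secrets fall within 256 guesses rather than 4096, which is what the 9-bit min-entropy reflects.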
The good news? (Yes, there is still good news.)
We are still very much talking about theoretical gains and the security is still very much intact. Brute force attacks have always had a projected success window, but it was so astronomical that it was considered to be effectively moot. This paper is simply saying that it is slightly less astronomical, but likely still effectively moot.
As Matthieu Bloch of Georgia Tech states, “My guess is that [the paper] will show that some [algorithms] are slightly less secure than we had hoped, but usually in the process, we’ll also figure out a way of patching them.”
That’s a great attitude, Bloch! Now let’s clear up a few misconceptions that this news has created.
- We are suddenly vulnerable.
You really believe this? I can guarantee that hackers recognized this anomaly long before MIT announced it to the world. It’s not a skeleton key for the world’s data; it’s just something we can improve.
- Shannon Entropy is useless and we’ve been wasting our time since 1948.
No, not exactly. Shannon had the right idea when it came to data traffic. The theory has just been misapplied to encryption.
- Our entire system of cryptography is now in question.
Definitely not. In fact, it is research like this that proves more than ever that it is crucial to stick with cryptography that has been properly tested, validated, and integrated. Encryption is not something that should be improvised or cobbled together.
So stay tuned for more news from MIT and we’ll keep you updated in this space. If you’re using low-level, unvalidated encryption, please only do so with the understanding that it is no impediment to a motivated hacker. And if you need encryption at the highest levels, you’re already at the right place. Don’t hesitate to reach out.
Walt Paley
Walter Paley is the VP of Communications for SafeLogic. He is responsible for strategy, content, marketing, and outreach. Walt has worked with a series of start-ups and companies in growth stages, including Nukona (acquired by Symantec), Qubole, Bitzer Mobile (acquired by Oracle), and TigerText, among others. An alumnus of the psychology program at UC San Diego, Walt lives in Southern California with his wife, kids, and their black lab, Echo.