It’s been a rough time for cryptography. As we noted last week, two major email encryption services opted to shutter themselves in the face of possible and actual government pressure to disclose user information.
But there may be something more fundamental about the insecurity of encryption. According to new research from MIT, the basic information-theory assumption on which the idea of secure information schemes was originally based has come under academic scrutiny, as a post on MIT’s website on the findings noted. As such, encryption might not be as secure as we thought:
[M]ost information-theoretic analyses of secure schemes have depended on a common assumption.
Unfortunately, as a group of researchers at MIT and the National University of Ireland (NUI) at Maynooth, demonstrated in a paper presented at the recent International Symposium on Information Theory, that assumption is false. In a follow-up paper being presented this fall at the Asilomar Conference on Signals and Systems, the same team shows that, as a consequence, the wireless card readers used in many keyless-entry systems may not be as secure as previously thought.
Now, the reasons to question the security of encryption are complicated and relate to assumptions about entropy beyond the purview of these paragraphs (or this writer) to explain. But the upshot is this: Based on new notions of entropy, which reportedly offer a more accurate picture of code-breaking, the secure schemes carry more insecurity than was once thought (when a 1948 model of entropy was applied).
The upshot is that a computer turned loose to simply guess correlations between the encrypted and unencrypted versions of a file would make headway much faster than previously expected.
“It’s still exponentially hard, but it’s exponentially easier than we thought,” [researcher Ken] Duffy says. One implication is that an attacker who simply relied on the frequencies with which letters occur in English words could probably guess a user-selected password much more quickly than was previously thought. “Attackers often use graphics processors to distribute the problem,” Duffy says. “You’d be surprised at how quickly you can guess stuff.”
Now, it remains true that the greatest threat to secure information is not the technical and theoretical vulnerabilities inherent in cryptography, but the very real fact that the U.S. government is pressuring encryption services to hand over user information.
As Salon noted, Lavabit, an encrypted email service linked to NSA whistle-blower Edward Snowden, hinted at a U.S. government investigation as the reason for its closure.