It's Already Here, Folks...
At the 2013 Black Hat conference, researchers declared that the math for cracking encryption algorithms could soon become so efficient that it will render the RSA crypto algorithm obsolete. This, coupled with recent allegations that the NSA tampered with ECC, is the basis for an impending Cryptopolypse.
To my knowledge, there isn’t a single crypto algorithm being deployed on a wide-scale that doesn’t have significant integrity questions. For an industry that emphasizes defense in depth, our single-point-of failure situation is painfully ironic.
Let me briefly describe the facts of the case:
- RSA Is A 40-Year Old, Feeble Crypto: The majority of data transactions are being secured by a 40 year old piece of technology (RSA PKI crypto) that was created before Windows, a general purpose PC, the Internet, etc. It was good in its time but wasn’t built for our needs today. It has known attacks and is a bandwidth hog, rendering it almost useless when trying to do full end to end encryption at recommended strength keys (2048 in January 2014 according to NIST
- ECC Is Compromised: The second and only other PKI crypto widely deployed today, Elliptic Curve Crypto (ECC), was financed by the US Federal government (NSA paid Certicom, now Blackberry, $25M for patent rights in 2003) and has had recent allegations that the NSA tampered with and created backdoors for it’s use in spying on whomever uses it. Many organizations (RSA included) are recommending that anyone that uses ECC not use the NIST-provided curve because the NSA has the ability to decrypt messages sent using the same.
- The Quantum Threat: Finally, while less of a concern today, quantum computing will be a major concern in the near future. Every crypto expert agrees that both RSA and ECC will be broken when a usable quantum computer is released, which is not a matter of if, but when. And the when is counted in years, not decades.
There is ample blame to go around – some are prime suspects, some served as accessories, some tampered with the evidence, and some should only have civil infractions. It’s a colossal failure as an industry and community, and we (the security and crypto vendors) share blame as well.
- Cryptographers: Sure, I acknowledge that the crypto community can be highly suspicious and it takes ages to get a new crypto algorithm adopted and accepted. I also further acknowledge that the crypto community has been talking about post-quantum threats for some time; however, they’ve only been talking to themselves. It’s time to make this mainstream. For decades, RSA has been free and good enough for most PKI applications. As a result, it became ubiquitous and was integrated into web browsers and Secure Sockets Layer (SSL)very early on. Both ECC and NTRU (the only other viable alternative crypto algorithm) are patent-protected (RSA is not) and that makes people very wary to use them. NSA hitched its wagon to ECC when it paid Certicom the $25M. Now it is clear why -- they (allegedly) back-doored a spying mechanism into ECC and forced the use of NIST-supplied curves that made ECC easier for them to decipher.
NTRU is now open-source and available to use in any project. It has also been adopted in several large-scale commercial projects. So why not use NTRU in more broadly impactful projects? Web browsers and mobile applications would be a great start. They are (mostly) non-commercial programs for which a fee is not charged, which means NTRU is free to use.
- Technology Community
Do you remember Y2K? People overreacted getting ready for that and it turned out to be a total non-issue (and no, it wasn’t because of the prep work companies did in anticipation thereof.) In this case, we have a genuine IT apocalypse ready to happen – a cryptopolypse – and no one seems to get it, other than a select few in the crypto industry. We have a single point of failure for “The Internet of Things” which has become a very popular topic. In the near future, RSA will crumble – no one really denies that. In the short and mid-term, people will move away from ECC due to its compromised integrity. In the long-term, when quantum computers are released, ECC will break (no one disagrees with that either). So why isn’t anyone writing about this?
- Crypto Vendors
It’s incredibly difficult to make money licensing crypto. RSA learned this years ago when they made their PKI algorithm free and open. We (Security Innovation, owners of NTRU) learned a similar lesson, thus our decision to open source NTRU. However, this does not absolve us from blame. We should have known for years that RSA and ECC would be broken and we didn't solicit NIST to get NTRU adopted as a FIPS certified algorithm. We also didn't pursue our Transport Layer Security (TLS) spec to have NTRU included as part of the crypto ciphers that a browser can speak to (until recently; we have since re-opened this.) Yes, we got NTRU adopted as an IEEE and X9 (for financial transactions) standard; but, it really makes a difference when it’s in a consumer product like a web browser or Microsoft/Symantec auto-update clients.
- Industry Groups
I don't think browser companies have failed here. They can only use the crypto algorithms that are specified in the TLS and SSL. Refer to the previous paragraph where crypto companies, similar to Security Innovation, have failed. We could have filed/lobbied for NTRU to be included therein. Now that NTRU is GPL open-source, we are hopeful that organizations such as Mozilla Firefox will include it as a viable PKI algorithm.
Next question: why isn't the state of encryption today being talked about more? Do people not understand the gravity of the problem? I believe it’s an awareness issue.
If consumers were aware of the poor state of encryption today, I suspect they would be more hesitant to submit their credit card information online, send personal information over a mobile application (which often is not even encrypted at all), or use voice recognition to access financial accounts. This is happening every day with major banks, retailers, entertainment providers, etc. Consumers are blindly trusting technology vendors and Internet providers to secure their information. They assume that these organizations must be being responsible. Many users would be horrified if they realized they were actually sending data unencrypted or using 40-year old technology with known attacks to secure their info. If consumers were aware, there'd be more of an uproar, however they assume that we in the software and Internet business are doing our jobs.
Lessons Learned: How Did We Allow This Crime To Happen?
A single point of failure is never a good thing. It is especially bad when that failure point is old, weak, slow, bloated, and under increasingly successful attacks. And we need to consider carefully which algorithm(s) we choose for the future. Who knows what the world looks like 40 years from now (or even 20) but think about the fact that 20 years ago the Internet was barely used by anyone. Will quantum computers exist that break RSA and ECC? Probably.
We need to think long-term and re-plumb the crypto of ‘The Internet of Things,’ and choose algorithm(s) that are future-proof, as best we can imagine what the future will hold.
How Can We Change Things?
Set specific policies and standards that new algorithms be adopted or updated. These policies should come from the crypto industry and governments to ensure that they are accurate, comprehensive, and lacking future threats. This should be done so companies can stay in business, but also to protect privacy information around the world, avoid the cryptopolypse should RSA fall (which is inevitable), and secure the world's critical infrastructure which is increasingly IP enabled (cars, industrial control systems, houses, etc.)