Here’s a headline sure to rattle anyone concerned about keeping data safe: “Encryption is less secure than we thought.” According to a recently presented paper from researchers at the Massachusetts Institute of Technology and the National University of Ireland at Maynooth, a mathematical assumption commonly used to judge the strength of cryptographic systems turns out to be unsound.
You can read the whole paper here. Be warned: it is dense with formulas, and they will make your head hurt.
We’ll save you the trouble and cut to the chase. The bottom line of the research, and of a follow-up paper to be presented this fall, according to MIT’s news office, is that encryption you thought was impenetrable may not be nearly as safe as you think.
The papers serve as a reminder and a wake-up call to organizations and their managed IT service providers that network security is an ongoing battle to be fought on several fronts.
One Bad Assumption
MIT professor Muriel Médard, one of the researchers, explains that the logic of classic cryptography breaks down in its reliance on so-called “Shannon entropy,” a measure of the average uncertainty in a string of information (0s and 1s) in a digital file. An analysis built on it effectively treats every plausible string as equally likely to occur. However, Claude Shannon, who founded information theory, was concerned mostly with communications, not cryptography.
In the age of supercomputing, an “average” measure simply won’t cut it. A real attacker tries the most likely strings first, so the slightest bias or correlation in the data lets a computer succeed far sooner than the average-based estimate predicts, and encryption might be more vulnerable to brute-force attacks than previously thought. Ken Duffy, an Irish researcher on the project, described it this way:
“It’s still exponentially hard, but it’s exponentially easier than we thought.”
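To make the point concrete, here is an added worked example; it is not code from the paper or from the article. It assumes a constructed secret: an n-bit string whose bits are drawn independently with probability p of being 1, and an attacker who knows p and guesses strings from most likely to least likely. It compares that attacker’s real chance of success within a guess budget against the Shannon-entropy estimate, which treats the roughly 2^(nH) “typical” strings as equally likely (the typical-set proxy). The function names and the sample parameters are the example’s own.

```python
"""Added example: why an "average probability" (Shannon entropy) estimate
misjudges an attacker who guesses in order of likelihood.

Constructed model (an assumption of this example, not from the paper):
each secret is an n-bit string whose bits are independent with
P(bit = 1) = p.  The attacker knows p and tries strings most-likely-first.
"""

import math
from itertools import product


def shannon_entropy_bits(p):
    """Entropy in bits of a single bit that is 1 with probability p."""
    if p in (0.0, 1.0):
        return 0.0
    return -(p * math.log2(p) + (1 - p) * math.log2(1 - p))


def guess_order_probabilities(n, p):
    """Probabilities of all 2^n strings, sorted most-likely-first.

    This is the attacker's dictionary order: a string with k ones has
    probability p^k * (1-p)^(n-k), and the attacker tries the high
    probability strings before the rest."""
    probs = []
    for bits in product((0, 1), repeat=n):
        ones = sum(bits)
        probs.append(p ** ones * (1 - p) ** (n - ones))
    probs.sort(reverse=True)
    return probs


def real_success_probability(n, p, budget):
    """P(the secret is found within `budget` likelihood-ordered guesses)."""
    return min(1.0, sum(guess_order_probabilities(n, p)[:budget]))


def typical_set_success_probability(n, p, budget):
    """The same quantity under the Shannon-entropy proxy: 2^(nH) equally
    likely candidates, so each guess succeeds with probability 2^(-nH)."""
    return min(1.0, budget * 2 ** (-n * shannon_entropy_bits(p)))


def guesses_for_half(n, p):
    """Guesses needed for a 50% chance of success: (real, proxy estimate)."""
    real = 2 ** n
    cumulative = 0.0
    for k, q in enumerate(guess_order_probabilities(n, p), start=1):
        cumulative += q
        if cumulative >= 0.5:
            real = k
            break
    proxy = math.ceil(0.5 * 2 ** (n * shannon_entropy_bits(p)))
    return real, proxy


if __name__ == "__main__":
    n, p = 16, 0.1  # constructed sample: 16-bit secrets, heavily biased bits
    print(f"Shannon entropy per bit: {shannon_entropy_bits(p):.3f}")
    for budget in (1, 10, 100, 1000):
        real = real_success_probability(n, p, budget)
        proxy = typical_set_success_probability(n, p, budget)
        print(f"{budget:>5} guesses: real {real:.4f}  proxy {proxy:.4f}")
    print("guesses for a 50% chance (real, proxy):", guesses_for_half(n, p))
```

With p = 0.5 every string is equally likely and the two figures agree, which is the case Shannon-style reasoning was built for. With biased bits the attacker’s first few guesses succeed far more often than the proxy predicts, and the number of guesses needed for even odds drops accordingly. The search is still exponential in n, but the exponent is smaller than the Shannon-based estimate suggests, which is the sense of the quote above.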
Moral of the Story: Multiple Security Measures Needed
The lesson to be learned here is that IT security is a constantly evolving issue. Staying one step ahead of the bad guys requires a detailed plan and disciplined execution of that plan. And, yes, despite the flaw researchers have found in a standard way of reasoning about cryptographic strength, encryption remains an important part of the plan.
However, it’s only part of the plan. Sound IT security strategies include human elements too, such as employee screening and training programs that enforce strong password practices. They include physical elements, such as tracking and controlling your inventory of hardware devices and securing your physical premises. And you should be using firewalls and virtual private networks to create “moats” around your network.
Importantly, the plan also should include vigilant, around-the-clock, automated network monitoring that can detect malicious code or unwanted intrusions.
Many organizations think they’re winning the battle, but research indicates there’s a false sense of security.
According to the 2013 Global State of Information Security Survey from PricewaterhouseCoopers, fewer than 55 percent of organizations use intrusion detection tools. Only 40 percent have automated systems for account provisioning and deprovisioning.
“Too often—and for too many organizations—diminished budgets have resulted in degraded security programs,” PwC says. “Risks are neither well understood nor properly addressed.”
That helps explain why nearly 70 percent of respondents reported having some kind of security incident in the previous year, with a litany of bad outcomes resulting. Here’s the chart from PwC:
The new MIT research questioning the bulletproof nature of encryption is one more reminder that no single defense is enough. Indeed, the battle never ends.