Today's secure code cracked tomorrow

The faster computers become, the harder it is to protect data

Encryption keys, the main method of protecting data from unauthorised access, rely on the length of time it takes to unravel them. Every bit that is added to the key doubles the time taken to crack it.

Thus, the longer the key, the more computer power it takes to break it. But, as computer power increases and proliferates, the actual time taken to break a key becomes shorter.

In January 1999, RSA Security laid down a challenge to break a 56-bit Data Encryption Standard (DES) key. More than 100,000 networked computers were used and completed the task in 23.5 hours, says Mr Graham Welch, RSA Security vice-president for the UK, Ireland, France and Benelux. "They used what is called the 'brute force method' - trying keys out to see if they work - and they were fortunate to hit the right one early on. It could have taken much longer," he says.

"For many years, 40-bit keys were seen as quite strong enough - say, as difficult as finding a single drop in a glass of water. Only a year ago, a 56-bit key - equivalent to finding a drop of water in a swimming pool - was good enough. Now we are talking about 128-bit keys - which is like trying to find a specific drop of water in all the oceans of the world."

Using today's techniques it could take until the end of time to find the right key for a 128-bit encryption. But with Moore's law - computer power doubles every 18 months - applicable for at least another decade, it is conceivable that today's "unbreakable" encryption will be inadequate tomorrow.
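The arithmetic behind that claim can be worked through; the following is an added example, not part of the original article. It assumes, generously to the attacker, that the 1999 effort could search the whole 56-bit keyspace in 23.5 hours, and that the 18-month doubling continues indefinitely; the function names are hypothetical.

```python
import math

HOURS_PER_YEAR = 24 * 365.25

def years_fixed_rate(key_bits, base_bits=56, base_hours=23.5):
    """Worst-case years to try every key at the constant 1999 rate.

    Assumption: the baseline rate covers all 2**base_bits keys in base_hours.
    Each extra key bit doubles the result.
    """
    return base_hours / HOURS_PER_YEAR * 2.0 ** (key_bits - base_bits)

def years_with_doubling(key_bits, doubling_years=1.5, base_bits=56, base_hours=23.5):
    """Worst-case years when the attacker's key rate doubles every doubling_years.

    With rate r0 * 2**(t/d), the keys tried by time T are
    r0 * (d / ln 2) * (2**(T/d) - 1). Setting that equal to 2**key_bits
    and solving gives T = d * log2(1 + (W / r0) * ln 2 / d),
    where W / r0 is the fixed-rate search time.
    """
    fixed = years_fixed_rate(key_bits, base_bits, base_hours)
    return doubling_years * math.log2(1.0 + fixed * math.log(2) / doubling_years)

if __name__ == "__main__":
    print(f"{'bits':>4}  {'fixed rate (years)':>20}  {'18-month doubling (years)':>26}")
    for bits in (56, 64, 80, 112, 128):
        print(f"{bits:>4}  {years_fixed_rate(bits):>20.3e}  {years_with_doubling(bits):>26.1f}")
```

At a fixed rate a 128-bit search takes on the order of 10^19 years, but under sustained doubling the same search completes in under a century, and each additional key bit buys only about another 18 months.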

This assumes, of course, that the highest levels of encryption are available for use. Government sensitivity to the misuse of encryption, by criminals or subversive elements, puts a large question mark over its use for commercial transactions.

The French government, for example, has effectively banned public use of encryption except for some financial transactions. The US and British governments want a system whereby authorities - such as the police, the internal revenue and customs and excise - would have access to encryption keys. Ireland's proposed legislation eschews this approach.

This system of so-called "key escrow", where an organisation hands over the keys to the authorities, is not favoured by the industry or commercial users on the basis that it will hold back the introduction of electronic transactions and prejudice commercial confidentiality.

At the same time, the US - the source of most encryption technology - has banned the export of "strong" encryption on the grounds that it could be a threat to national security.

The export ban was relaxed early this year, but meanwhile strong encryption is reaching the market from other sources.

"We have developed encryption beyond the US export limit which is limited only by the hardware," says Mr Frankie Blaskovitch, group managing director of Intensiti Technologies.

"With our SecureWeb product, we are using encryption to spin off into other security products so companies can set up business-to-consumer and business-to-business electronic commerce. It gives you strong encryption, realtime authentication and prevents denial of service and domain stealing," he says.

Proprietary encryption technology is not everyone's preference. Mr Graham Wheeler, director of research and development at the South African-based security specialist, Cequrux, says: "Relying on proprietary technology could be dangerous. We prefer to stick to well-known technology, such as RSA or DES, both of which are quite adequate for the time being. And the Advanced Encryption Standard is due to be published at the end of 2000 which will replace these."

Developments in software and hardware technology will lead to even greater improvements in encryption. "The use of 'quantum computers', for example, is going to mean quite a few orders of magnitude improvement."