
The clock is ticking for encryption

March 21, 2011
In the indictment that led to the expulsion of 10 Russian spies from the U.S. last summer, the FBI said that it had gained access to their encrypted communications after surreptitiously entering one of the spies' homes, where agents found a piece of paper with a 27-character password.

Timing Issues

When will quantum computing threaten the status quo? "We don't know," says Mosca. To many people, 20 years seems a long way off, but in the world of cybersecurity, it's right around the corner. "Is that an acceptable risk? I don't think so. So we need to start figuring out what alternatives to deploy, since it takes many years to change the infrastructure," Mosca says.

SafeNet's Moorcones disagrees. "DES lasted for 30 years, and AES is good for another 20 or 30 years," he says. Increases in computing power can be countered by changing keys more often -- with each new message, if necessary -- since many enterprises currently change their key only once every 90 days, he notes. Every key, of course, requires a fresh cracking effort, as any success with one key isn't applicable to the next.

When it comes to encryption, the rule of thumb is that "you want your messages to provide 20 years or more of security, so you want any encryption that you use to remain strong 20 years from now," says IDC's Kolodgy.

For the time being, "code-breaking today is an end-run game -- it's all about snatching the user's machine," says Kolodgy. "These days, if you pull something out of the air, you can't decrypt it."

But the biggest challenge with encryption is making sure that it's actually used.

"All business-critical data should be encrypted at rest, especially credit card data," says Richard Stiennon at IT-Harvest, an IT security research firm in Birmingham, Mich. "The Payment Card Industry Security Standards Council requires that merchants encrypt it -- or, better yet, not store it at all. And data-breach notification laws don't require you to disclose your lost data if it was encrypted."

And, of course, leaving your encryption keys lying around on slips of paper can also turn out to be a bad idea.

Quantum key distribution technology could be the solution

If quantum technology jeopardizes the methods used to disseminate encryption keys, it also offers technology -- called quantum key distribution, or QKD -- by which such keys can be simultaneously generated and transmitted securely.

QKD has actually been on the market since 2004, with the fiber-based Cerberis system from ID Quantique in Geneva. Grégoire Ribordy, the firm's founder and CEO, explains that the system is based on the fact that the act of measuring quantum properties actually changes them.

At one end of an optical fiber, an emitter sends individual photons to the other end. Normally, the photons will arrive with the expected values and will be used to generate a new encryption key.

 
