Cryptographic Science vs. The Virtual Force of Evil

Several of the computer scientists and mathematicians who brought forth public key cryptography recently put their brains and computers back to work on the vexing question of how airtight their techniques really are.

They came up with a good news-bad news answer that seems about par for the course as business people begin to assess the risks of commerce and financial transactions on the Internet.

In short, let the seller beware.

The good news is that data encryption - the scrambling of messages so that they are unintelligible except to a recipient who has the key to decipher them - has long and successfully protected sensitive transmissions such as bank electronic funds transfers. Even better, interbank networks tend to have several layers of security in addition to data encryption. Breaches have reportedly been extremely rare, and almost never due to an encryption weakness.

The bad news is that public on-line networks are inherently insecure, considerably more so than private money-transfer networks. Moreover, encryption-based security is never going to be forever.

The ever-growing power and falling cost of computers make encryption-decryption keys - strings of ones and zeros, known as bits, in computer code - increasingly vulnerable to what are called brute-force attacks. In such an attack, a hacker programs a computer - or, more likely, many computers - to test every possible combination of bits until one deciphers the message, at the rate of thousands or potentially millions of keys per second per machine.

The length of the key determines how many combinations must be tried, and the frequency with which the key is changed determines how much an intruder gains from finding one; together they set the likelihood of a break-in.

The raw calculating power an unauthorized party can bring to bear - usually a function of money in hand, or of the cost of a system that party has use of - determines how quickly a given key can be found.

It didn't require a committee of encryption scientists - people of the stature of RSA Data Security Inc. co-founder Ronald Rivest and Sun Microsystems distinguished engineer Whitfield Diffie - to prove the hazards in a key length of 40 bits. It was that type of key, embedded in the Netscape Internet-browsing software, that a French student compromised last summer. It came as small comfort that it took more than 100 computer workstations over eight days to find the key.

The encryption experts estimated that an amateur hacker with a $400 hardware budget could break a 40-bit key in just five hours.

Promoters of more secure encryption are frustrated by the fact that 40 bits is the longest key authorized for export by the U.S. government, a vestige of Cold War-era controls meant to prevent enemies from getting too much computer sophistication.

The team of encryption scientists saw a 56-bit key as a vast improvement. This is the length specified in the national Data Encryption Standard, or DES, and typically used in bank and government networks. The study said a hacker with a $400 system would need 38 years to work through the whole keyspace.

But someone with $10 million of computer hardware - a large corporation or organized crime - might smash through a DES barrier in as little as six minutes. An intelligence agency with $300 million in dedicated hardware, the experts said, could beat DES in 12 seconds. (Which is said to explain why the national security and law enforcement establishments are wary of longer keys: They need to do their jobs by breaking codes when necessary.)

"DES may be ... a commonly cited benchmark (but) calculations show that DES is inadequate against a corporate or government attacker committing serious resources," wrote the authors of the encryption study. "The bottom line is that DES is cheaper and easier to break than many believe."

Mr. Diffie, speaking for the team that produced the report on "encryption assurance" for the Washington-based Business Software Alliance, suggested a move to longer keys would be prudent.

Mr. Diffie told the RSA Data Security conference in San Francisco early this year that 75 bits would be safe today, but factoring in anticipated advances in computing and ingenuity, he suggested 90 bits "if you want a 25-year lifetime."
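The brute-force arithmetic described above - key length sets the work, budget sets the throughput, and cheaper hardware erodes both over time - and the 75- and 90-bit figures Mr. Diffie cited can be checked with a short script. What follows is an added example, not code from the article or from the study's authors. The "cipher" it attacks is a constructed stand-in (HMAC-SHA256 under a short integer key) chosen only so the search runs with Python's standard library; it is not DES, and its speed says nothing about DES hardware. The 18-month doubling rule in bits_needed is an assumption, not the report's own method.

```python
"""Brute-force key search and the cost arithmetic behind the article's figures.

Added example, not from the article or the BSA report. The "cipher" is a
constructed stand-in: HMAC-SHA256 under a key_bits-bit integer key, chosen only
so the search runs with the Python standard library. It is not DES and its
speed says nothing about DES hardware; the point is the attack's shape and how
its cost scales with key length, budget and time.
"""
import hashlib
import hmac
import time

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def toy_encrypt(key: int, plaintext: bytes, key_bits: int) -> bytes:
    """Stand-in for a block cipher: a keyed hash under an integer key."""
    key_bytes = key.to_bytes((key_bits + 7) // 8, "big")
    return hmac.new(key_bytes, plaintext, hashlib.sha256).digest()


def brute_force(plaintext: bytes, ciphertext: bytes, key_bits: int):
    """Known-plaintext exhaustive search over all 2**key_bits keys.

    Returns (key, trials); key is None if the keyspace is exhausted without a
    match. This is what the article calls testing "every combination of bits".
    """
    for candidate in range(1 << key_bits):
        if toy_encrypt(candidate, plaintext, key_bits) == ciphertext:
            return candidate, candidate + 1
    return None, 1 << key_bits


def measure_rate(key_bits: int = 14) -> float:
    """Keys per second this machine manages against the toy cipher (timing only)."""
    plaintext = b"constructed known plaintext"
    target = (1 << key_bits) - 1          # worst case: last key in the space
    ciphertext = toy_encrypt(target, plaintext, key_bits)
    start = time.perf_counter()
    key, trials = brute_force(plaintext, ciphertext, key_bits)
    assert key == target
    return trials / (time.perf_counter() - start)


def expected_seconds(key_bits: int, keys_per_second: float) -> float:
    """Expected time to hit the right key: on average half the space is searched."""
    return (1 << key_bits) / 2 / keys_per_second


def scale_time(seconds: float, from_bits: int, to_bits: int,
               from_budget: float, to_budget: float) -> float:
    """Re-scale a quoted break time to another key length and hardware budget.

    Assumes each extra key bit doubles the work and that throughput grows
    linearly with dollars spent on the same kind of hardware (so a $400 FPGA
    figure cannot be scaled to a $10 million custom-chip figure this way).
    """
    return seconds * 2 ** (to_bits - from_bits) * (from_budget / to_budget)


def bits_needed(lifetime_years: float, safe_bits_today: int,
                doubling_months: float = 18) -> float:
    """Key-length margin for a key that must survive lifetime_years.

    Rule of thumb (an assumption, not the report's exact method): add one bit
    for every doubling of price/performance, taken here as every 18 months.
    """
    return safe_bits_today + lifetime_years * 12 / doubling_months


if __name__ == "__main__":
    rate = measure_rate()
    print(f"toy cipher on this machine: {rate:,.0f} keys/s")
    for bits in (40, 56, 75, 90):
        years = expected_seconds(bits, rate) / SECONDS_PER_YEAR
        print(f"  {bits}-bit key: {years:.3g} years")
    # The report's own figures, re-derived by scaling:
    print("40-bit in 5 h on $400 -> 56-bit on $400:",
          f"{scale_time(5 * 3600, 40, 56, 400, 400) / SECONDS_PER_YEAR:.1f} years")
    print("56-bit in 6 min on $10M -> on $300M:",
          f"{scale_time(6 * 60, 56, 56, 10e6, 300e6):.0f} seconds")
    print("bits for a 25-year lifetime from 75 today:", f"{bits_needed(25, 75):.0f}")
```

Running it shows the step from 40 to 56 bits costing 2^16 times as much (five hours on $400 becomes about 37 years on the same $400, the report's 38 to rounding), the 30-fold budget step from $10 million to $300 million cutting six minutes to 12 seconds, and a Moore's-law margin of roughly 17 bits over 25 years, which is how 75 bits today becomes about 90. The $400-to-$10 million step cannot be reproduced by scale_time alone, because the report priced different hardware (programmable chips versus custom chips) at the two budgets.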

Measured against those figures, the 128-bit keys that Netscape and others are lobbying for, let alone 256-bit keys and "triple DES" - which applies DES three times, under two or three keys, instead of once - would seem more than adequate. (Triple DES with three 56-bit keys carries 168 bits of key material but, because of a known "meet-in-the-middle" shortcut, resists brute force only about as well as a 112-bit cipher would; that is still far beyond the 90-bit mark.)

But such conclusions raise questions about banks' aging DES hardware and software, and the industry's near-term ability to keep a step ahead of the code breakers.

Some banking security experts think DES, created by IBM and the National Security Agency in the 1970s, is currently adequate but will have to be replaced in five to 10 years. Cryptography experts estimate it would cost $1.5 billion to change all the systems that were designed around DES.

"Banks have deployed hundreds of thousands of DES devices with chips in them that can't be replaced," said Kawika Daguio, an electronic banking expert at the American Bankers Association. "The systems are good, but they're really expensive and can't just be upgraded."

To move to the higher-level encryption systems that Mr. Daguio and others say will be required, "they may have to pull all their hardware."

"Everything until now has been theoretical, but at some point computing power will be so cheap that people will break the (DES) key," said Fred J. Rica, a data security consultant for Price Waterhouse.

The software industry study - by cryptographers from seven organizations, including the Massachusetts Institute of Technology, where Mr. Rivest is a professor; AT&T Corp.; and the San Diego Supercomputer Center - envisioned a near future in which "big money" criminals and spying governments break into thousands of DES-protected transactions and divert money or information in amounts small enough to go undetected before further security measures kick in.

"Think of it as picking up pennies in front of a steamroller," said study participant Bruce Schneier, author of "Applied Cryptography" and president of Counterpane Systems, a computer security consulting firm in Minneapolis. "Even minimal gains become substantial after a few million iterations."

Mr. Schneier deemed DES "completely inadequate" for protecting against this type of automated financial fraud.

Even more ominous, the software study's authors said, is the possibility that governments would devote vast resources to breaking DES.

"There is ample evidence of ... government agencies seeking to obtain information ... for commercial advantage," said the report, citing evidence from U.S. congressional hearings in 1993 that the French and Japanese governments had spied on their own business communities.

"The investment required is large (about $300 million), but not unheard of in the intelligence community," the study added. "It is ... far less than the cost of many spy satellites. Such an expense might be hard to justify in attacking a single target, but seems entirely appropriate against a cryptographic algorithm, like DES, enjoying extensive popularity around the world."

But most bank security experts think they are safe from espionage and electronic robbery, at least in the short term.

"Naive implementations of DES may be susceptible to brute-force attacks, but bankers provide additional protections" that make encrypted transactions safe, said Mr. Daguio at the ABA.

"The industry is well aware that encryption security is not foolproof," said Mark Hardie, a bank technology analyst at the Tower Group in Wellesley, Mass. "Any encryption standard technology can be breached with the right amount of horsepower. It's a question of whether or not the criminals of the world can have or can apply that horsepower without being noticed."

He said banks manage closed electronic banking systems, such as automated teller networks, well enough to detect and stop criminal activity before it gets to the DES-encrypted transactions. And digital money is still such an oddity that criminals would be hard-pressed to launder large amounts without being noticed.

"If it remains easier to dig through the garbage and find credit card numbers, then (computerized fraud) won't happen," Mr. Hardie said.

Finding a reliable, more powerful alternative to DES could take the banking industry several years, said Rich Ankney, a member of an American National Standards Institute committee that deals with banking encryption.

"DES hasn't been withdrawn," said Mr. Ankney, chief scientist for Fischer International, a commercial software company. "We realize the need for stronger standards, but we're not telling everyone to replace their equipment overnight," which is widely agreed to be "too expensive."

But a new encryption standard could save banks money in the long run, Mr. Ankney said, because theft insurance rates would probably drop.

The standards committee is looking at triple DES as at least a short-run solution. It encrypts each transaction three times under DES with independent keys, so a hacker cannot simply break three 56-bit codes in turn; the best known shortcut still leaves the work at roughly that of a 112-bit key, far beyond any of the budgets the study priced.

Triple DES has a life expectancy of 20 to 25 years, said George Soerheide of Security Dynamics in Cambridge, Mass., and chairman of a standards institute committee on home banking security.

But triple DES is an interim measure and "we want a brand new algorithm," Mr. Ankney said. "Banks recognize the need to phase over to something else. There's no real urgency, but we'll certainly need something within the next three to four years."

Mr. Duchemin is a writer with Northwestern University's Medill News Service. American Banker senior editor Jeffrey Kutler contributed the reporting from the RSA Data Security conference.
