Just what security executives wanted for the holidays -- something new to worry about.
This ComputerWorld story details a distressing discovery by Adi Shamir, the "S" in RSA Security and now a professor at the Weizmann Institute of Science in Israel. The story is about reaction to a paper Weizmann wrote detailing a microprocessor flaw that could enable a corrupted message to undo Public Key Encryption and render a host computer helpless.
The paper, the piece says, was meant to be circulated among experts. Instead, The New York Times covered the issue, which is hardly the best way to keep something quiet. The growing complexity of processors makes such mistakes more likely, and this isn't the first time that a processor glitch created potential problems. At the end of the piece, security expert Bruce Schneier suggests that the flaw deserves attention, but doesn't represent an immediate crisis.
Encryption gets complicated very quickly, but the basic concept isn't too difficult. This explanation of public key encryption at Terry Zink's Anti-Spam Blog is great for those of us who barely passed math. Zink offers an illustration:
- Alice picks two keys and makes one public and keeps the other private.
- Bob wants to send a message to Alice.
- Bob asks Alice for her public key, and Alice gives it to him.
- Bob encrypts the message with Alice's public key and transmits the message to Alice.
- Alice receives the message and decrypts it with her private key. Alice is the only one that can decrypt the message with her private key.
The subject of encryption is a bit more complex than the tale of Bob and Alice. This Tech Republic piece performs quite a feat: It describes the heart of encryption in easy to understand language. Encryption -- the mixing up of data that can only be undone using a key -- relies on something called pseudorandomness.
Pseudorandomness, as the name implies, refers to a number that appears random but is not. The strength of the algorithm -- the number of numbers in a cycle -- is the "period." The start point for each period is a "seed," which is a truly random number. The piece goes into some detail about the generation of these numbers and some of the issues in the creation of solid encryption systems.
Slashdot highlights another danger to public key encryption, perhaps one more serious than Shamir's calculations. Two teams have made quantum computers capable of a mathematical procedure called Shor's algorithm, which can break public key encryption. The two teams are from the University of Queensland in Brisbane, Australia, and the University of Science and Technology of China, which is in Hefei. The story has links to three items: a password-protected story on the research and two items about Shor's algorithm, which has to do with prime number factoring.
This InformationWeek piece, thankfully, focuses more on the business side of encryption. The challenge is that various laws and regulations -- not to mention common sense -- is driving the use of encryption. From an operational standpoint, however, it is a bit of a headache: It generally slows down the way in which various tasks are performed while adding nothing to the bottom line. The piece focuses on the experience of Voltage Security, which offers what the posting calls an "identity-based encryption" algorithm to protect e-mail and other data. The CEO argues that savvy companies can use the strength of its encryption as a competitive differentiator and thereby generate revenue.
Encryption is a imposing and complex topic. It's also increasingly central to the way data is protected, and threats to it -- from flawed processors to advanced computers -- are a serious matter that IT and security planners should keep on their radar screens.