In Depth

Encryption: Achy, Breaky Code

What every CSO needs to know about encryption

By Simson Garfinkel

Page 2

There are fundamentally two kinds of cryptographic systems. The first, called symmetric, uses the same key to encrypt and decrypt. Think of this key as a password: Anybody who knows the key can access the data, so the key must be kept secret and yet somehow delivered to every party who needs to decrypt. Probably the best-known symmetric system is the Data Encryption Standard (DES). Developed in the 1970s by IBM with the involvement of the National Security Agency (NSA), and adopted as a U.S. federal standard in 1977, DES is still widely used today.

The second kind of cryptography is called public-key cryptography. These systems use a pair of keys: one key (the public key, which can be freely published) encrypts, and a second, mathematically related key (the private key, which is kept secret) decrypts. The best-known public-key system is the RSA algorithm, named after its inventors Ron Rivest, Adi Shamir and Len Adleman.

Both symmetric and public-key systems use keys, but they use the keys in different ways. With symmetric systems, the 1s and 0s in a binary key are like the metal ridges on a house key: To decrypt an enciphered message, each bit in the key must match perfectly. An attacker who doesn't know the key used to encrypt a message can attempt to "crack" the code by trying every possible combination. That approach, however, becomes unworkable very quickly as the key gets longer, because every additional bit doubles the number of keys: there are roughly 4 billion different 32-bit keys; increase the key to 40 bits and there are 256 times as many, roughly a trillion; at 56 bits there are some 72 million billion keys to search.
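The exhaustive search described above, as an added example that is not part of the original article: a toy symmetric cipher (an HMAC-SHA256 keystream in counter mode, chosen here only because it ships with Python) is used with a deliberately tiny 16-bit key, the attacker recovers the key from a short piece of known plaintext, and the measured rate is then extrapolated to the longer keys discussed in the article. The key, the plaintext and the cipher construction are all constructed for this demonstration.

```python
import hashlib
import hmac
import time


# Toy symmetric cipher for the demonstration: a keystream generated with
# HMAC-SHA256 in counter mode, XORed into the data. The construction itself
# is reasonable, but the key sizes below are deliberately tiny so that the
# exhaustive search finishes in a fraction of a second.
def keystream(key: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, data: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


decrypt = encrypt  # XOR with the same keystream undoes the encryption


def brute_force(ciphertext: bytes, known_plaintext: bytes, key_bits: int) -> bytes:
    """Try every key_bits-bit key, in order, until one turns the known
    plaintext into the observed ciphertext prefix (known-plaintext search)."""
    key_len = (key_bits + 7) // 8
    target = ciphertext[: len(known_plaintext)]
    for candidate in range(1 << key_bits):
        key = candidate.to_bytes(key_len, "big")
        if encrypt(key, known_plaintext) == target:
            return key
    raise ValueError("no key matched the known plaintext")


def years_to_search(key_bits: int, keys_per_second: float) -> float:
    """Time needed to try every key_bits-bit key at the given rate, in years."""
    return (1 << key_bits) / keys_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    secret = (0x9A2B).to_bytes(2, "big")        # constructed 16-bit key
    header = b"GET /index.html "                # constructed known plaintext (16 bytes)
    ct = encrypt(secret, header + b"HTTP/1.1\r\n")

    t0 = time.perf_counter()
    found = brute_force(ct, header, 16)
    elapsed = time.perf_counter() - t0
    rate = (int.from_bytes(found, "big") + 1) / elapsed   # keys actually tried per second
    print("recovered key %s in %.2fs (about %.0f keys/s)" % (found.hex(), elapsed, rate))

    # Each extra bit doubles the work; extrapolate the measured rate to real key sizes.
    for bits in (32, 40, 56, 128):
        print("%3d-bit key: %.3g years to try every key at this rate"
              % (bits, years_to_search(bits, rate)))
```

Only the first 16 bytes of known plaintext are needed to test a candidate, so each trial costs one HMAC call; the search is linear in the number of keys, which is exactly why the extrapolated figures explode by a factor of two per bit.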

Public-key systems are based on mathematical problems such as factoring large numbers. These problems give the systems their two-key properties; they also leave the systems open to attacks other than an exhaustive key search: an attacker who can factor the public modulus of an RSA key can compute the private key directly, and factoring takes far fewer steps than trying every possible key. As a result, keys used for public-key systems have to be much larger than symmetric keys to get the same level of security (a 3072-bit RSA key is generally rated as comparable to a 128-bit symmetric key).
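A worked illustration of the point above, added here and not part of the original article: textbook RSA is set up with a toy 40-bit modulus, and the private key is then recovered from the public key alone by factoring the modulus with trial division. The primes and the message are constructed for the demonstration; real RSA uses padding and moduli of thousands of bits precisely because this shortcut costs only about the square root of the modulus, not the full key space.

```python
from math import isqrt


def rsa_keygen(p: int, q: int, e: int = 65537):
    """Textbook RSA key pair from two primes (toy sizes, no padding)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)            # modular inverse (Python 3.8+)
    return (n, e), (n, d)          # (public key, private key)


def rsa_encrypt(public, m: int) -> int:
    n, e = public
    return pow(m, e, n)


def rsa_decrypt(private, c: int) -> int:
    n, d = private
    return pow(c, d, n)


def factor_by_trial_division(n: int):
    """Return (p, q, trials): the two factors of n and the number of
    divisions it took to find them. Work is bounded by sqrt(n), not n."""
    if n % 2 == 0:
        return 2, n // 2, 1
    trials = 1
    f = 3
    limit = isqrt(n)
    while f <= limit:
        trials += 1
        if n % f == 0:
            return f, n // f, trials
        f += 2
    raise ValueError("n has no factor below sqrt(n); not a product of two primes")


def recover_private_key(public):
    """The attack: factor the public modulus, then rebuild d exactly as keygen did."""
    n, e = public
    p, q, trials = factor_by_trial_division(n)
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, d), trials


if __name__ == "__main__":
    # Constructed toy primes just above one million; the modulus is 40 bits.
    public, private = rsa_keygen(1000003, 1000033)
    n, _ = public
    c = rsa_encrypt(public, 123456789)
    print("modulus bits:", n.bit_length(), " decrypts correctly:", rsa_decrypt(private, c) == 123456789)

    recovered, trials = recover_private_key(public)
    print("private key recovered from public key:", recovered == private)
    print("divisions needed: %d (about 2^%.1f), versus 2^%d keys for exhaustive search"
          % (trials, trials.bit_length() - 1, n.bit_length()))
```

The 40-bit modulus falls in roughly half a million divisions, about 2^19 steps rather than 2^40; better factoring algorithms widen that gap further for larger moduli, which is why RSA key sizes are measured in thousands of bits.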

A few examples can quickly illustrate how this all works. The DES encryption algorithm uses a 56-bit key, which means that there are roughly 72 million billion keys available. If you tried to crack a message encrypted with DES by searching a billion keys a second, it would take 72 million seconds to try them all, a little over two years (on average the right key turns up about halfway through). As it turns out, modern computers can do much better: In 1999, a network of computers found a DES key in about 22 hours, crunching 245 billion keys per second.

Recently, DES was retired in favor of the Advanced Encryption Standard (AES). Instead of a 56-bit key, AES can run with a 128-, 192- or 256-bit key. How long will it be until AES is obsolete? Possibly never, at least as far as exhaustive search is concerned. There are 340 billion billion billion billion 128-bit keys; if you had a billion computers, each of which could test a billion keys a second, it would still take more than 10 trillion years to try all 128-bit keys. (The sun will turn into a red giant and destroy the earth in roughly five billion years, so 128-bit keys are probably safe.) Two caveats apply: the arithmetic assumes no shortcut better than trying keys one at a time is ever found, and a large quantum computer running Grover's algorithm would cut the effective strength of a 128-bit key to about 64 bits, which is one reason 256-bit keys are recommended where long-term protection matters.
