Programming hints and tips

The Only Unbreakable Code

Last time I talked about using credit cards on the internet, I compared it to playing a game of 'telephone' to pay your tab in a restaurant. Basically, passing your credit card around the internet will work fine, as long as everybody who might be listening is honest.

Is it really that bad? After all, people have been thinking about this for some time. Surely by now they have come up with a safe way of passing your credit card information! Often, when I tell people about the dangers of using their credit cards on the internet, they respond that it's safe now because they are using the latest version of their browser, which supports encryption. Actually, since that incident a few years ago when Netscape's security system was cracked, they no longer talk about browsers supporting encryption; now they talk about 'strong encryption'.

People believe that with strong encryption, we now have the security necessary to pass information securely. They believe we have found the unbreakable code. But have we?

There is only one unbreakable code, and that is the most recent code developed. This has been true for a long time. It was true when Caesar was expanding the Roman Empire, and it was true when Netscape released their earlier encryption scheme. It is true, not because the most recent code is actually unbreakable, but because the most recent code has not actually been broken. When it is, all the experts will examine how it was broken, go away and work on a new code which does not exhibit that particular weakness, and declare that now, at last, they have an unbreakable code.

Modern encryption techniques are based on sophisticated mathematics and use a special number, called a 'key', which allows you to encode a message so that only the intended recipient can read it. The idea of keys goes all the way back to Caesar, whose code consisted of replacing each letter of the alphabet by a later letter. The key was how many letters to move for the replacement, so the key was a number between 1 and 26. In modern systems, the key is a number with at least 64 bits, or about 20 digits. For strong encryption, the key gets even larger, with typically 128 bits, or about 40 digits.

The security of these systems is based on the fact that there are so many possible keys that the attacker has almost no chance of finding which key corresponds to your message. The code is designed to make it hard (in a mathematical sense) to determine the key from the publicly available information. Each time the key gets two bits longer, it is supposed to take (roughly) twice as long to crack it, so cracking strong encryption should take billions of times longer than cracking 'weak' encryption.

Of course, all this assumes that the people cracking the code are using the attack that you expect. Throughout history, most codes have been cracked by some smart person finding a new way of looking at it, and finding an easier way to extract the coded information. And even if the attackers are using brute force, computers are getting faster all the time. And with computers getting cheaper all the time, an attacker can now use more computers in the attack.

To make matters even worse, several governments now want to be sure that there are no unbreakable codes. They are worried about criminal activity being carried out and hidden by these unbreakable codes, so they want to force all new codes to be breakable. Of course, for the average consumer, that would mean that no matter how recent your security system, you would be guaranteed to have a security hole.

Think of it like the locks on your house. Locks are a good idea. They will keep the neighbourhood punks from breaking into your house and stealing everything. However, it is generally accepted that no lock or security system is good enough to stop a skilled professional from taking what he wants without getting caught. With cryptography, it's the same situation. Modern cypto-systems will easily keep out the casual snooper, but they are now being designed so that the government can always get in. And if your government can get in, who's to say that no other government can get in, or that there are no other organizations with the skill necessary to get in through the government's door.

So, have we found the unbreakable code? Probably not. If you want to be sure that your information is safe, then handle it carefully. Don't trust anyone else to provide your security.

Want to:
Read more from the soapbox
- Read Awk Words.
- Look at my AWK scripts.
- Read Robert's Rules Of Coding.
- Go back to the front gate.
- Visit another wagon.

Page maintained by Rob.