Don’t believe it

The world’s first uncrackable security system, which even quantum computers could not hack, has finally been developed by researchers.

Computer scientists had feared that the dawn of quantum computing would allow even the most fiendishly-encrypted data to be easily decoded, causing a major headache for banks, government agencies and communications providers.

As far back as 1917, scientists had proposed that ‘perfect secrecy’ could be achieved if it was possible to change the key which encrypts a message each time, based on the message itself.

Now, the University of St Andrews and international partners, have done just that, creating a type of chip which effectively creates a one-time-only key from the data being sent, scrunching it all up before sending, in a way that could never be hacked.

I’m perfectly willing to agree that some forms of cryptography, of communication, can be made safe from certain sorts of hacking and decoding. But one from all? Don’t believe it.

We’ve got human beings involved here. There will always be a door somewhere in the system. And anyone who assumes that the system really is uncracked will likely get a rude surprise – Enigma worked out badly precisely ‘cuz the Krauts insisted it couldn’t be broken. Which, with the technologies they knew about, was true.

34 thoughts on “Don’t believe it”

  1. Sounds like a challenge to me.

    Or maybe I should say it sounds to me like a challenge. I’m smart enough to realise that I’m not smart enough to take up that sort of challenge.

  2. There is exactly one, mathematically proven ‘unbreakable’ encryption system. This is the “one time pad” used in the days before computers. It’s a list of random (the difficult part is making them truly random) numbers that both ends have a copy of and they must be used once and then never again. US warships in the cold war used to put to sea with pallet loads of these on board.

    Computer-based systems are all capable of being cracked by computer, but they make use of (what are believed to be) ‘trap-door’ functions that are relatively easy to carry out, but require immense computer power to reverse – the classic example being factorisation of very large (many hundreds of digits) numbers.

    Quantum computers can carry out certain types of calculation much more rapidly than classical ones, and this includes factorisation, so computer encryption schemes that depend on this will become crackable in minutes rather than thousands of years. But we already have encryption algorithms that are not susceptible to this means of attack (the NSA and GCHQ are almost certainly using them already) – they just haven’t been through the full, lengthy process of being adopted as a public standard.

  3. Bloke in North Dorset

    Most people think about intercept when they think about breaking codes, probably because Enigma was all about intercepting German radio transmissions, but that is the easiest part to secure, as this story shows.

    Enigma was cracked because they managed to get hold of a machine and (1) find a flaw in the way it worked and (2) build a machine* to replicate how it worked, that reduced the number of possible combinations which reduced the time to crack. Without that most transmissions would have remained unbroken within the time period the information would be useful**.

    The one time pad is only secure until an operator loses a copy either deliberately or accidentally.

    *A visit to Bletchley Park is well worth the money, but needs two days to be done properly but as the ticket lasts a year it makes it good value.

    ** There’s no point wasting resources making something more secure than it needs to be or spending time cracking codes only to be told about events which have already happened.

  4. You can have an unbreakable door. But an unbreakable wall? Unbreakable floor? One person will be able to decrypt it, and there’ll need to be backup in case that person is incapacitated. And that person has family and friends. People are pretty fucking far from unbreakable when threatened with ultraviolence.

  5. They’re using photonics…. The thing is basically a very fast Enigma…
    I’d give it two to three months in the wild before the code is cracked.

  6. Any encryption can be broken, given enough time and information. The point of a one-time pad (with all its drawbacks) is that it’s used once, so doesn’t generate enough information to be cracked.

    Enigma always could be broken, and the Polish intelligence service had worked out how to do so in the 1930s: the issue was that the calculations to do so took weeks, and the key setting changed every day. So, even assuming you’d collected enough data, by the time you’d broken that day’s traffic, the U-boat it was referring to had put to sea, spent a month on patrol, attacked a convoy, and returned safely to base by the time you decoded the order telling it to leave Lorient.

    Bletchley Park’s success was in speeding up the process such that the code could be broken quickly enough to be useful, coupled to both excellent collection by the “Y” Service and human intelligence (to generate ‘cracks’ and ‘cribs’ like the way Hauptmann Scheisskopf of the 13th Luftwaffe Field Latrine Division always used his girlfriend’s initials as the ‘random’ three letters, or that if a U-boat was in a certain patch of ocean then its weather report would refer to grid square “JF” because that map had been captured earlier, or…) to find faster ways to break into Enigma.

    In some ways it was overstated, particularly since it was kept secret for thirty years then got a big reveal where claims like “ULTRA shortened the war by five years!” were thrown about, but it certainly didn’t hurt. It also allowed successes even when the codes weren’t being broken: for instance, shortly after D-Day the Y Service located a radio “hot spot” in Normandy, recognised some of the entities transmitting from it, and without needing to break Enigma identified it as HQ Panzer Group West for the RAF to bomb to cratered ruin (killing or wounding most of the staff and disrupting German command-and-control for a couple of critical weeks).

    Sometimes it’s not “can they decode my communications”, it’s “can I communicate at all?” or “how long does this need to remain secure for?” As we were taught back in the days of Clansman radios and BATCO wallets, there’s no need to encode a contact report – if the enemy are shooting at you, they know where you are already…

  7. “There will always be a door somewhere in the system.”

    System manager came to me ~1997 and told me my password needed to be changed. It took their software “only” 40 hours to guess it. Seems on weekends they tasked the system with trying to guess passwords.

    I told him he needed to change the system. Any repeated login failures should result in blocked access. Standard login to system would kick you out after 3rd failure. I assume a mass amount of processing was required to come up with my password. Figuring it out in 40 hours does not make the password weak; it shows system access was weak.

  8. I told him he needed to change the system. Any repeated login failures should result in blocked access. Standard login to system would kick you out after 3rd failure. I assume a mass amount of processing was required to come up with my password. Figuring it out in 40 hours does not make the password weak; it shows system access was weak.

    It’s not necessarily just preventing access to the login prompt that you need to secure against. Someone gaining access to the encrypted passwords could crack them offline, and 40 hours is no time at all.

  9. The weakest part of any system is the people.

    This week, I sent out my login details for one of the computer systems we use to someone who requested it, said he was admin, needed to run tests on the database client as it was passing though another company’s server causing issues.
    I also copied in about 30 people on a mailing list.

    Security? Don’t make me laugh.

  10. The thing about codes is that the people receiving the message have to have a way of decoding. Single use codes are harder to crack, not impossible though. The method of creating the code itself creates patterns. It just may take decades and some improvement in training / computers.
    Humans can make intuitive leaps that computers cannot.

  11. Any encryption needs to be able to be broken by at least one person – the recipient. Otherwise it is useless. And once that one person is able to decrypt it, any person can.

  12. “The weakest part of any system is the people.”

    Reminds me. Youtube videos on store security checks on people leaving stores, whether or not you really need to comply. One wag pointed out that inventory shrinkage was due almost entirely to employees, not customers. Harassing customers was accomplishing nothing but pissing them off.

    “Someone gaining access to the encrypted passwords could crack them offline”

    Not understanding what you are saying; our encrypted passwords existed only online.

    And what CD said. Why work hard to decrypt when you can probably find a human who will let you in?

  13. “Someone gaining access to the encrypted passwords could crack them offline”

    Not understanding what you are saying; our encrypted passwords existed only online.

    If I somehow gain access to the list of encrypted passwords, I don’t need to be connecting to your server to try to guess the unencrypted versions. I can simply feed them into my password hasher and see which plaintext values pop out.

    I then only need 1 attempt at your login prompt.

    Access to those passwords may not be as tricky as some may think: a 1997-era Unix system (for example) could easily still be storing password hashes in the world-readable file /etc/passwd. Shadow password files were a fairly recent innovation back then.
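The distinction drawn in this comment, between the online login prompt (where a lockout counts failures) and an offline copy of the stored hashes (where nothing counts anything), is easy to show in code. The following is an added example, not part of the thread: a constructed account whose password is stored as a fast unsalted SHA-256 digest standing in for the weak 1990s storage described above, a three-strike login guard, the offline check that the guard never sees, and the mitigation a defender reaches for today, a salted and deliberately slow KDF (PBKDF2 here; the 200,000 round count is an assumption, not a figure from the page).

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Fast, unsalted digest: stands in for the weak stored form described above
# (constructed example, not any real system's format).
def fast_hash(password: bytes) -> str:
    return hashlib.sha256(password).hexdigest()

class LoginGuard:
    """The online path: the only thing a 3-strike lockout can protect."""
    def __init__(self, stored_hash: str, max_failures: int = 3):
        self.stored_hash = stored_hash
        self.max_failures = max_failures
        self.failures = 0
        self.locked = False

    def attempt(self, candidate: bytes) -> str:
        if self.locked:
            return "locked"
        if hmac.compare_digest(fast_hash(candidate), self.stored_hash):
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= self.max_failures:
            self.locked = True
        return "denied"

def offline_guesses(stored_hash: str, candidates) -> Tuple[int, Optional[bytes]]:
    """The offline path: with the hash in hand the lockout never fires.
    Returns (candidates tested, matching candidate or None)."""
    tested = 0
    for cand in candidates:
        tested += 1
        if fast_hash(cand) == stored_hash:
            return tested, cand
    return tested, None

# Mitigation: a per-user salt plus a slow KDF makes every offline guess cost
# real CPU time, so "40 hours" buys far fewer guesses. Round count is assumed.
PBKDF2_ROUNDS = 200_000

def make_record(password: bytes) -> Tuple[bytes, bytes]:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ROUNDS)
    return salt, digest

def verify_record(password: bytes, record: Tuple[bytes, bytes]) -> bool:
    salt, digest = record
    return hmac.compare_digest(
        hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ROUNDS), digest)

if __name__ == "__main__":
    stored = fast_hash(b"rosebud")              # constructed sample account
    guard = LoginGuard(stored)
    print([guard.attempt(b"wrong%d" % i) for i in range(1, 4)], guard.locked)
    wordlist = [b"wrong1", b"wrong2", b"wrong3", b"wrong4", b"rosebud"]
    print(offline_guesses(stored, wordlist))    # lockout irrelevant here
    rec = make_record(b"rosebud")
    print(verify_record(b"rosebud", rec), verify_record(b"rosebuds", rec))
```

The two stores look the same to a user typing at the prompt; they differ only in how much each guess costs once the file has been copied, which is the whole point of the comment.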

  14. The point being that relying on just one security mechanism (3 tries and you’re locked out) is not enough. You need in-depth layers of security, and another of those layers is insisting on passwords that can’t be cracked inside 40 hours over the weekend.

  15. Bullshit. We had no problems.

    Standard VAX-VMS operating systems.

    “If I somehow gain access to the list of encrypted passwords”

    “If” is doing a lot of work there.

  16. “If” is doing a lot of work there.

    It really isn’t, not in the slightest. But feel free to continue deluding yourself.

  17. Bloke in Costa Rica

    One time pads work (if the keystream is truly random) because all decrypts of the ciphertext are equally likely. Reusing a pad leaks information and can be used to break into the keystream.

    As a rule of thumb, assume all stories on crypto in the mainstream press are gibberish. Crypto is really hard to get right, and even people nominally good at turning specs into kit (i.e. engineers, both soft- and hardware) commit horrendous errors that are only caught years afterwards. The underlying ciphers are almost never at fault. The attack surface is the cryptosystem. The ways in are often incredibly non-obvious (e.g. Rowhammer, Dirty Cow, SPECTRE) and thus very hard to guard against and to mitigate.
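Comment 2 above says the one-time pad is the only provably unbreakable scheme, and this comment adds the two conditions: the keystream must be truly random, and reuse leaks information. The following is an added example, not part of the thread, showing both facts with a byte-level XOR pad: for any ciphertext there is a pad that decrypts it to any candidate of the same length (so the ciphertext alone reveals nothing), and if the same pad is used twice, one known plaintext hands over the other. Messages and the use of os.urandom as the pad source are constructed assumptions.

```python
import os

def otp_encrypt(plaintext: bytes, pad: bytes) -> bytes:
    """Vernam cipher: XOR each message byte with one fresh pad byte."""
    if len(pad) < len(plaintext):
        raise ValueError("pad must be at least as long as the message")
    return bytes(p ^ k for p, k in zip(plaintext, pad))

def otp_decrypt(ciphertext: bytes, pad: bytes) -> bytes:
    # XOR is its own inverse, so decryption is the same operation.
    return otp_encrypt(ciphertext, pad)

def fresh_pad(length: int) -> bytes:
    # os.urandom is the OS CSPRNG (assumed adequate here); a real one-time pad
    # needs truly random key material, the "difficult part" comment 2 mentions.
    return os.urandom(length)

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def pad_for_decrypt(ciphertext: bytes, candidate: bytes) -> bytes:
    """Perfect secrecy: for ANY candidate plaintext of the same length there is
    a pad that decrypts the ciphertext to it, so all decrypts are equally likely."""
    return xor_bytes(ciphertext, candidate)

def recover_from_reuse(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """Why reuse breaks it: c1 XOR c2 == p1 XOR p2 because the pad cancels, so
    knowing one plaintext gives the other outright."""
    return xor_bytes(xor_bytes(c1, c2), known_p1)

def demo_reuse() -> bytes:
    # Constructed sample messages of equal length, encrypted under the SAME pad.
    p1 = b"ATTACK AT DAWN!"
    p2 = b"RETREAT AT DUSK"
    pad = fresh_pad(len(p1))
    c1 = otp_encrypt(p1, pad)
    c2 = otp_encrypt(p2, pad)   # the mistake: second use of the pad
    return recover_from_reuse(c1, c2, p1)

if __name__ == "__main__":
    pad = fresh_pad(15)
    c = otp_encrypt(b"ATTACK AT DAWN!", pad)
    print(otp_decrypt(c, pad))
    # the same ciphertext "decrypts" to an innocent message under another pad
    print(otp_decrypt(c, pad_for_decrypt(c, b"NOTHING TO SEE!")))
    print(demo_reuse())          # the second message falls out of pad reuse
```

Note that nothing here needs the pad to be recovered: the reuse leak works directly on the two ciphertexts, which is why the pallet-loads of pads in comment 2 had to be burned after a single use.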

  18. “If I somehow gain access to the list of encrypted passwords”

    “If” is doing a lot of work there.

    It really isn’t, not in the slightest. But feel free to continue deluding yourself.

    Yup, phishing emails can work.
    And software security is always up against people who just don’t care.
    It doesn’t help that the modern system and security types keep trying to make life harder and harder for the user.

    Example: spares where I work require the use of up to three systems, depending on what it is, where it is, stock levels, description accuracy, etc.
    This means using three different passwords.
    Which have to be changed regularly for security.
    On top of all the other logins, passwords etc I have to remember. So I do what almost everybody does.
    Password
    Need a number? Password1
    Need a special character? [email protected]
    (not actually this, but you get the point)

    So the extra secure system has now become less secure, because what are the first ones hackers will try.

    Make life easy for your users, otherwise the hard work is in vain.

  19. I tell prospective clients that the mathematics are impeccable, the computers are vincible, the networks are lousy, and the people are abysmal.
    Bruce Schneier (Secrets and Lies: Digital Security in a Networked World)

    Inevitable xkcd.

  20. @BiW

    You forget the important fact:

    Is it worth hacking Gamecock’s employer? Probably not
    Is it worth hacking Pete’s Gardening? No
    Is it worth hacking BAE? Yes

    Security must reflect value of what is being secured

    Costa points is a good example of excessive security for a free coffee:
    Pwd must be >=9 characters with upper & lower case, number and special character (eg=-.,’;\)

  21. “And software security is always up against people who just don’t care.”

    Or system managers who have actually placed software on a system to guess passwords.

    “But feel free to continue deluding yourself.”

    I ran PDP 11s and VAXes for 30 years. You are amusing me, Gomer.

    Gamecock, of limited privileges on a system, is told by the system administrator that he guessed my password. Well, golly. He has access, and he has infinite privileges. What is he going to do with my password? Why login as me when he can login as himself?

    “Is it worth hacking Gamecock’s employer? Probably not”

    This is a good point.

    However, the Sarbanes-Oxley auditors would soil themselves over it.

  22. Costa points is a good example of excessive security for a free coffee:
    Pwd must be >=9 characters with upper & lower case, number and special character (eg=-.,’;\)

    For which I use the catch all password “Bull5h1tPa55w0rd&Y0urA11Cunts”

    Works every time.

  23. Bloke in Costa Rica

    To span a 128-bit keyspace you need 20 truly random characters taken from the 95 printable ASCII symbols. If you’re restricting it to, say, the base64 range of A-Za-z0-9+/ then you need 22 (on a machine with a real OS you can do something like dd if=/dev/random bs=1 count=16 status=none | base64 | cut -c -22). It is possible to remember a password like that, but it’s inconvenient and so people don’t do it. Anything secure should require two- or even three-factor authentication.
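The arithmetic behind this comment's 20 and 22 figures is just length times log2 of the alphabet size. The following is an added example, not part of the thread, that carries it through and also prices the 5-character and 9-character policies argued over earlier in the thread; the Python generator is the stand-in for the dd | base64 pipe, and the guess rate passed to seconds_to_exhaust is whatever the caller assumes, not a figure from the page.

```python
import math
import secrets
import string

PRINTABLE_ASCII = 95                   # symbols 0x20..0x7E, as in the comment
BASE64_ALPHABET = string.ascii_letters + string.digits + "+/"

def entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy in a uniformly random string of `length` symbols."""
    return length * math.log2(alphabet_size)

def symbols_needed(target_bits: int, alphabet_size: int) -> int:
    """Smallest length whose keyspace reaches `target_bits` of entropy."""
    return math.ceil(target_bits / math.log2(alphabet_size))

def keyspace(length: int, alphabet_size: int) -> int:
    return alphabet_size ** length

def seconds_to_exhaust(length: int, alphabet_size: int, guesses_per_second: float) -> float:
    """Worst-case time to try every string, at an assumed offline guess rate."""
    return keyspace(length, alphabet_size) / guesses_per_second

def generate(length: int, alphabet: str = BASE64_ALPHABET) -> str:
    # secrets.choice draws from the OS CSPRNG, the Python analogue of
    # dd if=/dev/random ... | base64 | cut from the comment.
    return "".join(secrets.choice(alphabet) for _ in range(length))

def policy_report() -> dict:
    """Entropy of the password shapes discussed in this thread (uniform random
    choice assumed; real human-chosen passwords are far weaker)."""
    return {
        "5 chars printable (lockout-era)": round(entropy_bits(5, PRINTABLE_ASCII), 1),
        "9 chars mixed classes (coffee points)": round(entropy_bits(9, PRINTABLE_ASCII), 1),
        "20 chars printable": round(entropy_bits(20, PRINTABLE_ASCII), 1),
        "22 chars base64": round(entropy_bits(22, 64), 1),
    }

if __name__ == "__main__":
    print(symbols_needed(128, PRINTABLE_ASCII), symbols_needed(128, 64))  # 20 22
    print(policy_report())
    # keyspace of a 5-character printable password versus an assumed 1e9 guess/s
    print(keyspace(5, PRINTABLE_ASCII), seconds_to_exhaust(5, PRINTABLE_ASCII, 1e9))
    print(generate(22))
```

The report makes the thread's disagreement concrete: a 5-character password is about 33 bits, which only survives as long as every guess has to go through a rate-limited prompt, whereas the 22-character base64 string reaches the 128-bit mark where the guess rate stops mattering.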

  24. You forget the important fact:

    Is it worth hacking Gamecock’s employer? Probably not

    To me and you? sure. To Gamecock’s employer’s Russian competitor (assuming the employer is significant)? Well, the odds just changed.

    I ran PDP 11s and VAXes for 30 years

    I see you haven’t updated your security training since the 70s either

    Gamecock, of limited privileges on a system, is told by the system administrator that he guessed my password. Well, golly. He has access, and he has infinite privileges. What is he going to do with my password? Why login as me when he can login as himself?

    And now you’re just being cretinous.

  25. Ha ha ha!

    My cretinous self is living on a big fat pension. My employers must have been idiots.

    “It is possible to remember a password like that”

    A 5 character password is fine if you limit login attempts.

    I remembered this afternoon that I actually wrote login software for an application in the ’80s.

    The key function was QIO read after prompt no echo with timeout.

  26. Quantum computers don’t offer uncrackable encryption, or make decryption easier, but they do offer a way of detecting that your message has been intercepted (man in the middle attack).
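The interception-detection property this comment refers to belongs to quantum key distribution, and the classic protocol for it is BB84. The following is an added example, not part of the thread: a classical simulation in which Alice prepares random bits in random bases, an optional intercept-and-resend eavesdropper must guess a basis, and Bob's error rate on the sifted key reveals whether anyone was in the middle. The qubit model (same basis returns the bit, wrong basis returns a coin flip) and the 11% abort threshold are assumptions of the example, not claims from the page.

```python
import random

RECTILINEAR, DIAGONAL = 0, 1   # the two BB84 measurement bases

def measure(state_bit: int, state_basis: int, measure_basis: int, rng: random.Random) -> int:
    """Simplified qubit: measuring in the preparation basis returns the bit,
    measuring in the other basis returns a uniformly random result."""
    return state_bit if measure_basis == state_basis else rng.randrange(2)

def bb84_run(n_qubits: int, eavesdrop: bool, seed: int = 1) -> dict:
    rng = random.Random(seed)   # seeded so the run is reproducible
    alice_bits = [rng.randrange(2) for _ in range(n_qubits)]
    alice_bases = [rng.randrange(2) for _ in range(n_qubits)]
    bob_bases = [rng.randrange(2) for _ in range(n_qubits)]
    bob_bits = []
    for bit, a_basis, b_basis in zip(alice_bits, alice_bases, bob_bases):
        state_bit, state_basis = bit, a_basis
        if eavesdrop:
            # Intercept-resend: Eve must pick a basis. Half the time it is wrong,
            # and the photon she re-sends then carries her random result in her
            # basis, which is what leaves a trace for Bob.
            e_basis = rng.randrange(2)
            state_bit = measure(state_bit, state_basis, e_basis, rng)
            state_basis = e_basis
        bob_bits.append(measure(state_bit, state_basis, b_basis, rng))
    # Public sifting: keep only positions where Alice and Bob chose the same basis.
    sifted = [(a, b) for a, b, ab, bb in zip(alice_bits, bob_bits, alice_bases, bob_bases)
              if ab == bb]
    errors = sum(1 for a, b in sifted if a != b)
    return {"sifted": len(sifted), "errors": errors, "qber": errors / len(sifted)}

def intercept_detected(result: dict, threshold: float = 0.11) -> bool:
    """Abort if the quantum bit error rate on the sampled key exceeds the
    threshold (11% is the assumed rule-of-thumb limit for BB84)."""
    return result["qber"] > threshold

if __name__ == "__main__":
    clean = bb84_run(2000, eavesdrop=False)
    tapped = bb84_run(2000, eavesdrop=True)
    print(clean, intercept_detected(clean))     # qber 0.0, not detected
    print(tapped, intercept_detected(tapped))   # qber near 0.25, detected
```

With no eavesdropper the sifted bits agree exactly; with one, about a quarter of them disagree, because Eve guesses the wrong basis half the time and half of those wrong guesses flip Bob's result. Nothing about this makes the key itself harder to brute-force, which is the distinction the comment is drawing.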

  27. ‘I see you haven’t updated your security training since the 70s either’

    In my day of neolithic computing, we controlled access, making password protection (sic) irrelevant.

    In today’s enlightened environment, you grant access to all and password protect it. At least you think it’s protected.

    Elaborate passwords are a sign of bad design.

  28. In the 80s, I was responsible for computer security (just one of half-a-dozen hats) for a large UK financial services company. Like Gamecock, we used 5-character passwords with a lock-out after 3 failed attempts, which was perfectly fine back in the day, because there were no external network connections – only someone at one of our own physical screens could access our systems (which were all bespoke and needed at least a week’s training to use).

    But today’s systems are nearly all Internet facing and access is at least theoretically possible from anywhere in the world. And most systems are built from standard software components, the security holes in which are all publicly available on the web. It’s a very different ball-game, and 5-letter passwords wouldn’t last 5 seconds.

    But Gamecock‘s right that strong security demands more than just a password, no matter how complex you make it. The trick lies in correctly evaluating how strong you need your security to be.

  29. @Gamecock, Chris M

    +1

    @BiW

    -10 You sound like a Remainiac Project Fear scaremonger. Last time I looked, the sky hadn’t fallen down or WWIII started.

    Ah, Wales – you’re Neil Kinnock walt

  30. You have to differentiate between the theoretical and the practical.

    Some types of encryption are (theoretically) impossible to brute force in the lifetime of the universe.

    Quantum computers bring the brute forcing of regular encryption within the realm of possibility.
    This affects everything from the encryption of information between websites and the protection when you send your credit card data to a website.
    The encryption for wireless communication and also for mobile communication as well as more or less everything else as currently implemented.

    Finding algorithms which are immune to brute force attacks by quantum computers is a big deal.

    But the devil is in the detail. Everything has to be implemented, and subtle errors can creep in which open up even the best security.

    Naturally people like the NSA and GCHQ are full of the smartest experts whose sole duty is to find and exploit these weaknesses in implementation.

    If you want to see what clever things people can exploit, then take a look at this;

    https://en.m.wikipedia.org/wiki/Side-channel_attack

  31. @Gamecock No, no, no, no, no. Password-based logins are almost always the sole entry point following some sort of security breach. It is the single most important thing to get right. Trying to suggest that you can secure a computer system sufficiently that a 5 character password is OK if you restrict it to 3 attempts and then a lock is ringing the dinner bell for a skilled hacker.

    Even if there is no network access and no actions are possible without login at a specific terminal, sticking a battery-powered audio recording device under the desk which records the clicks as keys are pressed on the keyboard gives you a set of frequencies to analyse, to which you can apply probabilistic methods to determine which frequency corresponds to which key, by working out which combination of click frequencies correspond, when mapped, to UNIX commands, for example. This hack has been successfully used many times, and your lockout policy does absolutely nothing to stop it. You’re also susceptible to a physical keylogger, or even something so simple as someone looking over your shoulder when you type the password. It is why security standards such as ISO27001 and PCI-DSS require every aspect, including password policy, physical access, firewalls, patching and so on, to be secured according to certain standards.
