Encryption is a powerful security tool. Properly used it can render sensitive information (nearly) impossible for outsiders to use, by turning it into what looks like gibberish unless and until decrypted. But take careful note of that parenthetical "nearly."
A team of cryptanalysts has shown the importance of "nearly" by demonstrating how to extract a secret key from RSA's SecurID 800, a widely used authenticator token. As reported in a paper due to be presented at the CRYPTO 2012 Conference in August, the team succeeded in breaking the key in just 13 minutes.
Several other token devices are also vulnerable to the attack, including electronic national ID cards issued to Estonians.
The successful cipher cracking was accomplished using a technique first demonstrated in 1998, called a "padding oracle attack." In this technique, the encrypted message is run through the device's key-import process thousands of times, each time with subtle changes; whether the device accepts or rejects each altered message is the "oracle," and the resulting pattern of responses eventually reveals the plaintext source message.
An initial test version required 215,000 oracle calls, too many to be a practical attack. But tweaks to the algorithm reduced the number of calls to 9400, which takes only 13 minutes to execute.
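The following is an added illustration written for this article, not code from the CRYPTO 2012 paper or from RSA. It shows in miniature what a "padding oracle" is and how it is closed. The block format is the real PKCS#1 v1.5 encryption padding (0x00 0x02, at least eight non-zero random bytes, 0x00, message), but the block length, the sample blocks and the function names are constructed for the example. The leaky checker reports each failure differently, so an outside caller can tell the failure modes apart; the hardened checker substitutes a random message on any failure, so every response looks the same. That uniform-response fallback is the mitigation protocols such as TLS adopted against this class of attack.

```python
"""Padding-oracle illustration (added example; toy sizes, not RSA's code)."""
import os

BLOCK_LEN = 32          # constructed: toy modulus size in bytes (real keys use 128+)
MSG_LEN = 19            # constructed: length of the secret the block carries


def pkcs1_v15_pad(message: bytes, k: int = BLOCK_LEN) -> bytes:
    """Build a PKCS#1 v1.5 type-2 block: 00 02 <non-zero random> 00 <message>."""
    if len(message) > k - 11:
        raise ValueError("message too long")
    ps = b""
    while len(ps) < k - 3 - len(message):
        b = os.urandom(1)
        if b != b"\x00":
            ps += b
    return b"\x00\x02" + ps + b"\x00" + message


def leaky_unpad(block: bytes, expected_len: int) -> bytes:
    """Vulnerable checker: each failure mode is reported differently, so the
    caller learns which structural test a modified block failed."""
    if len(block) != BLOCK_LEN:
        raise ValueError("wrong length")
    if block[0] != 0 or block[1] != 2:
        raise ValueError("bad header")
    sep = block.find(b"\x00", 2)
    if sep < 0:
        raise ValueError("no separator")
    if sep < 10:
        raise ValueError("padding too short")
    msg = block[sep + 1:]
    if len(msg) != expected_len:
        raise ValueError("bad message length")
    return msg


def hardened_unpad(block: bytes, expected_len: int) -> bytes:
    """Mitigated checker: never raises, scans the whole block without early
    exit, and returns a random fallback message when anything is wrong, so the
    caller sees the same kind of response either way.  (Python cannot promise
    constant timing; the property shown here is the uniform response.)"""
    fallback = os.urandom(expected_len)
    if len(block) != BLOCK_LEN:          # length is public, not secret-dependent
        return fallback
    good = int(block[0] == 0) & int(block[1] == 2)
    sep = -1
    for i in range(2, BLOCK_LEN):        # full scan, no early exit
        if block[i] == 0 and sep == -1:
            sep = i
    good &= int(sep >= 10)                               # >= 8 bytes of padding
    good &= int(BLOCK_LEN - sep - 1 == expected_len)     # also fails when sep == -1
    candidate = block[sep + 1:]
    if len(candidate) != expected_len:
        candidate = fallback
    return candidate if good else fallback


def observed_responses(checker, blocks, expected_len: int) -> set:
    """Everything an outside caller can distinguish: the set of distinct responses."""
    seen = set()
    for b in blocks:
        try:
            checker(b, expected_len)
            seen.add("accepted")
        except ValueError as e:
            seen.add(str(e))
    return seen


# Constructed sample blocks: one well-formed, five malformed in different ways.
MESSAGE = b"secret key material"                 # 19 bytes
GOOD_BLOCK = pkcs1_v15_pad(MESSAGE)
SAMPLE_BLOCKS = [
    GOOD_BLOCK,
    b"\x01" + GOOD_BLOCK[1:],                                  # bad header
    b"\x00\x02" + b"\xff" * 30,                                # no separator
    b"\x00\x02" + b"\x01\x02\x03" + b"\x00" + b"A" * 26,       # padding too short
    GOOD_BLOCK[:-1],                                           # wrong length
    b"\x00\x02" + b"\xff" * 12 + b"\x00" + b"C" * 17,          # bad message length
]

if __name__ == "__main__":
    print("leaky   :", sorted(observed_responses(leaky_unpad, SAMPLE_BLOCKS, MSG_LEN)))
    print("hardened:", sorted(observed_responses(hardened_unpad, SAMPLE_BLOCKS, MSG_LEN)))
```

Run stand-alone, the leaky checker yields six distinguishable responses across the samples while the hardened checker yields one. The defensive lesson is the same one the token attack illustrates: any observable difference between "padding valid" and "padding invalid," whether an error code, a log line or a timing gap, is a signal an adversary can accumulate query by query, and the fix is to make every failure indistinguishable from success at the interface.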
This demonstration does not mean that encryption is not an effective security tool. But it does show that encryption alone is not a magic-bullet solution for protecting sensitive data. In fact, there is no single magic-bullet solution that will guard data from every form of attack.
Indeed, there is no such thing as perfect security. Period. But good security can be achieved, by implementing multiple layers of protection. The more difficult you make it for someone to steal your data, the more likely that would-be thieves will move on to some easier target.
Effective security comes not from any single tool, but from implementing a comprehensive security policy built around multiple tools.
The security principles set forth in industry standard ISO/IEC 27002 provide a framework for effective security, built around the cycle of Plan, Do, Check, and Act (PDCA). Many good security products are on the market, but all are designed to meet specific threats – and will not block other threats. At GRT Corp. our security philosophy is built around these words by noted security expert Dr. Bruce Schneier: "Security is not a product, but a process."