26 March 2002
Keys used for the vast majority of encryption systems – including ecommerce – are no longer secure. A paper by Daniel Bernstein, an associate professor at the University of Illinois at Chicago, has shown that it is possible to build a computer that could break the vast majority of encryption keys in minutes.
Most publicly-used encryption technology, such as that used in secure web traffic, logon accounts for servers, Internet protocol (IP) traffic, Pretty Good Privacy (PGP) encryption and signed emails, relies on “keys” – very large numbers – one of which is privately held and one of which is available to the public.
Someone sending a message to someone else encrypts the message using the recipient’s public key, and the recipient uses his or her private key to decipher the original message.
The system relies on the largeness of the public key, which can often contain as many as 128 digits, for its integrity. In order to break the key, a computer must be able to calculate the prime factors of the public key, a task which was previously regarded as impractical for large numbers.
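The dependence on factoring described above can be seen with a deliberately tiny textbook RSA key. This is an added example, not part of the original article: the primes, exponent, message and function names are constructed for illustration, and the toy omits the padding that real systems use.

```python
"""Toy textbook RSA: whoever factors the public modulus can rebuild the private key."""
from math import isqrt


def make_keypair(p, q, e=65537):
    """Build (public, private) keys from two primes. No padding, demo only."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # private exponent: inverse of e modulo phi(n)
    return (n, e), (n, d)


def encrypt(m, public):
    n, e = public
    return pow(m, e, n)


def decrypt(c, private):
    n, d = private
    return pow(c, d, n)


def factor(n):
    """Trial division. Feasible here only because the modulus is tiny."""
    if n % 2 == 0:
        return 2, n // 2
    for f in range(3, isqrt(n) + 1, 2):
        if n % f == 0:
            return f, n // f
    raise ValueError("no non-trivial factor found")


def private_from_public(public):
    """Rebuild the private key from nothing but the public key."""
    n, e = public
    p, q = factor(n)
    return n, pow(e, -1, (p - 1) * (q - 1))


# Constructed sample values: two small known primes and a numeric message.
P, Q, MESSAGE = 104729, 1299709, 123456789

if __name__ == "__main__":
    public, private = make_keypair(P, Q)
    ciphertext = encrypt(MESSAGE, public)
    rebuilt = private_from_public(public)
    print("private key rebuilt from public key:", rebuilt == private)
    print("ciphertext read without the owner's key:", decrypt(ciphertext, rebuilt) == MESSAGE)
```

The only thing protecting the message is the cost of `factor`, which is why the size of the modulus is the figure that matters when judging such a key.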
However, Bernstein’s analysis has shown that it is possible to build a computer capable of performing the task in only a few minutes, meaning that encrypted traffic that uses such systems could be deciphered.
Security expert Bruce Schneier says that although using commercially available parts to build the computer would push the price of fabrication to between $100 million (€114m) and $1 billion (€1.14bn), the costs would drop with access to custom-built chips.
“The inescapable conclusion is that the NSA [National Security Agency], its major foreign intelligence counterparts, and any foreign commercial competitors provided with commercial intelligence by their national intelligence services have the ability to break on demand any and all 1024-bit (128-digit) public keys,” said security advocate Lucky Green.
He also pointed out that security agencies regularly launch intelligence satellites costing $2 billion (€2.28bn), so the price of building such a computer would not be so daunting to them.
Separately, a group of security specialists have announced that they have built software that can break 64-digit keys in only six weeks using hardware commonly found in the average office.