Encryption decrypted?...

SSL, TLS, and PKI are very important tools for security on the internet. SSL is an abbreviation for Secure Socket Layer, TLS means Transport Layer Security.

Both of these are application layer encryption protocols. PKI means Public key infrastructure. PKI is a various assortment of implementations, such as software, hardware, and people.  PKI is used mainly to identify and certify legitimate users based on a key that has been assigned. Essentially, PKI uses Certificate and Registration Authorities (CA & RA) to digitally sign the user into the database, and assign a key that is generated pseudo-randomly and encrypted with cryptographic protocols, such as SSL for example.

As seen in the previous picture above, a cryptographic protocol is essentially a viable means to encapsulate data and commands with encryption before it is sent across the internet , or other mediums, and then decrypting it once arriving at it's intended destination. These protocols were once very vulnerable and flawed, but over the years of development they have become highly regarded for the security the encryption provides.


Recently in the news there were a few stories of note that I found both very interesting, and to be honest, a bit paranoia inducing. The first is that a team of American and European math and cryptographic geniuses discovered flaws in systems such as SSL, PKI, TLS. Their research was reported to have produced only small amounts similar outcomes, but nonetheless the flaw was there. The scientists say that it is possible (it may not be practical yet) for attackers to unscramble the data that has been encrypted with random number generators.

Now I won't even get into the amazing science of pseudo-random number generators (PRNGs), for there are entire systems, comprised of both hardware and software, entirely dedicated to the lifelong task of producing a 'random' number. The way that this particular system works is to generate two prime numbers, and one other random number, to generate a key. The only way to decrypt the data, in theory, is to have access or knowledge of the two original prime numbers.

The problem that I, and others, discerned is that prime numbers, once they reach lager quantities, are few and far between, and one can essentially determine these numbers with simple arithmetic. For example Greatest common factor, and greatest common divisor.

My thoughts are that an attacker could essentially guess with all the larger prime numbers in a brute force method, and eventually would get lucky.

Random number generators, what a joke?

“The researchers employed the Euclidean algorithm, an efficient way to find the greatest common divisor of two integers, to examine those public key numbers. They were able to produce evidence that a small percentage of those numbers were not truly random, making it possible to determine the underlying numbers, or secret keys, used to generate the public key.”

The research was so in depth, it amazed me. Even though only a small amount of the 7.1 million keys were found to be “not so random”, it still poses a threat to the security of the internet. I would love to get into this field in the future, and expand my knowledge behind encryption, obfuscation, and cryptography in general. I will try to keep the updates rolling in as I learn more in this area.   My next post will be alluding to something similar, so keep your eyes out!

NYTimes Article: http://www.nytimes.com/2012/02/15/technology/researchers-find-flaw-in-an-online-encryption-method.html?_r=1