The apps we use every day ensure our personal data doesn't get into the wrong hands through a process called encryption
With an escalation in hackings over the past decade, breaches in our private data are ubiquitous meaning now, more than ever, encryption is key. Home secretary Amber Rudd recently made headlines for suggesting that end-to-end encryption was "unacceptable" and governments should be allowed access to data as and when it sees fit. This came under fire from privacy campaigners who said if you weaken encryption for one, you weaken encryption for all.
Encryption prevents unauthorised access to your data, from emails to WhatsApp messages and bank details, by keeping communication secure between the parties involved.
This is done by 'scrambling' the information sent from one person to another into a lengthy code making it unreadable for anybody else attempting to access it.
When the data is encrypted, the sender and the receiver are the only people that can decrypt the scrambled info back to a readable condition. This is achieved via ‘keys’, which grant only the users involved access to modify the data to make it unreadable and then readable again.
On messaging app Whatsapp, for example, every message sent has its own unique lock and key and only the sender and receiver have access to these keys. This prevents prying eyes from seeing the information in messages. For the rest of the world, and even Whatsapp itself, the relayed information is unintelligible gibberish because no-one else has the key to decrypt the content. This is referred to as ‘end-to-end encryption’.
Put more simply, imagine encryption to be like translating your information into a language only you and your recipient know, and more importantly which a cybercriminal can’t translate.
Most popular apps make use of encryption to retain user safety, whether that’s for storing data, or for data in transit.
Tony Anscombe, senior security evangelist from Avast told WIRED that encryption in apps is imperative as it makes using safer, but at the same time, those that don’t practise common sense can still fall victim to hacking.
“Many apps offer encryption of data, however if a user doesn’t lock the app with a password or PIN, then anyone who gets hold of the device has access to your apps and will be able to see the unencrypted data,” Anscombe explained. “That said, many operating systems offer encryption of everything stored on the device. This helps combat theft of the device to access the data.”
When implemented properly, encrypted data could take a hacker billions of years to crack based on sheer brute force attacks. This is because encryption codes use complex mathematical algorithms and long numerical sequences that are difficult to decrypt.
A brute force attack is a method used by a hacker to try as many combinations of passwords or encryption keys until the correct one is found. It is usually carried out using software to scan through the combinations.
However, there are different types of encryption, each with varying levels of effectiveness. This is measured in “bits”. The higher the number of bits an encryption, the harder it is - in theory - for a hacker to crack it.
A low-bit key is one with fewer combinations, so would be fairly easy to crack for a hacker with dedicated computer resources. The larger the key, the harder this becomes, exponentially. For example, a 5-bit key has 32 possible combinations, a 6-bit key has 64 combinations, a 7-bit key has 128 combinations, and so forth. A 10-bit key has a thousand combinations, a 20-bit key has a million combinations, a 30-bit key has a billion combinations.
The more complex the encryption, the more difficult it becomes for a cybercriminal to reverse engineer the encryption key and access the data. This doesn’t mean the codes are uncrackable, but that the time taken to find the right combination would be far too long to ever be feasible in one lifetime, even with the help of powerful supercomputers.
Let's say a hacker has a computer that can test a billion keys per second, trying to brute force all combinations. That means they can break a 30-bit key in just one second. At that speed, though, it will take you a billion seconds (or 34 years) to break a 60-bit key because every 30 bits added makes it a billion times more difficult. A spy agency like the NSA can crack 60-bit keys using supercomputers, but a 90-bit key is a billion times more difficult to crack, and a 120-bit key would be a further billion times more difficult to crack than that.
Considering most Android, Apple and Windows apps have at least 128-bit Advanced Encryption Standard (AES) - the standard US Government encryption algorithm for data encryption - you can imagine that a 128-bit key, which has more than 300,000,000,000,000,000,000,000,000,000,000,000 key combinations, is exceptionally safe. Same goes for 192 or 256-bit AES encryption keys that the US Government requires for highly sensitive data.
Bharat Mistry, cybersecurity consultant at Trend Micro puts this into perspective. “It would take fifty supercomputers an estimated 3.4 x 1,038 years to break the commonly used 256-bit encryption key,” he told WIRED. “As you can imagine, most hackers will be hard pressed to find time for that.”
That doesn’t mean all encryption is of the highest standard as it is still prone to human error. Poorly developed encryption is not hackerproof; if it is hard and complex to develop, mistakes in the coding can easily lead to users believing they are secure when they're not. For example, homegrown encryption methods have rarely been vetted to the extent supported standards have.
“If a hacker has the right level of time and resources, it’s difficult to say that any encryption is completely immune,” Mistry explained.
The challenge in keeping encryption as tight as possible is therefore checking it is properly implemented and kept secure over time.
Human error, insider attacks and poor implementations are the challenges that IT teams have to face in developing increasingly sophisticated encryption technology.
“The biggest problem with encryption is that the key itself needs to be shared between the sender and the recipients,” added Mistry. “Although this is hard to locate within the information, it could still pose a potential problem.”
“Security research is currently focused on techniques that do not require the key to shipped or sent to all parties, otherwise known as zero knowledge proof protocol. It isn’t widely used now, but we expect it to grow. For the more distant future, some researchers are even looking at ways to hide data within DNA.”
Source: wired.co.uk
No comments:
Post a Comment