  1. #1

    Toshiba creates cryptographic scheme even the NSA can't break.

    http://qz.com/121143/toshiba-has-inv...nsa-cant-hack/

    I look forward to the day when things like this are ubiquitous.

  2. #2
    Endus (Moderator)
    Sounds like the tech's pretty limited.

    What should be more interesting is the other side of the coin; quantum computing itself. If we crack that nut (and we're damn close), wave goodbye to standard encryption. The most complicated encryption methods we have, that would withstand brute force methods for longer than the heat-death of the universe, would fall very quickly before a quantum computer, due to the same concepts.

  3. #3
    Synthaxx (Titan)
    Quantum cryptography: Kerckhoffs's principle assumes its ultimate form.

    The thing is, you still need some sort of standard on either end. QC simply ensures it can't be intercepted between source and destination, but there are some things it doesn't protect against, such as injection. You should always assume someone knows the private key (even if it's not the case). Theoretically, you could intercept the original message, decrypt it, and send out a false message using the same principles as used to construct the original message. The actual fingerprint of the message will have changed with the contents, but injection attacks in this sense are still a concern that'd need addressing. Kerckhoffs's principle does state that even if everything about a system is known except the key, the system should still be secure.

    However, it's good practice to assume that someone else does know the key, and this is what encourages people to build secure systems. If the key is known, but entire details of the system are not (such as the IV/Init. Vector [used in several different cryptographic standards], or the actual encryption method [which is often easy to discover based upon a few identifying features of the messages]), then you've still maintained some of your security, but it still relies on the system itself being secure. That does imply security through obscurity, which isn't a good standard on its own, but is a good standard when used in conjunction with other principles (e.g. "keep it simple", "don't invent your own security", "maximize processing time of hashing and encryption functions", etc.).

    Verifying someone is who they say they are is still going to be the biggest challenge even with QC. Biometric ID is probably the most secure (it's not infallible though), while passwords are the least secure. Actually, I'd say keycards are more insecure (physical object, could be stolen with relative ease), but that's another discussion entirely. As long as you can verify that someone is who they say they are without any doubt, then the details of your system are much less relevant. That's not to say you should have an insecure or badly designed system, just that you've defeated the chance that someone unauthorized will access it (again, 'without doubt' is the major clause there). Then again, if you could verify without doubt, there would be no need for cryptography.

    As I said above, even biometric isn't truly secure. I recall reading a horror story of a fingerprint scanner where the actual material covering the sensor... actually 'trapped' fingerprint marks (and so dusting it off and lifting the print meant the system was defeated at the first stage), I'll try and find a link to the story if possible. If ever there was a facepalm moment in security, that was it. However, there's still the chance (albeit a very low chance, and on the extreme end) that someone could kill you and steal your eyes or cut off your hand, or even hold you at gunpoint to 'break into' the system.

    Regardless, it's still good to see that progress is being made. I do believe QC will be a major breakthrough when it's actually extended, but I figure that even that isn't infallible.

  4. #4
    Originally Posted by Synthaxx:
    Quantum cryptography: Kerckhoffs's principle assumes its ultimate form.
    I encourage reading the actual article. The way this proposed network is set up, no fancy engineering, mathematics or anything can break the encryption.

  5. #5
    This type of cryptography is only really useful for protecting state secrets and high value information. Most traffic you don't want spied on is already encrypted in a way that is computationally infeasible for the NSA to break. Instead, the NSA just forces the company (who owns the encryption keys) to reveal the content they are interested in. All the network level encryption in the world won't stop that.

  6. #6
    Rixis (Scarab Lord)
    Didn't the NSA not really hack most of the encryption so much as bypass it/make the companies give them a door?

  7. #7
    Originally Posted by Rixis:
    Didn't the NSA not really hack most of the encryption so much as bypass it/make the companies give them a door?
    Pretty much. Though this would be useful for helping defend against state sponsored cyber snooping type stuff.

  8. #8
    Rixis (Scarab Lord)
    I actually saw a snippet of this story on the BBC's red button about an hour ago. (page 154, science/tech news)

  9. #9
    I'm not an expert on QC so I am not sure how applicable this is, but I think I read that the NSA ordered one of the first of these: http://www.dwavesys.com/en/dw_homepage.html

  10. #10
    PRE 9-11 (Warchief)
    Who needs to hack information when you have a court order to retrieve it?

  11. #11
    The NSA doesn't need to "hack", they can just order Toshiba to tell them how to access it (as they've done with everything else).

  12. #12
    Originally Posted by time0ut:
    I'm not an expert on QC so I am not sure how applicable this is, but I think I read that the NSA ordered one of the first of these: http://www.dwavesys.com/en/dw_homepage.html
    That's not a "real" quantum computer, though. It can't run the quantum algorithm for factoring products of pairs of primes, for example.

  13. #13
    Toshiba announces their cryptographic scheme will only be available on new Toshiba Satellite laptops...geeks everywhere collectively groan.

  14. #14
    How is this better than 128 or 256 bit AES encryption already available?

  15. #15
    Meteoria (Warchief)
    Originally Posted by belfpala:
    How is this better than 128 or 256 bit AES encryption already available?
    Because those can be cracked with enough time; Quantum Computing can't be, because of the laws of physics.

  16. #16
    Originally Posted by Meteoria:
    Because those can be cracked with enough time...
    How long do you need your data to be secret? I'm pretty sure 256 bit AES will survive brute force for much much much much much longer than the building you're currently sitting in.

  17. #17
    Endus (Moderator)
    Originally Posted by belfpala:
    How is this better than 128 or 256 bit AES encryption already available?
    If they crack the last couple hurdles on quantum computing, neither of those encryption protocols will be worth the time to set up.

    Quantum computers can solve algorithms that would take traditional computers an immense amount of time to brute-force. Like, longer than the heat-death of the universe longer. And they solve those problems in seconds.

    Quantum encryption is basically going to end up being the only way to defend against that. That's why it's important, since the breakthroughs we need to develop quantum computing are well-defined and we can see possible solutions; the trick is more about finding a way that works than figuring out what needs to be done.

  18. #18
    I understand that it's important.

    I also understand that methods of attack (in more than just the computer sense) almost always outpace defenses. There's always a weakness in the wall, so to speak, even if it just involves social hacking.

  19. #19
    Originally Posted by Endus:
    If they crack the last couple hurdles on quantum computing, neither of those encryption protocols will be worth the time to set up.
    I don't think you understand quantum computing.

    There's an algorithm for factoring large composite numbers that runs on a quantum computer. The general problem of inverting polynomial time computable functions has not been shown to be capable of being accelerated by a quantum computer.

    So, the RSA algorithm could fall, but encryption itself could still be ok.

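Added example (not part of any post in this thread): a toy illustration of the point in post #19 that RSA's secrecy rests on the hardness of factoring the public modulus. Pollard's rho is used here as a classical stand-in for the quantum factoring step and only works on toy-sized moduli; the function names and the sample primes are assumptions made for this sketch.

```python
import math

def toy_rsa_keypair(p, q, e=65537):
    """Build a textbook RSA key from two primes (toy sizes, no padding)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), pow(e, -1, phi)          # public key, private exponent d

def pollard_rho(n):
    """Classical factoring stand-in for the quantum step; toy moduli only."""
    if n % 2 == 0:
        return 2
    for c in range(1, 50):                  # retry with a new polynomial on failure
        x = y = 2
        d = 1
        while d == 1:
            x = (x * x + c) % n             # tortoise: one step
            y = (y * y + c) % n             # hare: two steps
            y = (y * y + c) % n
            d = math.gcd(x - y, n)
        if d != n:
            return d                        # non-trivial factor found
    raise ValueError("no factor found")

def private_exponent_from_public(public_key):
    """Once n is factored, d follows from public values alone."""
    n, e = public_key
    p = pollard_rho(n)
    q = n // p
    return pow(e, -1, (p - 1) * (q - 1))

def recover_plaintext(public_key, ciphertext):
    """Decrypt using only the public key, by way of factoring n."""
    n, _ = public_key
    return pow(ciphertext, private_exponent_from_public(public_key), n)

# Constructed sample: two small well-known primes (the 10,000th and 100,000th).
SAMPLE_P, SAMPLE_Q = 104729, 1299709

if __name__ == "__main__":
    public, d = toy_rsa_keypair(SAMPLE_P, SAMPLE_Q)
    message = int.from_bytes(b"key!", "big")
    ciphertext = pow(message, public[1], public[0])
    print("recovered d matches:", private_exponent_from_public(public) == d)
    print("plaintext:", recover_plaintext(public, ciphertext).to_bytes(4, "big"))
```

A symmetric cipher such as AES publishes no modulus or other value with this kind of algebraic structure, which is the distinction the post draws between RSA and encryption in general.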
  20. #20
    Reg (Legendary!)
    Good. I need new encryption for my porn. Apparently putting it in a folder on the desktop named "N64" wasn't a strong enough defense.
