Researchers find security holes in present encryption tech

Date: 14/08/2013
In this connected world, much of the devices and systems use data encryption for security. How safe is this data encryption? Well, researchers found it is not so secure as we thought. Researchers at MIT and the National University of Ireland (NUI) at Maynooth finds the present encryption technology is not as secure as we thought, the wireless card readers used in many keyless-entry systems may not be that secure.

“We thought we’d establish that the basic premise that everyone was using was fair and reasonable,” says Ken Duffy, one of the researchers at NUI. “And it turns out that it’s not.” On both papers, Duffy is joined by his student Mark Christiansen; Muriel Médard, a professor of electrical engineering at MIT; and her student Flávio du Pin Calmon.

The Shannon entropy used in information-theoretic analysis of secure systems is said to be wrong notion of entropy. Shannon entropy, which is based on the average probability is alright for use in communications system, where the characteristics of the data traffic will quickly converge to the statistical averages. But in cryptography, the real concern isn’t with the average case but with the worst case, as per the researchers. The hacker/code-breaker needs only one reliable correlation between the encrypted and unencrypted versions of a file to deduce further correlations. Information theorists have developed other notions of entropy giving greater weight to improbable outcomes, which offer a more accurate picture of the problem of codebreaking, according to MIT researchers.

Médard, Duffy and their students used these alternate measures of entropy and found slight deviations from perfect uniformity in source files, which seemed trivial in the light of Shannon entropy, suddenly loomed much larger. The upshot is that a computer turned loose to simply guess correlations between the encrypted and unencrypted versions of a file would make headway much faster than previously expected, said in the release.

“It’s still exponentially hard, but it’s exponentially easier than we thought,” Duffy says. One implication is that an attacker who simply relied on the frequencies with which letters occur in English words could probably guess a user-selected password much more quickly than was previously thought. “Attackers often use graphics processors to distribute the problem,” Duffy says. “You’d be surprised at how quickly you can guess stuff.”

The researchers consider a case in which the hacker from a distance access the password stored in a credit card with an embedded chip or a Keyless entry card by analysing noise of the signal of the security system.

"In this case, rather than prior knowledge about the statistical frequency of the symbols used in a password, the attacker has prior knowledge about the probable noise characteristics of the environment: Phase noise with one set of parameters is more probable than phase noise with another set of parameters, which in turn is more probable than Brownian noise, and so on. Armed with these statistics, an attacker could infer the password stored on the card much more rapidly than was previously thought.", explained in the release.

In e-security systems, however robust they become, attackers keeping trying out ways to break into the system, The solution is to continuously offer new layers or redesigned layers of security. Hackers keep guessing patterns, so keep changing patterns, in improbable manner.

Author: Srinivasa Reddy N
Header ad