The Myth of Invincible Encryption

Gideon Samid

Without encryption, e-commerce would have been impossible. Yet even the most sophisticated encryption systems are vulnerable, and getting more so by the day. So what can banks and other key players in electronic transactions do to protect themselves? This article describes the virtual entity called Fraud Inc., and how it attacks your financial institution. It also explains how you can fight back by being smarter with your encryption choice and by treating fraudsters as highly intelligent and well-motivated adversaries, akin to your handling of a rather vicious competitor.

The Internet works by passing information from hand to hand. Between the sender and the receiver the data are exposed to a random list of interim stations. And the only protection of data privacy is encryption. Without encryption there would have been no commerce on the Internet. None.

Hackers are quite tempted to lay their greedy hands on precious financial information. All they have to do is to crack the encryption. Security experts and well-paid cryptographers would eagerly quote how many thousands of years are needed to crack an encrypted financial record. What they are saying is that if you tried all possible keys using today’s fastest computers, it would take too long to find the key that was used to encrypt your data. That’s the brute force approach.

But hackers are smart. They know encryption can be compromised in three modes: 1) exploiting implementation vulnerabilities; 2) breaking encryption without possession of the key; 3) smart brute force. The first mode is specific to particular circumstances, and more common. The second mode is like a tsunami. It might never happen, but if it does, it is a catastrophe. The third is an exhaustive but smart search for the key. Let’s look at these in more detail.

Implementation Attacks

These are attacks based on the specific way data are processed for encryption.
The methods range from tricking victims into surrendering the key unwittingly to submitting special data for a party to encrypt, so that from the encrypted message of the known plaintext the key can be extracted. In general, encryption systems involve complex protocols, which are often vulnerable to exploitation. This usually requires a great deal of investment on the part of the fraud enterprise, so the target must warrant the effort.

One particularly potent attack is called “man-in-the-middle,” where two parties think they run a secure conversation, but in fact each of them talks to a hacker. The hacker would present himself to the bank, or financial institution, as a customer, and simultaneously present himself to the customer as the bank. The hacker would use the information from each to convince the other.

Breaking Encryption

Imagine a hacker grabbing encrypted financial records as they flow through the Internet and feeding them to a computer program that spits out the plain unencrypted data. All that the hacker needs to know is the encrypted version, which flows freely through the Internet. He does not need the secret key.

Is there such a computer program that can do that—decrypt without possession of the key? None is published. What else is not published is a proof that such a clean way to void the protection of encryption does not exist. The best that cryptographers can do is to say: “We looked for such a program and could not find one. Now, since we are smarter than our adversaries, we must assume that they failed to write such a program.”

The nightmare scenario today is that one individual, a mathematical genius, has written such a program, and made it available to “Fraud Inc.” The people in possession of the program would probably be very careful in how they used it. With such a program, they have the power to bring a major bank to its knees.

Most of us failed to notice how we grew into a strategic dependence on encryption.
Billions are wire-transferred, and accounts are filled and emptied through encrypted orders. We are fully electronic, and dreadfully vulnerable to a program that reads our private and secret financial mail. So if Fraud Inc. destroys one bank, it loses its advantage. If, on the other hand, it applies this powerful program sparingly, it can, and some say it already does, defraud banks and customers on a continuous basis.

What makes this scenario so disturbing is that what is needed to write such a program is just one smart mathematician. One genius somewhere might hold the fate of digital transactions worldwide. What is more amazing is the fact that this nightmare scenario can be completely and easily wiped out. Yet, very few take the necessary steps.

The mathematics of encryption dictate that every encryption system that uses a short key is vulnerable to such a mail-reading program. If the key is sufficiently large, such a devastating program cannot be written. That is simply a mathematical fact.

The science of encryption, like everything else, is a product of its past. Until recently, encryption was a tool for spies and covert operations. The encryption key had to be memorized, and never written down anywhere. And so the challenge for cryptographers was to find a secure system that works with a short key. That trend prevails today, when keys are electronically safeguarded and can be as lengthy as needed.

Security vendors, making money with their short-keys ciphersystems, brush under the carpet the potential for a program that voids their protection. Financial institutions, too, are disposed to exalt the soundness of their cybersecurity, so as not to hinder the public from electronic access. And so, most financial institutions today use short-keys encryption, and offer themselves as ready prey for that mail-reading program wielded by Fraud Inc.
The reason that all the purveyors of today’s encryption solutions hold on to short keys is that if they use a longer key they slow down computation to the point where it’s too slow for Internet pace. Some institutions do make use of encryption systems that can handle large keys without being slowed down. Two examples are the Vernam Cipher (US Patent No. 1,310,719), and a quite recent one, the Samid Cipher (US Patent No. 6,823,068), which offer complete and proven immunity against the nightmare scenario of total exposure to Fraud Inc.

Smart Brute Force

This category is very common and very successful. Sometimes ridiculously so. When I visit my son in Manhattan, my laptop computer gives me a choice among 10 wireless networks from his high-rise neighbors. Usually eight of them are accessible using the venerable password “default.” Hackers offer a free password file that lists all the common passwords, like names of people, places, dates, songs, etc. Today’s computers are fast enough to try every entry on such a file in a flash.

The cryptographic literature is filled with clever schemes for using a fast brute-force strategy, and thereby cracking an encrypted financial record. It is the reality that all the prevailing encryption systems undergo constant erosion, and one by one these short-keys ciphersystems become useless. It’s due to a combination of faster computers and smarter searches for the key, or password.

As computers become faster, they can go through all possible keys or passwords in a shorter time. As more and more transistors are packed into a single chip, the speed inches up, but such an increase is incremental and predictable. By contrast, computer science is toying these days with a new beast called a quantum computer. While today’s computers are based on Newtonian physics, quantum computers exploit quantum mechanics. Once operational, their speed would be several orders of magnitude better than the fastest computer today.
And at that speed all the encryption systems in use today would have to be decommissioned overnight. Only the long-keys ciphersystems would survive this onslaught.

Fighting Back

In light of the ultimate vulnerability of encryption systems, business has to adopt a zero-tolerance policy to fight electronic fraud. The longer Fraud Inc. is in business and thriving, the more money it accumulates in its coffers, the more muscle it gains, the more sophisticated it becomes. In the extreme, it could call the shots, and use financial institutions as a money hose.

It is not enough to budget an expensive “security review” after the papers announce a major heist. It does no good to cast security issues as something that enough money will take care of, surrendering security thinking to a consultant. And it is definitely dangerous to think of fraud as inevitable.

Fraudsters must be prosecuted and thrown in jail. Too often today, hackers are hired as security consultants, with their crime hushed up and their ability and temptation to keep stealing and bilking only improved. But that’s the endgame. One first has to catch the criminals. In our experience two strategies work best:

1. entrapment
2. role playing

Along with a strategy, we need to establish some metrics. How do we know how secure we are?

Entrapment

Hackers wield a huge advantage over their victims. The latter are sitting ducks, waiting to be had. The hackers and fraudsters lurk in the recesses of their living rooms across the globe, undetected. They sniff around, find an opening, and attack the weakest link.

Entrapment is the strategy that says, Let’s fake an opening. The hacker fakes the identity of a customer, or the identity of the bank, so the bank would respond by faking a weak link to attract the criminal mind.

At times entrapment is ridiculously easy. I once walked into the office of a suspected employee by some pretense, and then left my laptop there while I went out to lunch.
The laptop had an icon called “personal” where my access password was clearly visible. The next morning “someone” used my name and the password from the icon trying to enter the network. That afternoon the suspected employee broke down and confessed. Since the icon featured a password that was devised just for this entrapment, there was no doubt who tried to defraud the system.

The sad ending of that story is that the employer allowed the perpetrator to resign without a blemish on his record in exchange for his silence, to protect the security image of the employer. For all I know, that person, now more careful, is defrauding someone else.

At other times, entrapment is more sophisticated, but the point is the same. Entrapment is effective because the criminal mind can hardly withstand the temptation to exploit what seems to be a juicy scheme. And if they do suspect entrapment, that’s useful too. They might stop short of exploiting a real vulnerability, fearing it is an entrapment.

Role Playing

Entrapments (sometimes called honey pots) have the universal effect of rattling the fraudsters. It makes them nervous. Nervousness leads to mistakes, and mistakes lead to capture. All that is needed is for capture to lead to prison. That, as I mentioned before, is a sore point.

Every good chess player role-plays his opponent. Every successful football coach does the same. Business asks: What would I do, were I in charge of my competition? The very same strategy is effective vis-à-vis fraud. You ask the potential victims of fraud to play the role of an executive in Fraud Inc. How would you bilk someone like yourself? What is the most cost-effective way to achieve your fraudulent goal? The more time you spend in that role, the better your security.

Role playing achieves two things: 1) You discover vulnerabilities you can patch in time; 2) You become security-minded and develop alertness to some clever schemes you have not been specially prepared for.
The result of role-playing is one, or several, most-likely attack scenarios. These are the perceived best ways to achieve the fraudulent goals. Once the scenarios are identified, we have found that the best way to detect and protect against them is a methodology called BiPSA: Binary Polling Scenario Analysis.

The bank boasts a computer network. The hackers boast a brain network. Guess who has the upper hand? Hackers don’t work alone. They build on each other’s ideas, they cross-fertilize each other’s schemes. And the single or few security officers in the bank are no match for them. BiPSA changes that. It’s a methodology that enlists a large number of security-minded individuals to bear upon a security issue.

Since it is not practical to run a detailed role-playing exercise with a large number of people, the solution is as follows: Once the role-playing team has identified a most-likely attack scenario, they then issue a statement saying that within, say, the next six months, the bank will be attacked through this scenario. This statement, including a detailed description of the attack scenario, is then rushed to a large number of security experts, or even half experts. Each recipient is asked to answer the following: Is the statement herein more likely to be true, or more likely to prove itself false? A binary call.

After six months, the statement has either proven itself true or proven itself false. This reality check would now distinguish between those who took the correct binary choice and those who answered incorrectly. After several rounds of such reality checks, the operator of BiPSA knows whose opinions should carry more weight. BiPSA features a sophisticated neural network that aggregates the individual answers into a high-credibility summary answer.

And in the wake of these binary responses, the BiPSA respondents come to think about the issue. They think hard because they know that reality will either credit or discredit them.
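The polling loop described above (binary calls, a reality check after each round, then weighting by track record), as an added Python example that is not the article's or BiPSA's own code. It replaces the neural network the article mentions with log-odds weighting of each respondent's smoothed accuracy and treats respondents as independent; the respondents, rounds and calls are constructed.

```python
import math
from collections import defaultdict

class BinaryPoll:
    """Track each respondent's binary calls and weight them by past accuracy."""

    def __init__(self):
        self.correct = defaultdict(int)   # respondent -> calls that matched reality
        self.rounds = defaultdict(int)    # respondent -> calls scored so far

    def score_round(self, calls, outcome):
        """Reality check: calls maps respondent -> bool, outcome is what happened."""
        for who, call in calls.items():
            self.rounds[who] += 1
            self.correct[who] += (call == outcome)

    def weight(self, who):
        """Log-odds of Laplace-smoothed accuracy; 0.0 for someone with no record."""
        acc = (self.correct[who] + 1) / (self.rounds[who] + 2)
        return math.log(acc / (1 - acc))

    def aggregate(self, calls):
        """Probability that the statement proves true, given the weighted calls."""
        score = sum(self.weight(w) * (1 if c else -1) for w, c in calls.items())
        return 1 / (1 + math.exp(-score))

# Constructed track record: (what reality showed, each respondent's binary call).
HISTORY = [
    (True,  {"ana": True,  "ben": True,  "cy": False, "dee": True}),
    (False, {"ana": False, "ben": True,  "cy": False, "dee": False}),
    (True,  {"ana": True,  "ben": False, "cy": True,  "dee": True}),
    (False, {"ana": False, "ben": True,  "cy": True,  "dee": True}),
]
# Constructed new statement: three of the four respondents call it false.
NEW_CALLS = {"ana": True, "ben": False, "cy": False, "dee": False}

def run_demo():
    """Score the constructed history, then aggregate the new round."""
    poll = BinaryPoll()
    for outcome, calls in HISTORY:
        poll.score_round(calls, outcome)
    return poll, poll.aggregate(NEW_CALLS)

if __name__ == "__main__":
    poll, p = run_demo()
    for who in NEW_CALLS:
        print(f"{who}: weight {poll.weight(who):+.2f}")
    print(f"P(statement proves true) = {p:.3f}")
```

A plain head count would call the statement false three to one; the weighted answer sides with the one respondent whose calls have always matched reality.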
A typical memo by a security consultant would be studded with hedges so that he or she can never be embarrassed. By contrast, the binary call has no room for ambiguity. This state of affairs is a great stimulus for security people to think long and hard. And this community thinking produces ideas and solutions that would have never surfaced in the mind of the lone chief security officer at the bank.

Metrics

I thoroughly enjoy the puzzled countenance of a client when I say: “I am only good against hackers who are dumber than I am. I am useless against fraudsters who are smarter than I.” Then I add: “But before you rush to fire me, be mindful that this statement is equally true for my competition...”

It’s a reality we all have to face. If our adversary has more imagination, more creativity, and more ingenuity to think of a threat scenario that we were too limited to think of, then he has won. And that’s why we need to stress the moral aspect of fraud, intrusion, and hacking. We need to keep the smart guys and gals in our camp. Every fraudster behind bars is a fraudster who can no longer spread his craft, let alone practice it.

This attitude also breeds the method to rate security. The underlying premise is that every security wall can be brought down. It is just a question of effort and time. And thus we should rate security measures the way we estimate a research-and-development effort. When researchers ask for grants to fund their research program, they issue an estimate of what it would take, including dollars and the time to achieve their R&D goal. We believe that the effort to break through our security should be regarded as an R&D project conducted by Fraud Inc. So apply the same tools you use in appraising a project to appraise the time and the dollars needed to compromise your security defense. The measure of how good your security is is your estimate of what it takes to crack it.
Gideon Samid, Ph.D., is chief technology officer at AGS Encryptions Ltd., with offices in Tel Aviv, Israel, and Rockville, Md.

The Mystery of the Body in Room 4103

A suspicious character is stopped by hotel security agents. In his shirt pocket they find a magnetic key placed in a key-envelope marked Room 4103. They check the room, and, alas, find a dead body. The man is arrested on the spot. This case is analogous to sending sensitive information over the Internet—unencrypted. It implicates the sender.

A little twist: Security finds the magnetic key on that person, but the envelope is missing, and the man is not talking. Since the hotel complex has thousands of rooms and suites, the guard is discouraged from checking the magnetic key on every door in the hotel, and releases his suspect. This case is analogous to sending sensitive information over the Internet—conventionally encrypted. The hope for the key holder is that the difficulty (intractability) of testing every door in the hotel will protect him from being implicated. The more rooms in the hotel, the better his protection. This is exactly the hope of today’s security vendors. Their encryption theoretically can be broken. Just so the persistent guard who takes the trouble to check every room in the hotel will eventually find the lock that the key will open.

A second twist: The security guard contacts reception and is told that they have a card-reader and can read the room number that corresponds to the captured magnetic key. Room 4103 flashes green on the readout screen, the body is found, and the suspect is arrested. This is analogous to the fear that somewhere, someone is in possession of a device to break the encrypted file, and can read the concealed plaintext.

Twist number three: The stubborn security guard tries the captured key on several rooms. Surprise: The key opens all the doors it is tried on!
He rushes to reception, where the machine glows: “master key.” Even if by chance the guard enters room 4103, he does not have the evidence to link the suspect to that room. The suspect could have come from any room in the hotel! This case is analogous to next-generation cryptography: security by equivocation. Guard persistence would not break it, card readers would not unlock it. Only the suspect would know if he used his master key to enter room 4103.
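The sidebar's first twist and its “master key” twist, together with the Vernam Cipher mentioned in the article, as an added Python example that is not from the article: a toy XOR cipher with a reused 2-byte key is searched exhaustively and leaves one well-formed plaintext, while a pad as long as the message has a valid key for every same-length plaintext. The message format, keys and decoy are constructed, and the toy short-key cipher stands in for a real one only to show the counting argument.

```python
import itertools
import re
import secrets

ORDER = re.compile(rb"PAY \d+ TO ACCT \d+")   # constructed message format

def xor(data, key):
    """XOR data with key, repeating the key when it is shorter than the data."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def surviving_keys(ciphertext, key_len):
    """Exhaustive search: every key of key_len bytes that yields a well-formed order."""
    return [bytes(k) for k in itertools.product(range(256), repeat=key_len)
            if ORDER.fullmatch(xor(ciphertext, bytes(k)))]

def key_that_opens(ciphertext, claimed):
    """The full-length key under which ciphertext decrypts to the claimed plaintext."""
    if len(ciphertext) != len(claimed):
        raise ValueError("claimed plaintext must match the ciphertext length")
    return xor(ciphertext, claimed)

def repeats_with_period(key, period):
    """True if key is only its first `period` bytes repeated (a short key)."""
    return key == xor(bytes(len(key)), key[:period])

MESSAGE = b"PAY 4103 TO ACCT 77"    # constructed sample order
DECOY = b"PAY 9999 TO ACCT 12"      # constructed, same length, equally well-formed

SHORT_KEY = bytes([0x5A, 0xC3])     # 2-byte key reused along the message
SHORT_CT = xor(MESSAGE, SHORT_KEY)

PAD = secrets.token_bytes(len(MESSAGE))   # key as long as the message, used once
PAD_CT = xor(MESSAGE, PAD)

if __name__ == "__main__":
    # Short key: trying all 65,536 doors leaves exactly one that opens.
    print("short-key survivors:", surviving_keys(SHORT_CT, 2))
    # The key needed to read the decoy out of SHORT_CT is not a 2-byte key,
    # so the decoy is ruled out and the real order stands alone.
    print("decoy fits short key:",
          repeats_with_period(key_that_opens(SHORT_CT, DECOY), 2))
    # Pad: a valid key exists for the real order and for the decoy alike,
    # so the ciphertext alone cannot say which one was sent.
    for claim in (MESSAGE, DECOY):
        print(claim, "<-", key_that_opens(PAD_CT, claim).hex())
```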