San Diego, CA — Since the recent breaking of an RSA 512-bit encryption key, the kind used by many banks, IT managers should think longer-term about how to protect data with a long shelf-life, said one of the team that won the latest RSA challenge.
Sun senior staff engineer Alec Muffett told an audience of developers at Sun’s “.com” conference and exhibition in London on Thursday that businesses using strong encryption, such as RSA, had to be aware of developments like this and cycle their keys often, especially banks that adopted 512-bit crypto in the 1980s to protect long-term information such as mortgage databases.
At the time, breaking 512-bit keys “wasn’t something a band of mere mortals could do,” Muffett said, but things had changed. The self-described “band of like-minded geeks” took just a few days to crack the required 155-digit number using Cray supercomputers and spare capacity on an Amsterdam university’s PCs.
“You must think ahead,” he said. “Use cryptography not only against people like me, here and now, but people who come after me in 10, 15, 20 years time.”
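The advice above, to choose key sizes for the people who come after you rather than for today's attackers, can be turned into a routine inventory check. The following is an added example (not code from the article, Sun, or the RSA challenge team): it estimates the symmetric-equivalent strength of an RSA modulus, credits it with the level NIST SP 800-57 assigns to standard sizes, and flags keys whose strength falls short of what the data's retention horizon demands. The GNFS-based formula and its constants follow NIST FIPS 140-2 Implementation Guidance 7.5, the 112/128-bit horizon thresholds follow SP 800-57 Part 1, the "anything under 80 bits is broken" rule and the key inventory are assumptions constructed for this example.

```python
import math
from dataclasses import dataclass

# Strength NIST SP 800-57 credits to RSA moduli of at least this size.
NIST_RSA_STRENGTH = [(1024, 80), (2048, 112), (3072, 128), (7680, 192), (15360, 256)]


def rsa_security_bits(modulus_bits: int) -> float:
    """Approximate symmetric-equivalent security of an RSA modulus.

    Derived from the running time of the general number field sieve; the
    constants are those given in FIPS 140-2 IG 7.5 (assumption: quoted from
    memory). Yields roughly 57 for RSA-512, 80 for RSA-1024, 110 for RSA-2048.
    """
    n = modulus_bits * math.log(2)
    x = 1.923 * n ** (1 / 3) * math.log(n) ** (2 / 3) - 4.69
    return x / math.log(2)


def security_strength(modulus_bits: int) -> int:
    """Strength credited by NIST for standard sizes (2048 -> 112, not the raw
    110 the formula gives); sizes below 1024 fall back to the GNFS estimate."""
    credited = [s for m, s in NIST_RSA_STRENGTH if modulus_bits >= m]
    return credited[-1] if credited else round(rsa_security_bits(modulus_bits))


def required_strength(retention_end_year: int) -> int:
    """Minimum strength for data that must stay protected until the given
    year: 112 bits through 2030, 128 bits beyond (SP 800-57 Part 1)."""
    return 112 if retention_end_year <= 2030 else 128


@dataclass
class KeyRecord:
    key_id: str
    modulus_bits: int
    created: int          # year the key was generated
    retention_end: int    # year the protected data may finally be discarded


def audit(inventory):
    """Return one finding per key: BROKEN if below 80 bits (assumption: this
    example's floor), ROTATE if too weak for the retention horizon, else OK."""
    findings = []
    for key in inventory:
        have = security_strength(key.modulus_bits)
        need = required_strength(key.retention_end)
        if have < 80:
            verdict = "BROKEN"
        elif have < need:
            verdict = "ROTATE"
        else:
            verdict = "OK"
        findings.append({"key_id": key.key_id, "security_bits": have,
                         "required_bits": need, "verdict": verdict})
    return findings


# Constructed sample inventory; the key ids and dates are invented.
SAMPLE_INVENTORY = [
    KeyRecord("mortgage-db-1987", 512, 1987, 2030),   # the 1980s bank scenario
    KeyRecord("web-cert-1999", 1024, 1999, 2025),
    KeyRecord("ops-signing", 2048, 2020, 2028),
    KeyRecord("archive-old", 2048, 2020, 2040),
    KeyRecord("archive-new", 3072, 2021, 2040),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY):
        print(f"{f['key_id']:18} {f['security_bits']:>3} of {f['required_bits']:>3} bits  {f['verdict']}")
```

The point of keeping `rsa_security_bits` separate from `security_strength` is that the formula alone would mark RSA-2048 as 110 bits and fail a 112-bit policy; NIST credits the standard size with 112 by convention, so a policy engine should compare against the credited level and use the raw estimate only for non-standard or obsolete sizes such as the 512-bit keys discussed here.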
A Giga Information Group spokesman said many banks used outside technology experts to look after certain aspects of their security, but there was a range of different levels of awareness.
“It’s a constant game of using advances in technology to stay ahead of advances in technology,” the spokesman said. “Not everyone is up to speed.”
As well as foresight, IT decision makers also needed the support of thoughtful programmers, Muffett said. They had a responsibility to not program “silly things” into software in the first place when it came to security.
“Passwords of only one to eight characters are very silly,” he said, and have been since the 1970s.
“How many of you still have 1234 as the password for your voice mail?” said Geoffrey Baehr, Sun’s chief networking engineer, sharing the stage with Muffett. “We as engineers have done a terrible job.”
“I’ve definitely heard complaints on that from experts,” the Giga Information Group spokesman said.
The panel, including Sun’s chief scientist John Gage, took the opportunity to attack rival Microsoft.
“The best thing you can do is run a secure OS,” Baehr said. “No one system can be stronger than the weakest point.”
“‘That’s it,’ some countries say. ‘We cannot accept black box OSes that feed back information,’” said Gage, referring to the key labeled “NSA KEY” discovered in Windows, which Microsoft denied was a backdoor for the U.S. National Security Agency.
“If you want a solid place to stand, it’s good to be able to see everything,” Muffett said.
The Giga Information Group spokesman said the IT research company had found that “regardless of whether it’s an espionage key, it definitely has harmed Microsoft overseas.”