Quantcast
Channel: Symantec Connect: Agile Data Center
Viewing all articles
Browse latest Browse all 43

What if AES fails?

0
0
In the data security world, having a backup plan is important
Twitter カードのスタイル: 
summary

eggsbasket_0.jpeg

In the data security world, having a backup plan is important, especially for vendors protecting enterprise big data. Having a living list of data encryption ciphers could save a lot of time for cryptanalysts in the event that AES ever fails.Consider for a moment how much sensitive information is in your Enterprise. How much of it is encrypted: is it Gigabytes, Terabytes or more?

Now, what would happen if someone told you that all of it was vulnerable - that the encryption didn’t mean anything? Think - for a moment - what would happen if the sky fell and Advanced Encryption Standard (AES) was suddenly found to be critically broken. What then?

If you could then snap your fingers and push a button and simply move the data - the sheer amount of data to move would be enormous, but so is all the stuff that happens during the time it takes for a figurative snap of the fingers.

To further illustrate how much critical information can change in a flash, take this hypothetical scenario as an example: A cryptanalyst finds a critical break against AES and publishes the findings. The cryptographic community vets this in short order and confirms it. Someone tips off the media and it goes viral. Enterprises begin to respond, and what do you think they will do? They will call the vendor, who originally supplied the protection (us, for instance). What follows is not an actual conversation (AES is still secure!) but is possible:

Angry customer: What are we going to do with all of this “encrypted” data? How can we be secure?
Vendor: We will start to look into it.
Angry customer: When will you have an answer?
Vendor: As soon as possible.
Angry customer: That’s not good enough.
Vendor: What’s your alternative?

Instantly, there is pressure on vendors to scramble and find a suitable alternative. Some vendors may be able to dust off existing IP and provide proprietary answers to their customers – interoperation is low in this scenario.  The urgency of the need coupled with the existing diversity of requirements by varying institutions quickly drives down interoperability as everyone works to get something that works for them or for their community.  Worse still, the desperate urgency acts as a siren call to all: including the ethically dubious or technically inept.  Interoperation is driven out and snake oil rears its ugly head.  The standards bodies and security agencies work towards a solution, but that takes time (AES took 3-4 years).

In this scenario, the bottom fell out of our AES basket and all of our data eggs dropped on the floor.

This is a long-winded argument for algorithm diversity, for a suite of algorithms* of similar/identical security levels so that Enterprises can have multiple baskets within which to place the data they are entrusted with guarding. However, back to the question - what if AES fails? What *is* the next algorithm? What encryption tool works seamlessly, operates with today’s performance parameters, potentially on low-power or low-complexity devices, etc..? What are the alternatives? What ciphers are even out there?

This author had trouble finding such a list for data-encrypting ciphers. Cryptography is an active field: Any such list would quickly be out of date. A useful list would be dynamic and would be updated periodically - a human would curate it and make it a “living” document. Such an activity might just reduce the research time by weeding out “known bad” algorithms and providing at least some basis for support or further investigation.

It is proposed that we do it. A draft is below. Expect an “expires by” date to accompany the linked document.

Such a list begins to take on additional utility. Cipher designers may be able to use a gathered list of cryptanalytic techniques to not represent a cipher “secure against known cryptanalytic attacks”, but “secure against known cryptanalytic attacks  (see footnote for list)”. Cryptanalysts could use this to either wield a new cryptanalytic tool against previous ciphers or to expand the applicability of a specific cryptanalytic technique to more ciphers. Those studying the field could hone their cryptanalytic skills on new and interesting ciphers. Some analytics could estimate historical longevity of ciphers (is it 10 years or 20 years?), the graduated death of a cipher as it is abandoned, estimates of risk around a mono-cultured symmetric encryption algorithm, probably lots more by starving grad students.

For now, here is a living list of data encryption ciphers. If AES ever fails, maybe we can look here and answer some of those questions (or at least save time). Download below.

* - eSTREAM, for instance.


Viewing all articles
Browse latest Browse all 43

Latest Images

Trending Articles





Latest Images