As we get used to the long dark Winter nights it seems like a good time to talk about Crypto Sunsets. 'Crypto Sunsets' refers to the finite useful lifetime of specific cryptographic technology (notice I very specifically didn't say “cryptographic algorithms” here. That's important, as we'll see later). It reminds us that security is a constant exercise, and we need to keep refreshing our defences in order to stay ahead of the enemy.
Very few things in this world are impossible and cracking the math behind cryptography is no exception: we merely aim to make it “very hard” or “impractical”. As advances in research (or just raw computing power) are made, things that used to be strong enough become vulnerable and you have to move along in order to keep the same amount of ‘security’ that you had before.
Take DES encryption: when it was first invented it was reasonably assumed that to crack a key in less than a day you would require a $20M computer (and those are 1976 dollars: that’s around $85M in today’s money). Even at the time some folks recognised that this wasn’t great – some secrets are worth that much – but still $20M was quite a lot of money for your average attacker, and as long as the secrets you were protecting were worth a fraction of that it was OK. All but the most determined Nation States were accounted for. It was “good enough”.
Fast forward to 1999 and through Moore’s Law alone (plus some effort on the part of the EFF), cracking the same single-DES system cost less than a quarter million dollars and became widely accessible. No longer “good enough”. The sun had set on Single DES.
So we moved on to Triple DES and later to AES, each time making the cracking problem harder.
That’s encryption. There’s a similar story in digital signatures, where digests (or ‘hashes’) and signing are the core ingredients. For signing we had (and still have, in some circumstances) DSA. For the longest time we had RSA, and now we’re starting to go over to Elliptic Curves. Within the RSA family we’ve gone from 512-bit keys to 768 to 1024 to 2048 to the current recommended standard of 3072-bit keys (with many people jumping straight to 4096 because they don’t like odd numbers). And why did we move in these small steps rather than going straight for ‘the big one’? Because it takes computer effort to make a signature as well as to break it, so we’ve gone through a series of trade-offs where we make sure that we make life hard for the attacker but still leave our own work achievable at a reasonable effort and cost. In the world of Crypto Sunsets we are effectively choosing the length of our day.
That’s why sunsets are important to recognise explicitly: we can’t just go straight to using huge keys that will be unbreakable forever, because it would be too hard to generate, store and use them. The sunsets on key sizes allow us to plan transitions, to take control. So when I said above that I specifically didn’t mention algorithms, this is why: sometimes we only sunset specific combinations of technology, such as an algorithm with a specific key length. For example, we have sunset RSA with 768-bit keys because they are trivial to crack, but we haven’t sunset the RSA algorithm altogether, because most people expect 3072-bit keys to be good until at least 2030.
So far so good. Computers get faster, hacks get faster. So-called “brute-force” attacks (where you simply try every single key ‘combination’ until you guess right) get cheaper. That’s easy to manage. But that’s not the only way to break crypto. Sometimes the algorithm – the math, the process – has weaknesses that were not expected when it was designed. Sometimes an attacker doesn’t need a faster computer: they need advanced math, technology or insight. Of all our three primary technologies, nowhere is this more clear than on the hashing side.
Essentially hashing serves only one purpose (although that can then be applied to many nuanced problems): turn any message into a unique, non-reversible, fixed-length digest. We need the digest to be fixed length (and relatively small) in order to make it practical to handle, we need it to be non-reversible so that confidential messages can be handled safely, and we need it to be unique so that we can be sure that the integrity of the message is intact (i.e. “am I definitely dealing with the same message now as the one I started with?”). If any of those promises is broken then the system fails, and typically in hashing people are looking for ways of breaking the uniqueness property (known as “finding collisions”). Imagine how useful it would be to be able to present a valid digital signature from someone else that says whatever you want it to…
So. Early success in hashing was found with MD4 – it was used extensively in password security systems in Windows, for example – but this was quite early days and before long MD4 was found to have quite significant weaknesses. MD5 was built as a replacement until it, too, became unreliable and was replaced by SHA-1, and SHA-1 remained our friend for many years. But for some time now SHA-1 has also been suspect, weakened not so much by throwing more powerful computers at the problem (although this helped) but by finding problems with the design itself. In the worst case, effectively the time needed to break the algorithm is related not so much to Moore’s Law as to the number of interested people looking at the problem.
Fortunately many (but not all!) of the researchers trying to break crypto do so with the best of intentions. Finding a weakness allows us to improve, and so using this new knowledge on the hashing side we’ve gone through MD5 and SHA-1, we’re currently on SHA-2 (a bit like SHA-1 but much ‘bigger’) and we have already defined SHA-3 (which is nothing like SHA-1 or SHA-2 at all, and not many people use it yet, but it’s there for when we need it).
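The three promises listed earlier (fixed length, non-reversible, unique) and the MD5 / SHA-1 / SHA-2 / SHA-3 generations just described can be checked with Python's standard hashlib. The block below is an added example, not code from the original post or from Thales. The sample message and the digest allow-list are this example's own assumptions. The last function is a textbook birthday search on a digest deliberately truncated to a few bits: it exists to show why the “unique” promise is only as strong as the digest is long, which is the same reason the family has kept moving to bigger outputs.

```python
"""Checking the hashing promises from the post with hashlib.

Added example, not from the original post. SAMPLE_MESSAGE and the
allow-list are constructed for this example.
"""
import hashlib
import hmac

SAMPLE_MESSAGE = b"Invoice 1234: pay 100 GBP to account 555"   # constructed sample

# Generations named in the post.  Only current ones are allowed; the
# post describes MD5 as replaced and SHA-1 as suspect, so both are refused.
ALLOWED_DIGESTS = {"sha256", "sha384", "sha512", "sha3_256", "sha3_512"}
SUNSET_DIGESTS = {"md5", "sha1"}


def is_allowed(algorithm):
    """True only for algorithms on the allow-list and not past their sunset."""
    return algorithm in ALLOWED_DIGESTS and algorithm not in SUNSET_DIGESTS


def digest_hex(message, algorithm="sha256"):
    """Digest a message, refusing sunset or unlisted algorithms outright."""
    if not is_allowed(algorithm):
        raise ValueError(f"{algorithm} is sunset or not on the allow-list")
    return hashlib.new(algorithm, message).hexdigest()


def digest_lengths(algorithm="sha256"):
    """Fixed length: the digest size does not depend on the message size."""
    sizes = (0, 1, 1000, 1_000_000)
    return {n: len(hashlib.new(algorithm, b"a" * n).digest()) for n in sizes}


def changed_bits(message, algorithm="sha256"):
    """Flip one bit of the message and count how many digest bits change.

    A good hash changes about half of its output bits; this is what makes
    a digest useful for spotting any tampering, however small.
    """
    tampered = bytes([message[0] ^ 0x01]) + message[1:]
    a = int.from_bytes(hashlib.new(algorithm, message).digest(), "big")
    b = int.from_bytes(hashlib.new(algorithm, tampered).digest(), "big")
    return bin(a ^ b).count("1")


def verify_integrity(message, expected_hex, algorithm="sha256"):
    """'Am I dealing with the same message I started with?' (constant-time compare)."""
    return hmac.compare_digest(digest_hex(message, algorithm), expected_hex)


def truncated_collision(bits=24, algorithm="sha256"):
    """Birthday search on a digest truncated to `bits` bits.

    Messages are decimal counters, so the run is deterministic.  Returns
    (msg_a, msg_b, tries).  Roughly 2**(bits/2) tries are needed, which is
    why a short digest collides instantly and a 256-bit one does not.
    """
    mask = (1 << bits) - 1
    nbytes = (bits + 7) // 8
    seen = {}
    i = 0
    while True:
        msg = str(i).encode()
        tag = int.from_bytes(hashlib.new(algorithm, msg).digest()[:nbytes], "big") & mask
        if tag in seen:
            return seen[tag], msg, i + 1
        seen[tag] = msg
        i += 1


if __name__ == "__main__":
    print("digest lengths by input size:", digest_lengths())
    print("bits changed by a one-bit edit:", changed_bits(SAMPLE_MESSAGE))
    h = digest_hex(SAMPLE_MESSAGE)
    print("original verifies:", verify_integrity(SAMPLE_MESSAGE, h))
    print("tampered verifies:", verify_integrity(SAMPLE_MESSAGE + b"0", h))
    a, b, tries = truncated_collision(24)
    print(f"24-bit collision: {a!r} and {b!r} after {tries} tries")
```

The allow-list is the practical part of a sunset: refusing an algorithm in code is what turns “SHA-1 is suspect” into something an auditor can check, and the “unknown algorithm” path fails closed rather than open.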
So what do Crypto Sunsets mean for you? For the fatalist the sunset is simply the date by which people should stop using a crypto technology because it’s no longer deemed ‘good enough’, and you hope like crazy that there’s something already there to replace it when the sun rises the next day. But for the proactive among us crypto sunsets are an opportunity to plan and take control of our security.
Happily we at Thales are working hard every day to provide the support you need to keep your crypto infrastructure safe now and tomorrow.