It’s Been a Tough Week for Darth Vader.
Not only did he lose his election bid for mayor of Kiev, Ukraine, he was not even allowed to vote. Darth ran as the candidate for the Internet party, which promised “fish for everyone.” Maybe he meant Phish for everyone.
In the last post we examined why jihadist ISIS terrorists prefer Toyota vehicles. But what about cyberterrorists? What do they drive? It turns out that cybercriminals may prefer Amazon’s EC2 Cloud Computing.
Most customers who buy a Christmas gift online on Cyber Monday will be using RSA encryption to keep their credit card numbers private. The ecommerce industry depends upon consumers’ confidence in the security of the system.
RSA cryptography works for the same reason you hated algebra in high school. Multiplying two prime numbers together, like 5 x 3 = 15, is easy. Reversing that process, called factoring (finding 3 and 5 from the number 15), is harder because it is done by trial and error. It’s really difficult if the number is 512 zeros and 1s strung together, especially if this question is on the ACT exam and you’re using a No. 2 pencil. RSA encryption relies on the idea that it would take too long (often years) to guess the right answer.
In the past, code breaking of 512 bit RSA encryption has been the province of governments or well-funded organized crime organizations that could spend millions of dollars on supercomputers. For example, during the past year the government of China hacked into the U.S. Government’s Office of Personnel Management and stole the personal information of 20 million Americans.
But now there’s a different path for the lonely, underfunded cybercriminal. In “Factoring as a Service,” professors from the University of Pennsylvania detail how they used Amazon EC2 Cloud Computing to break 512 bit RSA encryption reliably in under four hours for less than a hundred dollars. The professors thus postulate that such “factoring,” the process of figuring out the private cipher key from a public one, could become just another internet service.
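The idea in the last two paragraphs, that multiplying is easy, factoring is hard, and whoever factors the public modulus gets the private key, worked through in Python as an added example that is not part of the original post or the paper. The primes, exponent and message are constructed toy values; the primes are deliberately tiny so the brute-force step finishes instantly, which is exactly why real keys must be far larger.

```python
# Added example (not from the original post): textbook RSA on toy-sized
# numbers, showing why the scheme's safety rests entirely on factoring.
# The primes below are constructed sample values, not real key material.
from math import isqrt, gcd

def make_keypair(p: int, q: int, e: int = 65537):
    """Build a textbook RSA key pair from two primes p and q."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)          # private exponent: e * d == 1 (mod phi)
    return (n, e), d

def factor_by_trial_division(n: int):
    """Recover p and q from the public modulus n by brute force.
    Returns (p, q, number_of_divisions_tried), or None if n is prime."""
    tries = 0
    for cand in range(2, isqrt(n) + 1):
        tries += 1
        if n % cand == 0:
            return cand, n // cand, tries
    return None

def recover_private_key(public_key):
    """Derive the private exponent d from the public key alone, once n
    has been factored. This is the step that grows infeasible with key
    size: trial division needs roughly 2**(bits/2) divisions."""
    n, e = public_key
    p, q, _ = factor_by_trial_division(n)
    return pow(e, -1, (p - 1) * (q - 1))

def demo(p: int = 10007, q: int = 10009, message: int = 424242):
    """Encrypt a message with the public key, then decrypt it using only
    the private key recovered by factoring. Returns two booleans:
    (recovered d matches the real d, decrypted message matches)."""
    public, d = make_keypair(p, q)
    n, e = public
    ciphertext = pow(message, e, n)         # what a shopper's browser sends
    d_recovered = recover_private_key(public)
    plaintext = pow(ciphertext, d_recovered, n)
    return d_recovered == d, plaintext == message
```

With 14-bit primes the factoring takes about ten thousand divisions; doubling the modulus size squares that count, which is the whole gap between a toy key and a 2048-bit one.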
In theory, a cybercriminal could pay $100 to Amazon to discover your credit card number.
This ongoing war between hackers and professional IT departments is not new. What is striking, however, is that an estimated 30 percent of email servers, and seven percent of so-called protected secure https sites, are subject to this kind of attack.
If 512 bit RSA encryption is so vulnerable, why would anyone keep using it? After all, there is 1024, 2048 and even 4096 bit RSA encryption, all of which remain secure for the time being. Part of the answer may be the history of U.S. federal government regulation. Although most commercial software is now “unrestricted encryption”, complicated U.S. export control regulations still require a U.S. person exporting a product containing more than 512 bit encryption to file an encryption registration statement with the federal government. If the government believes it is not a mass market item, the export may be prohibited. U.S. manufacturers who want to sell an encrypted product abroad have some incentive to stay at or under 512 bit encryption in order to avoid the red tape.
If online consumers lose confidence in the system, then the billion dollar valuations of ecommerce tech companies could fade away.
© 2015 Clark Stith