
Suppose sensitive information is sent over an insecure channel, but it is encrypted with a cipher such as AES. As of this writing AES is not broken and brute-forcing it would take more than millions of years (or at least very long). However, the encrypted data is eavesdropped on and stored.

Sometime in the future there will be computers that can brute-force AES, or the AES algorithm itself will get broken. Then this data from the past, which couldn't be decrypted without the key at the time, can be decrypted.

  • In what scenarios/applications is this an actual concern?
  • Is it realistic that someone will store the encrypted data that long?

I imagine government communication over the internet might be at risk from this kind of attack. Are there any policies regarding this?

I understand that if it takes too long until the data of the past can be decrypted, it might not be interesting anymore, i.e. the government communications. Is this the fact that is relied on regarding this concern?

(Note that AES is only used as an example. This question applies to all ciphers.)

arcus_mannen
  • Depends; if you're talking about how you murdered someone, they can round you up as an old man. Assume they store everything forever, because that is an objective. – dandavis Aug 23 '16 at 19:57

1 Answer


Actually, we might assume the government is already doing this. There have been numerous rumors of organizations collecting traffic on a mass scale and storing it in datacenters for the next years. And yes, it is a real concern. That is why AES (or any block cipher) alone is not good enough for communication over insecure channels.

Tunnels like TLS use many different techniques to make it harder to decode a stream of information. For example, some TLS suites allow for a Diffie-Hellman Ephemeral key that changes every so many bytes/minutes. The key is then regenerated and exchanged between the parties, which they use to encrypt the information from that point on. Any listening party would need to break the individual keys together with the master key in order to derive the plaintext.

Update (in reaction to a comment)

There is a difference between the pre-master secret and the master secret. The pre-master secret is the key which was agreed upon by both parties. This could come from a DHE key exchange in the case of an ephemeral-capable cipher suite. The master secret is merely a (hash) function that derives a shared secret. After this the shared secret can be used for, say, symmetric encryption. The last component of that process can be repeated over and over.

Yes, ephemeral keys make things harder but certainly not impossible. It not only requires the adversary to decrypt the individual pieces, but to collect them all (in order) to start with, which poses its own set of problems.

The fear exists that an organization or government will decrypt all the intercepted traffic retrospectively in 10 or 20 years from now when, as an example, quantum computers can efficiently run Shor's algorithm for mainstream bit sizes such as 4096 and similar.

Yorick de Wid
  • If I understand correctly, individual keys are generated with DHE and used as the key for the AES encryption of the data for a period of time/bytes. Then an attacker has to break more than one AES key for the session, since a new key is selected every now and then, right? But what role does the master key play here? And in the end, doesn't it still boil down to just more encryption to break? – arcus_mannen Aug 24 '16 at 05:30
  • @arcus_mannen Yes, you are correct; I will expand my answer to include that concern. – Yorick de Wid Aug 24 '16 at 09:36
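As an added example (not from the question or the answer above, and not real TLS code): a toy Python model of the chain the answer describes, pre-master secret to master secret to symmetric session key, comparing a server that reuses one long-term DH exponent for every connection with one that uses a fresh ephemeral exponent per connection and never stores it. The group parameters, nonces, labels and hash-based derivations are constructed for illustration and stand in for TLS's real PRF and standardized groups.

```python
import hashlib
import secrets

# Toy Diffie-Hellman group constructed for this example: P is prime (Mersenne
# M127) but not a standardized group, and nothing here is side-channel safe.
# Real TLS uses RFC 7919 MODP groups or elliptic-curve DHE; the logic matters.
P, G = 2**127 - 1, 3

def dh_keypair():
    """Random private exponent x and public value g^x mod p."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def master_secret(pre_master, client_nonce, server_nonce):
    """Master-secret step from the answer: hash of pre-master secret and nonces."""
    data = pre_master.to_bytes(16, "big") + client_nonce + server_nonce
    return hashlib.sha256(b"master secret" + data).digest()

def session_key(master, label):
    """Symmetric key (e.g. for AES) from the master secret; a new label rotates it."""
    return hashlib.sha256(label + master).digest()[:16]

def handshake(server_priv, server_pub):
    """One connection: returns what an eavesdropper can record (public values,
    nonces) and the key both endpoints derive. client_priv is never stored."""
    client_priv, client_pub = dh_keypair()
    cn, sn = secrets.token_bytes(32), secrets.token_bytes(32)
    pre_master = pow(server_pub, client_priv, P)
    key = session_key(master_secret(pre_master, cn, sn), b"client write")
    return (client_pub, server_pub, cn, sn), key

def recover_key(transcript, server_priv):
    """What a stored transcript yields to someone who later obtains a server
    private exponent: pre-master, hence master secret, hence session key."""
    client_pub, _, cn, sn = transcript
    pre_master = pow(client_pub, server_priv, P)
    return session_key(master_secret(pre_master, cn, sn), b"client write")

def compare_static_vs_ephemeral():
    long_term_priv, long_term_pub = dh_keypair()  # server key kept for years
    # Static DH: the long-term exponent itself does the key agreement, so a
    # later leak of it decrypts every recorded session.
    transcript, key = handshake(long_term_priv, long_term_pub)
    static_recovered = recover_key(transcript, long_term_priv) == key
    # DHE: a fresh exponent per connection, used once and discarded; the
    # long-term key would only sign it and never enters the shared secret.
    eph_priv, eph_pub = dh_keypair()
    transcript, key = handshake(eph_priv, eph_pub)
    ephemeral_recovered = recover_key(transcript, long_term_priv) == key
    return static_recovered, ephemeral_recovered
```

`compare_static_vs_ephemeral()` returns `(True, False)`: the recorded static-DH session falls to a later key leak, while the DHE session does not, which is the property the answer calls ephemeral keys making things harder.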