I remember when a 128-bit SSL certificate meant that my transaction was secure. Now we’re wondering what gaps in the security there may be, even when looking at 4,096 bit encryption!
When we’re talking “key length” – we’re talking about those number of bits we use to “measure” encryption for every day purposes. A key allows you to then decrypt the encrypted data (a file, a picture, a credit card number, etc…). With good security practices the key is not related to the crytographic method used to obscure the data, it is merely what allows you to then decrypt the file. Kind of like how your car key doesn’t actually start the engine, it just triggers the ignition to do the rest for you. A higher “bit value” means there are more possibilities for each key, the integer multiplied by powers of two.
All of that aside, when we talk about something being “4,096 bit” – currently considered highly sophisticated encryption – we’re still only talking about a comparitively small amount of data. CPUs are getting faster by leaps and bounds. Memory is so widely available that sloppy coding has been “Standard Procedure” for over a decade. Storage drives are getting physically smaller, while storing more data than ever before in human history. You can walk in to a store and buy a 3TB hard drive. In the 1980’s, terabytes were still theoretical measurements. So I ask – why are we “settling” for encryption like 4,096 bit? Shor’s algorithm seems to be on path to crack every password and read every encrypted document that you’ve ever created, so why not lock things down tighter.
Google has stepped up encryption plans in response to the NSA news going public, but that is only half of the battle. It is also nothing more than a PR battle – Google knew what was going on, they were the ones who complied. To make a sudden scramble and speed up their implementation is only for show, it’s not like they were as surprised about the leaks as the rest of us. It just irks me that they’re going for brownie points with this stunt, being so public about it.
I believe that everything should be encrypted, all the time. HTTPS shouldn’t be necessary anymore, HTTP should simply exist as a secure platform. As should all of the data stored on your computer, and on the web. After the revelations that these large companies have been buddy buddy with the NSA, it’s safe to assume that things like Microsoft’s “Bitlocker” encryption isn’t enough. We need something better, something open source and publicly verified by many independent voices. And not only that, but something that is strong. If I used 2:1 encryption on every files on my hard drive at work, I would still have a massive amount of free disk space. Computational limitations of encryption are of no concern to nmost people as memory, storage capacity, processing power, and bandwidth get larger and larger. Take my 60GB of data, wrap it with 120GB of fluff, so now I have a total of 180GB sitting on my disk drive. So what, I still have 820+ free gigs of storage!
As encryption gets better, crytographic keys need to become stronger. Eventually we’ll move beyond passphrases and keys, passwords and PINs… voice encryption, retinal scans, and finger print identification… those are possible, and just the tip of the iceberg when it comes to security. Heartbeats, thoughts, even the way we breathe are all being experimented with as methods of identification. But who knows what it will take to ensure our security and privacy in the future.