A Tide in the Affairs 

Download Article Article in Digital Form

I recently encountered two interesting, if dismaying, articles concerning security protection, which, until that time, I had considered to be the keystone of information security.1 The first, titled “BREACH Compression Attack Steals HTTPS Secrets in Under 30 Seconds,” states that researchers Angelo Prado, Neal Harris and Yoel Gluck were able “to demonstrate a method to read encrypted messages over the web by injecting plaintext into an HTTPS request and measuring compression changes.”2

The second, “Black Hat 2013: Experts Urge Elliptical Curve Cryptography Adoption,” is even scarier. It says “Crypto experts speaking at the Black Hat USA 2013 conference…said there’s a real—though perhaps not overwhelming—possibility that much of the Internet’s encryption will soon become completely unraveled. This grand unveiling of secrets, they contended, could arrive within a handful of years.”3 This means that the public key encryption algorithm first described by Ronald Rivest, Adi Shamir and Leonard Adelman in 1977, and known today as RSA for their initials, may be nearing the end of its useful life. The same may be said of the widely used key exchange protocol developed by Whitfield Diffie and Martin Hellman in 1976.

Shakespeare and Information Security

In short, we may be in for a period in which much that had been thought to be certain in the field of information security may, in fact, be undermined. With apologies in advance to the Bard of Avon:

There is a tide in the affairs of information security professionals which, taken at the flood, leads on to effective protection of information. Omitted, all the voyage of their life is bound in shallows and in miseries. On such a full sea are we now afloat, and we must take the current when it serves, or lose the security of the information we are trying to protect.4

Until this time, I have advocated that if an organization is truly intent on securing its information resources, or at least its most critical ones, it should encrypt them. This remains true, but the tools and techniques that have been employed so successfully for so long may now require a significant and costly upgrade. It is important to emphasize that this is a pending problem not an imminent threat. Now, before the tide crests, it is timely to consider what the business impact may be, leaving the impacts on cryptology to the mathematicians who actually understand them.

Business Impacts

To a certain extent, very little will change for many organizations. Most information that is transmitted or stored in encrypted form can continue to use existing techniques for some time to come. The messages and files will still be unreadable to all except the most determined attackers. After all, is anyone really likely to use decryption tools such as Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext (BREACH)?5 This would require a major investment in attack capabilities and intent to penetrate the secrets of targeted organizations.

Oh, but wait…

From what we read in the newspapers, governments (to say nothing of terrorists and criminals) around the world are engaged in preparations for cyberwarfare.6 It might be easier to consider the governments that are not doing so; I believe that we can reasonably exclude Andorra from the list of those doing it. Unfortunately, there is every reason to believe that governments are, in fact, attempting to steal military, governmental and corporate information.7 Thus, there is a real possibility that encrypted information may be at risk.

Another concern is the communication and storage of information in the cloud. It has long been recognized that “a robust encryption scheme, supported by an equally robust public key infrastructure (PKI), is necessary to achieve confidentiality and integrity for [cloud]-based services.”8 In other words, cloud technology, especially for a public cloud in which information from many organizations may be adjoined, if not intermingled, requires encryption in order to provide security not only from outside, but also from within that particular cloud.

If the most widely used encryption algorithm is breakable, or soon will be, organizations must consider the risk of placing sensitive information in the cloud. The nature of that analysis will be governed by the magnitude of the threat of data being stolen, sizable but unknowable, as stated previously. Similarly, the value of the information must be figured into the risk equation. If the information is sensitive, the threat realistic and the available safeguards inadequate, use of the cloud would not be advisable.

Elliptical Curve Cryptography

Or, organizations could look for a more dependable encryption algorithm, which many cryptanalysts believe is available. Elliptical Curve Cryptography (ECC) was developed by Certicom, a mobile e-business security provider, and many other companies are also working on ECC implementations.9 How does it work? Sorry, but I am not smart enough to explain it. But, those who can think that it may provide a faster, easier-to-use and harder-to-break alternative to RSA.10

The potential obsolescence of RSA is a part of the life cycle of information security. Security techniques have a period of usefulness that at one point comes to an end. By way of illustration, the symmetric-key Data Encryption Standard (DES) was long the prevailing method of protecting information. By 2005, it had been withdrawn as the US national standard,11 and by 2008, it was possible to buy commercial hardware that could break DES keys in less than a day for less than €10,000.12

Is ECC the great next wave in the tide of information security? If it is, it will rise to the top only to sink once again sometime in the future. I am very skeptical of “waves of the future.” In the first article I ever wrote for the Journal, two name changes and 15 years ago, I said: “We have seen a number of such technical ‘advances,’ waves of the future all of them, crash on the beach.”13 The tide in the affairs of information security do flow, but they ebb as well.


1 This is being written in August 2013. I am indebted to my colleague, James Anderson, for bringing these articles to my attention.
2 Mimoso, Michael; “BREACH Compression Attack Steals HTTPS Secrets in Under 30 Seconds,” Threat Post, 12 August 2013, http://threatpost.com
3 Richardson, Robert; “Black Hat 2013: Experts Urge Elliptical Curve Cryptography Adoption,” SearchSecurity, Tech Target, 2 August 2013, http://searchsecurity.techtarget.com
4 Adapted from Shakespeare, William, Julius Caesar, act 4, scene 3: “There is a tide in the affairs of men. Which, taken at the flood, leads on to fortune; Omitted, all the voyage of their life; Is bound in shallows and in miseries. On such a full sea are we now afloat, And we must take the current when it serves, Or lose our ventures.”
5 Op cit, Mimoso
6 Perlroth, Nicole; David E. Sanger; “Nations Buying as Hackers Sell Flaws in Computer Code,” New York Times, 13 July 2013, www.nytimes.com
7 There are far too many accounts of such attacks to give a comprehensive citation. One such, chosen more or less at random, is: Lewis, Leo; “Cyber-attack Cripples South Korean Banks and TV Stations,” The Times (London), 21 March 2013, www.thetimes.co.uk
8 Ross, Steven J.; “Cloudy Daze,” ISACA Journal, vol. 1, 2010
9 Elliptical Curve Cryptography (ECC), http://searchsecurity.techtarget.com/definition/elliptical-curve-cryptography
10 Just to confuse matters further, there is RSA, the algorithm, and RSA, a security products company that sells encryption solutions. In this article, the references are to the algorithm.
11 US National Institute of Standards and Technology, “Announcing Approval of the Withdrawal of Federal Information Processing Standard (FIPS) 46-3, Data Encryption Standard (DES); FIPS 74, Guidelines for Implementing and Using the NBS Data Encryption Standard; and FIPS 81, DES Modes of Operation,” 19 May 2005
12 Network Working Group, “Deprecate DES Support for Kerberos,” 3 February 2012, http://tools.ietf.org/html/draft-ietf-krb-wg-des-die-die-die-00
13 Ross, Steven J.; “If PKI Is the Answer, What is the Question?,” IS Audit & Control Journal, vol. VI, 1998

Steven J. Ross, CISA, CISSP, MBCP, is executive principal of Risk Masters Inc. Ross has been writing one of the Journal’s most popular columns since 1999. He can be reached at stross@riskmastersinc.com.

Enjoying this article? To read the most current ISACA Journal articles, become a member or subscribe to the Journal.

The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.

Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance Institute and their committees, and from opinions endorsed by authors’ employers, or the editors of this Journal. ISACA Journal does not attest to the originality of authors’ content.

© 2013 ISACA. All rights reserved.

Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, MA 01970, to photocopy articles owned by ISACA, for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.