Everything we do online is assumed to be secure. Would we put our banking information and our brokerage account information online, file our taxes, and make purchases from Amazon and eBay, if we weren’t confident of its security? Our unspoken assumption is that the architects of the Internet have made it so that only those who are supposed to be able to read data can in fact read that data and all others cannot. The problem, from my point of view, is that this was theoretically true in 1998, when the typical person didn’t have at their disposal what would then have been considered a supercomputer. Today computers are thousands of times more powerful and storage (which is important for brute force methods of decryption) is millions of times less expensive. While Moore’s law has been at work over the last 10 years, doubling the power and halving the price of computers every eighteen months, there has been a similar rule (though I have never heard a name for it) at work, doubling the capacity and halving the price of hard drives every six months! All the while, the web browser we all use has been restricted by law to 128 bit encryption. If you read academic articles on the strength of this encryption from ten years ago, people made statements like, “The sun will burn out before this will be broken.”

We are working on a project to determine if this is true. The largest 128 bit number is about 3.4 e 38. With e6 being millions, e9 being billions and e12 being trillions, you can consider this to be a very large number based upon everyday experience. The problem is that the capabilities are being created for computers to count that high and analyze numbers that big, so that numbers that large are manageable. We have been working against numbers that were posted by the Clay Mathematics Institute. The first number, 1020030004000050000060000007, was factored by us in 2.5 minutes. (I'm rounding, but you get the point.) This number is 63 bits long and not too long ago, it would have been considered completely unmanageable.

One of the limitations we found was that the programming languages and the operating system itself had limits. The problem, from a security standpoint, is that programming libraries for arbitrarily large numbers are readily available online. The Clay Mathematics Institute also posted the following number: 51920810450204744019132202403246112884629925425640897326550851544998255968235697331455544257

This is approximately equal to 5.192 e 91, which is significantly larger than the 3.4 e 38 that I said was the largest 128 bit number.

That breaks down into the following factors:

2158122193002952449690243008233157266924190689

24058327474941875553768074062128402939746847713

In binary bits the number is 305 bits... significantly more than 128 bits. It took us about 15 CPU days to factor this number. We specifically limited ourselves to a couple of mid-range desktops and we overshot 128 bits by fifty or so orders of magnitude so that our results would resemble those achievable by a typical hacker with modest resources, a sophisticated education and too much time on their hands. It is reasonable to assume that, with the technology as it exists today, a typical hacker could break 128 bit encryption in about 1 week. Couple this with the fact that the most secure encryption that is available through web browsers is 128 bit, and my fear is that online ecommerce is in significant danger. If not today, then certainly by 2012, as Moore’s law and the unnamed law about hard drive space continue to chip away at the time required. I strongly advocate that we increase the strength of the browser encryption to 512 bits or 1024 bits before 2012.
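The factorization and the 305-bit length quoted above can be checked independently in a few lines. This is an added example, not code from the original post: the function names are illustrative, and the Miller-Rabin test is a standard probabilistic primality check chosen here, not the method the author used.

```python
import random

# Values copied from the post above.
N = 51920810450204744019132202403246112884629925425640897326550851544998255968235697331455544257
P = 2158122193002952449690243008233157266924190689
Q = 24058327474941875553768074062128402939746847713


def is_probable_prime(n, rounds=40):
    """Miller-Rabin: False means composite, True means prime with
    error probability at most 4**-rounds."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    # Write n - 1 as d * 2**s with d odd.
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    rng = random.Random(0)  # fixed seed so repeated runs agree
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # a is a witness that n is composite
    return True


def check_factorization(n, factors):
    """Confirm the factors multiply back to n and report sizes in bits."""
    product = 1
    for f in factors:
        product *= f
    return {
        "product_matches": product == n,
        "modulus_bits": n.bit_length(),
        "factor_bits": [f.bit_length() for f in factors],
        "factors_probably_prime": [is_probable_prime(f) for f in factors],
    }


if __name__ == "__main__":
    for key, value in check_factorization(N, [P, Q]).items():
        print(f"{key}: {value}")
```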
