Security Researchers Crack 768-bit RSA Encryption

A group of academic security researchers have cracked 768-bit RSA encryption, used for protecting sensitive data in transit.

The days of relying on encryption alone as a means of defending private data could be coming to an end, after it emerged that 768-bit RSA encryption – used for protecting data in transit, such as over Wi-Fi – has been cracked.

The encryption was factored using cluster PCs and clever algorithms, which made use of distributed computing resources to speed up the process. “Cracking this crypto system using a 2.2GHz Opteron processor-based PC would reportedly have taken around 1,500 years,” said Andy Cordial, managing director with storage systems integration specialist Origin Storage.

The group of academic researchers responsible for cracking the encryption have written a white paper, recommending that companies wanting to protect sensitive data add additional layers of protection onto their encrypted drive. “The overall effort [to crack a 768-bit encryption] is sufficiently low that even for short-term protection of data of little value, 768-bit RSA moduli can no longer be recommended,” they concluded.

They also say that 1024-bit RSA, now used by most organisations for sensitive operations such as credit card transactions, should remain secure for some time. However, the white paper suggests that 1024-bit encryption should be phased out “within the next three to four years”, to be replaced with higher-bit encryption.

Origin Storage recommends the use of PIN-based protection, or even biometric authentication, claiming that anyone equipped with a RAID-driven high-powered PC could now break through 768-bit RSA encryption.

“Since biometric-enhanced encryption systems are still relatively expensive, the logical choice is a PIN/password-enhanced external encrypted drive,” said Cordial in a statement. “At the very least, this will allow the CEO or chairman to put his/her hand on heart and say the company’s data is secure whilst in transit from one place to another. That’s a claim you can’t truly make any more with single factor encryption.”

The news comes within weeks of reports that the GSM A5/1 encryption system, which prevents phone calls from being intercepted by rapidly switching between 80 radio frequencies, has been cracked. German computer scientist Karsten Nohl published details of the algorithm used to encrypt calls using GSM technology at the end of December.

“We are trying to inform people about this widespread vulnerability,” Nohl told BBC News at the time. “We hope to create some additional pressure and demand from customers for better encryption.”

In November 2009, researchers discovered a hole in the secure sockets layer (SSL) protocol, enabling man-in-the-middle attackers to hack into secure applications and insert text into encrypted traffic as it passed between two end users. Security researcher Chris Paget explained that hackers could inject false commands such as password resets into communications which were otherwise encrypted.

Although most people would agree that protecting sensitive data is of the utmost importance for security, it was reported yesterday that Mark Zuckerberg – the founder and CEO of Facebook – said that people no longer have an expectation of privacy, thanks to increasing uptake of social networking. “People have really gotten comfortable not only sharing more information and different kinds, but more openly and with more people,” he said at the Crunchie Awards in San Francisco.