For Microsoft, the past 2 weeks must seem like a nightmare come true: The company's network has been cracked two more times by a Dutch hacker. Last Friday, a man using the name "Dimitri" gained access to a Microsoft Web server using a known bug in IIS that Microsoft created a patch for in August but failed to apply to one of its exposed Web servers. After the initial break-in on Friday, Microsoft still failed to apply the patch to the affected server, and as a result, Dimitri cracked the system again on Tuesday.
During his activity on Microsoft's Web farm, Dimitri claims to have downloaded administrative usernames and passwords, which he could have used to further his reach into the network. Most likely, Dimitri downloaded a SAM database, and as you know, Microsoft uses the Data Encryption Standard (DES) algorithm to protect that information. But with tools such as L0phtCrack at your disposal, cracking the SAM is much simpler: DES encryption just isn't secure enough in many cases.
The US Government is adopting a new encryption standard called Advanced Encryption Standard (AES), which will eventually replace DES. On October 2, the National Institute of Standards and Technology (NIST) announced that it had chosen Rijndael (pronounced Rhine-doll) as the new standard's cipher formula. Detailed information about the Rijndael cipher is available here.
A press release on the NIST Web site states, "When approved, the AES will be a public algorithm designed to protect sensitive government information well into the 21st century." If that's true, what will we use after AES? Perhaps the answer resides in quantum mechanics.
I recently read an interesting article in Physics Today called "From Quantum Cheating to Quantum Security." The article offers a good view of the inherent risks in our current encryption technologies, such as DES and RSA, and relates how scientists could create quantum mechanics-based computers both to break encryption systems and to facilitate more secure encryption algorithms.
DES and RSA algorithms rely on computational assumptions for protection. For example, the fact that intruders need considerable processing power and time to crack keys helps keep those keys safe to some extent. But because a quantum-based computer can perform instructions so much faster than current computers, intruders can use such technology to reduce cracking time and render algorithms such as DES, RSA, and AES useless. Obviously, when quantum-based computers become reality, we'll need stronger algorithms to protect our information. Perhaps quantum encryption is the answer.
Quantum encryption uses photon state as the key for encoding information. According to the Heisenberg uncertainty principle, it's impossible to discover both the momentum and position of a particle at any given instant in time. Therefore, in theory, an intruder can't discover a cryptographic key based on particle state information; the intruder would need the actual particle to decipher any data encrypted with the key.
The idea is simple yet incredibly complex to implement. IBM scientists constructed the first working prototype of a quantum key distribution (QKD) system in 1989. Back then, they could transmit quantum signals only 32 centimeters through open air. Today, fiber-optic cables can transmit the signal up to 31 miles, which isn't very far, but it's definitely good progress. And although we might not see QKD come to market for quite some time, the technology sounds incredibly promising and well worth the wait.
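To make the key-distribution idea above concrete, here is an added example (not from the column or the Physics Today article) that simulates a QKD exchange and shows how the two endpoints detect a party measuring photons in transit. It assumes the BB84 protocol, which the column does not name; the function names, the idealized noise-free channel and the 11% alarm threshold are assumptions of this sketch.

```python
import random

BASES = "+x"  # two polarization bases: rectilinear (+) and diagonal (x)

def measure(bit, prep_basis, meas_basis, rng):
    """Same basis as preparation returns the encoded bit; the other basis
    gives a random result and destroys the original state."""
    return bit if prep_basis == meas_basis else rng.randrange(2)

def run_bb84(n_photons, intercepted, seed=1):
    """Simulate one exchange over an ideal channel (assumption: no loss,
    no noise). Returns (sifted_key_length, error_rate)."""
    rng = random.Random(seed)
    sifted = errors = 0
    for _ in range(n_photons):
        # Sender picks a random bit and a random basis for each photon.
        s_bit, s_basis = rng.randrange(2), rng.choice(BASES)
        bit, basis = s_bit, s_basis            # state of the photon in flight
        if intercepted:
            # A third party must guess a basis, measure, and re-send.
            i_basis = rng.choice(BASES)
            bit = measure(bit, basis, i_basis, rng)
            basis = i_basis
        # Receiver also measures in a randomly chosen basis.
        r_basis = rng.choice(BASES)
        r_bit = measure(bit, basis, r_basis, rng)
        # Sifting: bases are compared publicly, mismatches are discarded.
        if s_basis == r_basis:
            sifted += 1
            errors += (s_bit != r_bit)
    # Simplification: a real system compares only a sacrificed sample of the
    # sifted key; here every sifted bit is compared.
    rate = errors / sifted if sifted else 0.0
    return sifted, rate

def channel_is_clean(error_rate, threshold=0.11):
    """Endpoints discard the key when the error rate exceeds the threshold
    (0.11 is an assumed value for this sketch)."""
    return error_rate <= threshold

if __name__ == "__main__":
    for intercepted in (False, True):
        n, rate = run_bb84(4000, intercepted)
        print(f"intercepted={intercepted}: {n} sifted bits, "
              f"error rate {rate:.3f}, clean={channel_is_clean(rate)}")
```

On an undisturbed channel the sifted bits agree exactly, while measurement in transit pushes the error rate toward 25 percent, which is what lets the endpoints reject the key before using it.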
If you're interested in encryption technology, be sure to read the article in Physics Today. Until next time, have a great week.