07 Dec 2009, Dave Neal, V3
Research published by academics at the University of Bristol's Department of Computer Science suggests that a new technology could render cyber attacks "computationally impossible".
The experts will present their research at the ASIACRYPT 2009 security and cryptology conference being held in Japan this week. Paul Morrissey, Nigel Smart and Bogdan Warinschi will discuss how a new technique could be applied that makes web site attacks impossible.
The researchers plan to demonstrate how encryption could be used to prevent attacks such as denial of service, while also providing two-factor authentication that does not overburden users. Both hardware and software issues will be discussed.
A second paper will demonstrate how to transfer information between databases in a truly encrypted way. The researchers suggested that this could be used by doctors to access centralised healthcare databases in a way that protects patient confidentiality, for example.
A final paper covers what the researchers call "basic constructions in cryptography", which could be applied to applications like the web browser.
"We are delighted to have such a strong presence at this year's ASIACRYPT conference, especially as it was particularly hard to have papers accepted. Of 300 submissions, just over 40 were selected for presentation at the conference," said Smart, a professor of cryptology, and co-author of two of the papers.
Do you agree?
Oh yes.
Encryption - it has solved all security problems so far..... Let's see, it has solved the problem of authentication since it is impossible to attack authentication. And it has solved the problem with confidentiality since no one can break encryption. And it has solved the problem of non-repudiation since no digital signatures algorithms are strong and cannot be tricked into faking a signature.
Let's play "spot the sarcasm" with the above text...
Seriously: I have read many scientific papers about security in my life and some of them have pretty good ideas, but they are completely unfeasible because the scientists usually do not get what matters - implementing it in real life.
Posted by Foo, 08 Dec 2009
@Foo
Foo: your sarcasm is misplaced.
You also seem to have the wrong idea about what encryption is intended to achieve. The best encryption can offer is to make it too computationally expensive, by the standards of the day and the foreseeable future, to break a given algorithm.
As CPU speeds increase, all encryption algorithms are vulnerable to attack (unless the encryption itself is governed by a physical law, which is what makes quantum cryptography so interesting).
But the simple fact of the matter is millions of online transactions take place safely each day across the internet. This would not have been possible without public/private key cryptography, which has to rank among the finest achievements of the 20th century.
You're right to say a lot of the ideas that come out of scientific papers cannot be immediately implemented in practice. But this hardly makes them useless. Some, no doubt, will be implemented in future years as costs come down and technology improves, and others will feed into other scientific papers, perhaps providing the impetus for new lines of enquiry.
Posted by adam, 09 Dec 2009
Encryption is not an answer, and will not end attacks
The title for the article and lead-in may be misleading. Certainly a new cipher or encryption system will not end attacks. In fact, encrypting everything often helps hackers because it hides attacks from analyzers. Most attacks are at the application level where encrypting all data does not help. Even with two-factor, once an endpoint is compromised, it may not help. For example, does it matter that a hacker cannot log in to the doctor's Web system if they have keystroke loggers on the PC or zombie which can access the app once the doctor logs in? What if the doctor is the attacker?
That said, perhaps the new system is interesting academically.
Posted by Emir, 09 Dec 2009
denial of service
I would be interested to see exactly how encryption can make a denial of service attack impossible. Not really getting how that would work.
Posted by Peter, 09 Dec 2009
Still, how does encryption help?
Maybe I'm missing the point, but I really fail to see how encryption can stop DoS attacks. Unless they're going to propose massive changes to the way IPv4 works, it will remain possible for most classes of DoS and DDoS attacks to take place, because these attacks don't rely on overloading servers with valid traffic. Rather, DDoS attacks simply rely on a LOT of traffic, often from thousands of compromised hosts on different networks.
This article is pretty light on details.
Posted by Ryan, 09 Dec 2009
What they might be announcing
A few years ago RSA Labs announced a theoretical approach to using crypto to stop DoS attacks. It required that the client (either legitimate or malicious attacker) perform a computationally intensive public key function as part of the TCP connection establishment. The theory is that if you can force a heavy enough load onto the client relative to the server, it becomes too costly from a resource standpoint to launch a DoS / DDoS attack. It has never been successfully implemented in practice. Maybe these folks have picked up where RSA left off and have a way to make it work in the real world.
Note that this is not use of crypto to provide confidentiality or authentication, but just to burden the client enough that trying to open up thousands of connections to a target server causes the client to grind to a halt.
Guess we'll have to wait to see what the Bristol researchers are thinking.
Posted by Tommy Ward, 10 Dec 2009
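The asymmetric-cost idea in the comment above, sketched as an added example that is not part of the original comment or of the Bristol papers. It substitutes a hash-preimage puzzle for the public-key operation the comment mentions; the function names, difficulty, lifetime and sample address are assumptions.

```python
import hashlib
import hmac
import os
import struct

SERVER_KEY = os.urandom(32)  # per-process secret (assumption)
DIFFICULTY_BITS = 12         # client expects about 2**12 hashes per attempt
MAX_AGE = 30                 # seconds a challenge stays valid (assumption)


def issue_challenge(client_addr, now):
    """Server: bind the challenge to address and time, storing no state."""
    ts = struct.pack(">Q", now)
    mac = hmac.new(SERVER_KEY, client_addr.encode() + ts, hashlib.sha256).digest()
    return ts + mac


def _leading_zero_bits(digest):
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def solve(challenge, bits=DIFFICULTY_BITS):
    """Client: brute-force a nonce; returns (nonce, hashes_tried)."""
    nonce = 0
    while True:
        digest = hashlib.sha256(challenge + struct.pack(">Q", nonce)).digest()
        if _leading_zero_bits(digest) >= bits:
            return nonce, nonce + 1
        nonce += 1


def verify(client_addr, challenge, nonce, now, bits=DIFFICULTY_BITS):
    """Server: one HMAC and one hash, whatever the difficulty."""
    if len(challenge) != 40 or not 0 <= nonce < 2 ** 64:
        return False
    ts, mac = challenge[:8], challenge[8:]
    expected = hmac.new(SERVER_KEY, client_addr.encode() + ts, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return False  # forged, or issued to a different address
    age = now - struct.unpack(">Q", ts)[0]
    if age < 0 or age > MAX_AGE:
        return False  # stale: limits stockpiling of solved puzzles
    digest = hashlib.sha256(challenge + struct.pack(">Q", nonce)).digest()
    return _leading_zero_bits(digest) >= bits


if __name__ == "__main__":
    ch = issue_challenge("203.0.113.7", 1000)  # constructed sample address
    nonce, tried = solve(ch)
    print(f"client hashed {tried} times; server accepted:",
          verify("203.0.113.7", ch, nonce, 1005))
```

This prices connection setup only: it does nothing against floods that never complete a handshake, and a solved puzzle can be replayed within `MAX_AGE` unless the server also tracks used nonces.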
How about reading the paper first?
Not being able to imagine something is no proof that it cannot exist - however bright you are.
The paper might just show us something we hadn't already thought of.
Posted by James, 12 Dec 2009