New threat forces cryptography rethink

Side-channel attacks are the next big threat from hackers, according to the head of RSA Labs.

Normal attacks on code are conducted by looking at the unencrypted message and the encrypted message and attempt to recover the encryption key.

But side-channel attacks look at other information in an attempt to crack the code, such as the time taken to perform an operation and how power consumption changes.

Bert Kaliski, head of RSA Labs, told vnunet.com that these methods are forcing the industry to think again.

"Side-channel attacks are causing a fundamental rethink in the way we write encryption software," he said. "As the methods used become automated, our job is getting tougher."

In order to counter the side-channel threat encryption software is being designed to mislead anyone who is monitoring the process.

Until recently the focus of research was to cut processing time and minimise memory use. Now the encryption engine must camouflage itself, for example by varying the time taken to perform identical functions.

At the recent Cryptography Research conference in San Francisco over half the speakers' time was dedicated to side-channel attacks. Attendees were shown adapted credit card readers that could be used for such an attack.

Kaliski explained that encryption algorithms are still advancing. "The move from triple-Data Encryption Standard to the Advanced Encryption Standard [AES] should ensure that we're ahead of the crackers on one level. AES could be considered overkill," he said.

There had been fears that AES could be broken after cryptographers Nicolas Courtois and Josef Pieprzyk published an attack which could theoretically work.

However, the attacks would be impossible for years to come because of the complexity needed to cope with long key lengths.