Monday, November 9, 2009

The Safety of SSL

There have been a number of SSL/TLS related security vulnerabilities in the news recently, including the null prefix problem in certificate validation and the more recent man in the middle attacks. The latter has yet to be fixed but does not yet seem to present a major risk to e-commerce, online banking or other internet transactions that require authentication and encryption. The sessions most at risk appear to be those in which the server authenticates the client with a certificate, which is not a common scenario. Whatever the seriousness of these vulnerabilities, they stem from the TLS protocol and the software that implements it, not from the asymmetric encryption algorithms that underpin it.

Asymmetric algorithms, more commonly known as public key cryptography, allow two parties to communicate securely without first having to agree a shared secret. Many of the common public key schemes, RSA among them, rely on a mathematical operation that is easy in one direction and hard in the other; for RSA the easy direction is multiplying two large primes and the hard direction is factoring the product. If you were asked to find x and y such that x * y = 65869 it would take a fair amount of trial and error, whereas working out 199 * 331 is a moment's work. Note that x and y must be prime, as otherwise they could themselves be broken into smaller factors. As computing power grows, factoring a number of a given size gets cheaper, and better factoring algorithms speed it up further. The same hardware improvements, however, let us use larger and larger values of x and y without an unacceptable hit on performance. Euclid proved around 300 BC that there are infinitely many primes, and the prime number theorem, conjectured by Gauss, says that roughly N / ln N of the numbers below N are prime, so at the sizes used in practice there are far too many candidates for two parties to pick the same ones by chance. Hence we can be reasonably confident that key sizes can stay ahead of improvements in brute force factoring.

Of course one day someone may find a way to factor large numbers efficiently, which would render RSA and similar algorithms useless (a fast way to compute discrete logarithms would do the same to Diffie-Hellman). Note that this would not make encryption impossible, only the simple over-the-wire key exchange that public key cryptography gives us. It is worth pointing out that modern encryption for internet communication is generally hybrid: an asymmetric algorithm is used once, at the start of the session, to exchange a symmetric key, and a symmetric cipher does the work for the rest of the session. A consequence is that anyone who can break the asymmetric step, including someone who records the traffic today and factors the modulus years later, recovers the session key and with it everything that was sent. A future technique that could replace current key exchange is quantum key distribution. To vastly oversimplify, if the photons carrying key material in a quantum system are intercepted, the act of observing them alters their state and the sender and receiver can detect the disturbance. Because the security rests on physics rather than on the difficulty of a mathematical problem, there is no algorithm waiting to be discovered that would break it, although the two ends still need an authenticated classical channel and the physical equipment can have weaknesses of its own. Today's infrastructure is obviously not geared for widespread quantum key distribution, but who knows for the future.
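To make the two halves of the argument concrete, the toy below (an added example, not code from the original post) implements textbook RSA with the post's own primes 199 and 331, factors the modulus by trial division to recover the private key, and then runs a hybrid session in which RSA transports a symmetric key and a home-made SHA-256 counter-mode stream cipher (a stand-in for AES, chosen only to keep the example dependency-free) encrypts the data. It also counts the primes below 10,000 against the prime number theorem's N / ln N estimate. The public exponent 17, the random seed, the nonce and the sample request are constructed for the illustration; none of them come from the post.

```python
"""Toy RSA key transport, the factoring attack against it, and a hybrid session.

Added illustration only.  The primes 199 and 331 are the ones quoted in the post and
are absurdly small; real RSA moduli are 2048 bits or more.  The stream cipher is a
SHA-256 counter-mode construction used only to stay dependency-free; use AES-GCM or
ChaCha20-Poly1305 in practice.  Requires Python 3.8+ for math.isqrt and pow(e, -1, m).
"""
import hashlib
import math
import random

P, Q = 199, 331          # constructed toy primes (from the post), NOT a real key size
PUBLIC_EXPONENT = 17     # constructed; 65537 is the usual choice


def is_prime(n: int) -> bool:
    """Trial division, adequate for the small numbers used here."""
    if n < 2:
        return False
    return all(n % d for d in range(2, math.isqrt(n) + 1))


def prime_count_and_estimate(limit: int):
    """pi(limit) by counting, beside the prime number theorem's limit / ln(limit)."""
    count = sum(1 for k in range(2, limit + 1) if is_prime(k))
    return count, limit / math.log(limit)


def rsa_keygen(p: int, q: int, e: int = PUBLIC_EXPONENT):
    """Textbook RSA: the 'easy direction' is multiplying p and q to get n."""
    assert is_prime(p) and is_prime(q) and p != q
    n = p * q
    phi = (p - 1) * (q - 1)
    assert math.gcd(e, phi) == 1, "e must be invertible mod phi(n)"
    d = pow(e, -1, phi)               # private exponent: needs phi, i.e. needs p and q
    return (n, e), (n, d)             # (public key, private key)


def rsa_encrypt(pub, m: int) -> int:
    n, e = pub
    assert 0 <= m < n
    return pow(m, e, n)


def rsa_decrypt(priv, c: int) -> int:
    n, d = priv
    return pow(c, d, n)


def factor_by_trial_division(n: int):
    """The 'hard direction': recover p and q from n alone.

    Trial division is exponential in the bit length of n: instant for a 17-bit n,
    hopeless for a 2048-bit one, which is the whole point of RSA.
    """
    for d in range(2, math.isqrt(n) + 1):
        if n % d == 0:
            return d, n // d
    raise ValueError(f"{n} is prime")


def recover_private_key(pub):
    """Once n is factored, phi(n) is known and d follows immediately."""
    n, e = pub
    p, q = factor_by_trial_division(n)
    return (n, pow(e, -1, (p - 1) * (q - 1)))


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy stream cipher: SHA-256 over key || nonce || counter.  Illustration only."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def sym_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt and decrypt are the same XOR; no integrity tag (a real AEAD adds one)."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


def session_key_bytes(k: int) -> bytes:
    """Turn the RSA-transported integer into symmetric key material."""
    return hashlib.sha256(k.to_bytes(4, "big")).digest()


def hybrid_session(plaintext: bytes, seed: int = 2009) -> dict:
    """One hybrid exchange: RSA carries the session key, the symmetric cipher carries the data.

    Returns what the server reads and what an eavesdropper who records the exchange
    and later factors n reads from that recording.
    """
    pub, priv = rsa_keygen(P, Q)
    rng = random.Random(seed)            # constructed, deterministic; real code uses secrets
    n, _ = pub
    # Client: pick a session key and wrap it with the server's public key.
    client_k = rng.randrange(2, n)       # toy: a real session key is 128+ random bits
    wrapped = rsa_encrypt(pub, client_k)
    nonce = b"session-1"                 # constructed
    ciphertext = sym_xor(session_key_bytes(client_k), nonce, plaintext)
    # Server: unwrap with the private key, then decrypt the bulk data.
    server_k = rsa_decrypt(priv, wrapped)
    server_plaintext = sym_xor(session_key_bytes(server_k), nonce, ciphertext)
    # Eavesdropper: saw only pub, wrapped, nonce and ciphertext.  Factoring n gives d,
    # d gives the session key, the session key gives the whole conversation.
    attacker_priv = recover_private_key(pub)
    attacker_k = rsa_decrypt(attacker_priv, wrapped)
    attacker_plaintext = sym_xor(session_key_bytes(attacker_k), nonce, ciphertext)
    return {"wrapped_key": wrapped, "ciphertext": ciphertext,
            "server_plaintext": server_plaintext, "attacker_plaintext": attacker_plaintext}


if __name__ == "__main__":
    print("primes below 10000 vs N/ln N:", prime_count_and_estimate(10_000))
    print("factors of 65869:", factor_by_trial_division(P * Q))
    result = hybrid_session(b"GET /account HTTP/1.1\r\nCookie: session=abc123\r\n")
    print("server read:  ", result["server_plaintext"])
    print("attacker read:", result["attacker_plaintext"])
```

Running it prints 1229 primes against an estimate of about 1086, the factors 199 and 331, and the same request read by the server and by the eavesdropper. The recording contains the RSA-wrapped session key, so factoring n at any later date decrypts the whole session; that is why the modulus size has to stay ahead of factoring for as long as the traffic is worth protecting, and why a key exchange that leaves no long-term secret on the wire is attractive.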

Further reading: The Music of the Primes, Marcus du Sautoy; Quantum: A Guide for the Perplexed, Jim Al-Khalili.
