Encryption Alone Will Not Secure Data, Warns Expert After Code Cracks

Encryption on its own will no longer be enough to protect data, according to one information security specialist. Secondary authentication from pass codes or biometrics will soon be essential after two encryption technologies were cracked, he said.

An encryption method used to keep mobile phone calls secret was cracked in December by a German computer scientist. Last week another form of data encryption, 768-bit RSA encryption, was cracked by researchers who used distributed computing power to process numbers, finding the key to unlock data.

A more secure form of that encryption, 1,024-bit encryption, has not been cracked. The researchers involved said that it would take another decade to crack that encryption.

A storage company has now said that encryption systems will soon no longer be enough to protect data and that information cannot be called secure unless also protected by personal identification numbers (PINs) or biometric systems, which verify identity using biological traits such as fingerprints.

"The days of relying on encryption alone as a means of defending private data are now drawing to a close," said Andy Cordial, managing director of storage company Origin.

A team of researchers from France, the Netherlands, Switzerland, Japan and the US published a paper last week explaining how they cracked the 768-bit RSA encryption.

The RSA encryption was cracked by 'brute force', which means that they team used hitherto-unimagined computing power to find the key that unlocked the encryption. That task used hundreds of computers and took two years, but the team in its paper said that the task was massive.

"On a single core 2.2 GHz AMD Opteron processor with 2 GB RAM per core, [this process] would have taken about fifteen hundred years," said the paper (22-page / 579KB PDF).

Though the decryption still involved the use of massive computing power, the research has demonstrated that it is possible for anyone who can amass that amount of computing power to break that method of encryption.

"The use of a PIN-based protection – and even biometric authentication – alongside a fully encrypted drive is now the logical choice for companies wanting to protect sensitive data from prying eyes," said a statement from Origin. "Since biometric-enhanced encryption systems are still relatively expensive, the logical choice is a PIN/password-enhanced external encrypted drive."

"At the very least, this will allow the CEO or chairman to put his/her hand on heart and say the company's data is secure whilst in transit from one place to another," said Cordial. "That's a claim you can't truly make any more with single factor encryption."

The development may have implications not just for the practical use of encryption, but for organisations' compliance with data protection and other laws. Cordial said that regulators may soon no longer consider single-factor encryption to be secure enough to protect customer data, especially when it is in transit.