## Keys

The strength of encryption is based on the strength of the keys that are used to encrypt data. Key strength is derived from two characteristics – length and randomness. The longer and more random a key is, the more difficult it is to determine. Many software packages advertise that they support “40 bit” or “128 bit” encryption technologies. These statements refer to the length of the keys used in encryption processes. It is difficult to appreciate the strength of encryption keys, without understanding the work required to determine the key. As we mentioned earlier, it must be infeasible to determine the secret data knowing the key and it must be infeasible to determine the key from the encrypted data. There are generally two ways is which encryption systems are broken (or hacked) – brute force and statistical analysis.

Brute force attacks are the simplest attacks to engineer, but the most time consuming attacks to implement. This involves trying every possible encryption key until the secret data is determined. It is essentially a guess as to the value of the secret key. While this sounds simple, there is one important factor to consider; at some point, a determination must be made as to the success or failure of the attack. In other words, how do I know if I have successfully decrypted that data? A second factor to consider is the size of the keyspace. A 40 bit key, for example, has 240, or 1,099,511,627,776 possible keys. A 128 bit key has 2128 or 340,282,366,920,938,000,000,000,000,000,000,000,000 possible keys.These large numbers make guessing the secret key very expensive, even without having to make a decision as to when the guess is successful.

Statistical analysis attacks take a different approach. These attacks focus on weakness in the implementation and usage of the keys. These weaknesses can be related to key generation, storage, or transmission. Several years ago the implementation of the Secure Sockets Layer (SSL) protocol by web browsers running Netscape navigator was broken by determining that the key was derived from variances in the computers internal clock. The attackers were able to determine that it would be more efficient to recreate all the possible keys that could have been generated, rather than trying every key in the keyspace. The result of their analysis revealed that the computer could only generate one of 220 keys, as opposed to 240 keys. Another form of statistical analysis involves looking for patterns in the encrypted data. If this document were to be encrypted, then one approach would be to compare the cyphertext with known alphabetic statistics. For example, it is well known that the most common letter used is the letter ‘e’. By attempting to resolve the most common character that appears in the cyphertext to the most common character in the alphabet, the attacker has formed the basis of a statistical analysis attack.