The Internet, and many forms of online commerce and communication that depend on it, may be on the brink of a "cryptopalypse" resulting from the collapse of decades-old methods of shared encryption.
The result would be "almost total failure of trust in the Internet," said four researchers who gave a presentation at the Black Hat security conference in Las Vegas earlier this month.
"We need to move to stronger cryptosystems that leverage more-difficult mathematical problems," the presenters said.
Why Internet trust could end
At the heart of the impending "cryptopalypse" are the Diffie-Hellman and Rivest-Shamir-Adleman (RSA) shared encryption algorithms, which were independently developed at Stanford and the Massachusetts Institute of Technology in the mid-1970s.
Both algorithms are on the verge of being "cracked" — proven to be vulnerable to attack — by academic mathematicians.
"There is a small but real chance that both RSA and Diffie-Hellman will soon become unusable," said the Black Hat presenters, Thomas Ptacek of Chicago-based Matasano Security, Tom Ritter and Javed Samuels of iSec Partners in New York, and Alex Stamos of Artemis Internet, a security firm in San Francisco.
The Diffie-Hellman and RSA algorithms underlie many of the authentication and verification standards on the Internet.
Among those methods are the HTTPS protocol, which makes sure you're securely connected, for instance, to Amazon or Gmail; PGP, which encrypts secure email messages; the RSA keychain tokens that tens of thousands of corporate and government employees around the world use to log into their organizations' virtual private networks; and the certificates of authentication that software makers use to digitally "sign" applications and updates.
Without secure shared encryption, online monetary transactions and Internet-delivered software updates would no longer be trustworthy.
Once mathematicians crack an encryption algorithm, the presenters said, it isn't long before security researchers and hackers apply the breakthroughs to the real world. (Such academic work, the presenters pointed out, quickly rendered useless the MD5 one-way encryption algorithm a few years ago.)
After years of slow progress, rapid mathematical advances toward cracking Diffie-Hellman and RSA came in the first few months of 2013, the presenters explained, adding a note of urgency to their presentation.
"We want this room to become the seed of change," they told the audience of fellow security researchers and IT specialists gathered in the large meeting room at Caesar's Palace on the Las Vegas Strip.
How a patent lawsuit gets in the way
Despite this impending catastrophe, the presenters said, private industry has been slow to move on to next-generation shared encryption algorithms, such as those based on the elliptic-curve cryptography (ECC) method developed in the 1980s and refined in the past decade.
One reason for the delayed uptake may be simple inertia.
"Diffie-Hellman and RSA are here and they are easily understood," the researchers said.
Another obstacle holding up widespread ECC adoption is that many of the dozens of patents relating to the use of ECC are privately held by a company called Certicom, now a subsidiary of BlackBerry.
The National Security Agency licensed ECC patents from Certicom in 2005 to develop its Suite B encryption standards for U.S. government use; in 2007, Certicom sued Sony for using ECC in Blu-ray Disc digital-rights management software.
Certicom and Sony settled out of court soon after BlackBerry (then called Research In Motion) bought Certicom in 2009. Now that BlackBerry has put itself up for sale, it's possible the patent rights will be transferred to yet another party.
Baby steps to the next level of encryption
There is some reason for hope, however. Apple and Google have included patent-free implementations of ECC in their iOS and Android smartphone operating systems, the researchers said, although both use other systems as well. (Blackberry, naturally, uses the ECC patents it owns extensively.)
On the desktop side, the latest versions of Microsoft Windows and Apple OS X support patent-free ECC; Windows also supports the NSA's Suite B.
However, just because major operating systems include ECC support doesn't mean ECC is actually being used.
In that respect, ECC is like IPv6, the next-generation Internet networking protocol that all modern Web browsers and email clients support, yet almost none use because there's no immediate reason to upgrade.
Ptacek, Ritter, Samuels and Stamos want to change that.
They urged Web browser makers to upgrade to the next Internet secure-communications suite, TLS 1.2, which includes patent-free ECC. (TLS 1.2 is supported in Safari, supported but disabled in Internet Explorer and Opera, and not yet supported in Chrome or Firefox.)
The researchers also urged software makers to move away from the Diffie-Hellman and RSA standards, to support ECC at all points in a network and to retrofit older encryption methods with ECC "wrappers."
The four had a special request for Blackberry.
"Make the world a safer place," they said. "License the ECC patents openly to any implementation of [the NSA's] Suite B, regardless of use."
To all other companies using the Internet, the researchers had a more general message.
"There is a huge amount of work to be done," they said, "so please get started now."