top of page

The Achilles' heel of math-based encryption standards: predictability!

In my ongoing attempt to educate and provide thought provoking information on our lack of security in the digital world here is a recent revelation that has been troubling me. Today, there is a prevailing notion that the key to robust security lies in open-sourced technologies, transparent algorithms, and predictable encryption methods. However, my recent revelation has sparked a new perspective, challenging these well entrenched beliefs. The realization revolves around the static and predictable nature of our security systems and how that has become the Achilles heel of our security underpinnings.

The traditional narrative by the establishment suggests that for true security, we must have transparency into how our solutions work, embrace open-source practices by releasing all code for the world's review, allowing the community to thoroughly examine the algorithms and scrutinize their efficacy. Furthermore, this narrative advocates for standardized key systems, where we understand the mechanisms of key creation, ownership, and the potential vulnerabilities in the system. From cloud security to internet protocols like TLS and AES, this mantra extends even to post-quantum algorithms, which are often considered predictable as well. Just look at the NIST process of algorithm selection.

Yet, in a pivotal shift of perspective, the heart of the security problem lies not solely in who controls the keys, but in the unchanging and predictable behavior of our security systems. Take the case of AES (Advanced Encryption Standard) or any other math-based encryption system. Every time these algorithms are employed, they execute the same process, over and over again. The key may vary, but the algorithm's fundamental function remains the same that is essentially to encrypt and decrypt using a pseudo random key.

This predictability becomes a prime target for bad actors and nation state hackers. Attackers seek out static security solutions and predictable repetitions because those are the Achilles' heel of security systems. Picture a static lock on a door in your home (every door has a knob and a lock) and it's the same for every single door lock. If a bad actor or nation state hacker who understand how the lock functions, can either find a way to pick the lock (because it's static) or if they have knowledge of the type of lock can create a new set of keys to unlock the lock. Once the inner workings of a security measure are comprehended, once the static nature of its function is deciphered, exploiting its vulnerabilities becomes significantly easier. That's no different than our security today, it's weakness is that it's static, and predictable like a lock on a door.

Let's take a closer look at AES encryption, also known as the Rijndael algorithm. This symmetrical block cipher converts 128-bit plain text into ciphertext using keys of different lengths – 128, 192, and 256 bits. However, the foundation of this math-based encryption lies in predictability due to its repetitive nature, where it generates a not really random key (pseudo random) and then allows users to encrypt & decrypt. This poses a question for potential wrongdoers: should they try to brute force the key itself or instead focus on the key generator responsible for key creation? This dilemma is not exclusive to AES; it extends to emerging post-quantum algorithms, which transition from key generators using pseudo-random number generators to algebraically calculated or quantum-random number generated keys. In all three scenarios, the key generator remains the ultimate weak point. Understanding the 'magic' behind key creation is the Achilles heel to our current math-based encryption system.

This realization might have you pondering the nature of randomness itself. Take the Fibonacci sequence, for instance – a series that might seem random at first glance, but upon closer inspection, it becomes clear that all mathematical constructs in our entire universe follow patterns that can be explained mathematically. This notion extends to seemingly random occurrences in our lives as well, challenging the very essence of randomness.

So, in this journey of understanding security, we are faced with a paradox. While the industry emphasizes transparency and predictability, it's essential to recognize that these very attributes can undermine the security we strive to achieve. The traditional methods of math-based encryption are not foolproof due to their static & predictable nature. Also, as we are learning the very hard way, relying on math is ultimately a fouls errand. It's not a matter of if you will be hacked but when. We must move to solutions that are inherently secure by a function of the process data undergoes physically. Physical data protection is the answer to the math predictability dilemma.

As we navigate this complexity, it's imperative to think beyond the established norms. As technology evolves and threats become more sophisticated, we must adapt our approach. True security might lie in embracing dynamic, evolving encryption methods that confound attackers by defying patterns and unpredictability. Secured2 is in the process of patenting a totally new system that will provide a better way of authenticating and exchanging trust in a digital world. It's very clear static systems are not the future and we most move to dynamic systems that are constantly changing, morphing and intelligent.

In the end, it's not just about who holds the keys; it's about redefining the locks themselves and pairing the locks with other security mechanisms that provide impenetrable security. The security landscape is shifting, and as we come to terms with the hidden flaw in our encryption systems (predictability), we're prompted to explore innovative, agile solutions that outwit even the most determined adversaries. That's our focus at Secured2!

26 views1 comment
bottom of page