With all the news about encryption and security breaches (here’s a recent one), I thought I’d share a conversation I recently had with a security-expert friend of mine. These are largely his views, not mine, but I found them interesting and thought you might, too.
“We should learn to live without encryption” was his main, broad point. He justified that by saying, “everyone knows that ‘security through obscurity’ is no security at all, and encryption is by and large just over-the-top obfuscation. Any encryption can be broken eventually, and all data is decrypted somewhere at some point, and so we should learn to live without the obscurity.”
For some context, his comments were largely about payment information. “We’ve always relied on no one knowing your credit card number to protect that number; obviously, tons of people are exposed to the number. Encrypting the number is pointless, because as we’ve seen it always gets decrypted someplace. The new trend of one-time authorization numbers [used in systems like Apple Pay as well as EMV cards] is better. We don’t need to encrypt the data, because it’s only good that one time. It doesn’t matter if someone else sees it, because they can’t use it. It’s a system where the data is essentially valueless, and so we don’t feel the need to obfuscate it.”
He acknowledges that, when it comes to what he calls “human data,” the argument gets more complicated. “When you’re talking about the contents of a chat message, or an e-mail, it’s a little harder. The data is intrinsically valuable to at least you, and therefore likely to hold value for someone else. You can’t easily de-value that data the way you would a payment authorization number, because the value is in the semantics of the data itself. So we continue encrypting.”
He still feels the current PKI- and shared secret-based encryption mechanisms aren’t ideal. “What would be better,” he says, “is a system where encryption uses a one-time key that actually changes throughout the data transmission.” He’s a math genius, so he dumbed it down by comparing the process to one of those authorization tokens, like an RSA token or the Google Authenticator app. “Both ends of the conversation know the sequence of numbers, and they move through the sequence at a rate of one number per ten seconds or something. So the encryption key is known only to each party, and it changes constantly, even over the course of a single conversation.”
Data at-rest, he says, could use similar rotating-key encryption to better protect against decryption. But he says we should apply the technique only in cases where it’s literally impossible to make the data valueless, because we’re ultimately still relying on obscurity.
Obviously, all this business with “you shouldn’t be encrypting data on your smartphone” has him fuming. Even allowing for cultural differences in privacy expectations, it just makes him nuts that the government wants to dive into content whenever it wants.
Anyway… thoughts? It’s an interesting conversation, for me, and I’d love to hear what you think.