It has been reported that Osama bin Laden’s hard drives have been seized, hard drives that could conceivably contain information regarding the membership, funding and future plans of al-Qaeda.
Information of this type would help anti-terrorism agencies enormously.
The hard drives were recovered from bin Laden’s compound in the Pakistani city of Abbottabad and are said to be encrypted with a encryption method known as AES-256.
AES-256 is the current world standard for data encryption and is used by the likes of Wikileaks and the US Government to encrypt sensitive information.
How it works
To understand how encryption works, you first need to understand binary.
The smallest possible piece of digital information is known as a bit. This piece of information can have one of two states: off or on, 0 or 1.
Computer encryption works by taking data in this binary form – a stream of 0s and 1s – breaking it into blocks 256 bits long and then entering this block into a special encryption algorithm.
This algorithm is designed to cause as much confusion as possible by using a “secret key” which also comprises 256 bits of binary data.
If you know the encryption key you can “decrypt” the data and return it to its original form. For this reason, encryption keys are kept secret.
(This short animation created by Enrique Zabala from Paraguay demonstrates just how complicated the AES encryption process actually is.)
Data encryption using the AES is ubiquitous. It is used by banks, business, governments, and in computer programs such as Skype.
Where did AES come from?
In 1997, representatives of the US Department of Commerce called for cryptologists around the world to submit an encryption algorithm that would replace the previous standard: Data Encryption Standard (DES).
As director of the Centre for Computer Security Research at the University of Wollongong, I was part of a research group that submitted an entry, called LOKI, a symmetric encryption algorithm.
Our algorithm was quickly removed from contention in the global competition as other researchers found ways to get around our encryption method.
The winning algorithm – developed by two Belgian cryptologists, Joan Daemon and Vincent Rijmen, and known as Rijndael – was selected by the cryptographic world community and announced by the US Government as its Federal standard on May 26 2002.
The name Rijndael was chosen as a combination of the authors' names and as a gentle poke at the fact few people can pronounce Flemish names without getting their tongues-tied.
Getting bin Laden’s data
Because the US Government was involved in the creation of this encryption scheme, there have been rumours in recent days that they may have covertly engineered a so-called “backdoor” into AES-256, allowing top US officials to decrypt any data encrypted using this method.
I personally don’t believe this “backdoor” exists, for the following reasons:
1) The open process by which candidate algorithms were submitted and analysed by the world cryptographic community would seem to render this impossible.
2) The fact the technology has been widely accepted by many, non-American governments (and apparently bin Laden) would suggest its robustness.
3) The process used in the encryption is both “state-of-the-art” and, in computing terms, “best practice”, which would make vulnerabilities of the type allowing a “backdoor” unlikely.
Assuming bin Laden’s files are indeed encrypted using AES-256, the only way I can see to break the encryption would be to use a painstaking “brute force” technique.
This would involve trying all of the 2256 possible encryption keys. This works out at 1.16x1077 different codes to try (the number one with 77 zeroes after it).
This process would require hundreds of thousands of specially-built machines, the likes of which do not currently exist. Even if they did, we would need many, many times the length of the universe’s lifespan to carry out the search.
In other words, it’s not going to happen.
Assuming bin Laden’s data is encrypted using the AES-256 method, the US will be lucky to learn anything from his hard drives about al-Qaeda’s plans.
11 Comments
Rennie Allen
logged in via LinkedIn
It is rumored that the NSA has access to a 1024 qubit quantum computer, so it is probable that all of OBL's files have been cracked by now.
Jeff Waugh
logged in via Twitter
Having to brute force the key at all is a worst case scenario in itself: There's plenty of dumb human things he could have done (besides break under interrogation -- they put a bullet in that option)... like write his difficult-to-remember passphrase on a post-it note, stuck under the keyboard. :-)
Michael Rumbold
Person
logged in via email @sydney.edu.au
Could someone explain, is it as simple as guessing someones "passphrase" used to generate the key? or finding it as Jeff suggests. Because I know lots of computer users at my university which write down thier important passwords so they don't forget them.
If it is this simple it would seem easier to use data gathered to pick the passphrase than use brute force to crack the code.
Jeff Waugh
logged in via Twitter
The secret could have been created through some other means than a passphrase, such as biometric data. Plus the key itself could be stored elsewhere, on a physical device such as a tiny USB disk. :-)
But yes, you could guess at the passphrase (and that's the easiest way to get into "normal" people's accounts because they rarely acquire good security habits), but if bin Laden has any sense at all (note: it took ten years to find him) he'd choose something utterly abstract *and* very difficult to brute force.
Bob Constable
logged in via Facebook
Maybe they could try a few obvious Passphrase eg.
Death to America
Allāhu Akbar
etc
LOL, Good luck
Caitlin Fitzsimmons
logged in via Twitter
"This would involve trying all of the 2 to the power of 256 possible encryption keys."
Not unless you are extremely unlucky. That's how many possible encryption keys there are but probability dictates that you would crack the code before you had to try all of them. You might get really lucky and get the right code first go or relatively early on in the piece. But there's an equal chance that you would crack it first go versus having to try every single possible combination and then cracking it on the last one. So they may as well try.
Paul Dalgarno
Editor, The Conversation
I actually had the same thought, Caitlin, but when I mentioned it to our technical director he said cracking the code first time would be like winning the lottery five weeks in a row. While I was trying to imagine this, and what I'd spend the money on, he ran away. Thanks for your comment - I'd be interested to hear more people's views.
Bob Constable
logged in via Facebook
There have been cases of people in Australia winning Lotto two weeks in a row and even more unlikely a mother and son won in consecutive weeks. So unlikely things do happen
Caitlin Fitzsimmons
logged in via Twitter
Absolutely - it's extremely unlikely. But the probability of not cracking the code until the very last possible combination is equally unlikely. The likelihood is that it would happen some time in the middle and if you're only an average sort of lucky, it would happen in the first half.
Angus McInnes
Undergraduate student at University of Melbourne
The probability of cracking it using a brute force attack is still so small that it's not worth trying.
Consider a cracker with a million computers, each capable of trying a billion keys per second (which I'm pretty sure is unrealistic with current technology). In 10 years they could try 3.16*10^23 keys. The total number of keys is 2^256 (about 1.16*10^77). So the probability of cracking the key within 10 years is one in 3.67*10^53.
For perspective, this is billions of billions of times more unlikely than all of us being killed by an asteroid impact tomorrow.
Caitlin Fitzsimmons
logged in via Twitter
I'm not truly arguing that they should try brute force. I'm just being pedantic, I guess. It's inaccurate to say it would involve trying every possible combination.
Bear in mind that we're not interested in all possible passwords but one that Bin Laden would have chosen. I imagine they would try things like de4th2USA in Arabic or similar! And the best encryption in the world won't help if the password is written on a post-it note stuck to the computer.
Even if they don't get into the hard drives, it looks like there is a vast intelligence treasure trove on unencrypted USB drives as this was how OBL sent his emails. http://is.gd/2XWgcw