Crown Sterling has decrypted two RSA asymmetric public keys. It did so at an event in Newport Beach, California in front of an invited audience of over 100 academics and business professionals. During the event, Crown Sterling had two of its developers create new AES 256-bit public/private key pairs and then decrypt them. An edited video showing the decryption was posted by the company on YouTube.
A quote ascribed to Grant in the press release says: “Today’s decryptions demonstrate the vulnerabilities associated with the current encryption paradigm. We have clearly demonstrated the problem which also extends to larger keys.”
The press release also states: “Crown Sterling also announced the consistent decryption of 512-bit asymmetric public key in as little as five hours also using standard computing.”
So is this the end of encryption as we know it? Is this Crown Sterling’s answer to its critics, including Bruce Schneier, who accused it of peddling snake oil at Black Hat earlier this year? Probably not.
Problems with the demonstration and claims
Crown Sterling claims that they decrypted the keys in just 52 seconds using a standard laptop and its own software. However, security researchers who have viewed the video have thrown considerable doubt on this claim.
Nicholas Weaver (@ncweaver) at ICSI, Berkeley tweeted: “Just realized that the Crown Sterling snake-oil is likely even more fraudulent: they likely didn’t even implement it.” Weaver based his claim on the fact that, in the video, the Crown Sterling developers didn’t suppress the “Info:root” line printed by cado-nfs.
Kevin Beaumont (@GossiTheDog), Security Operations Centre Manager at BNFL, went further. He tweeted that any journalist given the video should seek expert commentary. Beaumont questioned whether the tool was really run on a laptop. Grant responded, admitting that the tool wasn’t being run on the laptop in the video as claimed. Instead, he wrote, it was run on a local server, apparently for security reasons.
There are far more damning claims around the video. For example, Schneier published a blog post covering the video and the claims. He writes: “This keylength is so small it has never been considered secure. It was too small to be part of the RSA Factoring Challenge when it was introduced in 1991.” He goes on to say: “Find an RSA Factoring Challenge number that hasn’t been factored yet and factor it. Once you do, the entire world will take you seriously. Until you do, no one will.”
What have others said?
Enterprise Times had already reached out to several companies and experts before seeing Beaumont’s tweet. The majority declined to comment on the grounds that they lacked enough information about Crown Sterling and its claims. However, a few did respond and this is what they said.
Bill Holtz, CEO, Sectigo said: “Crown Sterling’s example does not suggest a weakness in current cryptographic algorithms and bit lengths used in TLS/SSL Certificates today, including Sectigo. We continue to advocate replacing certificates or reconfiguring systems using deprecated algorithms and choosing appropriate bit lengths.”
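The practical takeaway from the key-length criticism above and from the Sectigo advice on appropriate bit lengths is an audit of the RSA keys actually in use. The following is an added example, not code from the article or from any company it quotes: a minimal DER parser for a PKCS#1 RSAPublicKey that reports the modulus size and flags anything below a policy floor. The 2048-bit floor, the helper names and the sample moduli are all assumptions constructed for the example.

```python
RSA_MIN_BITS = 2048  # policy floor (assumption); a 256-bit modulus was never secure

def _der_len(n: int) -> bytes:
    """Encode a DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _der_int(v: int) -> bytes:
    """Encode a non-negative INTEGER, padding so the sign bit stays clear."""
    body = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + _der_len(len(body)) + body

def encode_rsa_public_key(n: int, e: int) -> bytes:
    """RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }"""
    inner = _der_int(n) + _der_int(e)
    return b"\x30" + _der_len(len(inner)) + inner

def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value bytes, position after the element) for buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        k = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + k], "big")
        pos += 2 + k
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(der: bytes) -> int:
    """Parse a PKCS#1 RSAPublicKey and return the modulus bit length."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag, n_bytes, _ = _read_tlv(seq, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    return int.from_bytes(n_bytes, "big").bit_length()

def audit_rsa_key(der: bytes, min_bits: int = RSA_MIN_BITS) -> str:
    bits = rsa_modulus_bits(der)
    return "ok" if bits >= min_bits else f"weak: {bits}-bit modulus below {min_bits}"

if __name__ == "__main__":
    # constructed sample moduli of the target size (not products of real primes)
    weak = encode_rsa_public_key((1 << 255) | 0x1235, 65537)
    strong = encode_rsa_public_key((1 << 2047) | 0x1235, 65537)
    print(audit_rsa_key(weak), "|", audit_rsa_key(strong))
```

In practice the DER bytes would come from a certificate or key file in your estate; the parser only needs the PKCS#1 structure, so a SubjectPublicKeyInfo wrapper would have to be unwrapped first.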
Rick McElroy, Principal Security Strategist for Carbon Black said: “None of this is good for defenders. The whole thing is distracting and just occurs as more noise. They need less noise not more. It’s not a good look for the industry as a whole.
“We know that there are weak keys all over with that implementation. I don’t think it would take something new to do what they did. Pretty sure you could do this since 2015 or so. Pointing out flaws that are already known is weak. Go find new flaws. I would say the overall approach is poor. There needs to be a third party test of current implementations at 2048 and then, and only then, should something like this be considered valid.”
A longer response came from Simon Bain, CTO, ShieldIO, one of the few companies offering real-time homomorphic encryption. He said: “Crown Sterling’s achievement just goes to show that key encryption on its own is not enough to keep your data secure. Organizations need a multifaceted approach to security, which includes encryption, perimeter defenses and most of all employee training and buy-in, as without this everything else is liable to fail.
“All that said, when it comes to encryption there are a number of things that organizations need to do to help maintain the security of their data.
- “Eliminate their KeyStore – it is far easier for a hacker to steal your keys than it is to break them!
- “Do not rely on a single key across your data – just because you have eliminated the KeyStore, you still require keys for encryption/decryption. Do not rely on a single source.
- “Security is the art of deception and ‘just making it hard’. You want the thief to move on to an easier target, so do not rely on encryption alone. Make sure that you have an application that can utilize AI algorithms to break the data, obfuscate it and put even more barriers into making the decryption of your data not just hard but too hard to be worthwhile. By doing this any would-be thief not only has to break the key algorithm, but also the AI algorithms which put it all into place.
- “Regularly check your defenses.
“While Crown technologies have shown vulnerabilities within keys, we knew they were there. Their achievement is no less and it does remind us that while encryption keys are here for a good while yet, we should be aware as with everything in life that there are weaknesses that can be exposed and manipulated by those who wish to see your data.”
Enterprise Times: What does this mean?
Is Crown Sterling for real? Does it have the magic bullet that will destroy cryptography as we know it? Is this nothing more than FUD to eventually sell the TimeAI encryption solution that Grant was presenting at Black Hat?
There is no question that Crown Sterling, and Grant in particular, is getting a lot of attention from the Infosec community. The problem is that none of it is positive. Grant is being derided by some of the best-known names in the Infosec community. This has already led him to issue legal action against UBM, the organisers of Black Hat, for the way he was treated in Las Vegas. Will he respond with more legal action given some of the comments about this presentation?
This demonstration, when viewed without the commentary from the wider Infosec community, looks good. For those with little knowledge of the field, it sends the message that encryption can be broken. This is a message that is being pushed hard at the moment. The threat of Quantum Computing invalidating many of the current encryption algorithms is seen as very real. To address this, NIST has been pushing the industry to develop new encryption algorithms that are safe from Quantum Computing.
The threat from Quantum Computing has created a knowledge vacuum. Organisations are no longer sure what is safe, what will be safe in the future, and what they should do now to protect their data. What is important is that organisations take the time to talk to their suppliers and to experts in the Infosec community.