cryptography – Encryption and the “security time decay” of prior encrypted data

One notion is called Perfect Forward Secrecy. This applies to situations where you encrypt data and decrypt it almost simultaneously, but you worry about an attacker who would later on obtain a copy of the decryption key. This is a restrictive model, but it applies to SSL connections: the server private key is long-lived (usually, it is stored in a local file) and thus subject to future theft; whereas there is no legitimate need to decrypt exchanged data at a future date.

In the case of SSL, the solution relies on the “DHE” (Diffie-Hellman Ephemeral) cipher suites. Roughly speaking, client and server use a Diffie-Hellman key agreement, with fresh private exponents, to establish the session keys. The server private key (the one corresponding to the public key in the server certificate) is used only for signing (so that the server is duly authenticated by the client). Therefore, later theft of the server private key does not allow the attacker to decrypt data which was exchanged beforehand. The Diffie-Hellman private exponents and the session key, being transient (linked to that session only), are never stored on a physical medium, and they are forgotten once the session is closed; therefore, they are much less susceptible to later theft.

Moore’s law and the overall increase in available computing power are not a big issue, because they are predictable: such computing power increases by a factor of less than 2 every year. Therefore, it is easy to oversize keys a bit to account for that factor: in the case of symmetric encryption, just add one key bit per year. This means that AES with a 192-bit key will be fine for at least one century, at least with regards to such technological advances. For RSA, Diffie-Hellman, Rabin-Williams or El-Gamal, aim at 8192-bit keys for the same protection level (384-bit keys for elliptic curves).

More worrisome are scientific advances, namely the potential discovery of faster algorithms for, e.g., integer factorization. Such advances are much less predictable than technological advances; however, they also seem to happen quite rarely (the last big advance in factorization was the invention of the Number Field Sieve, and that was 20 years ago). The quantum computer is an unknown joker here: if it can ever be built, then it utterly destroys asymmetric cryptography (well, at least, the factorization-based and discrete-log based algorithms, including the elliptic curve variants; possibly, McEliece encryption may resist).

Generally speaking, the biggest threat for long-term confidentiality of encrypted data is private key theft. When applicable, PFS really improves things by a fair margin. Worrying about Moore’s law or quantum computing is very good news indeed: it means that you have already thwarted all easier attack vectors, which is no small achievement. Thinking that “encryption is an infallible lockbox” is not completely preposterous: if done properly, the encryption part itself will add negligible risks to what you must already face when it comes to storing a private key and keeping it safe while not losing it altogether.
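The contrast drawn in the answer above (a long-lived server key used for key transport versus one used only to sign an ephemeral Diffie-Hellman value) can be replayed end to end in code. The following is an added example, not part of the answer, written against the Go standard library. It assumes an RSA long-term key standing in for the certificate key, ECDHE on P-256 rather than finite-field DHE (the forward-secrecy argument is identical), a key derivation simplified to one SHA-256 of the shared secret instead of the real TLS PRF, and a constructed sample plaintext. Both handshakes are simulated in-process, an eavesdropper's capture of each is kept as a `Record`, and the same long-term key is then "stolen" and tried against both captures.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Record is what a passive eavesdropper keeps from one session: the handshake messages as sent, plus one data record.
type Record struct {
	KeyTransport []byte // RSA suite: premaster secret encrypted to the server's long-term key
	ServerEph    []byte // DHE suite: server's ephemeral public key (wire bytes)
	ServerSig    []byte // DHE suite: signature over ServerEph by the server's long-term key
	ClientEph    []byte // DHE suite: client's ephemeral public key (wire bytes)
	AppData      []byte // nonce || AES-256-GCM ciphertext under the session key
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// sessionKey stands in for the TLS key derivation (assumption: simplified to one hash of the shared secret).
func sessionKey(secret []byte) []byte {
	k := sha256.Sum256(secret)
	return k[:]
}

func seal(key, msg []byte) []byte {
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce := make([]byte, gcm.NonceSize())
	must(rand.Read(nonce))
	return gcm.Seal(nonce, nonce, msg, nil)
}

func open(key, sealed []byte) ([]byte, error) {
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// rsaHandshake models the RSA key-exchange suite: the premaster secret is encrypted to the long-term key.
func rsaHandshake(server *rsa.PrivateKey, msg []byte) Record {
	premaster := make([]byte, 48)
	must(rand.Read(premaster))
	ct := must(rsa.EncryptOAEP(sha256.New(), rand.Reader, &server.PublicKey, premaster, nil))
	pm := must(rsa.DecryptOAEP(sha256.New(), rand.Reader, server, ct, nil)) // server side
	return Record{KeyTransport: ct, AppData: seal(sessionKey(pm), msg)}
}

// dheHandshake models a DHE suite (ECDHE on P-256 here): the long-term key only signs the ephemeral value.
func dheHandshake(server *rsa.PrivateKey, msg []byte) Record {
	curve := ecdh.P256()
	srvEph := must(curve.GenerateKey(rand.Reader)) // fresh for this session, never written out
	srvBytes := srvEph.PublicKey().Bytes()
	digest := sha256.Sum256(srvBytes)
	sig := must(rsa.SignPKCS1v15(rand.Reader, server, crypto.SHA256, digest[:]))
	if err := rsa.VerifyPKCS1v15(&server.PublicKey, crypto.SHA256, digest[:], sig); err != nil { // client side
		panic("server not authenticated: " + err.Error())
	}
	cliEph := must(curve.GenerateKey(rand.Reader)) // client's own fresh scalar
	cliBytes := cliEph.PublicKey().Bytes()
	secretC := must(cliEph.ECDH(must(curve.NewPublicKey(srvBytes)))) // client: from the server's wire bytes
	secretS := must(srvEph.ECDH(must(curve.NewPublicKey(cliBytes)))) // server: from the client's wire bytes
	if !bytes.Equal(secretC, secretS) {
		panic("ECDH mismatch")
	}
	// srvEph and cliEph go out of scope on return: the only copies of the private scalars are gone.
	return Record{ServerEph: srvBytes, ServerSig: sig, ClientEph: cliBytes, AppData: seal(sessionKey(secretS), msg)}
}

// decryptWithStolenKey is the attacker who obtains the long-term key after the session and replays it on the capture.
func decryptWithStolenKey(stolen *rsa.PrivateKey, rec Record) ([]byte, error) {
	if rec.KeyTransport != nil {
		pm, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, stolen, rec.KeyTransport, nil)
		if err != nil {
			return nil, err
		}
		return open(sessionKey(pm), rec.AppData)
	}
	// DHE: nothing in the record is encrypted to the stolen key; it only signed ServerEph. The session key
	// depended on two ephemeral scalars that were never transmitted or stored, so there is nothing to decrypt.
	return nil, fmt.Errorf("DHE record: long-term key yields no session key (forging future signatures is all it buys)")
}

func main() {
	server := must(rsa.GenerateKey(rand.Reader, 2048)) // long-term key, as in the server certificate
	msg := []byte("constructed application data")      // constructed sample plaintext
	for _, rec := range []Record{rsaHandshake(server, msg), dheHandshake(server, msg)} {
		pt, err := decryptWithStolenKey(server, rec)
		fmt.Printf("key transport=%v recovered=%q err=%v\n", rec.KeyTransport != nil, pt, err)
	}
}
```

The RSA-transport capture yields the plaintext as soon as the key leaks; the DHE capture is just two public points, a signature and a ciphertext, and the stolen key does nothing useful with it. What the stolen key does buy the attacker is the ability to sign in the server's name from then on, which is why PFS protects past sessions only and key theft still has to be detected and the certificate revoked.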