On the morning of Feb. 23, Google announced that two researchers from the Netherlands' Centrum Wiskunde & Informatica (CWI) and several Googlers successfully broke an internet lock. They'd been working on this project for nearly two years, using several hundred computers in eight different locations around the world, and now they have succeeded.
What is an internet lock, and why would Google try to break it? Should this worry you? As someone who uses internet banking, browses websites and surfs Facebook and Twitter, should you be concerned?
As cartoonist Peter Steiner's famous cartoon in the New Yorker on July 5, 1993, quipped, "On the Internet, nobody knows you're a dog." In other words, you cannot trust anyone on the internet.
This is where the science of encryption comes in: to establish trust. A more sophisticated name for encryption technology is cryptology, the art and science of making and breaking cryptographic functions, which can be likened to physical locks with keys. Two people who share a key can lock and unlock with little effort, but those without the proper key should not be able to do so.
These locks are given proper names from the jargon, such as hash functions, public-key encryption methods and digital signatures. Each one of them has a purpose, and all together, they provide the trust infrastructure that is normally nonexistent on the internet.
Using these cryptology locks, we are able to send secure messages to our friends, knowing that only they can read them, or order products on e-commerce websites with our credit card or banking information, knowing that others cannot see it. These locks provide the trust function not only to consumers (so that they don't hesitate to use, for example, internet banking), but also to companies, for billing, advertising, and keeping track of their business operations. Needless to say, without strong locks there would be no trust on the internet!
But how do we know our locks are strong? The expected competition is between those who make difficult-to-break locks and those who try to unlock them without proper authorization. Young hackers, organized hacking companies, ethical hackers and government agencies are constantly trying to find weaknesses in the complex trust architecture for obvious reasons. While young hackers like to boast, organized hackers pursue money, and government agencies seek information on their adversaries.
Therefore, the good guys, i.e. lock makers, need to make sure their locks are strong. One question that always comes up: Are there unbreakable locks? If there are, why not use them and be done with it? The answer is yes. There are indeed unbreakable cryptologic locks, but they are not useful when it comes to internet transactions. So cryptologists need to come up with strong locks, keep checking on them and, if necessary, update them once every few years, just to keep the trust architecture running.
National and international standards organizations are precisely entrusted with this job. They constantly review current cryptography standards and declare some obsolete, and then design new ones to replace them.
On the other hand, companies like Google, Apple, or Amazon have big stakes in the trust architecture. Google earns billions of dollars from advertising every year; in fact, 90% of Google's income comes directly from advertising. Without the internet trust architecture, the correct click count of each advertising icon cannot be obtained, and this would cost Google its business. While standards organizations have a mandate to make sure internet locks work properly, Google's lifeline depends on it.
Going back to the analogy of lock makers versus lock breakers, tech giants like Google also invest to make sure locks are strong. And the best way to check if a certain type of lock is indeed strong? Well, just try to break it. If you can break it within a specified duration by investing a reasonable amount of money, then others can too. This is precisely why Google (and other big companies) invest part of their time and energy in constantly checking the quality of internet locks.
Thus, Google allowed its team to use up to 6,500 computers and 110 supercomputers for approximately one year in their lock-breaking project.
The cracked lock, with the obscure name "SHA-1," was actually deprecated by several standards organizations about three years ago. However, it is still being used in many internet protocols involving secure file transfer, identity verification and digital signatures.
The ability to break SHA-1 implies that any document can potentially replace another one and still be considered as true and authentic. This way, for example, a digital electronic funds transfer order coming to a bank could be changed into a fake one with different recipient and/or different amount, if SHA-1 is used as the authentication lock.
The team's success implies SHA-1's failure as a viable lock, meaning that website designers and operators of identity verification systems that employ this authentication lock have to check their software as soon as possible and remove SHA-1. Though a serious matter, it should not concern consumers. The news excited cryptology researchers, who have been phasing out SHA-1 slowly anyway, but now they need to speed up.
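The funds-transfer scenario above, as an added example that is not part of the original article: a tag computed over a document's digest is accepted for any other document with the same digest, and switching to an unbroken hash removes the problem. Assumptions: SHA-1 is truncated to 24 bits so that a collision can be found in seconds, an HMAC stands in for the digital signature, and the key, names and order format are constructed for illustration.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # constructed secret, stands in for the signer's key
WEAK_BYTES = 3                 # assumption: 24-bit truncation models a broken hash

def weak_digest(msg: bytes) -> bytes:
    """Deliberately weakened lock: SHA-1 truncated to 24 bits."""
    return hashlib.sha1(msg).digest()[:WEAK_BYTES]

def strong_digest(msg: bytes) -> bytes:
    """Replacement lock with no known collisions."""
    return hashlib.sha256(msg).digest()

def sign(msg: bytes, digest_fn) -> bytes:
    """Hash-then-authenticate: the tag covers only the digest, not the message."""
    return hmac.new(KEY, digest_fn(msg), hashlib.sha256).digest()

def verify(msg: bytes, tag: bytes, digest_fn) -> bool:
    return hmac.compare_digest(sign(msg, digest_fn), tag)

def order(recipient: str, amount: int, ref: int) -> bytes:
    """Constructed transfer-order format."""
    return f"PAY {amount} EUR TO {recipient} REF {ref}".encode()

def find_colliding_orders(table_size=1 << 14, max_tries=1 << 20):
    """Return two different constructed orders with equal weak digests."""
    seen = {}
    for i in range(table_size):
        m = order("ACCOUNT-A", 100, i)
        seen[weak_digest(m)] = m
    for j in range(max_tries):
        altered = order("ACCOUNT-B", 9000, j)
        original = seen.get(weak_digest(altered))
        if original is not None:
            return original, altered
    raise RuntimeError("no collision found within the search limits")

def demo() -> dict:
    original, altered = find_colliding_orders()
    weak_tag = sign(original, weak_digest)      # issued for the original only
    strong_tag = sign(original, strong_digest)
    return {
        "original": original,
        "altered": altered,
        "weak_accepts_altered": verify(altered, weak_tag, weak_digest),
        "strong_accepts_altered": verify(altered, strong_tag, strong_digest),
        "strong_accepts_original": verify(original, strong_tag, strong_digest),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```
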