As an aside on previous post on computation and security requirements I thought I'd add a note on an obvious omission, encryption and hashing...
Tricks like encryption and hashing aren't really applicable to computation security requirements even though they are computations themselves. Encryption and hashing are more applicable to transport (connections) and storage (data). It's nigh-on impossible to do any computation on encrypted data so you generally need it in plain-text form (homomorphic encryption aside since it's not really market ready yet).
Hashing is a useful tool in so many cases but is increasingly becoming overused. The compute power available today; especially in the cloud, means its relatively easy for someone to create a lookup database of all words in hashed form. This can then be used to identify user passwords for example. You can salt the hash to make it more distinct but this then means you need to manage the salt; and likely change it from time to time for the same reason you change encryption keys. Forcing longer and more complex passwords helps (well, maybe, that's another debate) but with compute power in 5 years time it may well be pointless and alternative forms of identification will be needed (if they aren't already).
Using hashes to obscure data such as postcodes or dates is even less worthy as the number of hashes you need to create are limited and can be computed in seconds on a modern computer. Date-of-birth for example is limited to say 100 years * 365 days worth of hashes. A particularly determined attacker could even look at the distribution of these hashes to determine that it's date data even if it's not labelled as such.
Encryption and hashing are useful for data transfer and persistence but; whilst they're clearly computational tasks themselves, they're not generally requirements for computational components currently.
No comments:
Post a Comment