Dueling Universities: “Unvanish” Rules?
Several months ago I posted an article about a university project called “Vanish,” which allowed documents to become gradually unreadable using distributed encryption key elements scattered across a large network. The researchers who created this little scheme figured (as do all code makers, I suspect) that their system was unbreakable, since the key would eventually degrade as elements were lost over time. This would render “stale” messages unreadable, even if they still existed somewhere.
These guys, it appears, should have taken a lesson from the “unsinkable” Titanic.
Today it was announced that some competing researchers at the University of Washington have figured out how to defeat Vanish. And their method was so obvious that one wonders why the original inventors didn’t think of it. They simply caused a single computer on a Vanish network to masquerade as more than one node. This caused the computer to accumulate more than one component of the encryption key, which made it much easier to reassemble.
As the researchers said, a “rogue machine would simply need to capture and store anything that looked like a Vanish key fragment. The researchers said that this was simple, as the Vanish fragments are identifiable because of their size. Later it would be possible to reconstruct a Vanish message by simply consulting the Unvanish archive.”
Of course, the original team was quick to fire back. They said they’d already modified their initial approach, thus making it much harder for a single machine to be used to accumulate multiple key fragments. “The newly discovered weaknesses with our initial research prototype are not an invalidation of Vanish,” said Tadayoshi Kohno, a University of Washington computer scientist.
All I can say is this: no system is invulnerable to penetration. Any encryption can be defeated, and in some cases that’s not a bad thing. As some companies are now finding, encrypted documents for which they have no decryption key can cause legal issues (including contempt of court charges) if they need to be produced during a legal discovery hearing. This is an emerging area of technology, and business is still catching up.