Virtual Adventures has developed a new form of encryption, and to prove its strength, the company is letting anyone try to crack it.
Vase Software was developed 10 years ago as part of a video game, where its original purpose was to enable secure transfer of video files. The game ultimately failed, but the video encryption system proved surprisingly strong. In the years since, the company transformed itself, switching from game design to cryptography. The company has spent the last few years refining the software from an overly complex form into a user-friendly, market-ready version.
Although Virtual Adventures was hesitant to reveal the proprietary mechanisms of their product, I was able to tease out a pretty distinctive detail: Unlike most other encryption systems, Vase Software is not based on prime numbers, which have some known vulnerabilities.
The software is an information protection system aimed at sensitive databases and other stored information. It's not a tool for protecting communications as they happen. Instead, think of it more like a safe than a private conversation—Vase Software locks up the valuable databases until they need to be accessed, and makes sure that only someone with the right software can use that data.
It's all but certain that the encryption will eventually be broken. The goal was not to make an impossible-to-crack system; just an incredibly difficult-to-break one. Vase protects sensitive information, which tends to degrade in value over time. The longer a sensitive database takes to un-encrypt, the safer it is, and it's easy to imagine a scenario: if files were stolen that contained the location of every CIA agent in a country, it'd be a lot better for the CIA if that file took six months to break, rather than six days.
In February, Virtual Adventures set up a site called "Can you crack this?", encouraging hackers to try their hands at breaking any of the six encrypted files available for download. There's even a boastful Twitter account that dares the intrepid and savvy to crack the software. Elton Elliot, CEO of Virtual Adventures, also plans to test the product at hacker conventions.
While talking with Elliot, the topic of cyber security, and specifically a "cyber Pearl Harbor," kept coming up. As threats go, it's hardly world-ending, but I was curious to find out how software that stores encrypted data could protect against a cyber attack that actively disrupts communications and live information. To continue the earlier analogy, this sounded to me like implying that a locked bank vault kept the store next door safe. Fortunately, cyberspace isn't bound by crude physical space metaphors, and it turns out that encrypted information within a virtual safe can protect an entire system. Think about it this way: If all passwords needed for machines to communicate with each other were in a safely encrypted database that required Vase Software to un-encrypt, and if Vase Software effectively and rapidly responded to such a breach, it would be that much harder for an attacker to gain access.
That Steam Punk bank vault is so fascinating.
Makes me wonder what is in Julian Assange's poison pill file. (It was distributed as a torrent.)
@dkella it's just the entire series of Barney.
I'm not sure if you realize that the DES encryption algorithm used for decades for credit/debit cards and the more recent TripleDES and AES algorithms are probably the most frequently used encryption algorithms in place today and they do not rely on prime numbers, right?
The word you were looking for is "decrypt", not "un-encrypt".
Anyone familiar with how encryption algorithms are vetted and approved for widespread use knows that a closed, proprietary algorithm is generally best avoided (because you have no idea what vulnerabilities and/or backdoors are in place) and a "break my encryption if you can" contest is next to worthless.
Why would cryptography researchers take time out of their day to try to crack a proprietary algorithm? They already have peer reviewed algorithms that work great and have been hammered on by experts for years.
Claiming that an algorithm is strong/secure because nobody has taken time out of their busy lives to break it is just a silly notion. Nobody has broken into my house this year either, should I make a claim that I've got terrific physical security in place in my home?
While we're on the subject of encryption algorithms, I'm not sure if you realize it or not but it's rarely ever the _algorithm_ that's to blame for a data breach or data theft. It's almost always a problem with the implementation or something else like social engineering (i.e. tricking someone into giving you access to physical access/passwords/data you shouldn't have access to). Actually finding a way to break an algorithm rarely ever happens.
I'm left feeling like the author of this article and Vase Software probably don't have a very good grasp of sound practices for data security. I would not feel comfortable (sight unseen) using their product based on what I've read about it from this article.
I don't know about you, but speaking of "evolution" it looks like you & I are a couple million years behind the times here. I'm going to start shaving, how about you?
This is NOT how real cryptosystems are tested; assuming Mr. Elliot has looked into the right way to do it, one can only assume that this is a publicity stunt.
A very fundamental rule of cryptography is that all security must reside in the key (password or equivalent), meaning that complete information about the algorithm must be available. Obscurity of a cipher is not considered a security advantage, and it would generally be considered irresponsible to use a cipher which had not been published (and scrutinized by many eyes).
Cryptography is full of grunt math, and is not considered at all exciting by most humans. Those of us who understand it well enough to successfully attack ciphers, don't indiscriminately give our time away. If Elliot's not even willing to play the game correctly, why should we spend valuable time trying? Anyone who could program could pose a challenge like that, with a high degree of confidence that their cipher, however weak, wouldn't be broken, because the cryptographers of the world would ignore the challenge en masse.
Until the complete algorithm is made available, and some time allowed for review, I could never take this product seriously.
Once quantum computers become mainstream, cracking codes like that will take milliseconds. So enjoy what little security you have now. Next.
Do I get an award if I do? HA ha
I just tried, I don't know if I'm supposed to try to see the stuff, or it's just a glitch
The quick brown fox jumped over the lazy dog, right?
to what point or purpose...
Anyways, it's not like I have access to a super computer, so why waste my valuable time
Cracked one of the test files they had. I cracked the word document. got this:
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<title>414 Request-URI Too Large</title>
<h1>Request-URI Too Large</h1>
<p>The requested URL's length exceeds the capacity
limit for this server.<br />
<address>Apache/2.2.22 Server at gridserver.com Port 80</address>
Agree with rothbart and Security_Geek.
I'd never trust an encryption algorithm that hasn't been publicly evaluated and tested by many experts.
Congratulations, you figured out what Apache does when you request a URL that's too long. Too bad that has nothing to do with decrypting the files posted on that site.
Tales from decrypt ;-)
I won't shave, I don't want to look like a naked ape.