Why doesn't public key encryption stop hackers?

Public key encryption is theoretically secure, but hackers often exploit vulnerabilities unrelated to breaking encryption itself. Common methods include using trojans to trick users into opening malicious files, exploiting operating system bugs to introduce harmful code, and social engineering to obtain passwords. Effective security measures like virus checkers, firewalls, and regular operating system updates can mitigate these risks. In high-profile cases, additional security layers are employed to protect sensitive information. Historical examples illustrate that even with strong encryption, poor key management and user practices can lead to significant security breaches. Ultimately, human error and inadequate security awareness are critical factors that hackers exploit, regardless of the strength of encryption methods.
nomadreid
This is a question from a total non-specialist: I can't write or even read code; I just follow the mathematical underpinnings. The public key encryption schemes seem almost unbreakable, theoretically (until quantum computers come along), so what is it that allows hackers to hack one's email, for example, or more complex programs? (I am not trying to learn to be a hacker, no danger there, I am just trying to make sense out of the news.)
 
nomadreid said:
This is a question from a total non-specialist: I can't write or even read code; I just follow the mathematical underpinnings. The public key encryption schemes seem almost unbreakable, theoretically (until quantum computers come along), so what is it that allows hackers to hack one's email, for example, or more complex programs? (I am not trying to learn to be a hacker, no danger there, I am just trying to make sense out of the news.)

Very little, if any, hacking involves breaking your PKI. In my experience the most common problems are: a) The trojan: a dodgy file gets sent to your computer in the hope you will open it; b) Operating system bugs: which can allow code to be smuggled onto your computer; and c) Simply conning someone into giving their password, or simply guessing it.

Virus checkers and firewalls are supposed to deal with a) and prevent malicious software reaching your computer. Keeping your o/s up to date with security patches should prevent b). And, security awareness should prevent c).

On high-profile systems, which potentially a foreign government might target, things get a bit more complicated. E.g. two layers of firewalls from different manufacturers and suppression of error messages to prevent the hacker seeing how far they have got etc.
 
Thanks, PeroK
 
I went on a tour round Bletchley Park, where they did code breaking during the Second World War.

The Germans changed their encryption keys daily. But because distributing keys was tricky back in the day, groups of units shared an encryption key. They weren't obvious groupings, so the senior commanders didn't share keys. But the high command did share a key with some unimportant base in Africa. The Allies left them alone. Every day, they reported in: "Nothing to report". And every day the Allies used that known plain text to crack their key and read the high command's messages.

Also, the problem with changing keys every day was that people didn't really change them - the equivalent of using password1 today and password2 tomorrow. Or else they cycled through half a dozen keys. So rules were introduced to make things more random. The guide's face when he said this was hilarious - I was there with about twenty maths/engineering/science types from work, and I suspect we looked like the National Synchronised Face Palming squad. Especially when he went on to say that there were so many restrictions on what changes had to be made that if we broke your key today there were only about half a dozen possibles for tomorrow instead of hundreds.

That's the anecdotal version of PeroK's response, basically. Sloppy usage by people who don't understand how catastrophic it can be is exploitable, no matter how good your encryption is.
 
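The two failure modes in the Bletchley Park account above (a shared key exposed through a predictable message, and key-change rules that shrink the next day's choices), as an added example that is not part of the thread. The cipher is a toy stand-in, not Enigma, and the five-rotor key space, the messages and both rules are assumptions chosen for illustration.

```python
import hashlib
from itertools import permutations

# Assumed toy key space: 3 of 5 rotors in order, 60 possible daily keys.
ALL_KEYS = list(permutations("ABCDE", 3))

def toy_cipher(key, data):
    """Toy stand-in cipher (not Enigma): XOR with a key-derived byte stream.
    XOR is its own inverse, so this both encrypts and decrypts."""
    stream = hashlib.sha256("".join(key).encode()).digest()
    return bytes(b ^ stream[i % len(stream)] for i, b in enumerate(data))

def recover_key(ciphertext, crib, candidates):
    """Known-plaintext search: keep every key that turns the crib into the
    intercepted ciphertext."""
    return [k for k in candidates if toy_cipher(k, crib) == ciphertext]

def allowed_tomorrow(today, used_this_month=()):
    """Assumed key-change rules: no rotor may stay in the same slot as
    yesterday, and no order may be reused within the month."""
    return [k for k in ALL_KEYS
            if all(a != b for a, b in zip(k, today))
            and k not in used_this_month]

def demo():
    today = ("C", "A", "E")                      # constructed daily key
    crib = b"NOTHING TO REPORT"                  # the quiet base's daily message
    routine = toy_cipher(today, crib)            # intercepted, plaintext guessed
    orders = toy_cipher(today, b"MOVE AT DAWN")  # constructed message, same key
    found = recover_key(routine, crib, ALL_KEYS)
    return {
        "recovered": found,
        "orders_read": toy_cipher(found[0], orders),
        "keys_without_rules": len(ALL_KEYS),
        "keys_after_slot_rule": len(allowed_tomorrow(today)),
        "keys_after_both_rules": len(allowed_tomorrow(today, ALL_KEYS[:20])),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Each rule was meant to make the keys less predictable, yet each one removes candidates that someone who already knows today's key would otherwise have to test.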