Thursday, January 24, 2008

Al Qaeda encryption

There's been a fair amount of coverage that some Florida-based web sites are offering "new and improved" encryption technology for use by Al Qaeda. According to a Computerworld article, MEMRI (a generally reputable organization) is reporting the availability of "Mujahideen Secrets 2". MEMRI says that the first version of the tool provides users with "the five best encryption algorithms, and with symmetrical encryption keys (256 bit), asymmetrical encryption keys (2048 bit) and data compression [tools]."

So far, that's quite believable.

The problem is the quote in the Computerworld article from Paul Henry of Secure Computing Corp, who says that the new version "likely uses at least 1024-bit encryption, whereas the first version of Mujahideen Secrets used 256-bit AES encryption". I'm going to guess that Al Quaeda has sufficient technical expertise to know that if they're using 256 bit AES encryption, the encryption algorithm isn't the weakest link - it's going to be the key selection and distribution, correct implementation of the algorithms, security of the web sites where their information is stored, etc. I have no idea whether Al Qaeda doesn't understand encryption, or Mr. Henry doesn't understand it, or whether Computerworld misquoted him. But in any case, it's one of those examples of where more is not necessarily better.

The Washington Post article has the good sense to report on the release of the software without speculating on what's "new and improved".


Post a Comment

Subscribe to Post Comments [Atom]

<< Home