Snooping set might need aeons to read your mail

By MICHAEL FOREMAN

An Auckland security expert doubts that Government agencies have the technical ability to intercept large volumes of e-mails, even if proposed legislation gives them the power to do so.

Last week Information Technology Minister Paul Swain said law changes being considered would give police, the Security Intelligence Service and the Government Communications Security Bureau the power to intercept electronic communications.

But Lech Jancewski, an Auckland University lecturer in management science and information systems and chairman of the New Zealand Information Security Forum, said anyone with some computer knowledge could easily find encryption tools that would make it difficult for the Government to break into e-mails.

128-bit encryption software such as Pretty Good Privacy and web services such as mail2web were freely available, and it was also possible to obtain stronger encryption software.

Without help from overseas security agencies, it was unlikely that the Government here would be able to break into messages that were encrypted with key lengths of more than 128-bits.

"I doubt the technology exists in New Zealand," he said.

"If you tried to break into a 128-bit encrypted email with a PC, for example, you would fail. You need to have much more powerful equipment than that."

He estimated that someone using hardware at present costing around $2 million would take about four days to break into a 128-bit encrypted e-mail using "brute force" methods - that is, trying every possible combination.

A message protected by the next step up in strength, 256-bit encryption, would take the same hardware 10 to the power of 17 years to decrypt.

While certain software decryption methods could reduce these times significantly, Mr Jancewski said that even stronger defences were available. "Military standard" 512-bit encryption, for example, was extremely difficult to crack.

"I am always very careful not to say impossible," he said. "It's always a question of what it's worth."

While he believed it might be possible for the Government to read the e-mails of a few targeted individuals, large-scale scanning would not be practical, thanks to the volume of traffic.

"If you started scanning e-mails you could easily detect all encrypted messages, but if everyone started using encryption then telling which ones were using powerful or weak encryption would be very difficult."


Herald Feature: Privacy

Related links