LOGBOOK

HELP

1 / 14
Other keys: showSpace: good1-4: rate0: skip5: flag6: invert

Question

A common claim in cryptography is that key length is NOT the only security criterion. Why not — what else can break a system whose algorithm and key size are both strong?

Answer

A large, correct key only secures the math. Real systems still fall through side-channels, badly-protected keys, software (rather than hardware) key storage, a weak first key exchange, broken authentication protocols, and attacks that never touch the wire at all.

A 256-bit AES key or a 3072-bit RSA key makes brute force hopeless — but attackers rarely fight the math. Here is how a "strong-key" system still gets broken:

  • Side-channel attacks — timing, power draw or electromagnetic leakage reveal the key around the cipher, without breaking it.
  • Poorly protected keys — a 2048-bit RSA private key guarded by a 6-digit password is only as strong as those 6 digits.
  • Keys/algorithms in software, not a security module — if the crypto runs in the PC's memory instead of dedicated hardware (HSM, smartcard), the key can be read out.
  • A weak initial key exchange — "trust on first use" (TOFU) or plain FTP lets an attacker sit in the middle during setup, before any strong key is agreed.
  • Weak or wrong authentication protocols — if you can't be sure who holds the other key, its size is irrelevant.
  • Attacks off the communication path — the classic Alice–Bob model only considers on-the-wire attacks; the endpoint, the user, or the supply chain are often the real target.

A sharper version of the same point: the size of a brute-force attack says nothing about an algorithm's security. 104-bit RC4 is brute-force-proof, yet it can be broken on home equipment because the algorithm is weak. Security is the weakest link in the whole chain — never just the biggest number in it.

Go deeper:

An attempt to decode RSA key bits using power analysis. The left pulse represents the CPU power variations during the step of the algorithm without multiplication, the broader right pulse – step with multiplication, allowing an attacker to read bits 0, 1.
An attempt to decode RSA key bits using power analysis. The left pulse represents the CPU power variations during the step of the algorithm without multiplication, the broader right pulse – step with multiplication, allowing an attacker to read bits 0, 1.
Audriusa. Recorded by student in ETH (Zurich) during system security laboratory work. · GPL · Wikimedia Commons
or press any other key