There are always researchers and hackers looking to break encryption algorithms. In fact, there are regularly a series of challenges against the very commonly used RSA algorithm. Recently, the RSA-250 challenge was completed with the algorithm being factored, albeit with a key length of only 829 bits. Most of us would use a 2048 or 4096 key length, so this isn’t that disconcerting. Especially given the amount of time this took.
The effort took 2700 core-years, and in real time, thousands of cores used for a few months. This was a new record, and one that scientists regularly compete for. There are challenges that are being run to try and help determine just how strong our encryption algorithm are in today’s world. I don’t think many of us have anything to worry about, but if you are still using any lower length RSA key lengths (512 or 1024), you might think about replacing these keys with longer ones.
In fact, all sorts of algorithms and key lengths have been shown to be insecure, meaning they can be cracked relatively easily. In SQL Server, there are a number of algorithms that have been deprecated for this reason. While most people don’t use the encryption features of SQL Server, some do, and some of you might not realize they are in use in your system. If older algorithms are being used, you should change them as soon as you can. Right now, only the AES algorithms are active, and using any older ones requires a compatibility level of 120 or lower.
This isn’t to imply that encryption isn’t strong or useful or necessary. It does provide protection, but it isn’t perfect. In fact, just like many organizations don’t rely on just locks; they also use live human patrols to secure their assets. You shouldn’t rely only on encryption along. Audit and monitor your systems for unusual and unauthorized activity, and then take the appropriate action, including revoking access for compromised encryption keys.