Featured Article: Exploring Encryption
Encryption comes from the age-old science of cryptography. In the digital world of today, encryption refers to using electronic devices to generate unique encryption algorithms which essentially scramble messages and data making them unintelligible to anyone who tries to intercept them, and also to provide an effective way to lock our electronic devices.
Encryption can be used for most things that have an internet connection, such as messaging apps, personal banking apps, websites, online payment methods, files and more.
Cybercriminals seek our personal data (especially financial details) which they can find in our files, on our personals devices, and on websites / platforms and places online where we have submitted that data e.g. for registration/login, payment, in the form of emails and other messages, and our personal data may be stored in many different places (servers and databases) across the Internet and the digital world.
Verizon figures show that nearly one-third of all data breaches in 2018 involved phishing and that phishing was present in 78% of cyber-espionage incidents and the installation and use of backdoors. Also, IT Governance figures, for example, show that 421,103,896 data records were confirmed to have been breached in October this year (still only 50% of the monthly average!) in111 incidents (including the compromising of sensitive and financial information).
A recent nCiper survey showed that the main driver for encryption is the protection of sensitive information and that organisations use encryption to protect intellectual property and the personal information of their customers.
Symmetric and Asymmetric Encryption
There are two main encryption methods, symmetric and asymmetric, both of which are made up of encryption algorithms, and the use of prime numbers forms a fundamental aspect of popular encryption methods.
Note: You will often hear the term ‘keys’ used as part of the explanation of encryption. Keys in this sense means a random (but unique) string of bits that are generated by an algorithm to scramble and unscramble data. Generally, the longer the key, the harder it is to break the encryption code.
Symmetric encryption uses the same (identical) key for encrypting and decrypting data. With symmetric encryption, two or more parties have access to the same key. This means that although it is still secure, anyone who knows how to put the code in place can also reverse engineer it. Symmetric key encryption is generally used for encrypting large amounts of data efficiently e.g. 256-bit AES keys are symmetric keys.
Asymmetric encryption, on the other hand, uses a pair of keys, one for encrypting the data and the other for decrypting it. For the first key (used to encrypt data), ‘public key’ cryptography uses an algorithm to generate very complex keys, which is why asymmetric encryption is considered to be more secure than symmetric encryption (the code can’t be run backwards). With asymmetric encryption, the public key is shared with the servers to enable the message to be sent, but the private key (owned by the possessor of the public key) is kept secret. The message can only be decrypted, therefore, by a person with the private key that matches the public one. Different public-key systems can use different algorithms.
Public Key Encryption - HTTPS
Public key encryption is widely used and is useful for establishing secure communications over the Internet e.g. for TLS/SSL, which enables HTTPS. For example, A website's SSL/TLS certificate is shared publicly and contains the public key, but the private key is on the origin server i.e. it is “owned" by the website.
Different Methods of Encryption
There numerous common encryption algorithms and methods. These include:
RSA – Unveiled by three mathematicians back in 1977, RSA is a public-key encryption algorithm and a common standard for encrypting data sent over the internet.
Triple DES – designed to replace the original Data Encryption Standard (DES) algorithm and uses three individual keys with 56 bits each. Triple DES is being used less frequently now but is still used in financial services and other industries.
Blowfish – also designed to replace the original Data Encryption Standard (DES). This is a flexible and strong standard that is found in many different software categories e.g. e-commerce platforms (to protect passwords).
Twofish – One of the fastest, can be used in hardware and software environments, and (like Blowfish) is freely and often bundled in encryption programs.
AES – Advanced Encryption Standard (AES) is an incredibly strong encryption algorithm used by the U.S. Government, and likely to become the private sector standard in future.
In addition to Blowfish and Twofish, other free encryption tools include LastPass (a popular password manager), VeraCrypt (available for Windows, OS X and Linux OS), and FileVault2 (good for encrypting data on macOS devices and Mac hardware).
Windows 10 includes its own encryption tool ‘BitLocker’ which enables you to use encryption on your PC's hard drive and on removable drives.
End-to-end encryption is used to encode and scramble information so only the sender and receiver can see it. For example, WhatsApp uses end-to-end encryption and although the messages go through a server, none of those messages can be read by anyone other than the sender and receiver.
WhatsApp and its end-to-end encryption were criticised by Amber Rudd in 2017 (who was Home Secretary at the time) when it was revealed that the first London Bridge terror attackers used WhatsApp to plan the attack and to communicate. This led to government calls for ‘back doors’ to be built-in to WhatsApp and other end-to-end encrypted communications tools to allow government monitoring. These calls were resisted on the grounds that building back doors means that security is compromised, and cybercriminals could also exploit these back doors.
Although encryption provides effective security and privacy it is not always infallible. For example:
Back in May 2018, A German newspaper released details of a security vulnerability discovered by researchers at Munster University of Applied Sciences, in PGP (Pretty Good Privacy) data encryption. PGP is an encryption program that is used for signing, encrypting, and decrypting texts, e-mails, files, directories, and disk partitions, and to increase the security of e-mail communications.
Also, in October this year a report by a former Google employee on the ‘Freedom of the Press Foundation’ website warned organisations that any data stored on Google’s G Suite is not encrypted, can be accessed by administrators and can be shared with law enforcement on request.
One on threats to existing encryption that many tech commentators fear in the near future comes from quantum computers. For example, quantum computers can perform calculations much faster than classical computer and this could enable them to defeat the encryption that currently protects our data e.g. our online banking records and other personal documents on hard drives. With people having access to (commercial) quantum computers, this could become a real threat (e.g. access to Quantum Systems are now being offered via the cloud).
As well as the quantum threat, there is also some concern among tech and security commentators about the encryption and anonymisation technology that is being used to hide criminal activity e.g. on the dark web
In the immediate future, therefore, some companies are seeking to address the threat from quantum computers cracking existing encryption algorithms. Estimates of when there will be commercially available quantum computers range between 10 and 20 years, although state-sponsored use of quantum computers for wrongdoing could conceivably happen sooner.
The National Institute of Standards and Technology is already pushing researchers to look ahead to this “postquantum” era.
Recently, IBM researchers developed two quantum-proof cryptographic algorithms (Kyber and Dilithium) which now make up the “Cryptographic Suite for Algebraic Lattices” (CRYSTALS). These have enabled IBM to create the world’s first quantum computing-safe tape drive.
In the meantime, however, with cyber threats evolving at a fast pace, companies and organisations that don’t use encryption as one of their security tools are effectively making things too easy for cybercriminals to access their data, with potentially devastating consequences.