23 July 2020
Nigel Thorpe from SecureAge explores its evolution and asks if today’s PKI encryption techniques have cracked it.
Data encryption goes back to ancient civilisations that used forms of message concealments, in peace as well as wars. The Egyptians used Disordered Hieroglyphics, the Greeks Steganography, the Spartans Scytale and the Romans, the Caesar Shift Cypher.
While these basic methods laid the foundations for modern cryptography, what has evolved are two fundamental approaches based on complex mathematics: ‘symmetric’ and ‘asymmetric’ cryptography.
Simple symmetrics
The Caesar Cipher is an example of symmetric cryptography, designed to ensure that plain text is replaced by ciphertext, appearing to be gibberish. The message sender uses an algorithm and ‘key’ to encrypt it and the recipient reverses the processes, using the same algorithm and key.
A simple algorithm could be shifting the alphabet by a specific number of places: a key of 3 means letter A would be replaced with D, and so on. All modern forms of symmetric cryptography are based on this principle. However, there are security problems because the person encrypting the message must be able to deliver the key to the recipient safely. If anyone else acquires it and knows the algorithm, they can decrypt the message along with anyone else who has that information.
Public vs private
To overcome this, researchers came up with asymmetric, or ‘public key’ cryptography, using complicated mathematics to create two tightly connected keys per person. One is public and the other is private. If Bob encrypts a message using Alice’s public key, she can decrypt it using her private key, hence the asymmetry. Alice can give everyone her public key, because only she can decrypt messages for herself because she keeps her private key secret.
To encrypt data so that only the intended person can read it, we need a reliable and secure way of finding their public key. If a malicious individual, Villanelle, manages to send her public key to Bob while pretending it’s Alice’s public key, then Villanelle can decrypt Bob’s message to Alice. Villanelle can also re-encrypt the message using Alice’s real public key and send it on so nobody notices the interception. Public key cryptography is also significantly slower than symmetric.
This is where PKI - Public Key Infrastructure - comes in, which addresses both the problems of identity and of performance. Identity is at the core of PKI - and being able to identify an individual is all about trust. PKI uses the same principle as having a passport but instead employs digital certificates, ‘signed’ by a Certificate Authority (CA). Everyone needing to share or exchange encrypted data needs to trust the CA.
So, Alice, Bob and Villanelle all have certificates containing their public keys signed by their common CA. The signature uses the encryption process above, but in reverse. The CA has its own public and private keys and uses its private key to encrypt (or sign) everyone else’s public keys. The resulting signatures are contained in digital certificates. Bob can retrieve Alice’s public key by obtaining her digital certificate from a certified directory, secure in the knowledge that this is Alice’s true identity.
To resolve the speed issue, there is a combined approach. Firstly, each file is encrypted using a very large symmetric key. The process is fast, employing hardware instructions that are incorporated into modern CPUs.
If Alice wants to encrypt a file called Customerdetails.xls, for example, so both she and Bob can decrypt and work on it, she generates a random symmetric key and the Customer Details file is encrypted using it. Alice retrieves her and Bob’s certificates and through them, both their public keys. She encrypts the symmetric key using her and Bob’s public keys.
Alice now has a file that is useless for anyone other than herself and Bob. They use their private keys to decrypt the symmetric key and then use the symmetric key to decrypt the Customer Details file.
Carry on encrypting
You could believe with evolution and plethora of encryption products available, we have it cracked. But it’s not as simple as that.
For comprehensive data protection, we must recognise the most innocuous-looking information could help ‘bad guys’ build personal profiles for fraud. All information must be encrypted all the time, in all locations: at rest, in motion and in use.
The exponential growth in remote working enforced by COVID-19 means we must be particularly sure that information is useless if in the wrong hands, whether by accident, insider theft or malware attack.
Ubiquitous encryption needs to be fast and invisible to the user, removing the human element entirely. The only way to do this is through transparent, authenticated encryption operating at file system level. There is no disruption to the way people and applications work. If you want to edit a spreadsheet, it’s opened normally. Finding keys, decrypting and encrypting happens behind the scenes, removing user decisions and ensuring that data is always strongly protected.
Ancient history showed us the way and had we thought more about protecting data and less about preventing access to it with firewalls, user controls and other ‘castle and moat’ techniques, modern information security may have been very different. We now have the knowledge, technology and processing power to deliver encryption to protect all the data all of the time.
By Nigel Thorpe, technical director,SecureAge
