Nigel Thorpe of SecureAge explores the evolution of data encryption and asks if today’s Public Key Infrastructure encryption techniques have cracked it.
Data encryption goes back millennia. Ancient civilisations all used forms of message concealment, in peace and war. The Egyptians used Disordered Hieroglyphics, where each picture is replaced by a different picture. The Greeks used Steganography, where secret messages are hidden in ordinary non-secret messages. The Spartans used scytales, where a strip of parchment is wound around a cylinder, a message is written on it and the parchment is then unrolled. And the Romans used the Caesar Shift cipher, where each letter in a message is replaced by a letter a fixed number of characters down the alphabet.
While these basic methods laid the foundations for modern cryptography, what has evolved are two fundamental approaches based on complicated mathematics: ‘symmetric’ and ‘asymmetric’ cryptography.
The Caesar Cipher is an example of symmetric cryptography. It is designed to ensure that the plain text of a message is replaced by ciphertext that appears to be gibberish. The sender of the message uses an algorithm and a ‘key’ to encrypt the message and the recipient then reverses the process, using the same algorithm and key.
A simple algorithm could be shifting the alphabet by a specific number of places, so a key of 3 means that the letter A would be replaced with D, and so on. The person receiving the message uses the same key to reverse the shift.
The issue with symmetric cryptography
It sounds simple and in general it is. All modern forms of symmetric cryptography are based on this principle. However, there are problems with its security because the person encrypting the message must be able to deliver the key to the recipient safely. If anyone else gets hold of it and they also know the algorithm, they can decrypt the message and so can just about anyone else who has that information.
Public vs private keys
To overcome the problems of symmetric cryptography, researchers came up with asymmetric, or ‘public key’ cryptography, using some very complicated mathematics to create two tightly connected keys per person. One key is a public key and the other is a private key. For example, if Bob encrypts a message using Alice’s public key, she can decrypt it using her own private key, hence the asymmetry of the process. Alice can give everyone her public key, knowing that only she can decrypt messages for her because she can keep her private key secret.
To encrypt some data so that only the intended person can read it, we need a reliable and secure way of finding their public key. If a malicious individual, let’s call her Villanelle, manages to send her public key to Bob while pretending it is Alice’s public key, then Villanelle will be able to decrypt Bob’s messages to Alice. Villanelle can also then re-encrypt the message using Alice’s real public key and send it on, so no-one notices the interception and the breach goes undiscovered. On top of this, public key cryptography, by its nature, is significantly slower than symmetric.
This is where PKI - Public Key Infrastructure - comes in. This addresses both the problems of identity and of performance. Identity is at the core of PKI - and being able to identify an individual is all about trust.
PKI uses the same principle as having a regular nationality passport but instead employs digital certificates, which are ‘signed’ not by a government as is the case with passports, but by a Certificate Authority (CA). Everyone who needs to share or exchange encrypted data between themselves needs to trust the CA involved.
So now, Alice, Bob and Villanelle all have certificates which contain their public keys, and which are signed by a trusted CA that is common to them. The signature consists of the encryption process as above, but in reverse. The CA has its own public and private keys and this time, it uses its private key to encrypt (or sign) everyone else’s public keys. The resulting signatures are contained in a digital certificate. Bob can now retrieve Alice’s public key by obtaining her digital certificate from a certified directory, secure in the knowledge that this is Alice’s true identity.
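The check Bob performs before trusting a key, as an added Go example that is not part of the original article. The certificate here is a deliberately minimal stand-in for X.509 (a name, a public key and an Ed25519 CA signature), and `Cert`, `Issue`, `KeyFor` and `NewKeyPair` are illustrative names.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

type Cert struct { // minimal stand-in for X.509
	Name string
	Key  ed25519.PublicKey
	Sig  []byte // CA's signature over name and key
}

// signedBytes is what the CA signs; the length prefix keeps name and key unambiguous.
func signedBytes(name string, key ed25519.PublicKey) []byte {
	return append([]byte(fmt.Sprintf("%d:%s", len(name), name)), key...)
}

func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Issue is the CA's step: sign the binding of name to key with the CA's private key.
func Issue(caPriv ed25519.PrivateKey, name string, key ed25519.PublicKey) Cert {
	return Cert{name, key, ed25519.Sign(caPriv, signedBytes(name, key))}
}

// KeyFor is Bob's step: accept the key only if the trusted CA signed it for the name he wants.
func KeyFor(want string, c Cert, caPub ed25519.PublicKey) (ed25519.PublicKey, error) {
	if !ed25519.Verify(caPub, signedBytes(c.Name, c.Key), c.Sig) {
		return nil, fmt.Errorf("certificate for %q is not signed by the trusted CA", c.Name)
	}
	if c.Name != want {
		return nil, fmt.Errorf("certificate is for %q, not %q", c.Name, want)
	}
	return c.Key, nil
}

func main() {
	caPub, caPriv := NewKeyPair()
	villPub, villPriv := NewKeyPair()
	_, errCA := KeyFor("Alice", Issue(caPriv, "Villanelle", villPub), caPub)
	_, errSelf := KeyFor("Alice", Issue(villPriv, "Alice", villPub), caPub)
	fmt.Println(errCA, "|", errSelf)
}
```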
Speeding things up
To resolve the speed issue, there is a combined approach. Rather than using public key encryption for data, symmetric cryptography is used, with each file encrypted using a very large symmetric key. The process is fast, employing hardware instructions that are incorporated into modern CPUs.
If Alice wants to encrypt a file called CustomerDetails.xls, for example, so both she and Bob can decrypt and work on it, she generates a random symmetric key and the CustomerDetails file is encrypted using this key. Alice retrieves both her and Bob’s certificates and through them, both their public keys. She then encrypts the symmetric key using both her and Bob’s public keys.
Alice now has a file that is useless for anyone other than herself and Bob. To decrypt it, Bob or Alice use their private keys to decrypt the symmetric key and then use the symmetric key to decrypt the customer details file.
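The steps Alice and Bob follow above, as an added Go example rather than SecureAge's implementation. AES-256-GCM for the file and RSA-OAEP for wrapping the file key are assumed choices, and `Seal`, `Open`, `Recipients` and `NewKey` are illustrative names.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

type Recipients map[string]*rsa.PublicKey // name -> public key from that person's certificate

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func NewKey() *rsa.PrivateKey { return must(rsa.GenerateKey(rand.Reader, 2048)) }
func gcmFor(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }

// Seal encrypts data once under a random AES-256 key and wraps that key for each recipient.
func Seal(data []byte, to Recipients) ([]byte, map[string][]byte) {
	buf := make([]byte, 32+12) // random 32-byte file key followed by a 12-byte GCM nonce
	must(rand.Read(buf))
	wrapped := map[string][]byte{}
	for name, pub := range to {
		wrapped[name] = must(rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, buf[:32], nil))
	}
	return gcmFor(buf[:32]).Seal(buf[32:], buf[32:], data, nil), wrapped // nonce||ciphertext
}

// Open unwraps the file key with one recipient's private key, then decrypts the file.
func Open(blob, wrappedKey []byte, priv *rsa.PrivateKey) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrappedKey, nil)
	if err != nil || len(key) != 32 || len(blob) < 12 {
		return nil, rsa.ErrDecryption // deliberately vague: no hint about which step failed
	}
	return gcmFor(key).Open(nil, blob[:12], blob[12:], nil)
}

func main() {
	alice, bob, villanelle := NewKey(), NewKey(), NewKey()
	blob, wrapped := Seal([]byte("constructed customer record"), Recipients{"alice": &alice.PublicKey, "bob": &bob.PublicKey})
	plain, _ := Open(blob, wrapped["bob"], bob)
	_, err := Open(blob, wrapped["bob"], villanelle)
	fmt.Printf("bob reads %q; villanelle gets: %v\n", plain, err)
}
```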
Carry on encrypting
You could be forgiven for thinking that, with all this evolution and the plethora of encryption products on the market, we had it cracked. But it’s not as simple as that.
To deliver comprehensive data protection, firstly we have to recognise that even the most innocuous-looking information could help the ‘bad guys’ to build a set of personal profiles that can be used for fraud. Therefore, all information must be encrypted all of the time, and in all locations. Data must be protected at rest, in motion and in use.
And particularly with the exponential growth in remote working forced on us by COVID-19, we need to be sure that information is useless if it falls into the wrong hands – whether by accident, through insider theft or by malware attack.
But ubiquitous encryption needs to be fast and completely invisible to the user – removing the human element entirely. The only way to do this is through transparent encryption operating at the file system level. This way there is no disruption to the way people and applications work. If you want to edit a spreadsheet - you just open it as usual.
All the process of finding keys, decrypting and encrypting has to happen behind the scenes. This approach means that there are no user decisions to make – the data will always be strongly protected, and users don’t have to decide what to encrypt and what not to.
The Romans, Greeks and Egyptians showed us the way, and had we thought more about protecting the data and less about simply trying to prevent access to it with firewalls, user controls and other ‘castle and moat’ techniques, modern information security may have taken a different route.
But the fact is that we now have the knowledge, the technology and the processing power to deliver on the promise of using encryption to protect all of the data all of the time.
Nigel Thorpe is technical director at SecureAge. For more information, visit www.secureage.com.