Cryptography is, by design, complex and difficult to understand. Cryptography is present in every corner of the internet – or rather, it should be. Especially as the total value of the internet is anticipated to grow from $3.5 trillion last year to $5.8 trillion in 2020, according to the GSMA.
Google Brain has recently developed two artificial intelligences that evolved their own cryptographic algorithm to protect their messages from a third AI. While the study was successful, research continues to investigate how the developed algorithm actually works.
As cryptography becomes increasingly complicated and perhaps gradually more unintelligible for humans (especially as we hand it over to AI), understanding the precepts of security and cryptography is essential to all businesses, especially those that provide internet services or store customer data in internet-based systems.
Businesses in this position need to comprehend these principles to protect their assets as it’s unarguably critical in conducting business online in this modern age. However some of the principles underlying the complexity can be fairly accessible, so let’s start there.
Symmetric and Asymmetric
Symmetric Key Cryptography is very classical in its approach. A single key is used to both encrypt and decrypt a given message. A schoolyard example of this is the Caesar Shift Cipher. In this cipher, the key is a single number between one and 25 - this key represents the number of positions the letter is slipped in the alphabet to perform the encryption and decryption of a plaintext message. This means that if the key were three, you'd translate 'A' in your plaintext to 'D' in an encrypted message. Equally, 'B' would become 'E' and 'C' would become 'F', etc.
Once a message is delivered, to decrypt a message the reader would perform the same alphabet slip, but inversely. For every 'D' found in the encrypted version, it would replace with an 'A', etc. until the message is revealed. This is an example of a substitution cipher, and even in modern symmetric encryption algorithms (such as Data Encryption Standard (DES) and Advanced Encryption Standard (AES)), substitution steps are still performed to scramble the message into a strongly encrypted message.
There are more symmetric key algorithms out there than I could comfortably hold count, and even more permutations when you consider modes of encryption - what do you do if your plaintext is not exactly a multiple of the key length? How can you parallelize the encryption task?
Suffice to say there are some industry-approved symmetric ciphers for particular tasks and for particularly risky appetites. I’ve seen banks continuing to rely on 3DES and even 2DES for certain protocols, even though the use of 3DES is somewhat frowned upon.
Really, these days, not using AES-128 or AES-256 for bulk data encryption should be flagged as a risk. AES represents a very strong and universally accepted encryption technique which is also very quick to encrypt/decrypt depending on its mode of operation. This is a moving goalpost though, and businesses should engage periodically with the security industry to ensure they stay ahead of this game.
Asymmetric cryptography is quite easy to understand conceptually, but in practice is quite difficult to explain without diving into a mathematics degree. Essentially there are two keys: one is the private key which only the creator has access to; while the other is the public key which is available to everyone. The mathematical relationship between these two keys is such that with the public key, anyone can encrypt a message such that only the owner of the private key can decrypt.
One of the first practical and wide-spread algorithms to make use of asymmetric cryptographic principles was RSA. RSA makes use of the inherent difficulty in factoring the product of two prime numbers to secure messages. Research continues to speed up this factorization to break the RSA algorithm, but it remains secure making it a good choice for businesses to use with large enough key sizes. In fact, most HTTPS enabled websites today use RSA keys.
There are also other things you can do with RSA keys, such as signing and verifying documents. Together with its encryption capability, it’s easy to see how this versatile algorithm can be bent to not only enhance the security of an application, but can also be misconfigured to create an illusion of security. All too often I’ve seen key architectures built where public keys are held secretly, for instance. Cryptography is often made very accessible by clever packaging or GUI interfaces, but it’s always worth getting a specialist involved to verify that the underlying cryptographic primitives are well suited to your application, rather than assuming that they are.
In practice, symmetric and asymmetric cryptographic techniques are used in combination to secure messages as they fly across the public internet. Symmetric ciphers suffer in the key management and distribution front, and asymmetric ciphers suffer as they cannot securely encrypt data longer than their key length. Symmetric ciphers are used to bulk encrypt data (webpages, images, documents, audio, video, etc.) and Asymmetric ciphers are to then used to encrypt that Symmetric key and protect it in transit.
Elliptic Curve Cryptography
A relative newcomer to the asymmetric party is Elliptic Curve Cryptography (ECC). ECC makes use of unusual properties in a two-dimensional curve to encrypt and decrypt.
ECC has two major advantages over RSA: ECC keys are significantly shorter and provide stronger security; and ECC is very easy to perform quickly on low powered devices. The features of ECC also make it a perfect candidate for the Internet of Things (IoT) and Blockchain technologies. Many progressive websites are using ECC for HTTPS sites too, which is providing better security for users.
While the security industry still approves the use of RSA with key sizes of 2048 or more, there is a big push right now to move towards the use of ECC. It’s a goalpost we all know will soon move, so if you are deploying a new system, and it’s capable of supporting the use of ECC, (generally) do so! For example, Google and Facebook are already using ECC for their HTTPS protection.
With ECC, there are some decisions to be made as not all curves are equal! The American National Institute of Standards and Technology (NIST) have developed and published some, however concern over NSA influence of the parameters of those curves has raised the suspicions of some cryptographers as to whether “backdoors” have been introduced for those curves NIST approves.
There are some other curves though which have been independently researched and published which while not NIST approved, are preferred for use by those sceptics amongst the security industry.
There are lots of complex and baffling techniques being used to build the security we all rely on to conduct our business over an inherently insecure medium. For instance, research continues to be conducted into quantum cryptography whereby the quantum effect can be used to securely transmit keys or data.
Of course, encryption is essential in at least some respect for every business. However the breadth of complexity and variety of use cases within one business can make the selection process difficult.
An important step before such investigations however is to develop an understanding – whether through their own learning or through consulting a partner - of what is involved with each application of cryptography, and therefore the differences and suitable uses for the individual technologies on offer. This allows prudent decisions to be made, and for a businesses and its customers to be protected appropriately.