The Genious of Encryption
As an information security professional, consultant, and auditor, I constantly read, write, and profess the importance of confidentiality, integrity, and availability. These three elements make up the information security triad, CIA, and appear in every information security policy, process, and briefing. I take the CIA and the understanding of it for granted. After all, everyone can appreciate the gravity of each of the three terms, right?
Well, it turns out everyone does not completely understand the vernacular from a security perspective, and at times accepts the words at face value. Merriam-Webster defines security as the state of being safe and confidentiality as the state of keeping or being kept secret or private. A steel safe with a strong, complex combination lock is a good place to keep an item of value both secure and confidential. One important caveat: the items are safe and private until a bad actor defeats the lock. Every lock can be defeated given enough time and energy.
Changing the combination periodically would increase the time and energy required to defeat the lock, especially if the bad actor does not know that the combination has been changed. You could also completely change the lock each time a stronger lock becomes available. There is another possibility; the lock only needs to protect the items while they have value – meaning that a lock used to protect a signed document that is valid for 30 days must only be strong enough to last 31 days.
That is the basic concept of encryption, the most common method used to secure electronic data until it no longer has value or until a stronger version is available. The weakness of encryption, like locks, is that it can eventually be defeated. Encryption uses a cipher (a method, usually an algorithm) to disguise the data. Ciphers have been used for thousands of years. In fact, one of the most common ciphers ever used was devised by Julius Caesar, known as the Caesar Cipher. The method is simple - shift the letters of the alphabet a few places and substitute the shifted letters in the message. If you shift the letters 3 places, the conversion from plain to cipher text would be:
The phrase “this is a secret” becomes “wklv lv d vhfuhw”. To make the cipher stronger, you could encode the cipher text “wklv lv d vhfuhw” with Morse code, resulting in “.-- -.- .-.. ...- / .-.. ...- / -.. / ...- .... ..-. ..- .... .— ”.
Today’s ciphers are complex, mathematical algorithms that use one or more long, complex alpha-numeric special character passwords called keys. Keys resemble gibberish. Increase the complexity of the algorithm or the number of characters in the key and it will take longer to defeat. It is estimated that it would take a standard computer 300 trillion years to break current encryption! There are a couple of catches. First, the capability of a “standard computer” continually increases. Algorithms have been able to stay ahead of computing power thus far. The second problem is a bit more complicated. When data is being transmitted from one computer to another, the intended recipient, often previously unknown to the sender, must have the key to decrypt the data. If the key is transmitted unencrypted, it could end up in the hands of a bad actor through a “man in the middle” attack, enabling the bad actor to defeat the encryption.
Without a method that ensures that the keys that encryption algorithms use remain secret during the initial transmit and connection, most internet tractions that we take for granted today would not take place. Of course this problem was solved. The solution enables computers previously unknown to each other to communicate securely, countless times every day, once the computers have exchanged encrypted keys and established an encrypted connection. The exchange occurs through an ingenious method that uses more “locks and keys” to protect the keys that need to be exchanged. It is enabled through an algorithm known as Diffie-Hellman and uses two complex, long sequences of characters – with each side of the transmission having only one of the two keys.
An analogy to explain how the exchange occurs is far easier to understand than the math, and a bit more fun!
Enter three monkeys. Abu (Aladdin’s best friend), Rafiki (from the Lion King) and a personal favorite, Curious George. Abu and Rafiki represent two computers and Curious George represents the bad actor, or I guess we could say the curious “monkey in the middle.” A perfectly ripe and delicious banana represents the key, and Curious George’s friend, the Man in the Yellow Hat, is the courier, representing the internet.
Abu wants the Man in the Yellow Hat to bring Rafiki the banana. He knows that Curious George is going to try to figure out a way to eat the banana in transit. So, Abu puts the banana in a box and puts a lock on the latch. The Man in the Yellow Hat takes the box and brings it to Rafiki. Curious George is curious but cannot open the box. Rafiki can’t either, but there is room on the latch for a second lock. Rafiki puts a lock that only he has the key to on the box and has the Man in the Yellow Hat take the box back to Abu. Abu takes his lock off the box and has the Man in the Yellow Hat bring the box back to Rafiki. Rafiki has the key to unlock the remaining lock, and safely removes the banana. Curious George may have been curious, but he could not figure out what was in the box or how to open it.
Now it may have crossed your mind that the two locks in the analogy are an encryption of data that has already been encrypted, and that the decryptions are occurring out of sequence. That is the true brilliance of the algorithms, that it does not matter what order the encryption or decryption occurs. Let’s go back to the Caesar Cypher and Morse Code example. If you know the offset and apply it only once, it doesn’t make a difference what order the encoding or decoding is done in. The letters in the phrase can be offset first, then converted to Morse Code. You can also convert the letters to offset dots and dashes in Morse Code that correspond to each letter. The result is the same, and it works in reverse as well! If you would like to try it, use the Morse Code table below.
I will conclude with some irony in the history of the Diffie-Hellman algorithm, first published in 1976 by United States cryptographers. Many believe the method and algorithm were first developed in 1969 by three British mathematicians. Since the algorithm was not named for the British, the algorithm itself may not have been a very well-kept secret!