Cyber Smarts Series: Confidentiality and Encryption
The importance of confidentiality, integrity, and availability and cannot be underestimated. These three elements make up the information security triad and are crucial for every information security policy and process.
This week we will focus on confidentiality and by default, the need for encryption to ensure confidentiality. Merriam-Webster defines security as the state of being safe and confidentiality as the state of keeping or being kept secret or private. A steel safe with a strong, complex combination lock is a good place to keep an item of value both secure and confidential. One important caveat: the items are safe and private until a bad actor defeats the lock. Every lock can be defeated given enough time and energy.
Changing the combination periodically would increase the time and energy required to defeat the lock, especially if the bad actor does not know that the combination has been changed. You could also completely change the lock each time a stronger lock becomes available. There is another possibility; the lock only needs to protect the items while they have value – meaning that a lock used to protect a signed document that is valid for 30 days must only be strong enough to last 31 days.
That is the basic concept of encryption, the most common method used to secure electronic data until it no longer has value or until a stronger version is available. The weakness of encryption, like locks, is that it can eventually be defeated. Encryption uses a cipher (a method, usually an algorithm) to disguise the data. Ciphers have been used for thousands of years. In fact, one of the most common ciphers ever used was devised by Julius Caesar, known as the Caesar Cipher. The method is a simple shift of the letters of the alphabet a few places and then a substitution of the shifted letters in the message.
The phrase “this is a secret” becomes “wklv lv d vhfuhw”. To make the cipher stronger, you could encode the cipher text “wklv lv d vhfuhw” with Morse code, resulting in “.– -.- .-.. …- / .-.. …- / -.. / …- …. ..-. ..- …. .— ”.
Today’s ciphers are complex, mathematical algorithms that use one or more long, complex alpha-numeric special character passwords called keys. Keys resemble gibberish. Increase the complexity of the algorithm or the number of characters in the key and it will take longer to defeat. It is estimated that it would take a standard computer 300 trillion years to break current encryption!
Without a method that ensures that the keys that encryption algorithms use remain secret during the initial transmit and connection, most internet tractions that we take for granted today would not take place. Of course, this problem was solved. The solution enables computers previously unknown to each other to communicate securely, countless times every day, once the computers have exchanged encrypted keys and established an encrypted connection. The exchange occurs through an ingenious method that uses more “locks and keys” to protect the keys that need to be exchanged. It is enabled through an algorithm known as Diffie-Hellman and uses two complex, long sequences of characters – with each side of the transmission having only one of the two keys.
An Analogy of Encryption
Enter three monkeys. Abu, Rafiki, and, Curious George. Abu and Rafiki represent two computers and Curious George represents the bad actor. A perfectly ripe and delicious banana represents the key, and Curious George’s friend, the Man in the Yellow Hat, is the courier, representing the internet.
Abu wants the Man in the Yellow Hat to bring Rafiki the banana. He knows that Curious George is going to try to figure out a way to eat the banana in transit. So, Abu puts the banana in a box and puts a lock on the latch. The Man in the Yellow Hat takes the box and brings it to Rafiki. Curious George is curious but cannot open the box. Rafiki can’t either, but there is room on the latch for a second lock. Rafiki puts a lock that only he has the key to on the box and has the Man in the Yellow Hat take the box back to Abu. Abu takes his lock off the box and has the Man in the Yellow Hat bring the box back to Rafiki. Rafiki has the key to unlock the remaining lock, and safely removes the banana.
The Sequence of Encryption
Now it may have crossed your mind that the two locks in the analogy are encryption of data that has already been encrypted and that the decryptions are occurring out of sequence. That is the true brilliance of the algorithms, that it does not matter what order the encryption or decryption occurs.
Let’s go back to the Caesar Cipher and Morse Code example from above. If you know the offset and apply it only once, it doesn’t make a difference in what order the encoding or decoding is done in. The letters in the phrase can be offset first, then converted to Morse Code. You can also convert the letters to offset dots and dashes in Morse Code that correspond to each letter. The result is the same, and it works in reverse as well.