Skip to main content

Cryptography - As Strong As Your Weakest Link

Cryptography is as old as communication itself in many respects, with people (and even animals) developing mechanisms to shield messages from those who are not trusted.  One of the most common that has passed the test of time is that of the Caesar Cipher.  The Caesar Cipher is a basic substitution approach, changing each alphabet letter with a new letter, n positions away.  So if your movement was by 3, A would become D, B would become E and so on.  Pretty simple to use, but obviously simple to reverse too.

Modern day cryptography is generally broken into two areas - symmetric and asymmetric.  Symmetric uses the same key to both encrypt the plain text and decrypt.  Again, this is nice and simple to implement, but no matter complex the key could be, if the key is stolen, the message can be easily decrypted back in to the original plain text.

Over time, asymmetric encryption has become popular, mainly through the implementation of public key infrastructures.  PKI requires two keys, one public that is generally used to encrypt messages, and a second private key that is used to decrypt.  The private key, as the name suggests, is kept secret generally password protected and local to the de-cryptor.  Public keys are made available to whoever wants to encrypt a message to the recipient.

A common mistake, is to use the term encryption and hashing interchangeably.  Hashing is a one way function that takes a variable sized piece of plain text data and creates a fixed size block of data that is unreadable to the human eye.  The complexity of the hashing function should be so, that no two pieces of plain text create the same hash digest.  This is known as collision avoidance.  It is impossible to retrieve the plain text from a complex hashing function (or so should be the case), hence hashing is often used for password storage.  To check confirm password equality, an entered password is passed through the hash function and compared to the original hash, as opposed to decrypting the encrypted value and comparing in plain text.  Encryption can be reversed, hashing in theory is irreversible.

Whilst there are attempts at breaking both PKI and hashing infrastructures (rainbow tables are often seen as the most plausible way of breaking a non-salted hash), encryption infrastructures are often only as strong as the weakest link.

There are several other factors involved in a complex encryption or hashing infrastructure than just the strength of the algorithms and functions being used.

Human factors play a large role in this infrastructure too.  How are keys being stored?  What happens to decrypted data once it has been read or used?  Are any keys or unencrypted data stored in temporary files anywhere?

If SSL access is being applied to a secure website, that level of security can become undermined if the underlying database is not secured or is accessible via Telnet or FTP for example.

Whilst the encryption of sensitive data, both at rest and in transit, is a key part in information security, the people, process and technology points of such an infrastructure, mustn't be ignored or deemed to be less significant.

You are only as strong as the weakest link, which was perfectly exemplified by the breaking of the Enigma code machine during World War II, when a huge break through occurred simply due to German operator error.

Don't let that operator exist in your organisation.

(Simon Moffatt)

Popular posts from this blog

The Role of Identity Management in the GDPR

Unless you have been living in a darkened room for a long time, you will know the countdown for the EU's General Data Protection Regulation is dramatically coming to a head.  May 2018 is when the regulation really takes hold, and organisations are fast in the act on putting plans, processes and personnel in place, in order to comply.

Whilst many organisations are looking at employing a Data Privacy Officer (DPO), reading through all the legalese and developing data analytics and tagging processes, many need to embrace and understand the requirements with how their consumer identity and access management platform can and should be used in this new regulatory setting.

My intention in this blog, isn't to list every single article and what they mean - there are plenty of other sites that can help with that.  I want to really highlight, some of the more identity related components of the GDPR and what needs to be done.

Personal Data On the the personal data front, more and more org…

Top 5 Security Predictions for 2016

It's that time of year again, when the retrospective and predictive blogs come out of the closet, just before the Christmas festivities begin.  This time last year, the 2015 predictions were an interesting selection of both consumer and enterprise challenges, with a focus on:

Customer Identity ManagementThe start of IoT security awarenessReduced Passwords on MobileConsumer PrivacyCloud Single Sign On
In retrospect, a pretty accurate and ongoing list.  Consumer related identity (cIAM) is hot on most organisation's lips, and whilst the password hasn't died (and probably never will) there are more people using things like swipe login and finger print authentication than ever before.

But what will 2016 bring?

Mobile Payments to be Default for Consumers

2015 has seen the rise in things like Apple Pay and Samsung Pay hitting the consumer high street with venom.  Many retail outlets now provide the ability to "tap and pay" using a mobile device, with many banks also offer…

Customer Data: Convenience versus Security

Organisations in both the public and private sector are initiating programmes of work to convert previously physical or offline services, into more digital, on line and automated offerings.  This could include things like automated car tax purchase, through to insurance policy management and electricity meter reading submission and reporting.

Digitization versus Security

This move towards a more on line user experience, brings together several differing forces.  Firstly the driver for end user convenience and service improvement, against the requirements of data security and privacy.  Which should win?  There clearly needs to be a balance of security against service improvement.  Excessive and prohibitive security controls would result in a complex and often poor user experience, ultimately resulting in fewer users.  On the other hand, poorly defined security architectures, lead to data loss, with the impact for personal exposure and brand damage.