Skip to main content

Cryptography - As Strong As Your Weakest Link

Cryptography is as old as communication itself in many respects, with people (and even animals) developing mechanisms to shield messages from those who are not trusted.  One of the most common that has passed the test of time is that of the Caesar Cipher.  The Caesar Cipher is a basic substitution approach, changing each alphabet letter with a new letter, n positions away.  So if your movement was by 3, A would become D, B would become E and so on.  Pretty simple to use, but obviously simple to reverse too.

Modern day cryptography is generally broken into two areas - symmetric and asymmetric.  Symmetric uses the same key to both encrypt the plain text and decrypt.  Again, this is nice and simple to implement, but no matter complex the key could be, if the key is stolen, the message can be easily decrypted back in to the original plain text.

Over time, asymmetric encryption has become popular, mainly through the implementation of public key infrastructures.  PKI requires two keys, one public that is generally used to encrypt messages, and a second private key that is used to decrypt.  The private key, as the name suggests, is kept secret generally password protected and local to the de-cryptor.  Public keys are made available to whoever wants to encrypt a message to the recipient.

A common mistake, is to use the term encryption and hashing interchangeably.  Hashing is a one way function that takes a variable sized piece of plain text data and creates a fixed size block of data that is unreadable to the human eye.  The complexity of the hashing function should be so, that no two pieces of plain text create the same hash digest.  This is known as collision avoidance.  It is impossible to retrieve the plain text from a complex hashing function (or so should be the case), hence hashing is often used for password storage.  To check confirm password equality, an entered password is passed through the hash function and compared to the original hash, as opposed to decrypting the encrypted value and comparing in plain text.  Encryption can be reversed, hashing in theory is irreversible.

Whilst there are attempts at breaking both PKI and hashing infrastructures (rainbow tables are often seen as the most plausible way of breaking a non-salted hash), encryption infrastructures are often only as strong as the weakest link.

There are several other factors involved in a complex encryption or hashing infrastructure than just the strength of the algorithms and functions being used.

Human factors play a large role in this infrastructure too.  How are keys being stored?  What happens to decrypted data once it has been read or used?  Are any keys or unencrypted data stored in temporary files anywhere?

If SSL access is being applied to a secure website, that level of security can become undermined if the underlying database is not secured or is accessible via Telnet or FTP for example.

Whilst the encryption of sensitive data, both at rest and in transit, is a key part in information security, the people, process and technology points of such an infrastructure, mustn't be ignored or deemed to be less significant.

You are only as strong as the weakest link, which was perfectly exemplified by the breaking of the Enigma code machine during World War II, when a huge break through occurred simply due to German operator error.

Don't let that operator exist in your organisation.

(Simon Moffatt)

Popular posts from this blog

Customer Data: Convenience versus Security

Organisations in both the public and private sector are initiating programmes of work to convert previously physical or offline services, into more digital, on line and automated offerings.  This could include things like automated car tax purchase, through to insurance policy management and electricity meter reading submission and reporting.

Digitization versus Security

This move towards a more on line user experience, brings together several differing forces.  Firstly the driver for end user convenience and service improvement, against the requirements of data security and privacy.  Which should win?  There clearly needs to be a balance of security against service improvement.  Excessive and prohibitive security controls would result in a complex and often poor user experience, ultimately resulting in fewer users.  On the other hand, poorly defined security architectures, lead to data loss, with the impact for personal exposure and brand damage.

Top 5 Security Predictions for 2016

It's that time of year again, when the retrospective and predictive blogs come out of the closet, just before the Christmas festivities begin.  This time last year, the 2015 predictions were an interesting selection of both consumer and enterprise challenges, with a focus on:


Customer Identity ManagementThe start of IoT security awarenessReduced Passwords on MobileConsumer PrivacyCloud Single Sign On
In retrospect, a pretty accurate and ongoing list.  Consumer related identity (cIAM) is hot on most organisation's lips, and whilst the password hasn't died (and probably never will) there are more people using things like swipe login and finger print authentication than ever before.

But what will 2016 bring?


Mobile Payments to be Default for Consumers

2015 has seen the rise in things like Apple Pay and Samsung Pay hitting the consumer high street with venom.  Many retail outlets now provide the ability to "tap and pay" using a mobile device, with many banks also offer…

Online-ification: The Role of Identity

The Wikipedia entry for Digital Transformation, "refers to the changes associated with the application of digital technology in all aspects of human society".  That is a pretty broad statement.

An increased digital presence however, is being felt across all lines of both public and private sector initiatives, reaching everything from being able to pay your car tax on line, through to being able to order a taxi based on your current location.  This increased focus on the 'online-ification' of services and content, drives a need for a loosely coupled and strong view of an individual or thing based digital identity.