Encryption

From New Media Business Blog


Encryption is the foundation of trust on the internet. You use it in your day to day life without noticing, and nearly every company in the world relies on it for the protection of their information.

At its most simple, encryption is the process of encoding a message. If Alice wants to send a message to Bob[1], yet does not want Eve (who is listening in on their conversation) to understand that message, she should encode that message in a format that is readable to Bob, but not readable to Eve. This can be done even if Eve listens to their conversation from start to finish.


What is encryption?

Encryption, and cryptography in general, have a very long history in mathematics. Secure communications have always been important in human society; however, the method of encoding those conversations has changed drastically over time. During World War I and World War II, encryption was of particular importance, as messages carried by pigeons, telegraph, or radio signals could easily be intercepted.

What it's not

One of the common misconceptions people have about encryption is that it is related to hacking. In fact, they are almost completely separate. The vast majority of hacks that hit the news have nothing to do with broken encryption, only with poor security practices. It is very hard to get security right. It isn't just companies like Chrysler[2] that get it wrong; even organizations specifically focused on encryption have security failures[3]. This report won't spend much time discussing hacking, only what can be done with information that is released.

This report will also not spend much time discussing alternative authentication methods like two factor authentication[4] or biometrics[5]. Two factor authentication does often use encryption, but it depends on the way it is implemented[6]. Although biometrics are a convenient form of authentication, they cannot be encrypted in the same way normal passwords can.

What it is

The Zodiac Killer was a serial murderer that left many encrypted messages. Some remain unsolved[7].
Kryptos is an art piece located at the CIA headquarters. There are four encrypted messages on the sculpture, only three of which have been solved[8].

Encryption is a very broad term that is inclusive of any type of message encoding. This includes ciphers, languages, and almost any other type of communication. Every communication has to be encoded in some way. For this report we will be focusing on modern implementations of hashing algorithms, and how they can be used with modern technology. As exciting as the Zodiac Killer ciphers and Kryptos are, we would like to leave the cracking of those ciphers to others.

The type of encryption we will be focusing on has been around since the late 1940s with the release of a paper by a mathematician named Claude Shannon[9]. In this paper he writes "[We consider only] 'true' secrecy systems where the meaning of the message is concealed by cipher, code, etc., although its existence is not hidden, and the enemy is assumed to have any special equipment necessary to intercept and record the transmitted signal." Given the qualities of the internet today, this will also be the focus of our paper.

Why does encryption matter?

Whether or not you know it, encryption is the barrier between your information and the rest of the world. Without encryption, the internet would not be able to be what it is today. Individual user accounts would never be secure, banking could not take place online, and communications could be monitored very easily.

Even with encryption, it is important that the right type of encryption is used. Security breaches are a regular occurrence (it is good practice to check whether information associated with your email has been leaked[10], but breaches can happen silently too). Weak encryption methods or poor implementations of encryption standards allow adversaries to crack many types of encryption relatively easily. Lists of accounts from major leaks have been published, and hobbyists have typically been able to crack the vast majority of leaked passwords[11]. Some sites have even published walkthroughs showing just how easy it is[12].

Although it is easy to get worn out by the numerous security warnings you see online[13], simply using basic techniques (such as creating strong passwords or using a unique password for each website you register for) can protect you from the vast majority of problems caused by poor implementation of encryption standards. Complicated passwords are more difficult to break, and if you use unique passwords then a broken password will not work on your other accounts. Kaspersky publishes a password strength checker that you can use to gauge the strength of different types of passwords[14].

Modern encryption standards

Modern encryption research has long been kept a secret from the public due to government concerns. It wasn't until the 1970s that a strong encryption standard was released to the public (DES - Data Encryption Standard). Today, this standard is considered insufficient and has been replaced with many other standards (such as AES - Advanced Encryption Standard). However, the algorithm that you use is only part of the implementation of a strong encryption system.

Public key exchange

If I am trying to share secret information with you, it is easy to simply encrypt it with a password, allowing you to decrypt it with knowledge of that password. However, as we mentioned earlier, the encryption we are discussing assumes that an adversary may be able to listen to your entire conversation (including the password I wish to share with you). One of the big problems in encryption, for a very long time, was how to get around this restriction.

The solution to this problem came in the 1970s. Two cryptographers developed a mechanism of exchanging keys known today as the Diffie-Hellman key exchange. This involves sharing a public key of yours, and anything encrypted using that key can be decrypted using your private key (which only you know and is never shared). This method was revolutionary because it did not matter whether or not adversaries were able to listen in on your conversation; information could be protected from start to finish.

Public and private keys are interesting to play around with. I would recommend testing out how they work and considering some possible applications.[15][16]
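As an added example (not code from the original page), here is a Diffie-Hellman key exchange in Python, written so that what the listener records on the wire is kept separate from the two parties' private values. The group parameters (p = 2^127 - 1, g = 3) and all function names are assumptions of this example; real deployments use standardised groups of 2048 bits or more, or elliptic curves, with the same arithmetic.

```python
import hashlib
import secrets

# Toy group parameters (assumption of this example): p = 2^127 - 1 is prime, g = 3.
P = 2**127 - 1
G = 3


def make_keypair(p=P, g=G):
    """Pick a random private exponent and publish g^private mod p."""
    private = secrets.randbelow(p - 2) + 1      # in [1, p-2]
    public = pow(g, private, p)
    return private, public


def shared_secret(my_private, their_public, p=P):
    """(g^b)^a == (g^a)^b mod p, so both sides land on the same value."""
    return pow(their_public, my_private, p)


def derive_key(secret_int):
    """Hash the shared integer down to a 32-byte symmetric key."""
    length = (secret_int.bit_length() + 7) // 8 or 1
    return hashlib.sha256(secret_int.to_bytes(length, "big")).digest()


def run_exchange():
    """Alice and Bob exchange public values; Eve records everything on the wire."""
    alice_priv, alice_pub = make_keypair()
    bob_priv, bob_pub = make_keypair()
    eve_sees = {"p": P, "g": G, "alice_pub": alice_pub, "bob_pub": bob_pub}
    key_alice = derive_key(shared_secret(alice_priv, bob_pub))
    key_bob = derive_key(shared_secret(bob_priv, alice_pub))
    return key_alice, key_bob, eve_sees


def eve_combines_public_values(eve_sees):
    """What Eve can compute from the recording alone: products and powers of
    the two public values. Neither equals g^(ab); that needs a private exponent."""
    p = eve_sees["p"]
    a_pub, b_pub = eve_sees["alice_pub"], eve_sees["bob_pub"]
    return {derive_key((a_pub * b_pub) % p), derive_key(pow(a_pub, b_pub, p))}


if __name__ == "__main__":
    k_a, k_b, seen = run_exchange()
    print("Alice and Bob agree:", k_a == k_b)
    print("Eve's combinations match:", k_a in eve_combines_public_values(seen))
```

The private exponents never leave `run_exchange`; everything Eve holds is in `eve_sees`, and the only route from those values to the key is the discrete logarithm, which is what the group size is chosen to make impractical.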

Iterations

One way to slow down attackers is to use multiple iterations of any given hash function. Basically, you hash the password, then you hash the hash, and so on. This can be done thousands of times depending on the security necessary[17]. Some security experts consider this step at least as important as salts[18]. Some modern password hashing functions such as bcrypt or scrypt have this built in (with additional measures that increase the amount of time or memory necessary to test a single password). Currently, scrypt and bcrypt are considered the most effective way of storing passwords.
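An added example, not from the original page, of the iteration idea in Python: `iterated_hash` is the hash-the-hash loop the text describes, `standard_hash` uses the standard library's PBKDF2-HMAC for the same purpose, and `seconds_per_guess` shows that the iteration count sets the price of every password test, for the legitimate login and for an attacker alike. The iteration counts and function names are this example's choices.

```python
import hashlib
import hmac
import os
import time


def iterated_hash(password: str, salt: bytes, iterations: int) -> bytes:
    """The scheme in the text: hash the salted password, then hash the hash,
    `iterations` times in total."""
    digest = hashlib.sha256(salt + password.encode("utf-8")).digest()
    for _ in range(iterations - 1):
        digest = hashlib.sha256(digest).digest()
    return digest


def standard_hash(password: str, salt: bytes, iterations: int) -> bytes:
    """The same idea as a reviewed standard: PBKDF2-HMAC-SHA256 from the
    standard library, which chains HMAC calls instead of bare hashes."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_record(password: str, iterations: int = 200_000) -> dict:
    """Store salt and iteration count beside the hash, so the record can be
    verified later and the count raised for new records as hardware speeds up."""
    salt = os.urandom(16)
    return {"salt": salt, "iterations": iterations,
            "hash": standard_hash(password, salt, iterations)}


def verify(record: dict, candidate: str) -> bool:
    """Recompute with the stored salt and count; compare in constant time."""
    expected = standard_hash(candidate, record["salt"], record["iterations"])
    return hmac.compare_digest(expected, record["hash"])


def seconds_per_guess(iterations: int) -> float:
    """Wall-clock cost of testing one candidate at this iteration count."""
    start = time.perf_counter()
    standard_hash("candidate", b"\x00" * 16, iterations)
    return time.perf_counter() - start


if __name__ == "__main__":
    rec = make_record("correct horse battery staple")
    print("login ok:", verify(rec, "correct horse battery staple"))
    for n in (1_000, 100_000, 400_000):
        print(f"{n:>8} iterations: {seconds_per_guess(n) * 1000:.1f} ms per guess")
```

Raising the count from 1,000 to 400,000 makes each guess several hundred times slower; that is negligible for one login and decisive for someone testing billions of candidates against a leaked table.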

Modern implementations

Many companies hash things their own way. Facebook has a fairly unique method of password storage, developed for usability rather than security (they did not want to require a log-in for the password storage update). Their steps are as follows[19]:

  1. Hash the password with MD5(password).
  2. Generate a 20-byte (160-bit) random salt (this is well over the 64 bits you'd need to defend against birthday attack collisions).
  3. Hash with hmac_sha1(hash, salt).
  4. Send this value to a separate server for further operations (mitigates offline brute-forcing).
  5. Hash in a secret key with hmac_256(hash, secret). Note this operation is on a separate server. The secret key might be colloquially termed a "pepper".
  6. Hash with scrypt(hash, salt) to make local computation slower.
  7. Shrink the final value with hmac_256(hash, salt) for efficient database storage[20].
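The seven steps above as an added Python example (not Facebook's own code, and not from the original page), using only the standard library. Assumptions: the salt is used as the HMAC key in steps 3 and 7, the scrypt cost parameters (n = 2^14, r = 8, p = 1) are this example's choice, and the pepper is held in a module variable here to stand in for the separate server of steps 4 and 5. `hashlib.scrypt` needs Python 3.6+ built against OpenSSL 1.1 or later.

```python
import hashlib
import hmac
import os

# Stand-in for the secret held on the separate server of steps 4 and 5
# (constructed here; in the real design it never touches the web tier).
SERVER_SECRET = os.urandom(32)


def md5_layer(password: str) -> bytes:                    # step 1
    return hashlib.md5(password.encode("utf-8")).digest()


def new_salt() -> bytes:                                  # step 2: 20 random bytes
    return os.urandom(20)


def hmac_sha1_layer(h: bytes, salt: bytes) -> bytes:      # step 3 (salt as HMAC key: assumption)
    return hmac.new(salt, h, hashlib.sha1).digest()


def pepper_layer(h: bytes, secret: bytes) -> bytes:       # steps 4-5, done on the other server
    return hmac.new(secret, h, hashlib.sha256).digest()


def scrypt_layer(h: bytes, salt: bytes) -> bytes:         # step 6; cost parameters are this example's
    return hashlib.scrypt(h, salt=salt, n=2**14, r=8, p=1, dklen=64)


def shrink_layer(h: bytes, salt: bytes) -> bytes:         # step 7: 64 bytes down to 32
    return hmac.new(salt, h, hashlib.sha256).digest()


def onion_hash(password: str, salt: bytes, secret: bytes = SERVER_SECRET) -> bytes:
    """Run the layers in order; each one's output feeds the next."""
    h = md5_layer(password)
    h = hmac_sha1_layer(h, salt)
    h = pepper_layer(h, secret)
    h = scrypt_layer(h, salt)
    return shrink_layer(h, salt)


def store(password: str) -> dict:
    """What the database row holds: the salt and the final 32-byte value."""
    salt = new_salt()
    return {"salt": salt, "hash": onion_hash(password, salt)}


def check(record: dict, candidate: str) -> bool:
    """Recompute every layer for the candidate and compare in constant time."""
    return hmac.compare_digest(onion_hash(candidate, record["salt"]), record["hash"])


if __name__ == "__main__":
    row = store("hunter2")
    print("salt bytes:", len(row["salt"]), "hash bytes:", len(row["hash"]))
    print("correct password accepted:", check(row, "hunter2"))
    print("wrong password rejected:", not check(row, "hunter3"))
```

The MD5 step is kept because it is what the text lists; on its own it would be a poor choice, and the construction's strength comes from the pepper held elsewhere and the scrypt layer, not from that first hash.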

Types of encryption

There is no shortage of types of encryption. There are so many unique communication methods that it is challenging to group them. For this report, we will outline 3 interesting and topical uses for the technology.

Hashing

Information that is encrypted is typically hashed. This means that you can take a password (or piece of data) and transform it in a way that cannot be reversed. For example, a very simple hash function for someone's name would be to simply use the first letter. This works for any name and cannot be reversed; however, it is not a good function because there are duplicates (these are called hash collisions). Hash collisions with strong encryption algorithms are exceedingly rare. Hash functions are good for password storage because the actual password itself does not need to be stored (which would be a major security risk); the only thing that needs to be checked is whether or not the generated hash matches the saved hash.

Some types of passwords cannot be stored this way. Biometrics, for example, rely on fuzzy matching (no two fingerprint scans are the same)[21]. This type of data cannot be checked against a saved hash; instead the actual fingerprint (or the characteristics of that fingerprint) would need to be saved[22]. While this could be encrypted, it adds an extra password that you were likely hoping to avoid by using biometrics. This is part of the reason many security professionals dislike the way biometrics are currently being used in relation to security[23].

Steganography

Steganography is the encoding of secret messages inside existing messages or files. Modern usage has made it possible to do this in increasingly interesting ways. Messages can be encoded in what appears to be spam[24], in images, in music, etc. It is possible to hide any manner of data, including other image or music files. While this isn't a common technique for businesses, it can be an interesting way to hide or transfer data.

This photo contains a secret message (or does it?)

Secret sharing

Of recent interest, cryptographers have developed what some call a democratic method of sharing secrets[25]. Secret sharing is the practice of distributing a secret to a certain number of parties without the secret being revealed. In order to reveal the secret, the distributed data must be combined. However, what makes it interesting is that not all the data needs to be combined. It is possible to distribute a secret to 25 people, not revealing what that secret is until any 15 of them have combined their secrets[26]. Software exists that automates this process[27].

Some suggest that tools like this could be useful for leaving messages or secure information to loved ones in case of an unexpected death, and it has also been suggested that this would be useful for ensuring online or even real world democratic practices.
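An added example, not from the original page or from the software it cites, of the 25-party, any-15-of-them case using Shamir's secret sharing in Python: the secret becomes the constant term of a random degree-14 polynomial over a prime field, each party receives one point on it, and any 15 points reconstruct the constant term by Lagrange interpolation while 14 reveal nothing about it. The prime 2^127 - 1 is assumed for the field and limits a secret to 15 bytes.

```python
import secrets

# Field for the arithmetic: 2^127 - 1 is prime, so secrets up to 15 bytes fit.
PRIME = 2**127 - 1


def _eval_poly(coeffs, x, p=PRIME):
    """Horner evaluation of coeffs[0] + coeffs[1]*x + ... mod p."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % p
    return result


def split_secret(secret: int, threshold: int, shares: int, p=PRIME):
    """Hide `secret` as the constant term of a random polynomial of degree
    threshold-1 and hand out one point per party. Any `threshold` points fix
    the polynomial; fewer leave every constant term equally likely."""
    if not 0 <= secret < p:
        raise ValueError("secret must be an integer in [0, p)")
    if not 1 <= threshold <= shares < p:
        raise ValueError("need 1 <= threshold <= shares")
    coeffs = [secret] + [secrets.randbelow(p) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x, p)) for x in range(1, shares + 1)]


def recover_secret(points, p=PRIME):
    """Lagrange interpolation at x = 0 over the field mod p."""
    xs = [x for x, _ in points]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share")
    secret = 0
    for xi, yi in points:
        num, den = 1, 1
        for xj in xs:
            if xj != xi:
                num = (num * (-xj)) % p
                den = (den * (xi - xj)) % p
        secret = (secret + yi * num * pow(den, p - 2, p)) % p   # den^(p-2) is 1/den mod p
    return secret


def split_message(message: bytes, threshold: int, shares: int):
    """Convenience wrapper: share a short byte string (no leading zero bytes)."""
    return split_secret(int.from_bytes(message, "big"), threshold, shares)


def recover_message(points) -> bytes:
    value = recover_secret(points)
    return value.to_bytes((value.bit_length() + 7) // 8, "big")


if __name__ == "__main__":
    # Constructed secret for the demonstration.
    shares = split_message(b"safe: 31-4-17", threshold=15, shares=25)
    subset = secrets.SystemRandom().sample(shares, 15)   # any 15 of the 25
    print(recover_message(subset))
    print("14 shares give the secret:", recover_secret(shares[:14]) == recover_secret(shares[:15]))
```

Combining 14 shares still runs the interpolation, but the result is just some field element unrelated to the secret; this is what lets the 25 holders keep it hidden until 15 of them cooperate.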

Modern uses

As we mentioned, encryption is used very widely today in a wide variety of industries.

Password storage

With millions of sites offering online accounts, keeping account information such as passwords secure online has become very important to users. In the past couple of years, hackers have breached multiple websites, such as LinkedIn and Ashley Madison, obtaining millions of account records and passwords. To better assess your online security, it helps to know how websites store your passwords, since some methods are considerably more secure than others.

Plain text passwords

The simplest way for a website to store passwords is in plain text. When you create an account and enter a password, the server stores the password in a database without any modification. If you entered “qwerty” as your password, the website saves “qwerty” in its database. When you try to log in, the website checks the submitted credentials against the database to grant account access. This is the worst method of password storage in terms of security: a breach of the server’s database leaves every password immediately compromised.

Password encryption

A step up in password security is encrypting plain text passwords. Before storing your password in a database, the website encrypts it first. Encryption uses special keys to turn plain text passwords into a random-looking string of characters. For example, the password “qwerty” could turn into “7UQvOCExMSFeXAjJEvqDEl62fA”. Therefore, if someone breaches a website’s database, instead of seeing passwords that can be used immediately to log in to accounts, they are met with random characters. The only way a hacker can infiltrate your account is by obtaining the key to decrypt your password back into plain text. Although this is a more secure way of storing passwords, keys are often saved on the same server as the encrypted passwords, which means that a breach of the server lets a hacker use those keys to decrypt user passwords.

Hashed passwords

A method similar to password encryption is password hashing. Before saving your password in a database, an algorithm turns it into a long string of random-looking characters. The difference between encryption and hashing is that hashed passwords are a “one way street”[28]. If a hacker obtains your hashed password, there is no decryption key to return it to plain text. To crack your password, hackers must try many different password candidates to see which one produces a hash matching yours. This may seem like a lot of work, but with today’s technology, computers can do it rather quickly. Another problem with hashed passwords is that many password combinations have already been decoded and can be found on the web as “rainbow tables”. For instance, the password “qwerty” would be hashed as “3c8b9f4b983afa9f644d26e2b34fa3e03a2bef16” in SHA-1 format[29].

Hashed passwords with a dash of salt

The most secure way of storing a password is hashing with a dash of salt. A dash of salt means adding a random string of characters at the beginning or end of a user’s password[30]. The random characters are appended to your password and the result is hashed, creating a very long, complex and unique hash that cannot be found in rainbow tables. For example, “h1z1al6lf” could be the random salt added at the end of “qwerty”, turning it into “qwertyh1z1al6lf”. After hashing, the password may turn into “c5e635ec235a51e89f6ed7d4857afe58663d54f5”, something that will not be stored in a rainbow table and must be cracked by a computer to obtain your actual password.
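As an added example (not code from the original page), the unsalted and salted storage methods side by side in Python, together with a constructed five-word stand-in for a rainbow table, so the effect described above can be measured: with no salt, one precomputed table exposes every account that used a common password at once, with no hashing at all; with salts, the table finds nothing and each record has to be worked on separately.

```python
import hashlib
import hmac
import os

# Constructed word list standing in for a rainbow table's inputs; real tables
# cover billions of candidates, but the mechanics are the same.
WORDLIST = ["123456", "password", "qwerty", "letmein", "dragon"]


def sha1_hex(text: str) -> str:
    return hashlib.sha1(text.encode("utf-8")).hexdigest()


def store_unsalted(password: str) -> dict:
    """Hashed password, no salt: identical passwords give identical hashes."""
    return {"salt": "", "hash": sha1_hex(password)}


def store_salted(password: str) -> dict:
    """Hashed password with a random string appended first, as the text describes."""
    salt = os.urandom(6).hex()
    return {"salt": salt, "hash": sha1_hex(password + salt)}


def verify(record: dict, candidate: str) -> bool:
    """Login check: hash the candidate with the stored salt, compare in constant time."""
    return hmac.compare_digest(sha1_hex(candidate + record["salt"]), record["hash"])


def precomputed_table(wordlist=WORDLIST) -> dict:
    """hash -> password, built once; reusable against every unsalted record anywhere."""
    return {sha1_hex(w): w for w in wordlist}


def exposed_by_table(records: dict, table: dict) -> dict:
    """Accounts whose stored hash appears in the table; zero hashes computed."""
    return {user: table[rec["hash"]] for user, rec in records.items() if rec["hash"] in table}


def per_record_work(records: dict, wordlist=WORDLIST):
    """With salts the table is useless: every record must be rehashed with its
    own salt. Returns the accounts matched and the number of hashes that cost."""
    found, hashes_computed = {}, 0
    for user, rec in records.items():
        for word in wordlist:
            hashes_computed += 1
            if sha1_hex(word + rec["salt"]) == rec["hash"]:
                found[user] = word
                break
    return found, hashes_computed


if __name__ == "__main__":
    users = ("ann", "bob", "cy")                      # constructed accounts, same weak password
    unsalted = {u: store_unsalted("qwerty") for u in users}
    salted = {u: store_salted("qwerty") for u in users}
    table = precomputed_table()
    print("unsalted, table lookup:", exposed_by_table(unsalted, table))
    print("salted, table lookup:  ", exposed_by_table(salted, table))
    print("salted, per-record:    ", per_record_work(salted))
```

The three salted records hold the same password yet three different hashes, so nothing learned about one of them carries over to the others; combined with the iteration counts discussed earlier, that per-record work is what makes a leaked table expensive to exploit.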

Payments industry

According to a paper by the Smart Card Alliance Payments Council (Smart Card Alliance)[31], a US non-profit organization leading smart card technology discussion, there are three technologies currently used globally to secure transactions: EMV, end-to-end encryption (E2EE), and tokenization. The Smart Card Alliance notes that all three technologies used in conjunction, or in a layered approach, are considered the best available solution for payments protection. This section will explain how EMV technology emerged as the global payments standard, how each payment technology works throughout a card-present and card-not-present (CNP) transaction, and how payment encryption could improve in the future.

EMV technology

The EMV payment specification has been available to the global payments industry since 1996, is currently the global security standard for card payments, and is managed by EMVCo (Europay, MasterCard, and Visa)[31]. EMV secures credit and debit card transactions by embedding a microprocessor chip into a physical object, typically a plastic card; it can also be supported by NFC-enabled smartphones. For a more detailed explanation of EMV functionality, please refer to the Functionality and benefits of EMV section. The Smart Card Alliance notes that although EMV technology has been available for over 20 years and is proven to be more effective at preventing counterfeit fraud than magnetic stripe technology, financial institutions and merchants in Europe, Latin America, Asia, and Canada adopted EMV earlier than the US. This is attributed to a historically more secure and sophisticated magnetic stripe transaction environment in the US compared to the rest of the world, but the recent global move to EMV chip-based architecture has left the US with comparatively weaker infrastructure. You can see an example of the increasing security concern over magnetic stripe technology in the US compared to Canada’s EMV infrastructure in the figure by the Wall Street Journal[32].


With the increasingly apparent weakness of a magnetic stripe infrastructure in the US, American Express, Discover, MasterCard, and Visa announced migration plans to chip-based technology in the US in 2011 and set policies for card-present fraud liability shift to merchants without EMV enabled by 2017.

Functionality and benefits of EMV

In a card-present environment where customers are physically present in a merchant’s store, EMV chips on cards are powered by the merchant card reader, and if the reader is dual-interface, physical contact or contactless (tap) communication is used[31]. Physical contact requires a contact plate on the card to be inserted into the merchant reader while contactless communication uses radio frequency and an embedded antenna. According to the Smart Card Alliance, EMV chip cards are designed to store sensitive data securely and “have the processing power to perform cryptographic computations dynamically, as opposed to magnetic stripe cards that use static data.” This means that for each transaction, a unique digital signature or cryptogram is generated by the card chip using an algorithm and applied to the card, the acceptance device, and transaction-specific data. By having each transaction require decryption of transaction-specific data for card authorization, stolen card data is heavily devalued and cannot be used to create a counterfeit magnetic stripe card. As well, the Smart Card Alliance notes that a counterfeit magnetic stripe card would also not have the service code number or chip that only the original physical card has, so validation will fail. Online (in-person) card authentication and offline (CNP) transactions also use different cryptography methods (asymmetric for CNP and symmetric cryptography for online), but both still generate a unique cryptogram as part of the authorization process. In summary, an EMV chip-enabled card prevents card fraud more effectively than a magnetic stripe card due to its ability to generate encrypted dynamic data in each transaction compared to magnetic stripe static data that uses a physical card code for authentication.
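An added, deliberately simplified model (not the EMV specification's actual algorithm, and not code from the original page) of why a per-transaction cryptogram is worth more to a defender than static stripe data, in Python: the card computes a MAC over the amount, the terminal's unpredictable number and its own transaction counter using a key it shares with the issuer, and the issuer recomputes the MAC and refuses reused counters. Real EMV derives per-session keys and uses block-cipher MACs; HMAC-SHA256, the field layout and the class names are this example's substitutes, and the PAN values are constructed.

```python
import hashlib
import hmac
import secrets
import struct


def _mac_input(amount_cents: int, unpredictable_number: int, atc: int) -> bytes:
    """Transaction-specific data covered by the cryptogram: amount (8 bytes),
    the terminal's random challenge (4 bytes), the card's counter (2 bytes)."""
    return struct.pack(">QIH", amount_cents, unpredictable_number, atc)


class ChipCard:
    """Holds a per-card key shared with the issuer and a transaction counter (ATC)."""

    def __init__(self, pan: str, key: bytes):
        self.pan, self._key, self.atc = pan, key, 0

    def generate_cryptogram(self, amount_cents: int, unpredictable_number: int) -> dict:
        self.atc += 1                      # never repeats for this card
        mac = hmac.new(self._key, _mac_input(amount_cents, unpredictable_number, self.atc),
                       hashlib.sha256).digest()[:8]
        return {"pan": self.pan, "atc": self.atc, "amount": amount_cents,
                "un": unpredictable_number, "cryptogram": mac}


class Terminal:
    """Supplies a fresh unpredictable number for every transaction."""

    @staticmethod
    def challenge() -> int:
        return secrets.randbits(32)


class Issuer:
    def __init__(self):
        self._keys, self._last_atc = {}, {}

    def issue_card(self, pan: str, key: bytes = None) -> ChipCard:
        key = key or secrets.token_bytes(16)
        self._keys[pan], self._last_atc[pan] = key, 0
        return ChipCard(pan, key)

    def authorise(self, request: dict, terminal_un: int) -> str:
        key = self._keys.get(request["pan"])
        if key is None:
            return "declined: unknown card"
        if request["un"] != terminal_un:
            return "declined: cryptogram not bound to this terminal challenge"
        if request["atc"] <= self._last_atc[request["pan"]]:
            return "declined: counter reused (replay)"
        expected = hmac.new(key, _mac_input(request["amount"], request["un"], request["atc"]),
                            hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(expected, request["cryptogram"]):
            return "declined: cryptogram does not match transaction data"
        self._last_atc[request["pan"]] = request["atc"]
        return "approved"


if __name__ == "__main__":
    issuer = Issuer()
    card = issuer.issue_card("PAN-TEST-0001")          # constructed identifier
    un = Terminal.challenge()
    req = card.generate_cryptogram(1999, un)
    print(issuer.authorise(req, un))                   # approved
    print(issuer.authorise(req, un))                   # replay of the same request
    print(issuer.authorise(dict(req, amount=199900), un))   # amount changed after the fact
```

A copied request is useless twice, and a cryptogram cannot be moved to a different amount or terminal challenge, which is the "dynamic data" property the paragraph contrasts with a magnetic stripe whose contents are the same in every transaction.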

Transaction data encryption

According to the Smart Card Alliance[31], transaction data encryption for payments has two approaches used by merchants and payment processors; they are end-to-end encryption (E2EE) and point-to-point encryption (P2PE). The E2EE method encrypts the cardholder data at the point of interaction with a payment system at a POS terminal and remains encrypted until it reaches a Payment Card Industry Data Security Standard (PCI) compliant processor or acquirer where the data is decrypted. For P2PE encryption, cardholder data is also encrypted at point of interaction with the payment system, but the data can be decrypted by third parties such as a gateway provider or independent sales organization (ISO). However, the Smart Card Alliance notes that in both solutions the merchant never has access to the cryptographic keys or raw cardholder data, and all parties involved with the payment process must be PCI Compliant. Encryption can also be applied to multiple card-present (hardware-based) payment standards, such as magnetic stripe reader (MSR) POS interfaces, signature/PIN capture MSR POS interfaces, and EMV-enabled signature/PIN encrypting MSR POS interfaces. For CNP or software-based encryption, the encryption process starts at the browser.

Through the encryption process like EMV, cardholder data becomes significantly devalued, as "criminals cannot monetize data that they cannot decrypt," and EMV can further complicate the stolen data by encrypting different types of transaction data[31]. Thus, encryption contributes to overall payment data confidentiality and integrity.

Tokenization

In addition to EMV and data encryption, the Smart Card Alliance[31] notes that tokenization is another recommended payments industry security specification; it replaces a payment card primary account number (PAN) with a token that only holds value when decrypted or ‘detokenized’ by a token solution provider (TSP). The essential purpose of the token is to remove sensitive card data from the payments ecosystem and reduce the risk of unauthorized disclosure of sensitive account information. Like E2EE and P2PE, tokenization makes sensitive cardholder information essentially useless if the token is stolen, and it can be used in card-present or CNP transactions. Tokenization differs from encryption, however, in that a TSP is involved in the process. Only the TSP has the ability to provide and decrypt the token for the associated card PAN that authenticates transactions, and any payment processor has to be registered with the TSP to acquire the PAN. Payment processors can include merchants, mobile service providers, or an issuer, and the TSP can dictate which payment channel (NFC, e-commerce, magnetic stripe environments) the token can operate in. The Smart Card Alliance also notes that multiple standards are being developed for card-present and CNP (e-commerce and mobile) transactions.

The benefits of tokenization include higher assurance for account verification during transactions, and removing cardholder data from merchant business environments for the purpose of loyalty programs or card-on-file transactions.

As stated earlier, using a layered approach of EMV, encryption, and tokenization provides the best solution for protecting payment transaction data and reducing risk of counterfeit card fraud. In a layered solutions approach for card-present transactions upon entry to the card reader, the EMV chip creates a unique cryptogram of the transaction data, the E2EE or P2PE enabled reader encrypts cardholder data until a PCI-compliant acquirer decrypts it, and a TSP sends and detokenizes tokens that protect the cardholder PAN for transaction authentication. In a CNP transaction, the process is essentially the same, except EMV is not available without a physical reader and an e-commerce token is sent by the TSP.

Future of encryption in payments

Though EMV, E2EE and P2PE, and tokenization are widely available for use in the payments industry, the Smart Card Alliance[31] notes that not all merchants have adopted a layered approach and recommends considering investment in implementing the technologies as needed. As well, since standards are continuously being developed, merchants should consider industry and government regulations before fully investing in the current payments security best practices. As new communication and commerce platforms emerge for payments, such as mobile and CNP, payment stakeholders will have to critically review which technologies and specifications work best for their specific business environments.

With the consideration of the Smart Card Alliance in mind, the future development and standardization of encryption in payments will require large multi-organization effort, including government and industry regulators to push better security solutions globally. However with organizations like EMVCo and the Smart Card Alliance in place to work towards higher security standard implementation, it can be presumed that the payments industry will move faster towards new and improved encryption methods in the future.

SSL

Web communications often contain private information. Many people do their banking online, talk to friends online, and even file their tax returns online. This needs to be done in a way that prevents any third parties (such as network owners) from learning what is being communicated. The tool used to do this is called SSL (or TLS).

How it works

SSL does not use public key encryption; it relies on a shared secret. These secrets are distributed through SSL certificates by companies such as DigiCert[33] or Comodo[34] (referred to as certificate authorities). The servers and clients then encrypt their communications using this key, and it can be deciphered by either party.

Let’s Encrypt

It is currently expensive to purchase and use an SSL certificate. Luckily, a company called Let's Encrypt[35] has been distributing free certificates (derived from their master certificate) that allow any website to set up SSL. Steps like these will make the internet a much safer place.

Modern software

Encryption is hard to get right, and unless you are a cryptography expert you should not do it yourself. Pre-developed software exists that will do nearly any function you can imagine, and it will all have had at least some scrutiny.

Tor

The World Wide Web consists of two layers: the surface web and the deep web. The surface web is anything that can easily be accessed through most web-browser applications. The deep web consists of websites that, although still accessible, are much more difficult to reach as they are not linked or indexed in search engines. The dark web is a portion of the deep web that is hidden away by means of encryption, or the constant rerouting of information. While most websites on the dark web are publicly available to those who know how to navigate the dark web, the IP addresses of those who run these websites are hidden to preserve their anonymity. The most well-known example of the dark web is the Tor Network, otherwise known as the Onion Network[36].

History

The concept of Tor was established in the early 1990s, and its development continued until it went public in 2004. Although Tor was created with the purpose of protecting the information of the Government of the United States, it has since evolved into an anonymous web-browsing network designed to help protect people’s privacy from governments and corporations[37][38]. Currently, it is maintained by the Tor Project, a not-for-profit organization focused on research and education[39].

Access

The dark web, or more specifically the Tor network, can be accessed using the Tor browser, a web browser developed by members of the Tor Project. Users can access the Tor network by simply using the browser to visit websites within it. One of the benefits of using Tor is that it allows a user to remain anonymous by encrypting their data as it moves through the network. However, browsing speed is sacrificed, as user data must travel through many different nodes before it reaches its intended destination[40].

URL generation

Navigating the Tor network is different from normal web browsing in that all URLs end with “.onion”, referring to the Onion Network. In addition, most URLs are randomly generated using a 1024-bit RSA key, which is then further encrypted with SHA-1[41]. This ensures that a user’s communications remain within the network and are kept private.

It is possible, however, to create a custom “.onion” domain name. In an effort to create awareness for anonymous web-browsing and encouraging its users to be conscious about their online privacy and security, Facebook generated a “.onion” URL (facebookcorewwi.onion). This was generated using pattern matching tools such as Scallion or Scallop to look for a matching key pair with a URL like Facebook[41].

How it works

Tor allows its users to navigate the Tor network anonymously using numerous virtual tunnels, redirecting its users’ info such that it is difficult to track. Not only does the Tor browser hide its users’ identity and its whereabouts, Tor does the same for those hosting websites as well by making inbound and outbound communications difficult to track[42].

Relays

Tor preserves the anonymity of its users using relays, or nodes. These relays pass information along to different points in the network. The nodes responsible for passing information along the Tor network are called middle relays. Generally, middle relays are considered safe to host, as information that passes through a middle relay is hard to trace. However, those who host exit relays are at risk. Exit relays are the final relays that information passes through to reach its destination. Those who use the Tor network with malicious intent are masked behind the network; however, their traffic can be traced back only as far as the exit relay, which poses a threat to those who run these nodes. Hosts of exit nodes are at risk of visits from law enforcement agencies and complaints from firms that are affected by activity that takes place on the Tor network[43][44].

Without users that volunteer hosts for relays, it would be difficult for the Tor network to exist. Middle relays make up the backbone of the Tor network, allowing for users to reroute their information multiple times to preserve their anonymity. However, exit node hosts also run large risks, as they cannot control which users use their nodes, as well as the activity that takes place at these nodes. As such, the Tor Project recommends that those who are willing to operate exit nodes dedicate a facility that is prepared to deal with the risks, and are aware that they are hosting an exit node[44].

Encryption in Tor

When the user’s information originally exits its starting point, the data is encrypted such that only the exit relay can decrypt the data. On top of that layer of encryption exists another layer of encryption, which can only be decrypted by the node prior to the exit node. This process repeats until the original user’s information is encrypted many times over, being decrypted one layer at a time at each node that it passes through. This is what earned the name of the network the “Onion network”, as the many layers of encryption can be compared to the many layers of an onion[44].
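The layering described above as an added Python example (not Tor's code, and not from the original page). The client holds one key per relay; it encrypts the message for the exit first, wraps that result for the middle relay, then for the guard, and each relay strips exactly one layer and learns only the next hop. The `keystream_xor` helper is a toy cipher (SHA-256 in counter mode) assumed for the demonstration only, with no integrity protection; real Tor negotiates each hop's key by key exchange and uses AES together with integrity checks. Relay names and keys are constructed.

```python
import hashlib
import struct

HOP_LEN = 16   # fixed-width "next hop" field at the front of every layer


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher for the demo only: XOR with SHA-256(key || counter).
    Encrypting and decrypting are the same operation."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + struct.pack(">I", i // 32)).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def wrap(next_hop: str, payload: bytes, key: bytes) -> bytes:
    """Add one layer: encrypt (next hop || payload) under this relay's key."""
    header = next_hop.encode("utf-8")
    if len(header) > HOP_LEN:
        raise ValueError("hop name too long")
    return keystream_xor(key, header.ljust(HOP_LEN, b"\0") + payload)


def peel(layer: bytes, key: bytes):
    """Remove one layer: decrypt and split off the next-hop field."""
    plain = keystream_xor(key, layer)
    next_hop = plain[:HOP_LEN].rstrip(b"\0").decode("utf-8", errors="replace")
    return next_hop, plain[HOP_LEN:]


def build_onion(message: bytes, circuit, destination: str) -> bytes:
    """circuit: [(relay_name, key_shared_with_that_relay), ...] from guard to
    exit. The innermost layer is the exit's, so wrap in reverse order."""
    onion, next_hop = message, destination
    for name, key in reversed(circuit):
        onion = wrap(next_hop, onion, key)
        next_hop = name
    return onion


def route(onion: bytes, circuit, log: list) -> bytes:
    """Each relay in turn peels its own layer. `log` records what that relay
    saw: its name, the next hop, and the size of the still-opaque remainder."""
    data = onion
    for name, key in circuit:
        next_hop, data = peel(data, key)
        log.append((name, next_hop, len(data)))
    return data        # only the exit's output is the plaintext message


if __name__ == "__main__":
    circuit = [("guard", b"g" * 32), ("middle", b"m" * 32), ("exit", b"e" * 32)]
    onion = build_onion(b"GET / HTTP/1.1", circuit, "example.org")
    seen = []
    print(route(onion, circuit, seen))
    for relay, hop, size in seen:
        print(f"{relay:>6} forwards {size} opaque bytes to {hop}")
```

The log shows the property the paragraph describes: the guard knows the client and the middle relay, the middle relay knows only its two neighbours, and the exit sees the destination and the message but not where it came from. Trying to peel the outer layer with the middle relay's key yields a garbage header, not "middle", so a relay cannot read past its own layer.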

Uses

The homepage of the hidden wiki[45]

With the level of security and privacy that Tor offers its users, the dark web is mainly used for hosting hidden services, which are websites that can only be accessed through Tor. Uses include:

  • Circumventing state censorship
  • Whistleblowing (Wikileaks recommends submitting articles through Tor[46])
  • File sharing (publicly or privately through the Tor network)
  • Drug trade (the most notable example being Silk Road[47], now replaced with marketplaces like Agora[48])
  • Trade of other illegal goods
  • Terrorism
  • Pornography

TrueCrypt

TrueCrypt[49] was a tool that created encrypted volumes of data; basically an encrypted folder. It was run for around 10 years by anonymous developers before being shut down for reasons that remain unknown and have led to the rise of numerous conspiracy theories[50].

TrueCrypt used multiple encryption algorithms, including AES, Twofish, and Serpent. It offered the ability to cascade these (use more than one at a time) and used many iterations. TrueCrypt also had a function that enabled plausible deniability: a user could create two passwords for their volume. One of these passwords would open a folder containing only benign data, whereas the other password would reveal the truly hidden information. Additionally, TrueCrypt volumes were difficult (in some cases impossible) to differentiate from random data.

Since the shutdown of TrueCrypt, forks of the project such as VeraCrypt[51] have taken the place of TrueCrypt, offering identical functionality.

Hashcat

Hashcat[52] is one of the quickest hash breakers in the world. It supports acceleration using a graphics card and is capable of breaking the majority of available hashing methods. It can be run in several different modes, and can be very effective for weaker algorithms such as SHA-1.

Password managers

KeePass[53] is a conventional password manager: it stores passwords in an encrypted local database. The database is encrypted with AES or Twofish, and the database key is derived from the master password through a SHA-256-based key transformation repeated a configurable number of times to slow down guessing.

As mentioned earlier, it is best to use strong passwords. Because strong passwords are hard to remember, and a different strong password for every website harder still, it is considered good practice to use a password manager. Doing so makes a strong, unique password per site simpler to use and therefore more likely to be used.

Conventional password managers store an encrypted database of passwords. Some, such as LastPass[54], synchronise the database through a web service so it is accessible from any device; the database is encrypted on the client, so the provider holds only ciphertext. Less commonly, a manager such as pass[55] encrypts each site's entry as a separate file rather than keeping a single database. A different category, deterministic password managers, keeps no database at all: the password for each site is computed by hashing a single master password with site-specific information (such as the domain) as the salt, so the same master password and domain always yield the same site password. Deterministic managers are generally considered a poor choice[56]: a site's password cannot be rotated without either changing the master password or adding per-site state the user must remember, sites with incompatible password rules need special handling, passwords the scheme did not generate cannot be stored at all, and a compromised master password exposes every site at once with no database left to steal.
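The deterministic scheme just described, as an added example that is not the code of any real password manager: the site password is PBKDF2 of the master password with the domain (and a rotation counter) as salt. The iteration count, the output format and the use of a counter are assumptions chosen for illustration; the functions show both why the scheme needs no storage and why that is also its weakness.

```python
import base64
import hashlib

# Added example, not any real manager's code. ITERATIONS is an illustrative value.
ITERATIONS = 100_000


def derive_site_password(master: str, site: str, counter: int = 1, length: int = 20) -> str:
    """Deterministic derivation: the domain plus a rotation counter are the salt, so the
    same inputs always give the same password and nothing has to be stored anywhere."""
    salt = f"{site.lower()}|{counter}".encode()
    raw = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, ITERATIONS, dklen=length)
    return base64.b64encode(raw).decode()[:length]


def rotate(master: str, site: str, current_counter: int) -> tuple:
    """Changing one site's password without changing the master means bumping, and then
    remembering, a per-site counter: exactly the state a 'stateless' scheme promised to avoid."""
    new_counter = current_counter + 1
    return new_counter, derive_site_password(master, site, new_counter)


def everything_from_master(master: str, sites: list, counters: dict = None) -> dict:
    """What an attacker who learns the master password (and the obvious list of sites)
    obtains: every site password, with no encrypted database to steal or crack first."""
    counters = counters or {}
    return {site: derive_site_password(master, site, counters.get(site, 1)) for site in sites}


if __name__ == "__main__":
    master = "correct horse battery staple"   # constructed
    first = derive_site_password(master, "example.com")
    counter, second = rotate(master, "example.com", 1)
    print("example.com, counter 1:", first)
    print("example.com, counter 2:", second, "(user must now remember counter", counter, ")")
    print("from a leaked master:  ", everything_from_master(master, ["example.com", "bank.example"]))
```

Run it twice and the first password is identical both times, which is the whole appeal; but the rotated password only works if the user remembers that example.com is on counter 2, and the last line shows that the master password alone reconstructs every account.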

Chat applications

Facebook recently introduced a secret conversations feature that uses end to end encryption.

A number of chat applications now advertise encryption. Some are privacy-focused from the ground up[57], others add encryption to an existing service[58], and some are built on an entirely different network layer[59].

End to end encryption

Communication has advanced dramatically over the past century as networks have let us talk to one another instantly. Today we can send instant messages from our phones and, with the right design, do so privately. Those messages, however, pass through servers and networks we do not control, and attackers continue to find ways to intercept them, such as man-in-the-middle attacks[60].

End-to-end encryption was created so that only the sender and the intended recipient can read a message. In traditional messaging applications, messages are encrypted (if at all) only between each client and the server, so the third party running the server can read every message passing through it and must be trusted not to. With end-to-end encryption, the cryptographic keys used to encrypt and decrypt the plaintext[61] are generated and stored only on the endpoints; the servers never hold them. The servers still relay the messages, but they see only ciphertext, so neither the company operating the service nor anyone who compromises or subpoenas its servers can read the content.

Authentication

When two users start an end-to-end encrypted conversation, each device generates a key pair: a public key and a private key. The public key can be shared with anyone and is used to encrypt messages to its owner (or, in protocols such as Signal, to agree on a shared session key); the private key never leaves the device and is the only thing that can decrypt what was encrypted for the corresponding public key[62]. Because the server is what hands out public keys, users also need a way to check that the key they received really belongs to the other person and was not swapped by a man in the middle. That is why these applications expose key fingerprints (Signal calls them safety numbers) for the two parties to compare out of band.

Applications

Much of the current adoption of end-to-end encryption traces back to Open Whisper Systems and their Signal Protocol[63]. WhatsApp Messenger and Facebook Messenger both use it, but differently: WhatsApp enables end-to-end encryption for all conversations by default, with no way to turn it off, whereas in Facebook Messenger it is optional[64]. Facebook calls its feature "Secret Conversations"; it must be started explicitly for each conversation and is available only in the Android and iOS apps, not on the web.

Wired[65]
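The key agreement and the fingerprint check described under Authentication, as an added example that is not Signal's or WhatsApp's code. Signal agrees keys with X25519 (elliptic-curve Diffie-Hellman) between long-term identity keys; this example uses finite-field Diffie-Hellman over the 2048-bit MODP group from RFC 3526 (group 14) because it needs only Python's built-in pow(), and it uses fresh keys per session. The fingerprint format is an assumption modelled on Signal's safety numbers. The point it shows is the one the text makes: a relaying server that substitutes its own public key ends up with a key shared with each party, and the only thing that exposes it is the two users comparing fingerprints out of band.

```python
import hashlib
import secrets

# Added example, not Signal's code. Finite-field DH over RFC 3526 group 14 stands in
# for X25519; fingerprint format is an assumption modelled on safety numbers.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
G = 2


def keypair() -> tuple:
    """Private exponent stays on the device; the public value is what the server relays."""
    priv = secrets.randbelow(P - 3) + 2  # 2 .. P-2
    return priv, pow(G, priv, P)


def shared_key(priv: int, peer_pub: int) -> bytes:
    """Session key from the DH shared secret; degenerate public values are rejected."""
    if not 2 <= peer_pub <= P - 2:
        raise ValueError("invalid peer public key")
    secret = pow(peer_pub, priv, P)
    return hashlib.sha256(b"e2ee-session" + secret.to_bytes(256, "big")).digest()


def fingerprint(my_pub: int, peer_pub: int) -> str:
    """Safety-number-style string both parties can compare out of band. It covers the key
    each side *actually holds* for the other, so a substituted key changes it."""
    lo, hi = sorted((my_pub, peer_pub))
    digest = hashlib.sha256(lo.to_bytes(256, "big") + hi.to_bytes(256, "big")).hexdigest()
    return " ".join(digest[i:i + 5] for i in range(0, 30, 5))


def honest_session() -> dict:
    """Server relays the public keys unchanged: keys agree, fingerprints agree,
    and the server, holding only public values, cannot compute the key."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    return {
        "alice_key": shared_key(a_priv, b_pub),
        "bob_key": shared_key(b_priv, a_pub),
        "alice_fp": fingerprint(a_pub, b_pub),
        "bob_fp": fingerprint(b_pub, a_pub),
    }


def mitm_session() -> dict:
    """A malicious or compromised server hands its own public key to both parties."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    m_priv, m_pub = keypair()
    alice_receives, bob_receives = m_pub, m_pub  # instead of b_pub and a_pub
    return {
        "alice_key": shared_key(a_priv, alice_receives),
        "bob_key": shared_key(b_priv, bob_receives),
        "server_key_with_alice": shared_key(m_priv, a_pub),
        "server_key_with_bob": shared_key(m_priv, b_pub),
        "alice_fp": fingerprint(a_pub, alice_receives),
        "bob_fp": fingerprint(b_pub, bob_receives),
    }


if __name__ == "__main__":
    h = honest_session()
    print("honest: keys match", h["alice_key"] == h["bob_key"], "| fingerprints match", h["alice_fp"] == h["bob_fp"])
    m = mitm_session()
    print("mitm:   keys match", m["alice_key"] == m["bob_key"], "| fingerprints match", m["alice_fp"] == m["bob_fp"])
    print("mitm:   Alice's fingerprint", m["alice_fp"])
    print("mitm:   Bob's fingerprint  ", m["bob_fp"])
```

In the attacked session every message Alice sends is readable by the server, re-encrypted for Bob, and delivered normally, so nothing in the app's behaviour gives it away; the mismatch only appears when Alice reads her fingerprint to Bob over a channel the server does not control.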

Threats

As with any security technology, strengths come with weaknesses, and where none are known yet they tend to be found eventually. Encryption is no different. The enormous payoff for breaking a widely used algorithm draws both attackers and researchers. A few threat vectors are worth discussing in particular.

Moore’s law

Moore's law is the observation that the number of transistors on an integrated circuit doubles roughly every two years[66]. Some doubt the trend can continue much longer, since transistor sizes are approaching atomic limits, while others expect it to hold for some time yet.

Supercomputers from barely 20 years ago cannot compete with devices that now fit in a pocket. This matters for encryption because processing power is the only thing standing between an adversary and a successful brute-force attack on a given key or password hash. Today a single consumer GPU can test billions of candidates per second against fast hashes such as MD5 or SHA-1, so any password short enough to enumerate is effectively unprotected by such a hash.

Growth in computing power must be met with larger keys and stronger algorithms. This was part of the reason for the move from DES to AES: DES was designed in the 1970s with a 56-bit key, and by 1998 a purpose-built machine could recover a DES key by exhaustive search in a matter of days. AES, with keys of 128 bits or more, puts exhaustive search far beyond any foreseeable hardware.

State level attacks

Some attacks on encryption are only practical at the state level. They typically involve hundreds of millions of dollars in purpose-built hardware, used either to attack specific keys directly or to exploit weaknesses in widely deployed parameters and standards. Researchers from the University of Pennsylvania and their collaborators recently published a paper showing how one such attack could work: a 1024-bit prime can be generated with a hidden trapdoor that makes discrete logarithms in that group, and therefore Diffie-Hellman key exchanges using it, feasible to break for whoever planted the trapdoor, while the prime looks ordinary to everyone else[67]. Attacks of this kind only get cheaper over time. Papers like this are a signal to developers not to rely on cryptographic parameters of unknown provenance, and to prefer groups whose generation can be verified or well-vetted elliptic curves.

P versus NP

One of the major unsolved problems in computer science is the P versus NP problem[68]. It concerns how hard problems are to solve compared with how hard they are to check. Roughly, P is the class of problems that can be solved quickly (in polynomial time), and NP (nondeterministic polynomial time) is the class of problems whose proposed solutions can be verified quickly, even if finding a solution might be slow. Every problem in P is also in NP; whether the reverse holds, that is whether P = NP, is unknown.

If P != NP, there are problems whose solutions genuinely take longer to find than to verify, which is the kind of asymmetry cryptography depends on: a key is quick to check and, one hopes, slow to find. P != NP is necessary but not by itself sufficient for secure cryptography, because one-way functions need problems that are hard on average, not merely in the worst case. If instead P = NP, one-way functions could not exist, and so no secure public-key scheme (or symmetric scheme, in the asymptotic sense) could exist either. In practice a proof of P = NP might come with algorithms too slow to matter, so deployed systems would not necessarily fall at once, but encryption would be theoretically unsound.

Most people never need to think about this, but it is an interesting look at the mathematics behind cryptographic security, and a reminder that the foundations are less settled than many assume.

Quantum computing

According to a blog post by CB Insights, a data analytics and research organization[69], "a quantum computer utilizes subatomic particles called qubits to speed up the solving of complex computations." Qubits, or quantum bits, according to D-Wave Systems CEO Vern Brownell, are like the digital bits in every computer but have the special property that they can be in a superposition of zero and one at the same time. This is popularly described as the computer evaluating all possible inputs simultaneously; more precisely, a quantum algorithm arranges for wrong answers to cancel out and right answers to reinforce, and the speedup it achieves depends on the problem. As Lockheed Martin's Vice-President of Technology, Brad Pietras, noted in a Bloomberg interview[70], "it would take longer than the age of the universe to complete the most complicated calculations" with a regular computer, compared with a quantum computer. Pietras also noted that quantum computing could become a practical tool for complex predictive analysis and machine learning, with business applications in drug discovery, cybersecurity, finance, investment, health care, logistics and planning. Breaking encryption also happens to be a problem quantum computers could help with, as discussed below.

On quantum computing applications related to encryption, the same CB Insights post[69] notes that several corporations investing in quantum computing are exploring security applications, although many are more interested in machine learning and in selling quantum hardware and software. The post lists "18 corporations that have reported unique technological breakthroughs in the last three years in the field of quantum computing," of which only eight are focused on security, and all eight of those are working on secure communication, either for mobile devices or for quantum-encrypted data transfer. As the field advances, more breakthroughs with business applications are likely, and more businesses will invest in application development to stay competitive.

Quantum attacks on encryption are also a concern at the government level. IEEE Spectrum[71] reported on an MIT experiment in which computer scientists assembled a five-qubit system that ran Shor's factoring algorithm in a scalable way, a step toward a machine that could factor large numbers and thereby break traditional public-key encryption. The article notes that "much of the world's digital data is currently protected by public key cryptography," most notably RSA, whose security rests on the difficulty of factoring very large numbers. Classical computers struggle with factoring, but Shor's algorithm factors efficiently on a sufficiently large quantum computer, which is why researchers consider today's widely used public-key methods at risk once such machines exist.

Hash functions and symmetric ciphers fare better. A study led by University of Waterloo researcher Matthew Amy[72] estimated the cost of attacking SHA-256 and SHA3-256 with Grover's algorithm, the best known quantum method for finding a preimage, and concluded that they are not at practical risk: Grover's algorithm at best halves the effective security level, so a 256-bit hash still offers roughly 128 bits of security, and the paper's estimate of the physical resources required puts such an attack far out of reach. The same quadratic limit applies to brute-forcing symmetric keys, which is why the usual quantum-resistance advice for symmetric encryption is simply to double the key size (AES-256 rather than AES-128), whereas public-key algorithms such as RSA and Diffie-Hellman need replacing altogether.

Taken together, the MIT and Waterloo results show that quantum computing threatens today's public-key algorithms specifically rather than encryption as a whole. Replacement public-key algorithms designed to resist quantum attacks are under active development, so there is a reasonable expectation that solutions will be deployed as the threat matures, although migrating existing systems will take years.

Politics

Because encryption enables near absolute privacy, it is useful for people that wish to stay anonymous. Sometimes, states believe that they should have the right to track these people, and are willing to pass laws banning or punishing the use of non-state-sanctioned cryptography.

Cases

As encryption has become mainstream, it has also become a central topic in the news. With current and upcoming technologies focused on interconnectivity, many people are concerned about the privacy of their information and how it is collected and used. Encryption protects individuals from malicious third parties, but those same third parties can use it to hide from law enforcement, and law-enforcement agencies' recent efforts to get around encryption have therefore been a popular subject as well. The most notable example is the United States Government's request that Apple create a backdoor into the iPhone, in the form of a modified operating system that would let investigators bypass the device's passcode protections[73].

“Message to Our Customers”

On February 16, 2016, Apple published an open letter to its customers outlining its stance on protecting users' information amid the U.S. Government's request for an iPhone backdoor. The Government referred to an act of terrorism in December 2015, arguing that it needed Apple's help to recover data from an iPhone used by one of the attackers. It requested that Apple build a modified version of its operating system with certain security features removed, specifically the limits on passcode attempts that make guessing the passcode impractical, so that investigators could unlock the device; Apple argued that, once built, such software could be used to unlock any iPhone.

Apple described the request as a dangerous precedent, arguing that giving the U.S. Government the power to unlock any iPhone and intercept user data would be a step back from the developments in encryption and cybersecurity that have occurred over the past few years[73].

Open Whisper Systems subpoena

Open Whisper Systems is the team of developers behind Signal, an iOS and Android messaging application that uses end-to-end encryption so that users can communicate privately. In the first half of 2016, Open Whisper Systems received a grand jury subpoena from the Eastern District of Virginia demanding a range of information about the accounts associated with two phone numbers, including addresses, message content and contact lists[74]. Because Signal stores almost nothing about its users, the only data the company could produce was the date the account was created and the date it last connected to the service.

Open Whisper Systems published the subpoena on its website, after the accompanying gag order was lifted, as an act of transparency toward its users. The incident was not without controversy, as it shines a light on governing bodies and their attitude toward privacy. It also illustrates a design principle: a service that does not collect data cannot be compelled to hand it over. Without such protection it is difficult to know when our private information is being collected or used.

Encryption and terrorism

Although Apple's stance protects its users' privacy and the integrity of encryption as a security measure, it is understandable why the U.S. Government would request a backdoor to the iPhone. Terrorist organizations are constantly searching for ways to operate under heavy surveillance from governments around the world. ISIS and Al Qaeda, for example, are well known for their use of cryptography to communicate within the organization.

A recent example of an attack that might have been mitigated to some degree is the Paris attacks of November 2015. Although the U.S. Government had warned France of an impending ISIS attack two months earlier, the use of encrypted messaging applications made it difficult to track ISIS-related activity before the attack itself[75]. Some CIA officials blamed Edward Snowden's disclosures about U.S. surveillance, but it is hard to argue that the plans succeeded only because the attackers knew they were being watched: terrorist organizations have used cryptographic methods, including steganography and encryption, since at least the 1990s[75]. With end-to-end encryption now built into mainstream chat applications, the same protections are available to malicious organizations, which explains why governments are keen to gain access to private communications.

Future of encryption

It is hard to know what the future holds for encryption. Quantum computing will certainly change how encryption algorithms are designed, and the field will remain heavily mathematical. Advances in mathematics (such as a resolution of the P versus NP problem) could also affect which kinds of encryption are considered safe.

Many in the security field expect encryption to become more popular with consumers in response to recent heavy-handed government measures, such as the amended Rule 41 of the Federal Rules of Criminal Procedure in the US[76] and the Investigatory Powers Act in the UK[77].

Overall, encryption has been an exceptionally valuable tool and will remain one. Advances in the field will keep our data private and keep us safer.

References

  1. https://en.wikipedia.org/wiki/Alice_and_Bob
  2. https://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/
  3. https://en.wikipedia.org/wiki/Heartbleed
  4. https://www.cnet.com/news/two-factor-authentication-what-you-need-to-know-faq/
  5. http://www.esecurityplanet.com/trends/biometric-authentication-how-it-works.html
  6. http://searchsecurity.techtarget.com/definition/multifactor-authentication-MFA
  7. https://en.wikipedia.org/wiki/Zodiac_Killer
  8. https://en.wikipedia.org/wiki/Kryptos
  9. http://netlab.cs.ucla.edu/wiki/files/shannon1949.pdf
  10. https://haveibeenpwned.com//
  11. https://hashes.org/public.php
  12. https://www.trustedsec.com/june-2016/introduction-gpu-password-cracking-owning-linkedin-password-dump/
  13. https://www.nist.gov/news-events/news/2016/10/security-fatigue-can-cause-computer-users-feel-hopeless-and-act-recklessly
  14. https://password.kaspersky.com/ Don't enter your real password!
  15. https://www.igolder.com/PGP/encryption/
  16. https://www.igolder.com/pgp/decryption/
  17. http://stackoverflow.com/questions/6054082/recommended-of-iterations-when-using-pbkdf2-sha256
  18. https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2015/march/enough-with-the-salts-updates-on-secure-password-schemes/
  19. https://news.ycombinator.com/item?id=12548210
  20. https://video.adm.ntnu.no/pres/54b660049af94
  21. http://www.axcrypt.net/blog/encryption-and-biometrics/
  22. http://www.sce.carleton.ca/faculty/adler/publications/2004/adler-2004-NATORTA-biometric-encryption-vulnerabilities.pdf
  23. http://blog.dustinkirkland.com/2013/10/fingerprints-are-user-names-not.html
  24. http://www.spammimic.com/encode.shtml
  25. https://www.cs.umd.edu/~gasarch/TOPICS/secretsharing/feldmanVSS.pdf
  26. https://en.wikipedia.org/wiki/Secret_sharing
  27. http://www.pgpi.org/doc/pgpintro/#p24
  28. http://lifehacker.com/5919918/how-your-passwords-are-stored-on-the-internet-and-when-your-password-strength-doesnt-matter
  29. https://md5hashing.net/hash/sha1/3c8b9f4b983afa9f644d26e2b34fa3e03a2bef16
  30. http://lifehacker.com/5919918/how-your-passwords-are-stored-on-the-internet-and-when-your-password-strength-doesnt-matter
  31. http://www.smartcardalliance.org/downloads/EMV-Tokenization-Encryption-WP-FINAL.pdf
  32. http://www.wsj.com/articles/chip-card-rollout-has-banks-retailers-scrambling-1429568104
  33. https://www.digicert.com
  34. https://ssl.comodo.com/
  35. https://ssl.comodo.com/
  36. https://brightplanet.com/2014/03/clearing-confusion-deep-web-vs-dark-web/
  37. https://www.cert.se/2015/11/2015-11-20_Tor_-_the_Onion_Routing_Network.pdf
  38. https://www.theguardian.com/technology/2013/nov/05/tor-beginners-guide-nsa-browser
  39. https://www.torproject.org/about/corepeople
  40. https://www.torproject.org/index.html.en
  41. https://timtaubert.de/blog/2014/11/using-the-webcrypto-api-to-generate-onion-names-for-tor-hidden-services/
  42. https://www.torproject.org/about/overview.html.en
  43. https://www.eff.org/torchallenge/what-is-tor.html
  44. http://jordan-wright.com/blog/2015/02/28/how-tor-works-part-one/
  45. https://thehiddenwiki.org/
  46. https://www.wikileaks.org/wiki/WikiLeaks:Tor
  47. https://en.wikipedia.org/wiki/Silk_Road_(marketplace)
  48. http://www.agoradrugs.com/
  49. http://truecrypt.sourceforge.net/
  50. https://forum.truecrypt.ch/t/my-analysis-of-what-really-happened-to-truecrypt/387
  51. https://veracrypt.codeplex.com/
  52. https://hashcat.net/hashcat/
  53. http://keepass.info/
  54. https://www.lastpass.com/
  55. https://www.passwordstore.org/
  56. https://tonyarcieri.com/4-fatal-flaws-in-deterministic-password-managers
  57. https://tox.chat
  58. https://www.wired.com/2016/10/facebook-completely-encrypted-messenger-update-now/
  59. https://geti2p.net/en/docs/how/intro
  60. https://www.wired.com/2014/11/hacker-lexicon-end-to-end-encryption/
  61. https://www.wired.com/2014/11/hacker-lexicon-end-to-end-encryption/
  62. https://www.wired.com/2014/11/hacker-lexicon-end-to-end-encryption/
  63. https://whispersystems.org/blog/whatsapp-complete/
  64. https://www.wired.com/2016/10/facebook-completely-encrypted-messenger-update-now/
  65. https://www.wired.com/2016/04/forget-apple-vs-fbi-whatsapp-just-switched-encryption-billion-people/
  66. http://www.intel.com/content/www/us/en/silicon-innovations/moores-law-technology.html
  67. https://eprint.iacr.org/2016/961.pdf
  68. https://en.wikipedia.org/wiki/P_versus_NP_problem
  69. https://www.cbinsights.com/blog/quantum-computing-corporations-list/
  70. http://www.bloomberg.com/news/articles/2013-05-30/what-quantum-computing-can-do-for-you
  71. http://spectrum.ieee.org/tech-talk/computing/hardware/encryptionbusting-quantum-computer-practices-factoring-in-scalable-fiveatom-experiment
  72. http://www.crawfordwise.com/sha3-256-is-quantum-proof-should-last-beellions-of-years-say-boffins/
  73. http://www.apple.com/customer-letter/
  74. https://whispersystems.org/bigbrother/eastern-virginia-grand-jury/
  75. http://arstechnica.com/information-technology/2015/11/isis-encrypted-communications-with-paris-attackers-french-officials-say/
  76. https://www.eff.org/deeplinks/2016/04/rule-41-little-known-committee-proposes-grant-new-hacking-powers-government
  77. http://www.theregister.co.uk/2016/11/30/investigatory_powers_act_backdoors/

Authors

Allison Chan, BBA, Beedie School of Business

Ashton Charbonneau, BBA, Beedie School of Business

Zachary Chua, BBA, Beedie School of Business

Wilson Ha, BBA, Beedie School of Business