Nowadays, ransomware seems to be everywhere. A quick search of Google's news tab gets about 12 million results—including the terrifying story that almost half of all US hospitals have shut down their networks due to ransomware. Ransomware has become so ubiquitous that Last Week Tonight with John Oliver made it their main story of the week:
Ransomware works through cryptography, the study of communicating securely. Secure communication is incredibly important. We don't want cybercriminals getting ahold of our credit card numbers, social security numbers, or passwords. Yet, we need to communicate our credit cards to make a purchase online[1], our social security numbers to e-file our taxes, and our passwords to access our computers and online accounts. To keep our confidential information secure, we turn to cryptography.
The problem is that the same cryptographic techniques that we use to keep cybercriminals out can be turned on us. This is essentially what ransomware is: cryptography used to secure our computers against us. (For more about this, check out "When Good Encryption Goes Bad: Ransomware.")
While cryptography seems to be an esoteric art for cryptologists and cryptanalysts, it is something that all of us need and use every day on our computers. Today, we're going to explore cryptography, what it is, its history, and its objectives.
Nowadays, it is easy to think that cryptography is an aspect of computers or the internet. However, cryptography dates back to the ancient world. Crypto- means "secret," and -graphy means "to write." As such, cryptography literally is secret writing. In most cryptography, algorithms transform the plaintext message into a ciphertext (gibberish), which requires a specific key to decrypt the message and return it to plaintext.
Typically, cryptography is explained through two generic users A and B, who in 1978 cryptography researchers named Alice and Bob.[2] Ten years later, another team of researchers added the character of Eve, as in eavesdropper, to this relationship.[3] When Alice tries to communicate with Bob, Eve tries an on-path attach to become the proverbial man-in-the-middle that we discussed in "Let's Get Physical … with Our Security."
Fig. 1 Randall Monroe's XKCD perfectly conveys how just adding crypto-characters convey drama and intrigue.
A good example of this secret writing is the Caesar cipher. In this cryptographic technique, the communicator shifts letters in words in a specific pattern, shifting each letter used forward or backward in the alphabet. As such, if the letters were shifted, three letters to the left, JULIUS CAESAR (who used this for his personal correspondence) would become GRIFRP ZXBPBO. Back in the Roman era, as well as today, cryptography was especially important for political and military applications.
The problem with the Caesar cipher is that it is fairly easy to crack. And once deciphered, the entire message—and often more—is vulnerable. The problem is that even cryptography as simple as this Caesar cipher takes a lot of work for humans to do by hand. To take cryptography to the next level, we need machines.
Perhaps one of the most famous examples of cryptography is the Enigma Cypher used by the Nazis in World War II. This device used an electromechanical rotor mechanism to scramble the alphabet. Enigma changes the connection with each keypress, so Enigma gave the Nazi's a large communications advantage—until it was deciphered by the Polish Cipher Bureau. Unaware of this decryption, the Nazis obliviously communicated with one another while the Allies listened in.[4]
While the Enigma machine was bleeding edge at its time, it is no match for contemporary computers. As such, we have needed to take cryptography to the next level. Modern cryptography relies on a cryptographic key exchange that comes in flavors: symmetrical and asymmetrical.
In symmetrical, Alice uses a key to encrypt her message, and Bob uses the very same key to decrypt it. Because of its uniformity, symmetric Encryption requires a much lower resource requirement. However, because everyone is using the same key, symmetric Encryption is also far more vulnerable to compromise.
A much safer option is the asymmetric Encryption standard (AES). Here, each user has two keys: a private key and a public one. Alice encrypts her message with Bob's public key, and Bob decrypts it with his private key. Then Bob reverses the process by encrypting his message to Alice with her public key. While this method is much more secure, calculating these public and private keys takes considerable computer resources. As such, it is not difficult for AES to require resources well beyond smartphones, tablets, and even most computers.
In 1991, Phil Zimmerman took the best of both symmetric and asymmetric Encryption to create Pretty Good Privacy (PGP). In this method, Alice has a random symmetric Encryption key created. This key is used to encrypt the data. Then this key is encrypted with Bob's public key. Alice then sends Bob both the encrypted data and the encrypted key. Bob decrypts the symmetric key with his private key and then uses it to decrypt the data from Alice.
For cryptography to work, there are four central objectives: confidentiality, authenticity, non-repudiation, and integrity.
These four cryptographic objectives are why AES wins out over symmetric Encryption. AES is more confidential because anyone with the key can open a symmetric Encryption communication, while only the person with the private key can open an AES encrypted communication. Since anyone can use a symmetric key, no one can use this to authenticate, and therefore can never prove non-repudiation. AES authenticates by offering a digital signature that could have only been created by a specific person's private key. Furthermore, combining this combination of encrypted communication with proof of authentication offers non-repudiation. Since anyone could use a symmetric key, there is no way to know the message is intact. However, since AES prevents anyone but whoever holds the private key from tampering with the communication, its integrity is beyond reproach.
And PGP takes all this to the next level.
With computers being encrypted left and right from ransomware, now more than ever, cryptography is something all of us need. Cryptography was essential to political leaders dating back to Caesar and militaries took it to the next level in World War II. Nowadays, we use cryptography to have our computers communicate. There are two primary means of computer Encryption: symmetric or AES (or a combination of both with PGP). This Encryption—especially via AES and PGP—offers users the four objectives of Encryption: confidentiality, authenticity, non-repudiation, and integrity.
If you would like someone else to worry about cryptography, reach out to us. We would be happy to set up and maintain your cryptographic needs.
[1] Unless, of course, we happen to have bought bitcoin or other cryptocurrencies.
[2] The cryptography characters of Alice and Bob were created by Rivest, Shamir, and Aleman in their "A Method for Obtaining Digital Signatures and Public-Key Cryptosystems."
[3] Eve was created by Bennett, Brassard, and Robert in their "Privacy Amplification by Public Discussion."
[4] In modern cybersecurity terms, the Allies here were conducting an on-path (or man-in-the-middle) attack.