This article was written by Dr Stuart Clark and published in the Innovations magazine #5.
You could be forgiven for thinking that cryptography is the preserve of spies and governments. Indeed for many years this would have been true, but no longer. Today, as we leave more and more of our data online, our networked lives are increasingly in need of protection.
“In the past, spying was possible only for agencies that had access to transmission cables and highly sophistication equipment, as well as special authorisation. It was an isolated endeavour. Today, transferring information has become ubiquitous,” says Dietmar Hilke, director of Business Development and Cyber Security with Thales in Germany. “I can go into any wireless lounge and ‘sniff’ for transmissions using off-the-shelf equipment. I can do man-in-the-middle attacks and harvest PINs, credit card information and banking details. And I can do it with standard hardware and open source software that I can find on the net. The threat has moved from a highly sophisticated group of people to almost anyone.”
According to Hilke, our increasingly digital lives have led to a change in what he calls the threat vector. And it’s not just transmission of data that is vulnerable – computer malware is being used to harvest more and more valuable information from unsuspecting parties. Cloud computing is being used to store ever more data on third-party servers, trusting our private information to other people’s systems. The more connected we are, the more vulnerable we become.
“Securing information in transmission is no longer enough. Increased social interaction online means that we need end-to-end cryptography,” says Hilke.
Cryptography relies on taking information, known as plaintext, and encrypting it so that it is rendered unintelligible. Encryption uses a cipher, which is a mathematical algorithm, and a “key” or secret piece of information. Attackers can obtain the cipher text and may even know the encryption method but, without the key, they will not be able to break the code and read the plaintext.
It is the mathematical equivalent of putting a message in a locked box. The difficulty is in transmitting the key securely. Eric Garrido, head of the Communications & Security cryptographic team at Thales specialises in the design and evaluation of cryptographic systems.
“Even if you have a good mathematical solution, we have to be sure that they are securely implemented,” says Garrido. “Bad hardware or software is like locking the door but leaving a window open.”
PayTV is a case in point: broadcasters send encrypted content to subscribers and give users individual keys. The broadcast is the same but each key is different. This technology originated in the early 1990s but it’s now in need of updating. This was the subject of a recent collaboration between Thales and Swiss digital media company Nagra.
“All the old protocols were too theoretical to be practical. There is a big gap between theory and practice. The goal was to make them realistic in practice,” says David Pointcheval, head of the crypto team at École normale supérieure, Paris, who worked on the collaboration.
The cost of hardware and software development is the main limitation when designing practical decryption systems. For example, the set top box needed to perform decryption for PayTV subscribers must be both simple and cheap to produce. As a consequence, the quality of the mathematical decryption can suffer, making the systems easier to hack by non-subscribers.
Another consideration is that the larger a system becomes, the bigger a target it becomes for hackers. Numerous websites and apps brag that they can help hack specific social media sites like Facebook, Twitter and Instagram, putting all of our privacy at risk.
Then there is the escalation in the hacking of military and government targets. On 12 January 2015, the US Central Command’s social media accounts were hacked by alleged Islamists. Although the US military’s Twitter account is hardly going to be as encrypted as its classified servers, breaches like this point to a dangerous future.
“One thing is stealing information, but once I can do that, I can then manipulate that information and create real physical damage to systems,” says Hilke.
In 2010, the Stuxnet programme was uncovered. It attacked specific types of Programmable Logic Controllers (PLCs), designed to regulate industrial hardware by processing input from the machines to keep them within correct operating parameters. Stuxnet inserted random commands to the machinery while supplying normal looking settings to the users. It targeted the PLCs used in Iran’s nuclear centrifuges, reportedly destroying a fifth of them by making them spin beyond their design limits. This is only the beginning according to Hilke.
“Imagine attacking a warship. You are not going to get into the maximum security weapons management system, but you may get into the engine control system where you can command the turbines so that they will be destroyed. Think about how much investment is needed to damage the ship in that way, and compare it with a ship-to-ship missile,” says Hilke.
It is a frightening comparison. He estimates that, for the price of an armoured tank, up to a thousand people a year can be employed to launch cyber attacks: “It brings it from the abstract theft of information into the realm of creating real damage,” says Hilke.