Cryptography for all

This article was written by Dr Stuart Clark and published in the Innovations magazine #5.

You could be forgiven for thinking that cryptography is the preserve of spies and governments. Indeed for many years this would have been true, but no longer. Today, as we leave more and more of our data online, our networked lives are increasingly in need of protection.
 
“In the past, spying was possible only for agencies that had access to transmission cables and highly sophistication equipment, as well as special authorisation. It was an isolated endeavour. Today, transferring information has become ubiquitous,” says Dietmar Hilke, director of Business Development and Cyber Security with Thales in Germany. “I can go into any wireless lounge and ‘sniff’ for transmissions using off-the-shelf equipment. I can do man-in-the-middle attacks and harvest PINs, credit card information and banking details. And I can do it with standard hardware and open source software that I can find on the net. The threat has moved from a highly sophisticated group of people to almost anyone.”

According to Hilke, our increasingly digital lives have led to a change in what he calls the threat vector. And it’s not just transmission of data that is vulnerable – computer malware is being used to harvest more and more valuable information from unsuspecting parties. Cloud computing is being used to store ever more data on third-party servers, trusting our private information to other people’s systems. The more connected we are, the more vulnerable we become.
“Securing information in transmission is no longer enough. Increased social interaction online means that we need end-to-end cryptography,” says Hilke.
Cryptography relies on taking information, known as plaintext, and encrypting it so that it is rendered unintelligible. Encryption uses a cipher, which is a mathematical algorithm, and a “key” or secret piece of information. Attackers can obtain the cipher text and may even know the encryption method but, without the key, they will not be able to break the code and read the plaintext.

It is the mathematical equivalent of putting a message in a locked box. The difficulty is in transmitting the key securely. Eric Garrido, head of the Communications & Security cryptographic team at Thales specialises in the design and evaluation of cryptographic systems.

“Even if you have a good mathematical solution, we have to be sure that they are securely implemented,” says Garrido. “Bad hardware or software is like locking the door but leaving a window open.”

PayTV is a case in point: broadcasters send encrypted content to subscribers and give users individual keys. The broadcast is the same but each key is different. This technology originated in the early 1990s but it’s now in need of updating. This was the subject of a recent collaboration between Thales and Swiss digital media company Nagra.

“All the old protocols were too theoretical to be practical. There is a big gap between theory and practice. The goal was to make them realistic in practice,” says David Pointcheval, head of the crypto team at École normale supérieure, Paris, who worked on the collaboration.
The cost of hardware and software development is the main limitation when designing practical decryption systems. For example, the set top box needed to perform decryption for PayTV subscribers must be both simple and cheap to produce. As a consequence, the quality of the mathematical decryption can suffer, making the systems easier to hack by non-subscribers.

Another consideration is that the larger a system becomes, the bigger a target it becomes for hackers. Numerous websites and apps brag that they can help hack specific social media sites like Facebook, Twitter and Instagram, putting all of our privacy at risk.

Then there is the escalation in the hacking of military and government targets. On 12 January 2015, the US Central Command’s social media accounts were hacked by alleged Islamists. Although the US military’s Twitter account is hardly going to be as encrypted as its classified servers, breaches like this point to a dangerous future.

“One thing is stealing information, but once I can do that, I can then manipulate that information and create real physical damage to systems,” says Hilke.

In 2010, the Stuxnet programme was uncovered. It attacked specific types of Programmable Logic Controllers (PLCs), designed to regulate industrial hardware by processing input from the machines to keep them within correct operating parameters. Stuxnet inserted random commands to the machinery while supplying normal looking settings to the users. It targeted the PLCs used in Iran’s nuclear centrifuges, reportedly destroying a fifth of them by making them spin beyond their design limits. This is only the beginning according to Hilke.

“Imagine attacking a warship. You are not going to get into the maximum security weapons management system, but you may get into the engine control system where you can command the turbines so that they will be destroyed. Think about how much investment is needed to damage the ship in that way, and compare it with a ship-to-ship missile,” says Hilke.

It is a frightening comparison. He estimates that, for the price of an armoured tank, up to a thousand people a year can be employed to launch cyber attacks: “It brings it from the abstract theft of information into the realm of creating real damage,” says Hilke.

Encryption: by the numbers

The 2015 Global Encryption and Key Management Trends Study, based on independent research by the Ponemon Institute in the United States and sponsored by Thales, revealed that the use of encryption continues to grow in response to consumer concerns, privacy compliance regulations and ongoing cyber attacks.
According to the survey of more than 4,700 business and IT managers in the US, UK, Germany, France, Australia, Japan, Brazil, Russia, India and Mexico:
34%
use encryption extensively
36%
have an enterprise-wide encryption strategy
1/2
believe that encryption removes the need to disclose a breach
+1/2
identified key management as a major pain point, due to lack of corporate ownership, fragmented systems and inadequate tools
+1/2
view hardware security modules as an important part of a key management strategy
N°1
perceived threat is employee error
Las 3
reasons for deploying encryption are compliance with data protection mandates, to address specific security threats and to reduce the scope of compliance audits

Standards of security

Cryptography is more important than ever and it is an ever-changing game.The current gold standard is known as RSA encryption. Described by MIT academics Ron Rivest, Adi Shamir and Leonard Adleman in 1977, it is like sending an open lock to the person wanting to send an encrypted message. The sender of the lock keeps the key to open the message when it is sent back.

The algorithm multiplies two large prime numbers together to produce an even larger number. Factorising the result is easy if you have the prime number key but almost impossible without.
“At the moment, we don’t know how to factor numbers that are larger than 600 digits efficiently. It could take dozens of years even with the most powerful computers,” says Pointcheval. Does this solve the problem? Is our data completely secure if we use this system?

Sadly, not. Although factorising such vast numbers is almost impossible at the moment, scientists and engineers are working to build quantum computers that perform calculations in a fundamentally different way.

“If a quantum computer comes along in the next few years, then all the keys are broken,” says Pointcheval. As a result, Thales is working on new enciphering methods that even quantum computers would find difficult, if not impossible, to break.

Another goal is to develop so-called “fully homomorphic encryption” – what Hilke means by end-to-end encryption. It would guarantee privacy by keeping data encrypted even as it was being processed by a remote server. Pointcheval says it is exactly what is needed to make cloud computing safe.

At the moment, even if you encrypt data for transmission, it must be decrypted before it can be evaluated. Every time you return to the plaintext, the data becomes vulnerable. In the wake of the Edward Snowden leaks, which revealed the degree to which personal data was being accessed by certain government agencies, privacy has leapt to the fore for digital media companies. Guaranteeing privacy is now the number one priority and homomorphic encryption is the Holy Grail.

“With a homomorphic system, it is possible to manipulate data in a fully encrypted way. You send the cloud encrypted information. It will do any computation that you wish and send you back the answer, still fully encrypted. Since you are the only one who knows the key, you are the only one who can read the answer. The cloud never sees the unencrypted input or the output. It sounds like magic but with such functionality, you could do a google search that even google wouldn’t know what you are searching for. You can get answers without the person you are querying ever knowing what you are searching for,” says Pointcheval.

Of course as soon as these systems are perfected – meaning that Internet users can do anything with guaranteed anonymity –  there will inevitable be a dialogue about the needs of national security agencies to intercept communications to keep us safe. All in all, cryptography is set to become more and more important to all of us as time goes by.

Cybersecurity: tailored responses to critical challenges

An essential operator of a city, an energy provider company is victim of a cyber-attack. The impact of the attack is increasing due to a lack of risk prevention. Thales, European leader in cybersecurity, is contacted to counter the cyber-attack. The attack is detected, located and measures are put in place to protect the system. The information system is now secured.
1:00