90% of the world's data was generated in the last two years. To keep pace with this massive proliferation of data creation and transmission, cryptographers have
been working overtime to engineer increasingly complex encryption techniques.
About Silent Breach: Silent Breach is an award-winning provider of cyber security services. Our global team provides cutting-edge insights and expertise across the Data Center, Enterprise, SME, Retail, Government, Finance, Education, Automotive, Hospitality, Healthcare and IoT industries.
In truth, the art of cryptography is a double-task: first, the information must be encrypted, but then the decryption key must also be made available to the
correct, and only the correct, recipient. In some ways, the second task is far more difficult. Here, we consider five historical methods of encryption as well as
several strategies that are employed today.
1. Caesar Cipher
When Julius Caesar needed to send secret messages to his military leaders in the field, he invented something called a substitution cipher. The key to
substitution ciphers is the shift value. For example, if we wanted to encrypt the word dog using a shift value of -2, we'd end up with bme, by replacing each
letter with the one two places earlier in the alphabet.
Clearly, this form of encryption is hardly secure; it suffers from three immediate problems. Firstly, there is the problem of conveying the shift value to the
generals on the front. You couldn't exactly print it at the top of the letter. Furthermore, even if the recipient has the shift value (perhaps you included it in
an earlier letter), the Caesar Cipher suffers from something called Patternization. In English, for example, the most common letter is e. Someone wishing to crack
the code could simply find the most common letter in the encrypted message, deduce the relevant shift value, and then proceed to decrypt the entire message.
Alternatively, you could find the words with only one letter, assume that it's the letter a, and perform a similar deduction. Finally, since there are 25 possible
shift values in English, you could simply go through them one by one until you hit upon the correct one.
A quite different form of encryption was developed by the Spartans that seems, at first glance, to have solved some of the problems above. The Scytale Cipher was
created by taking a short pole, wrapping it in tape, and then writing length-wise across the pole. Once the tape is unwound from the
pole, the text will be illegible. The key, then, is the diameter of the pole used.
Of course, the pole diameter used during encryption will still need to be transmitted to the recipient, but at least issues related to Patternization are less
obvious. However, since the message is written in plaintext, in some ways it becomes easier to spot words throughout the sequence.
Skipping ahead to 1553, an Italian by the name of Giovan Battista Bellaso created an updated version of the Caesar Cipher that remained unsolved until 1863,
earning it the name of le chiffre indechiffrable ('the indecipherable cipher'). In this form, each letter of the message has its own shift value, determined by
the cipher key. Accordingly, even if you solve one word in the message, it won't help you in solving the rest of the message, assuming that your cipher key is
long enough (i.e. has enough bits) not to repeat itself.
The Vernam Cipher, also know as a one-time pad (OTP), is the only existing code that has been mathematically proven to be unbreakable. The trick? Create a
Vigenere Cipher with a key which has at least as many bits as the message to be concealed, and then destroy the key after each use. The Soviets took this one
step further by creating OTPs which were so small that you needed a special magnifying glass to read them. The idea being that the more layers of randomization
that are included in the encryption process will make the decryption process exponentially more difficult.
Although mostly defunct, due to the difficulty involved in distributing the keys, OTPs are currently reserved for
emergency scenarios in which standard forms of encryption are made unavailable (e.g. if electronic
communication is cut off).
The Enigma, used by Germany in WWII, used a method called rotary encryption. Although the concept is essentially the same as other substitution methods, Enigma
used a series of disks which would be inserted in a machine according to a specific sequence (the key) which would decode the message for you. After the original
version, containing three disks, was cracked, the Germans simply added a fourth disk, making the Enigma virtually unbreakable.
The only way that the Allies were able to finally decrypt Enigma was by noticing patterns in the texts (e.g. each transmission began with the date) and with help
from an early computer created by Alan Turing.
In all of these forms of encryption, it is important to remember that the problem of transmitting the key was never solved. In some way or another, you had to
provide the key to your recipient outside of the encrypted message (i.e. 'out-of-band'), and then pray that no one else discovered it. This has become known as
symmetric encryption (the same key is used for both encryption and decryption). But everything changed with the invention of asymmetric encryption.
Think of asymmetric encryption as using a lock-and-key method. Anyone can use my lock, but only I have access to the key to unlock it. Now, let's say that Bob
wants to send a message to Sally. Instead of Bob 'locking' the message with his own lock, and then sending his key to Sally (as we saw above), he can simply lock
the message with Sally's lock (which is made public), and now Sally can use her private key to unlock it. Sally, in return, will use Bob's public lock when sending
him a message, for Bob to unlock with his private key. In this way, neither Sally nor Bob need to share their private key with each other.
Nowadays we call this public-key encryption, and one of its first applications was in the RSA encryption system developed in the late 70s. (RSA stands for Rivest
Shamir Adleman, the MIT cryptographers who developed it.)
Salting is part of the process commonly used to encrypt passwords and has been in use since the 70s. Simply put, the 'salt' is a random string of alphanumeric
characters added to the end of the password before it's encrypted. That way, even after the password has be decrypted, you will still need to 'subtract' the salt
before you can use the password. Salting has been very successful to combat the rise of hash-tables (a list of common passwords along with their encrypted format).
In other words, even if you use a common password, once the salt is sprinkled on top, it will be sufficiently unique so that the encrypted form of the password
won't be recognizable.
To illustrate, let's say you set your password as 'password'. Since this is very common, the encrypted version of the password will also be quite well known
(and therefore included in the would-be attacker's hash table). However, once the password is salted, it may turn out to be something like 'password2nUD?!830dFN'
(with the additional characters being added at random). Now, once the salted password is passed through the encryption algorithm, it will produce a unique value
that is virtually impossible to reverse engineer.
3. Advanced Encryption Standard (AES)
Since 2001, AES has become the default encryption mechanism for the US government. AES relies on a method known as substitution-permutation networking, in which
the results from the first round of encryption is fed into a second round of encryption, whose results are fed into a third round, and so on. Accordingly, a
slight shift in the plaintext will be increasingly magnified through each round of encryption, resulting in an untraceable final product.
As AES becomes more accepted, the former encryption standard, the Data Encryption Standard (DES), is considered to be vulnerable and to be avoided.
The Future of Cryptography
From behind the screens of increasingly powerful computers, a global battle is being waged between cryptographers and hackers (whether they be
state-backed, criminals, NSOs, or hobbyists). As technical cryptography has advanced to a stage where it can be virtually impenetrable, hackers have come to
increasingly rely on social-engineering attacks to create the first crack in the armor of an organization. The
future of cryptography, then, lies in developing psychological techniques to both guard against social engineering as
well as confuse any potential attackers.
Two particularly successful approaches are Two-Factor Authentication (TFA) and Honeypots. A common form of TFA is where an SMS is sent to your phone with a
unique PIN that is needed in addition to your password. That way, even if a social hacker was able to get your password, they would still be helpless without
access to your phone.
Honeypots, on the other hand, involve creating legitimate-seeming data, but isolating it from the main network and monitoring it closely. This has the benefits
of (1) tricking the attackers into thinking they've successfully penetrated the network, (2) frustrating the attackers once they realize that they've been
fooled, (3) alerting the organization to the presence of attackers.
For better or worse, the weakest link in your organization is almost certainly your people. Accordingly, any cybersecurity strategy must create a dynamic of
shared responsibility at its core if it is to be at all effective. This means introducing training workshops,
awareness programs, and top-down messaging that shows employees that your organization takes cybersecurity seriously.
Cybersecurity is only secure when it's everyone's responsibility.