A Brief History of Cryptography

From Caesar to Honeypots

90% of the world's data was generated in the last two years. To keep pace with this massive proliferation of data creation and transmission, cryptographers have been working overtime to engineer increasingly complex encryption techniques.         

In truth, the art of cryptography is a double-task: first, the information must be encrypted, but then the decryption key must also be made available to the correct, and only the correct, recipient. In some ways, the second task is far more difficult. Here, we consider five historical methods of encryption as well as several strategies that are employed today.

Early Cryptography
1. Caesar Cipher
When Julius Caesar needed to send secret messages to his military leaders in the field, he invented something called a substitution cipher. The key to substitution ciphers is the shift value. For example, if we wanted to encrypt the word dog using a shift value of -2, we'd end up with bme, by replacing each letter with the one two places earlier in the alphabet.

Clearly, this form of encryption is hardly secure; it suffers from three immediate problems. Firstly, there is the problem of conveying the shift value to the generals on the front. You couldn't exactly print it at the top of the letter. Furthermore, even if the recipient has the shift value (perhaps you included it in an earlier letter), the Caesar Cipher suffers from something called Patternization. In English, for example, the most common letter is e. Someone wishing to crack the code could simply find the most common letter in the encrypted message, deduce the relevant shift value, and then proceed to decrypt the entire message. Alternatively, you could find the words with only one letter, assume that it's the letter a, and perform a similar deduction. Finally, since there are 25 possible shift values in English, you could simply go through them one by one until you hit upon the correct one.

2. Scytale
A quite different form of encryption was developed by the Spartans that seems, at first glance, to have solved some of the problems above. The Scytale Cipher was created by taking a short pole, wrapping it in tape, and then writing length-wise across the pole. Once the tape is unwound from the pole, the text will be illegible. The key, then, is the diameter of the pole used.

Of course, the pole diameter used during encryption will still need to be transmitted to the recipient, but at least issues related to Patternization are less obvious. However, since the message is written in plaintext, in some ways it becomes easier to spot words throughout the sequence.

3. Vigenere
Skipping ahead to 1553, an Italian by the name of Giovan Battista Bellaso created an updated version of the Caesar Cipher that remained unsolved until 1863, earning it the name of le chiffre indechiffrable ('the indecipherable cipher'). In this form, each letter of the message has its own shift value, determined by the cipher key. Accordingly, even if you solve one word in the message, it won't help you in solving the rest of the message, assuming that your cipher key is long enough (i.e. has enough bits) not to repeat itself.

4. Vernam
The Vernam Cipher, also know as a one-time pad (OTP), is the only existing code that has been mathematically proven to be unbreakable. The trick? Create a Vigenere Cipher with a key which has at least as many bits as the message to be concealed, and then destroy the key after each use. The Soviets took this one step further by creating OTPs which were so small that you needed a special magnifying glass to read them. The idea being that the more layers of randomization that are included in the encryption process will make the decryption process exponentially more difficult.

Although mostly defunct, due to the difficulty involved in distributing the keys, OTPs are currently reserved for emergency scenarios in which standard forms of encryption are made unavailable (e.g. if electronic communication is cut off).

5. Enigma
The Enigma, used by Germany in WWII, used a method called rotary encryption. Although the concept is essentially the same as other substitution methods, Enigma used a series of disks which would be inserted in a machine according to a specific sequence (the key) which would decode the message for you. After the original version, containing three disks, was cracked, the Germans simply added a fourth disk, making the Enigma virtually unbreakable.

The only way that the Allies were able to finally decrypt Enigma was by noticing patterns in the texts (e.g. each transmission began with the date) and with help from an early computer created by Alan Turing.

In all of these forms of encryption, it is important to remember that the problem of transmitting the key was never solved. In some way or another, you had to provide the key to your recipient outside of the encrypted message (i.e. 'out-of-band'), and then pray that no one else discovered it. This has become known as symmetric encryption (the same key is used for both encryption and decryption). But everything changed with the invention of asymmetric encryption.

Modern Cryptography
1. RSA
Think of asymmetric encryption as using a lock-and-key method. Anyone can use my lock, but only I have access to the key to unlock it. Now, let's say that Bob wants to send a message to Sally. Instead of Bob 'locking' the message with his own lock, and then sending his key to Sally (as we saw above), he can simply lock the message with Sally's lock (which is made public), and now Sally can use her private key to unlock it. Sally, in return, will use Bob's public lock when sending him a message, for Bob to unlock with his private key. In this way, neither Sally nor Bob need to share their private key with each other.

Nowadays we call this public-key encryption, and one of its first applications was in the RSA encryption system developed in the late 70s. (RSA stands for Rivest Shamir Adleman, the MIT cryptographers who developed it.)

2. Salt
Salting is part of the process commonly used to encrypt passwords and has been in use since the 70s. Simply put, the 'salt' is a random string of alphanumeric characters added to the end of the password before it's encrypted. That way, even after the password has be decrypted, you will still need to 'subtract' the salt before you can use the password. Salting has been very successful to combat the rise of hash-tables (a list of common passwords along with their encrypted format). In other words, even if you use a common password, once the salt is sprinkled on top, it will be sufficiently unique so that the encrypted form of the password won't be recognizable.

To illustrate, let's say you set your password as 'password'. Since this is very common, the encrypted version of the password will also be quite well known (and therefore included in the would-be attacker's hash table). However, once the password is salted, it may turn out to be something like 'password2nUD?!830dFN' (with the additional characters being added at random). Now, once the salted password is passed through the encryption algorithm, it will produce a unique value that is virtually impossible to reverse engineer.

3. Advanced Encryption Standard (AES)
Since 2001, AES has become the default encryption mechanism for the US government. AES relies on a method known as substitution-permutation networking, in which the results from the first round of encryption is fed into a second round of encryption, whose results are fed into a third round, and so on. Accordingly, a slight shift in the plaintext will be increasingly magnified through each round of encryption, resulting in an untraceable final product.

As AES becomes more accepted, the former encryption standard, the Data Encryption Standard (DES), is considered to be vulnerable and to be avoided.

The Future of Cryptography
From behind the screens of increasingly powerful computers, a global battle is being waged between cryptographers and hackers (whether they be state-backed, criminals, NSOs, or hobbyists). As technical cryptography has advanced to a stage where it can be virtually impenetrable, hackers have come to increasingly rely on social-engineering attacks to create the first crack in the armor of an organization. The future of cryptography, then, lies in developing psychological techniques to both guard against social engineering as well as confuse any potential attackers.

Two particularly successful approaches are Two-Factor Authentication (TFA) and Honeypots. A common form of TFA is where an SMS is sent to your phone with a unique PIN that is needed in addition to your password. That way, even if a social hacker was able to get your password, they would still be helpless without access to your phone.

Honeypots, on the other hand, involve creating legitimate-seeming data, but isolating it from the main network and monitoring it closely. This has the benefits of (1) tricking the attackers into thinking they've successfully penetrated the network, (2) frustrating the attackers once they realize that they've been fooled, (3) alerting the organization to the presence of attackers.

For better or worse, the weakest link in your organization is almost certainly your people. Accordingly, any cybersecurity strategy must create a dynamic of shared responsibility at its core if it is to be at all effective. This means introducing training workshops, awareness programs, and top-down messaging that shows employees that your organization takes cybersecurity seriously. Cybersecurity is only secure when it's everyone's responsibility.

About Silent Breach: Silent Breach is an award-winning provider of cyber security services. Our global team provides cutting-edge insights and expertise across the Data Center, Enterprise, SME, Retail, Government, Finance, Education, Automotive, Hospitality, Healthcare and IoT industries.