When Apple and the FBI got into it in early 2016 over the company’s refusal to decrypt an iPhone that belonged to one of the two terrorists involved in the San Bernardino massacre, the media coverage opened a small window into the world of cybersecurity that most consumers rarely see into.
While sending important business email, entering credit card information for an order from Amazon, or managing personal finances online, we all rely on something that cybersecurity specialists at Apple and elsewhere work hard to manage: secure encryption algorithms.
Even though Apple CEO Tim Cook stuck to his guns, the phone’s encryption was broken all the same when the FBI went to a small Israeli cybersecurity firm that was able to crack the phone.
The media coverage abated, and most consumers paid very little attention to the bigger implications: Our iPhones might not be all that secure after all. And to date, the security hole used to crack the phone has not been disclosed or patched.
Like Apple, almost every business relies on maintaining the security of data on devices they make or operate. And although we are generally unaware of it, so do most users. Strong cryptographic standards are the only thing that make things like reliable email, secure credit card transactions, and even safe web browsing possible.
Secure encryption isn’t an abstraction to information security professionals. Instead, it’s the most vital tool in their toolbox for verifying identity, securing networks, and transmitting information safely between users.
Dealing with the tricky, complex realities of modern cryptography often falls to cybersecurity researchers with advanced degrees.
Cryptography: The Ancient Practice Underlying Modern Life
Encryption is nearly as old as written communication. Non-standard Egyptian hieroglyphics found carved into monuments around 1900 BCE hint at a desire to communicate information securely between only those with the knowledge necessary to decipher the symbols.
Early cipher schemes seem laughably rudimentary to modern specialists, but the history of cryptography even up until today remains a constant battle between encryption and decryption. Every advance in the field that has been touted as unbreakable has eventually been broken.
Many of the vulnerabilities in ciphers – both new and old – have come from the need to distribute the keys to unlock them. Encrypting data is worthless unless the people who need to use it can decrypt it. But distributing such a key both widely and securely is contradictory. With millions of anonymous users, the modern Internet could never function with such a scheme.
The Birth of Asymmetric Encryption
But in the late 1970s, two new cryptographic methods were introduced, each making use of two keys. One key, to decrypt, had to remain secret—but the other, to encrypt, could be made public without fear of revealing the secret decryption key.
The methods (Diffie-Hellman and RSA), known as asymmetric encryption (because each key only worked one way– asymmetrically), were not as strong as traditional shared secret key encryptions, but they did offer a new way to share that secret key securely.
Equally important to modern networks, this system is capable of both securing data and verifying identity, covering the two basic tenets of access control all in one package. Since only the owner could know a private key, it became a sort of super-password– only that person could decrypt a message encrypted with the corresponding public key. To this day, digital signatures are rooted in asymmetric encryption schemes.
A protocol called TLS, Transport Layer Security, is the foundation of the modern Internet. It uses asymmetric keys to authenticate a server identity and negotiate a shared secret session key that the browser and server will then use to encrypt further traffic between them. The scheme prevents eavesdropping, man-in-the-middle attacks, and spoofing.
For all the failures in credit card and personal data protection that have hit the news in recent years, almost none have resulted from encryption failures.
The Double-Edged Sword for Cybersecurity Specialists: How Terrorists and Cybercriminals Hide Behind Encryption
As powerful a tool as cryptography has become for white hat information security professionals, it has also introduced a significant obstacle for many of them: cybercriminals and terrorists have begun to exploit the power of encryption to their own ends.
As with the San Bernardino shooters, terrorists of all stripes around the world have taken operational security to heart and begun to encrypt their own planning and communication channels, often using the same popular, commercially available ciphers that governments and businesses use to secure their own data. In fact, ISIS terrorists have taken to using the popular, heavily encrypted Telegram Messenger app to connect with one another privately.
But run-of-the-mill cybercriminals are also taking advantage of modern cryptography. “Ransomware” is the latest trend in online crime. Using viruses that exploit other security holes in computer systems, hackers insert code that seeks out and encrypts data files on the infected machines, and only the hackers hold the key necessary to decrypt them.
Hackers then contact the hapless victim of the cyberattack, who is by then trying in vane to access their files, demanding money in exchange for the key necessary to decrypt the data. In one recent example of a ransomware scheme, a Los Angeles hospital was forced to pay $17,000 to unlock vital patient and financial data that had been encrypted on their internal network.
Everything You Need To Know About Cryptography Can Be Learned by Studying Cybersecurity at the Master’s Level
For most cybersecurity specialists, the details of the mathematical theory behind the cryptographic methods they invoke everyday in the course of their jobs will be too complex to track. More important for them is the ability to stay up to date with strong and weak ciphers, and to select the correct family of cryptographic functions for the task at hand. Most encryption failures in cybersecurity do not result from a crack in the algorithms used, but rather a misapplication of the encryption scheme to the requirements of the system.
Still, there will always be a need in the cybersecurity community for specialists who can understand and evolve the field of cryptography to keep up with modern threats and computing capabilities. Master’s-prepared cryptographers are those specialists.
Cryptographers have to be expert mathematicians, but they also should be cunning puzzle players. There is no escaping the need for mathematical rigor in cryptographic design or analysis, but there is no denying that intuition and ingenuity are also of key importance.
Although cryptography remains a game of math and theory, the proving ground, and the potential of any algorithm, is defined by the state of the art in technology.
Much has been made of algorithms with keys that would theoretically require thousands or millions of years to break with modern processors. But the processors keep getting faster, and with quantum computing on the horizon, the implications for both encryption and decryption are overwhelmingly dependent on technology.