In this blog, our partners at East Midlands Special Operations Unit (EMSOU) explain how Cryptography works and why you need to know about it.
This article has been written by EMSOU and seeks to promote good cyber security among businesses and the public. If you require any further assistance or guidance please contact the EMSOU Protect Team or your local Force Protect Team.
So first off, what is Cryptography?
Cryptography is a method of protecting information and communications through the use of codes, so that only those for whom the information is intended can read and process it.
Essentially, its the art of writing and solving codes.
Cryptography is an essential part of cyber security and below are some examples of how often it is used.
Want to protect the confidentiality of your data? Use symmetric or asymmetric cryptography.
Want to demonstrate that a file has not been maliciously altered in transit? Use cryptographic hashing.
Want undeniable proof of who sent a message? Use digital signatures created using cryptography.
So it begs to ask the question, what would be the consequence of cybercriminals being able to crack the code? Suddenly online banking, or any “secure” transaction doesn’t sound so attractive.
How We Use Cryptography
Cryptography provides security to information and IT systems in three main ways - encryption, integrity and authentication.
Encryption - Scrambling data using a key and a complex algorithm. A key is usually a very big, very random number. An algorithm is just a step by step set of rules that determine how the data will be scrambled.
How Does Basic Encryption Work?
Step 1: Turn a message into a series of 1s and 0s (binary).
Step 2: Swap the bits around so you can’t remember what went where.
Step 3: Now turn some 0s into 1s and some 1s into 0s.
Step 4: Turn the key into binary, and throw that into the mix.
Step 5: Repeat steps 1-4 multiple times and turn the binary back into text.
Now you have a message that looks like complete gibberish and can only be turned back into plain text if you know what the key was and how it was used.
Today’s computers can’t calculate the original key in any meaningful time frame – it can be done, but you might have to wait many lifetimes before you have your answer. With Quantum computing this could be reduced this to seconds.
Why is this a problem?
A malicious hacker could store an encrypted message to decrypt it sometime in the future – when a sufficiently powerful quantum computer exists.
Information with a medium or long lifespan (i.e. it will still require protection in 10 or more years) could therefore be at risk of decryption.
Integrity.
Integrity, the guarantee that it has not been modified or altered, is vital in business communications.
How do we achieve integrity?
Step 1: Take piece of text; an image, a sound file, a movie, or a piece of software and convert it to binary.
Step 2: Take a key - a very big number - and turn that into binary too.
Step 3: Mash them together using a ‘hash’ algorithm. Now you have a fixed length string of characters that looks like total gobbledegook (called the digest).
The Important Bit:
Changing just one bit of the original message then the output (or the digest) looks completely different.
The recipient can run the message through the same hash algorithm and pick up the slightest change to the file whilst in transit – perhaps to plant malware, for example.
So What’s The Problem?
The power of Quantum computers means they should be able to crack these hashing algorithms quickly and easily. A hacker could change the contents of a file or a message and the digest would look legit.
Without quantum computers, the growth in computing power means we have already cracked MD5, SHA 1 and potentially SHA 2. These are, or have been, the most commonly used hashing algorithms to date. Indeed, they are also used to store usernames and passwords.
Authentication
For example, when you visit the bank’s website, you need to know that you are actually talking to the bank. To confirm our identity, we use cryptography.
It works like this:
Step 1: The website generates two keys that are inextricably linked together. One key they keep for themselves (called the private key), and the other is published for the world to see (called the public key). If you encrypt something with the private key, only the public key can decrypt it and vice versa.
Step 2: Take a message.
Step 3: Encrypt it with your private key (this is called a digital signature)
Step 4: If the recipient decrypts the message with the public key, they must be talking to someone who has the linked private key.
So What’s The Problem?
Using sufficiently powerful quantum computers, a hacker could derive the private key from the public one, something that is not currently feasible, and impersonate a trusted organisation or vendor.
Mitigation Strategies
Evaluate the sensitivity of your organization’s information and determine its lifespan to identify information that may be at risk. Never keep information longer than it is required.
Review your IT lifecycle management and develop plans to transition to quantum-resistant cryptography when available. This is known as QKD.
Budget for potentially significant software and hardware updates, as the timeframe for necessary replacement approaches.
Educate yourself and your teams on the emerging quantum threat and future quantum technologies.
Ask vendors about their plans to implement quantum safe cryptography. Do vendors plan to include quantum-safe cryptography in future updates, or will you need to acquire new hardware or software?).
Ensure that your vendor is using standardized, validated cryptography.
Determine how and when able to implement post-quantum algorithms in life-cycle plan.
Update and patch systems frequently.
Reporting
Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to report@phishing.gov.uk. Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).