Cryptography Overview and Background












by Faulkner Staff

Docid: 00021373

Publication Date: 2111

Report Type: TUTORIAL

Preview

For enterprise and institutional purposes, cryptography has
two uses: to ensure privacy and to secure digital assets like data and
intellectual property. This has become vastly more difficult as the
nature of threats has evolved, sources of attack have burgeoned, and
the excessive reliance on aging encryption techniques has driven
innovation in hacking and dark communication.

Executive Summary

For an enterprise, the Internet can be a battlefield populated with
highly adaptive, determined opponents. Creating well-thought-out,
durable defenses and strategies is harder than it has ever been. We are
currently seeing advances in both encryption and code-breaking
techniques occur at a fierce pace. It is crucial to stay abreast of
these because game-changing breakthroughs on both sides are not very far
off. One thing is certain: Security and privacy can neither be created
nor sustained by encryption technologies alone. Success demands ongoing
expert evaluation, executive-level policy making, and a means of
ensuring security policy compliance from the top to the bottom of the
organization.

Key Defensive Mandates Going Forward

  • Become literate in threat assessment tools and technologies. Good
    resources include the Baldrige Cybersecurity Excellence Builder,
    available as a free download from the US National Institute of
    Standards and Technology.
  • Create specific, verifiable accountability within the organization
    for securing all connected devices. Mandate the use of unique,
    frequently updated hard passwords and two-factor authentication
    (2FA) measures.
  • Be as aware of what leaves enterprise networks and systems as what
    enters. Many techniques for exfiltration of stolen data are subtle,
    gradual, and rely on exploitation of apparently innocuous media
    files.
  • Practical quantum computing is coming, with some already claiming to
    have useful designs in the works or nearing completion. When it
    happens, current public key encryption techniques will fail. New
    techniques will be required. Stay abreast of developments in
    post-quantum encryption techniques now under development by Google,
    IBM, and others.

Key Defensive Strategy Principles Near Term

  • Cryptography is only one element of a security ecosystem.
  • Maintaining the security, integrity, and privacy of enterprise data
    and communications is a top-to-bottom, mission critical requirement
    of an enterprise.
  • Securing all devices that have wireless access to the enterprise
    network – even those that are only intermittently connected – should
    be an auditable, frequently measured top-tier enterprise objective.

Description


Since the mid-1970s, online data transfers have been secured with
encryption using public key cryptography. Public key cryptography
supports not only data encryption but also the management of
cryptographic keys and the creation of digital signatures. (Key
management is the means by which secret keys used in cryptographic
algorithms are distributed. A digital signature authenticates the source
of data and guarantees data integrity.)

For nearly four decades, public key cryptography has been the
pillar of secure communication and data storage. Though the math has
evolved over time, most encryption relies on two basic techniques:

  • Hard Problems: In cryptography, something called a “hard problem”
    doesn’t mean that it is difficult to conceptualize a series of steps
    that yield a correct solution to the problem; rather, it means that
    finding the correct solution is computationally intensive and
    demands such large amounts of time and resources that it is
    impractical. One of the most common kinds of hard problems involves
    factoring large numbers.
  • One-Way Functions: Some mathematical operations are simple to do but
    very difficult and time consuming to reverse. For example, if
    computing the result of a function takes milliseconds but recovering
    the original inputs from that result takes an indeterminate period
    of time (weeks, months, or even years), then that function is
    considered to be one-way. Of key importance here is that no one has
    yet devised a way to mathematically prove any specific function is
    always one-way.

In practice, virtually all public key cryptography systems in
use today (including browser-based security, encrypted data storage,
and secure communications channels) are based on a combination of hard
problems and presumptive one-way functions.
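
The asymmetry described above, as an added illustration that is not part of the original report: multiplying two primes is one operation, while recovering them by search takes work that grows sixteen-fold for every four bits added to the primes. Function names are assumptions, and trial division is used only because it is the simplest factoring method to count; faster algorithms exist, but the gap between the two directions remains.

```python
"""Added illustration: cost of multiplying two primes vs. factoring the product."""
from math import isqrt


def is_prime(n: int) -> bool:
    """Deterministic primality check, adequate for the small sizes used here."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    for d in range(3, isqrt(n) + 1, 2):
        if n % d == 0:
            return False
    return True


def next_prime(n: int) -> int:
    """Smallest prime strictly greater than n."""
    n += 1
    while not is_prime(n):
        n += 1
    return n


def factor_by_trial_division(n: int):
    """Recover (p, q) from a product of two odd primes.

    Returns the factors plus the number of candidate divisors tried,
    which is the "work" of the inverse direction.
    """
    steps = 0
    for d in range(3, isqrt(n) + 1, 2):
        steps += 1
        if n % d == 0:
            return d, n // d, steps
    raise ValueError("n is not a product of two odd primes")


def asymmetry_table(exponents=(8, 12, 16, 20)):
    """For primes just above 2**k, compare forward and inverse work."""
    rows = []
    for k in exponents:
        p = next_prime(2 ** k)
        q = next_prime(p)
        n = p * q  # forward direction: a single multiplication
        found_p, found_q, steps = factor_by_trial_division(n)  # inverse: search
        if (found_p, found_q) != (p, q):
            raise RuntimeError("factoring returned the wrong primes")
        rows.append({"p": p, "q": q, "n": n,
                     "prime_bits": p.bit_length(), "inverse_steps": steps})
    return rows


if __name__ == "__main__":
    for row in asymmetry_table():
        print(f"{row['prime_bits']:>2}-bit primes  n={row['n']:<14}"
              f" forward=1 multiplication  inverse={row['inverse_steps']} divisions")
```
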

Current View


Privacy and Security In a World of Ubiquitous Connectivity

Historically, using encryption to maintain the privacy, security, and
integrity of enterprise communication and data has been an outward
looking strategy. The assumption was that, if handled well, it could
provide a nearly impregnable defense. In fairness, this was always
naive. But today, it is a dangerously narrow vision of a rapidly
changing set of circumstances where “inside” and “outside” are sometimes
indistinguishable. The big issue: Where are the boundaries of the
Internet and is it possible to identify and control them?

The Internet is many things to many people, but increasingly,
one of those things is a theater of war. In war, an adaptive opponent
can be counted on to turn your best defenses and strategies to their
advantage. Predictably in such an environment, excessive institutional
focus on hardening aging encryption techniques has rapidly driven
innovation in hacking and dark communication.

Techniques for exploiting “soft targets” to undetectably move
data and create invisible communication channels are flourishing and
often involve little or no mathematically based
encryption. Very little of this innovation is publicly
attributed to US sources. This is concerning because there is no reason
for a US innovator not to take credit, since
without reliance on mathematical encryption, no export controls apply
to such tools.

Information Hiding Versus Encryption

The first thing to understand about the darker and more secretive
aspects of the net is that encryption is only one of many digital
techniques for what is today known simply as Information Hiding (IH). To
help make the significance of this clear, let’s start with a definition
of encryption. The particular aim of encryption is to allow parties to a
conversation to exchange information in such a fashion that an
eavesdropper can’t understand that information. This strategy has a few
very serious shortcomings:

  • It is inherently knowable to any observer that a secret conversation
    is taking place.
  • The conversation’s endpoints are identifiable.
  • Encryption implies that the information being exchanged is valuable,
    thus inviting attack.

For these reasons, relying on encryption for privacy and security
demands that management of encryption infrastructure, networks, and data
assets be near perfect. In a practical sense, this is almost impossible
to achieve. Over time, it is completely impossible to sustain. It is,
however, pretty much exclusively what most people trying to protect
information do to thwart attacks. Since it is broadly recognized that
this kind of IH just isn’t going to be completely effective at
preventing data captures, the second line of defense must involve
preventing exfiltration of stolen data. This is a big challenge.

If you want to move data invisibly, there is an IH technology
that is nimble, lightweight, and obviates the shortcomings of
encryption as a privacy tool: Steganography. And
though steganography hasn’t got a lot of utility for
enterprise, it is certainly a very useful weapon against
enterprise. In fact, for data exfiltration, it is nearly perfect.

Steganography 101

In simplest terms, steganography is a means by which a secret is hidden
in something that appears to be innocent, unrelated to the
hidden content, and very commonplace. The basic concept has been in
documented use for well over a thousand years. For example, consider
this low-tech steganography example: During WWII, resistance workers
knotted Morse code messages in yarn and knitted the yarn into sweaters.
The only way to see the message was to completely unravel the sweater
and find the pattern of knots. It was secure, reliable, and low risk.

In similar spirit, modern digital steganography is
accomplished by hiding almost any kind of information in files that
seem to contain something else. Because steganographic payloads use
either existing empty fields in a file format (such as unused portions
of IP packets, file headers, and the like) or overwrite bits
with very low information content in image, sound, or video
files, they are insidiously difficult to detect. Their sheer appearance
of normalcy makes it very unlikely they will trigger alarms in data
exfiltration monitoring systems.

There are dozens of open source tools and apps available for
generating and manipulating steganography. Perhaps the most mature,
sophisticated, and widely adopted of these is the OpenPuff toolsuite,
which can generate steganographic messages where the payload is
distributed across multiple files; can defend the secret payload with
many layers of obfuscation; and can engineer payloads to be very
resistant to statistical detection techniques.

Good steganographic packaging makes it a simple matter to
exfiltrate stolen information by uploading to social media and other
public sites which host images and video. This gambit also
makes it virtually impossible to identify the intended message
recipient. The “hidden in plain sight” nature of the packaging
significantly reduces the urgency of data exfiltration, which is a
great tactical advantage for the invader.

This is very, very tough to get ahead of, but at the least:

  • Verify that your anti-malware systems can identify and quarantine
    steganographic tools.
  • Monitor and log uploads of all media files from enterprise assets.
    Use the accumulated information to define “normal” patterns.
  • Pay particular attention to video files: Where they live, when they
    are generated, when they are updated, where they go if they leave
    enterprise networks for the wild.
  • Stay abreast of the news and developments concerning steganography
    attacks on mainstream enterprise globally. This is very much a
    transnational issue.
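
One way to turn logged media uploads into a “normal” pattern and review a new day against it, as an added example that is not part of the original report. The log layout, host names, destinations, file names, and the thresholds (median plus five times the median absolute deviation, with a 5 percent floor) are all assumptions, and the sample records are constructed.

```python
import os
from collections import defaultdict
from statistics import median

MEDIA_EXT = {".jpg", ".png", ".gif", ".wav", ".mp3", ".mp4", ".avi", ".mov"}
VIDEO_EXT = {".mp4", ".avi", ".mov"}

# Constructed sample upload log: (date, host, filename, bytes, destination).
HISTORY = []
for day in range(1, 11):
    date = f"2024-03-{day:02d}"
    HISTORY.append((date, "ws-014", f"slide_{day}.png",
                    200_000 + day * 10_000, "docs.corp.example"))
    HISTORY.append((date, "ws-022", f"standup_{day}.mp4",
                    30_000_000, "video.corp.example"))

TODAY = [
    ("2024-03-11", "ws-014", "holiday.mp4", 45_000_000, "media-host.example"),
    ("2024-03-11", "ws-014", "report.docx", 90_000, "docs.corp.example"),
    ("2024-03-11", "ws-022", "standup_11.mp4", 30_500_000, "video.corp.example"),
]


def _ext(name):
    return os.path.splitext(name)[1].lower()


def build_baseline(events):
    """Per host: median daily media volume, its spread, and known destinations."""
    daily = defaultdict(lambda: defaultdict(int))  # host -> date -> bytes
    dests = defaultdict(set)
    for date, host, name, size, dest in events:
        if _ext(name) in MEDIA_EXT:
            daily[host][date] += size
            dests[host].add(dest)
    baseline = {}
    for host, per_day in daily.items():
        volumes = list(per_day.values())
        med = median(volumes)
        mad = median(abs(v - med) for v in volumes)
        # Floor the spread so a perfectly regular host is not flagged on noise.
        baseline[host] = {"median": med, "spread": max(mad, 0.05 * med, 1),
                          "dests": dests[host]}
    return baseline


def review(baseline, events, k=5):
    """Return (host, finding, detail) tuples for uploads outside the baseline."""
    findings, totals = [], defaultdict(int)
    for date, host, name, size, dest in events:
        ext = _ext(name)
        if ext not in MEDIA_EXT:
            continue  # only media files are in scope for this check
        totals[(host, date)] += size
        known = baseline.get(host)
        if known is None:
            findings.append((host, "no-baseline", name))
        elif dest not in known["dests"]:
            kind = "video" if ext in VIDEO_EXT else "media"
            findings.append((host, f"{kind}-to-new-destination", name))
    for (host, date), total in totals.items():
        known = baseline.get(host)
        if known and total > known["median"] + k * known["spread"]:
            findings.append((host, "volume-above-baseline", date))
    return findings


if __name__ == "__main__":
    for finding in review(build_baseline(HISTORY), TODAY):
        print(finding)
```
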

Securing the Internet of Things with Lightweight Cryptography

As a result of the burgeoning growth of the Internet of Things, the
connected world has become as vulnerable as it is vast. Homes,
autos, office buildings, healthcare facilities, factories,
self-evaluating infrastructure – innumerable things, in fact – are now
sprinkled with functioning automatons tethered to control systems via
the Internet. Millions and millions of these devices are naively
installed and passively managed. This makes the Internet of Things a
safe harbor for massive device armies, ready and waiting for
instructions from anyone of any intent.

This vulnerability was demonstrated in a relatively benign
October 2016 denial of service attack on Dyn, a New Hampshire-based
Internet traffic handler that serves Twitter, Netflix, Amazon,
Tumblr, PayPal, and others. For nearly eleven hours, those
sites and others handled by Dyn were down. Postmortem analysis
revealed that the attack had co-opted tens of thousands of Internet
connected “zombie” devices secured only by factory default passwords,
no passwords, or very brittle passwords. It was a simple matter for the
attacker to gain control of these. Though the intent of the Dyn attack
appears to simply have been a show of capability, it spotlights a
potential problem that is both ominous and complex.

Defense against future zombie device attacks is not simply a
matter of persuading consumers to secure baby monitors, automated
thermostats, and the like. A very large share of the components that
make up the Internet of Things are tiny, technically primitive,
extremely power-constrained and intermittently connected. They are on
track to be completely ubiquitous and can live for long periods of
time, even after they are abandoned by their original masters. Some
examples are inventory tags, hotel room keys, anti-shoplifting devices,
infrastructure status sensors, and the like. They can connect to the
Internet directly or indirectly, but many of these cannot be secured
using standard cryptography and authentication algorithms. They lack
required processing, power, and local storage capacity for that. These
types of intermittently used lightweight computing devices are a wide
open door to networks and backend computing resources.

The need to secure tiny, passively energized computing devices
of the IoT is well understood in the technosphere, but it demands a
completely different approach than the techniques in use for larger
devices. The bad news: The effort will take time. The
good news: The effort to build workable IoT security infrastructure is
well along. It is being coordinated by the National Institute
of Standards and Technology (NIST). NIST’s Lightweight Cryptography
research project is a broad stakeholder-based collaboration that draws
upon the best talent and deepest resources in the world. It
will deliver new tools, frameworks, and APIs to secure very small
computing devices. Ultimately, its goal is to develop
effective security and privacy solutions for even the most severely
resource constrained devices such as 4-bit operating systems, minimal
instruction sets, and batteryless passive power devices that wake up
only when their reader interrogates them.

Outlook



The Quantum Internet Is Coming

Advances in quantum communication technology have been very considerable
and definitely render it possible that we could soon see working
elements of a quantum internet, including quantum routers.1 This would
make continental scale quantum internet a reality, possibly within a
couple of years. Specialized, short range applications could appear much
sooner.

Quantum physics is famously arcane, having been described by Albert
Einstein (who doubted the underlying theories) as “spooky action at a
distance.” Fortunately, for the purpose of evaluating the state and role
of cryptography in a quantum cybersphere, it is not absolutely necessary
to understand the how and why of quantum communication. However, it is
vital to understand the way in which this will change the cyberscape,
shifting the field of battle for data privacy and integrity.

As is often the case with very advanced science, it is useful to just
think of quantum communication as “magic”, like in Harry Potter or
Tolkien, where people can communicate at great distance without having
any apparent material connection. Thus, there is no transfer of
information for a listener (spy) to eavesdrop. Quantum communication
between two endpoints is absolutely private, not just in practical
terms, but at the deepest levels of physics. No incremental scientific
or computational advance could change this.

The physical phenomenon underlying the magic is called Quantum
Entanglement, and has been confirmed for a considerable time, but is
very difficult to achieve and highly ephemeral when it takes place.
However, recent discoveries of a University of Vienna team led by Ralf
Riedinger have overcome key obstacles to making the entangled state a
bit more stable and making it possible for entanglements to be
established over much greater distances than previously thought
possible. That combination of advances makes a cross continental
internet a real, near term possibility. But this is much bigger news
than just that, really. Here is Riedinger’s own vision of his
technology’s future: “Combining our results with opto-mechanical devices
capable of transferring quantum information from the optical to the
microwave domain could provide a backbone for a future quantum internet
using superconducting quantum computers.”2

Recommendations



Cyberwarfare Is Real and the Cost of Ignoring It Is Incalculable

“I don’t think you get it…. What
we’re talking about is a cataclysmic change. What we’re talking about
is the beginning of a cyber warfare.”

— Senator Dianne Feinstein to representatives of Google,
Facebook, and Twitter at US Senate hearings on Russian exploits of
their systems, platforms and data assets.

Senator Dianne Feinstein was in no way exaggerating when she faced
down the representatives of Google, Facebook, and Twitter in October
2017 hearings about Russian disinformation and hacking. This is indeed
warfare; it’s just difficult to see, because the US has shown no
coherent inclination to show up for the battle, let alone fight back.

One of the experts who testified at those hearings was Dr. Thomas Rid,
Professor of Strategic Studies at the Johns Hopkins School of Advanced
International Studies. He presented information contained in his
whitepaper entitled “Disinformation: A Primer in Russian Active Measures
and Influence Campaigns.” Here is an opening quote (emphasis added) from
that paper that should command the interest of every C-Suite in the US:

“Active measures are semi-covert or covert intelligence operations to
shape an adversary’s political decisions. Almost always, active measures
conceal or falsify the source. Intelligence operators try to hide behind
anonymity or behind false flags. Active measures may also spread forged
or partly forged content.”

The information in Rid’s testimony is based on the best, most current
and most comprehensive research from the top minds in the field,
worldwide. There is no reason whatsoever to doubt anything he says. It
is backed up by mountains of data and validated by an army of his
scientific and intelligence community peers. A complete and attentive
read of his testimony, even by someone without a strong technology
background, tells us this: Reliance on encryption alone as a defense of
assets, intellectual property or corporate secrets will be about as
effective as the Maginot Line.

New Adversaries, New Risks, New Battlegrounds


Assume Universal Compromise: For the last several years, we’ve seen the
disclosure of one large scale breach after another, often involving
hundreds of millions of personal exposures each. Countless others
certainly occurred but went unreported or even undetected. Thus, on the
one hand, virtually everything digital has been or could have been
stolen. But on the other hand, these breaches provoked significant
defensive activity to harden attack surfaces and prevent data
exfiltration if a breach does occur. This sounds like progress, but it
may actually be a setup for an even bigger catastrophe. Here’s why:

 

This isn’t just about keeping valuable data in; it’s also about keeping
forged and false flag data out – something that hasn’t even been part of
the discussion until now.

It doesn’t matter that you can prevent theft if your data
and IP are riddled with forged and altered content.

A key objective for Dr. Rid in his testimony was to impress upon the
Senators who and what they are up against. To this end, he quotes one of
his greatest adversaries, Colonel Rolf Wagenbreth, acknowledged grand
master of disinformation and head of the East German Stasi’s Active
Measures program for over twenty years:


“A powerful adversary can only be
defeated through […] a sophisticated, methodical, careful and shrewd
effort to exploit even the smallest “cracks” between our enemies and
within their elites.”

We’ve seen how easily and repetitively some of the most high value
systems in the US have been invaded and exposed. This has had serious
consequences, but they pale in comparison to the nightmare scenarios of
forged, partially forged and false flag content infesting those same
systems. In the US we say “If you can’t beat ’em, join ’em”. In Moscow
they say “If you can’t beat ’em, make them beat themselves.” This is
everybody’s problem. We have to acknowledge that, and work together to
solve it. Soon.

The Byzantine Generals Problem: “The Byzantine Generals” is a grand
challenge computer science problem in which you have several inputs that
disagree about a value they each measure and report. How do you tell who
is lying and who is telling the truth? Imagine the ramifications for a
large institution or corporation if five percent of its data holdings
were actually forged, partly forged or created out of thin air to serve
the needs of an active measures attacker. That small percentage could be
quite difficult to detect; but on the other hand, accuracy of 95 percent
sounds pretty reassuring. That is, until you consider how small some
tranches of crucial data are, or how some assets must be absolutely
sanitary: critical safety systems in nuclear facilities; automated
manufacturing processes for pharmaceutical products; air traffic control
and navigation support.

Probably the least often considered but most vulnerable example, though,
would have to be the vast libraries of code that power the digital
devices that run the developed world. There is hardly an institution,
corporation or government that doesn’t own a huge codebase that could be
co-opted by a “sophisticated, methodical, careful and shrewd effort” to
cause great harm. The ramifications of becoming what Thomas Rid calls
“unwitting agents” are very, very serious – far beyond damage to the
brand.

Consider this scenario: Every so often, lithium batteries
explode in flames because of what are widely assumed to be
manufacturing defects. People still buy smartphones, hoverboards, and
plane tickets, though. If, however, all of a sudden, it seems
believable that they explode because a piece of trojan code can be
activated to force a particular battery to overcharge, you have a very
different problem, and it is a problem that has impacts that reach far
beyond the boundaries of the hoverboard market.

A free and democratic society operates on many layered bonds
of trust – a shared belief that things which are safe, reliable, and
true will stay that way. If there is one take-home lesson of the
peculiar debacle of the 2016 election, it is this: Russian hacking was
not primarily about politics. It was about economics. It was a frontal
assault by one of the world’s failing economies against what is
arguably the world’s most successful economy. These attacks won’t stop
on their own, and they won’t be limited to political manipulations
going forward. American brands and enterprises will certainly become
targets. We need to unite, combat these attacks and make timely and
appropriate countermeasures.

References

1 “The What, Why and When of Quantum Cryptography.” IDG. November 15, 2018.
2 Dom Galeon. “Physicists Just Quantum Entangled Two Silicon Chips That Can Share Information.” Science Alert. November 18, 2017.


Existing Standards and Infrastructure:

FAQ: The National Security Agency’s ECC License Agreement with
Certicom Corp.: http://www.certicom.com/pdfs/FAQ-TheNSAECCLicenseAgreement.pdf
NIST Overview of Lightweight Cryptography: http://csrc.nist.gov/publications/drafts/nistir-8114/nistir_8114_draft.pdf

Enterprise Resources for Applying Best Practices in Encryption Technology:
National Institute of Standards Guide to Bluetooth Security: http://csrc.nist.gov/publications/drafts/800-121/sp800_121_r2_draft.pdf
Baldrige Cybersecurity Excellence Builder: Key Questions for Improving
Your Organization’s Cybersecurity Performance: https://www.nist.gov/sites/default/files/documents/2016/09/15/baldrige-cybersecurity-excellence-builder-draft-09.2016.pdf
Assessing Threats to Mobile Devices & Infrastructure: The
Mobile Threat Catalogue: http://csrc.nist.gov/publications/drafts/nistir-8144/nistir8144_draft.pdf

Key Theoretical Activities:
Entanglement of Separate Nanomechanical Devices Heralds Quantum Internet:
https://www.technologyreview.com/s/609462/entanglement-of-separate-nanomechanical-devices-heralds-quantum-internet/?utm_campaign=Technology+Review&utm_source=facebook.com&utm_medium=social

Emergent Threats: Steganography References
Steganography Overview for Computer Forensic Examiners: http://www.garykessler.net/library/fsc_stego.html
Association for Computing Machinery Information Hiding Workshop 2016: http://ihmmsec.org
