Image courtesy of plus.maths.org
Ever since written communication was developed, humans
have tried to hide, conceal, or scramble sensitive information from
prying eyes. Julius Caesar had a scheme in which characters were shifted a
certain number of positions to scramble the message; this was dubbed the Caesar
cipher. For this to work, the recipients had to know the count used for the
shift. This method is of course very easy to break with current technology.
During World War II, the Germans had the famous (or infamous, depending on what
side you were on) encryption device named Enigma. This machine was used by the
Germans to encrypt their messages, and it worked by providing
substitute characters for the letters entered by the operator. The only way
such a message could be decrypted was through the possession of an Enigma
machine. When speaking about the Enigma, the name Alan Turing also has to be
mentioned, as he pioneered the cracking of the Enigma, and this changed the
course of the war and perhaps the future of the world.
On February 20th of this year, Linux Mint was breached and hackers were able to point users to a compromised ISO (drive image) that was a modified version of the 17.3 Cinnamon edition (Linux Mint OS). According to a post on the Linux Mint Blog by Linux project leader Clement Lefebvre, this version allegedly has a backdoor. This is a classic case for awareness and for using the available tools to ensure that you are downloading safe versions of software. By verifying hashes, we can tell whether a software version has been tampered with.
From real-world affairs to the digital landscape,
encryption touches two of the three aspects of the CIA (Confidentiality, Integrity, and
Availability) triad: confidentiality and integrity. Confidentiality is the
process of ensuring that information is only exposed to individuals who are
authorized to view that information. There are different methods that can be
employed to ensure that this comes to fruition. One way is through policies
such as training and awareness of the users and classifying the information based
on the level of risk to the business were it to be exposed; another is through
technical controls like encrypting this information. Integrity, on the other
hand, is the process of ensuring that data is not tampered with; it involves maintaining
the consistency, accuracy, and trustworthiness of the data over its entire life
cycle.
For both confidentiality and integrity, the data may be in one of three states.
It may be at rest, for example stored on hard drives, tapes, or databases. It may
be in transit, meaning that it is traversing the network, for example emails being
sent or files being transferred. Finally, it may be in use, which is data that
is in memory and being processed. All three data states need to be secured, and encryption
is a method that can be used to achieve this security control.
Another element of security that encryption provides is
authentication, which is when the origin and originator of the message can be
verified. Non-repudiation is also achieved through encryption; this is when
the sender of the message cannot deny sending the message. The way encryption
achieves this control is through digital signatures. Before technology, official
seals were one way of authenticating the letters sent from, for example, a
business or government agency. In the Internet world, digital signatures are
used to perform this task. One key area where digital signatures are common is
in software signing. When you download software over the Internet, how do you
verify that this is legitimate software from the true publisher, for example Microsoft?
Digital signatures. The software publishers provide the public with a hash,
which is a representation of the entire contents of the software posted on
their site. If any modifications are made to the software, the hash value would
change, and the end users can know that there has been tampering and therefore that the
integrity of the software has been compromised.
Although enforcing encryption controls may
be cumbersome for the business or even on our home systems, it adds an extra layer
of protection for our data. Encryption helps to protect the data against
physical threats as well; if we lose our devices, it’s hard for the adversary
to read our sensitive information if the files or hard disks are encrypted.
References:
https://plus.maths.org/issue34/features/ellis/enigma_in_use.jpg