Cryptography and Cybersecurity Paramount Challenges

By Paulo Pereira, PhD, DFIR

Few persons can be made to believe that it is not quite an easy thing to invent a method of secret writing which shall baffle investigation. Yet it may be roundly asserted that human ingenuity cannot concoct a cipher which human ingenuity cannot resolve. (Edgar Allan Poe, Cryptography, Eureka and Miscellanies, p. 262, 1895).

I. Introduction

Modern cryptography played a key role during World War II, especially with the encoding of German messages by the Enigma machine. However, since 1932, the important work of Polish cryptologist Marian Rejewski, who used statistical analysis to break Enigma's encryption, contributed to the cracking of this cryptographic system by Alan Turing and his team. These days, encryption helps protect data in a variety of business and government endeavors. But if an attacker had in their hands a quantum computer with enough computing power to factor a prime number of more than 300 digits, for example, encryption security as it currently exists would be threatened.

II. Classical Cryptography and the perfect security

There are people that still create their passwords with a pattern that is easily identified by an adversary, an attacker who will manage to break into an account, a cell phone, a server. When a weather forecast service always says that tomorrow it will rain, we do not need to wait for the next forecast as it will be the same as the previous ones. There is no variability in this information because the result is always the same. Therefore, there is no entropy in this information. The same can be said of a person who, when creating a password, always repeats the same procedure. An adversary who succeeds in discovering the procedure will discover the password. And this reality is not only due to people. There are reports of malformed passwords on servers and other critical systems. One of the most common procedures used to create a password is that people resort to information that is easy to remember, such as personal or family information, a birthday plus a digit, the father's name combined with the mother's name. Sometimes they’ll use a password based on a word that has the letters replaced by other letters.

Let’s assume as an example a world in which there are only three people: Alice, Bob, and Spy. Alice meets Bob and they both exchange messages between them. They both do not know Spy, but Spy knows of Alice and Bob's existence. Spy would like to find out the content of the messages between Alice and Bob and would like to impersonate one of them and tamper with the content of those messages. 

A cryptographic system C that does not allow Spy to obtain information about a readable text T (sent from Alice to Bob and intercepted by Spy) from the encrypted text Te has perfect security.

Alice and Bob come to consider that their messages should be protected from probable future eavesdroppers and together create quite a simple algorithm. Alice sends a message to Bob, "Hello Bob". Suppose Alice and Bob want to make this message harder to read and adopt a simple algorithm in which:

H=O

E=R

L=W

O=Y

B=L

In this coding system, there is only a fixed identification of one letter by another. Consequently, the message would look like this: "ORWWYLYL". To an interceptor, these letters do not make any sense. However, Spy wants to find out if there is any information behind this sequence of letters. Spy will test the possibilities and, being an exchange of one letter for another, without other changes, then "H" will always be "O", which will allow the attacker a faster decryption of a message between Alice and Bob. 

Now, suppose Alice and Bob decide that the letters defined above for "Hello Bob" are not fixed as has been demonstrated. That is, instead of the letter "H" having its exchange corresponding to the letter "O", it can take on any letter of the alphabet (perhaps including itself or not, depending on Alice and Bob's decision). Notice how complex this system has become for decoding the messages exchanged by Alice and Bob. If Spy were to decode this system without the aid of a computer, it would possibly take a long time before he could (or could not) decipher the message. To this end, if the system created by Alice and Bob allows the letters to be permuted with repetition of the use of each letter, then in an alphabet with 26 letters we will have 26^26 possibilities, if a cipher is created that uses 26 repeatable letters.

Since the phrase "Hello Bob" has 8 characters (disregarding the empty space between each word) and, also considering the possibility of repetition of the letters, we have 26^8 (or 208,827,064,576) possibilities for Spy to decode the message:

26 × 26 × 26 × 26 × 26 × 26 × 26 × 26

The same applies to numbers from 0 to 9. Some financial institutions only use passwords with numbers. For example, if the password is made up of six digits that do not repeat, the user will have: 10 * 9 * 8 * 7 * 6 * 5! possibilities to create a password. If the digits are repeated, then the user will have 10^6 combinations.

In this quite simple cryptographic system created by Alice and Bob, there is no guarantee that Spy will not impersonate Alice or Bob, stealing the identity of one or the other. The guarantee is that if the Spy manages to discover the system's coding mechanism, he will not be able to read the messages exchanged previously and those that will be exchanged in the future between Alice and Bob.

If Alice and Bob store their messages on a server and Spy manages to break into that server, no guarantee is in place to prevent Spy from stealing the message exchange sessions. So, Spy would be able to access messages exchanged in past and future sessions.

The foundations for this breakthrough in modern cryptography owe credit to other cryptographers, with special mention to Marian Rejewski (whose statistical analysis work helped military intelligence understand how Enigma rotated letters by position in each message), and to Alan Turing and team (whose machine accelerated the decoding of messages encoded by Enigma). Currently, with a conventional computer, this breakdown is done in a few hours, depending on the capacity of the procedure and the computer video card.

This is a hypothetical world, as has been mentioned. However, disregarding the algorithm chosen by Alice and Bob, how much of this hypothetical world do we find in the real world? Pretty much all that's been reported is what people are living in: a world in which they want to protect their privacy from lurking spies. An infographic study published by ENISA in November 2022 lists the major cybersecurity threats for 2030. The forecasting analysis reveals that the third major risk is the rise of digital surveillance authoritarianism/loss of privacy. This is the most important challenge of digital security and cryptographic data protection.

Alice and Bob can decide on a method of replacing letters by choosing a shift. For example, shift ten letters. If the alphabet has twenty-six letters, then each letter has a position. The ciphering method is:

Y = (ax + b) mod n

These systems must choose a coprime of 26, the displacement of the letters and, finally, the result of the cipher created. This is the so-called affine cipher technique. Consider the message HELLOBOB. If a=5 (one of the coprime numbers of 26), x=7 (alphabet position of letter H) and b=10 (the position of the letter I in the alphabet), then Y = (5x + 10) mod 26.

Y = (5 × 7 + 10) mod 26

Y = 45 mod 26

Y = 19

The formula is simple: we calculate a result that, divided by 26, gives us a remainder. This remainder is the new position for which one has a letter of the alphabet. When you have a value less than 26, you repeat that value without discarding it. Thus, HELLOBOB has a cipher that will be TENNCPCP.

The weaknesses of this system are: 

I. Spy can figure out the pattern of the positioning exchange which, in the example above, was arbitrary.

II. This system has an inheritance that is the basis of an alphabet that presents a frequency of the use of the letters. Thus, the vowel e has a higher frequency of use in the English language.

III. It follows from I and II that the more consolidated the cipher pattern by this method, the lower the entropy of the information.
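The affine cipher and its weaknesses I and II can be checked directly. The following is an added example, not code from the original article; it assumes uppercase A-Z input with zero-based positions (A=0 ... Z=25), and the function names are illustrative.

```python
# Added example: affine cipher over A-Z, zero-based positions (A=0 ... Z=25).
from collections import Counter
from math import gcd

N = 26  # alphabet size

def encrypt(text: str, a: int, b: int) -> str:
    """Y = (a*x + b) mod 26 for every letter position x."""
    if gcd(a, N) != 1:
        raise ValueError("a must be coprime with 26 or two letters collide")
    return "".join(chr((a * (ord(c) - 65) + b) % N + 65) for c in text)

def decrypt(cipher: str, a: int, b: int) -> str:
    """x = a^-1 * (Y - b) mod 26; the inverse exists because gcd(a, 26) == 1."""
    a_inv = pow(a, -1, N)
    return "".join(chr(a_inv * (ord(c) - 65 - b) % N + 65) for c in cipher)

def all_keys() -> list:
    """Every valid (a, b) pair: 12 values of a coprime with 26, times 26 shifts."""
    return [(a, b) for a in range(N) if gcd(a, N) == 1 for b in range(N)]

def keys_matching(known_plain: str, known_cipher: str) -> list:
    """Weakness I: keys consistent with a known plaintext/ciphertext fragment."""
    return [k for k in all_keys() if encrypt(known_plain, *k) == known_cipher]

def count_profile(text: str) -> list:
    """Weakness II: letter counts, sorted; substitution only relabels them."""
    return sorted(Counter(text).values(), reverse=True)

if __name__ == "__main__":
    ct = encrypt("HELLOBOB", 5, 10)
    print(ct, decrypt(ct, 5, 10))
    print(len(all_keys()), "possible keys")
    print(keys_matching("HE", ct[:2]))
    print(count_profile("HELLOBOB"), count_profile(ct))
```

Two known letters are enough to single out the key among the 312 candidates, and the letter-count profile of the ciphertext is identical to that of the plaintext.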

III. Post Quantum Cryptography and Cyber Security Paramount Challenges

In 2019, IBM launched Q System One, a commercial quantum computer. Companies and universities that are part of the IBM Quantum Network and the IBM Quantum Safe Explorer can test this technology in the cloud. One of the fundamental characteristics of this technology is the capacity for one qubit processing due to the superposition of the photon with infinite possible entanglements, which makes it possible to work with dimensions that go beyond the bit's current binary dimension of 0 and 1.

The application of quantum cryptography will be in the exchange of keys since a quantum state has the property of detecting any change in the measurement of that state. One question regarding the security of this system is whether, in the quantum state, it is possible to copy a photon and its base, duplicating that photon with the same superposition characteristics. If this were possible, an attacker could compromise the system's security.

Four fundamental questions will be considered (as a scenario for an attack seeking to bypass a cryptographic system) for the area of cybersecurity. The questions are:

  1. Can an attacker succeed against systems that use some kind of cryptography that creates stronger keys?
  2. How is encryption implemented in the different endpoints, in networks in general, in older protocols and in servers that inherit keys that have already been used?
  3. Would an attacker be able to use a conventional computer to attack a key that a server has stored and is using again? What if this previously used key is shared with other servers?
  4. What guarantee do users of an online bank have that they are protected? If an attacker causes a breach, what data will be exposed?

According to Kaczanowski (2020), such attacks are possible on an academic or governmental level. But regardless of this, it cannot be ignored that there is some degree of fragility in the DH or RSA algorithms when faced with a quantum computer. From the points mentioned above, what is expected of a security protocol and of the implementation of encryption is that forward secrecy is guaranteed. Assume the following example, in which an adversary uses a quantum computer and gains access to a session S:

Session   Key
S1        K1
S2        K2
S3        K3
Sk        Kk

Each session has a key that should be random and not pseudo-random: one key per session, ephemeral in nature. This means that if an attacker breaks the key K3, he can see the session S3 dedicated to that key. The attacker could not see the sessions before and after the one whose key was broken.

The open discussion in post-quantum cryptography is whether at some point there will be a computer capable of breaking, for example, RSA. That is, if such a computer exists, all security based on RSA encryption can be broken. This would entail affecting all protection of e-commerce and financial systems since such a computer would halve the time for the breakdown of an AES-128 system. In this scenario:

Symmetric cryptography is also affected, but significantly less so. For systems that do not rely on mathematical structures, the main effect is that an algorithm, according to Lov Grover, from 1996, halves the security level. This means that breaking AES-128 takes 2^64 quantum operations, while current attacks take 2^128 steps. While this is a big change, it can be managed quite easily by doubling the key sizes, e.g., by deploying AES-256. The operations needed in Grover’s algorithm are inherently sequential, which has led some to doubt that even 2^64 quantum operations are feasible, but since the remedy of changing to larger key sizes is very inexpensive it is generally recommended to do so (ENISA, 2021, p. 1).

The biggest challenge encountered by citizens and companies is the protection of stored data. An e-shop hosts credit card sales systems that need to be protected from data leaks and cyberattacks. The reliability of the RSA algorithm lies in the momentary inability to break a number with more than 300 digits, the so-called prime number factorization. However, quantum computing would solve this inability to calculate. It would take a bigger key to make factorization difficult.

If a post-quantum computer exists, then the most prominent challenge will be the creation of a post-quantum cryptographic algorithm that makes data security one of the most precious assets of the quantum age. 

Since a quantum computer would be able to reduce the decryption time of a longer key from 2^n to 2^(n/2), all reliability of a security system will fall on its protocols and the configuration of the exchange key.

However, the renewal requirement comes up against not only the mathematical part of encryption, but also the encryption protocols, the vitality of these protocols, the reduction of failures of these protocols, and ultimately the implementation of these protocols on a scale of multidimensional use of network traffic.

It is because of this that another challenge is the vitality of encryption protocols, such as TLS, for example.

As an example of this infancy, we point to the discussion in this document on TLS (Transport Layer Security) security (…). The TLS protocol is the protocol used to secure traffic from web-sites to browsers; despite a lot of effort on understanding this protocol in the last few years, basic protocol errors are still being found (e.g. Lucky13 [17]), as well as implementation errors (e.g. HeartBleed [87]). In this report, we focus on the former type of problems as opposed to the latter type of problems (ENISA, 2014, p. iv).

Legacy protocols do not tend to ensure data protection when exposed to multiple layers of use (i.e., multidimensional usage), causing a possible breach of the property called forward secrecy:

Finally, a crucial requirement that is becoming more important in the real world is that of forward secrecy. A key agreement scheme is said to be forward secure if the compromise of the long-term static private key of a party does not compromise the confidentiality of the agreed key for sessions that occurred prior to the compromise of the key. Thus, we are ensured that the key agreed now will be secure against any future compromise of the static keys (ENISA, 2014, p. 5).

Therefore, the implementation of encryption protocols needs to be done by cryptography experts so that there is no vacuum between the development of the protocol and its large-scale use.
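The session/key table and the ENISA definition of forward secrecy above can be contrasted in code. This is an added example, not part of the original article or of any ENISA document; the toy prime 2^127 - 1, the generator 3, the HMAC tag standing in for authentication, and all function names are assumptions made for illustration.

```python
# Added example: session keys with and without forward secrecy (toy parameters).
import hashlib
import hmac
import secrets

P = 2**127 - 1  # toy prime, far too small for real use; keeps the demo instant
G = 3

def static_key(long_term: bytes, session_no: int) -> bytes:
    """No forward secrecy: K_i is computed from the long-term secret."""
    return hmac.new(long_term, b"session-%d" % session_no, hashlib.sha256).digest()

def ephemeral_session(long_term: bytes):
    """Forward secrecy: fresh exponents per session, gone when this returns."""
    a = secrets.randbelow(P - 2) + 1
    b = secrets.randbelow(P - 2) + 1
    pub_a, pub_b = pow(G, a, P), pow(G, b, P)
    # The long-term secret only authenticates the exchange; it never feeds the key.
    tag = hmac.new(long_term, b"%d|%d" % (pub_a, pub_b), hashlib.sha256).digest()
    shared = pow(pub_b, a, P)
    if shared != pow(pub_a, b, P):
        raise RuntimeError("key agreement failed")
    key = hashlib.sha256(shared.to_bytes(16, "big")).digest()
    return (pub_a, pub_b, tag), key

def compromise_report(sessions: int = 4) -> dict:
    """What a long-term secret stolen after the sessions gives Spy."""
    long_term = secrets.token_bytes(32)
    static_keys = [static_key(long_term, i) for i in range(1, sessions + 1)]
    runs = [ephemeral_session(long_term) for _ in range(sessions)]
    stolen = long_term
    rebuilt = sum(static_key(stolen, i) == k
                  for i, k in enumerate(static_keys, start=1))
    verified = sum(
        hmac.compare_digest(
            hmac.new(stolen, b"%d|%d" % (pa, pb), hashlib.sha256).digest(), tag)
        for (pa, pb, tag), _ in runs)
    return {
        "static_keys_rebuilt": rebuilt,       # every K1..Kk recomputed by Spy
        "ephemeral_tags_verified": verified,  # secret checks tags, yields no key
        "ephemeral_keys_distinct": len({k for _, k in runs}),
    }

if __name__ == "__main__":
    print(compromise_report())
```

In the static design the stolen long-term secret rebuilds every past session key; in the ephemeral design it is not an input to any session key, so breaking one K3 exposes only S3.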

IV. Conclusion

With the possibility that we will have a quantum computer at some point, the perspective that presents itself to us is that we will also have quantum encryption systems enabling what is protected today to continue to be in the future: our privacy.

V. References

ENISA [2013]. Recommended cryptographic measures - Securing personal data. In: https://www.enisa.europa.eu/publications/recommended-cryptographic-measures-securing-personal-data. Last access 2, August, 2023.

ENISA [2014]. Study on cryptographic protocols. In: file:///C:/Users/cyber/Desktop/enisa/Study%20on%20cryptographic%20protocols.pdf. Last access 2, August, 2023.

ENISA [2021]. Post-Quantum Cryptography: Current state and quantum mitigation. In: https://www.enisa.europa.eu/publications/post-quantum-cryptography-current-state-and-quantum-mitigation. Last access 4, August, 2023.

ENISA [2022]. Cybersecurity Threats Fast-Forward 2030: Fasten your Security-Belt Before the Ride! November, 11, 2022. In: https://www.enisa.europa.eu/news/cybersecurity-threats-fast-forward-2030. Last access 2, August, 2023.

ENISA [2022]. Post-Quantum Cryptography - Integration study. In: https://www.enisa.europa.eu/publications/post-quantum-cryptography-integration-study. 2022. Last access 4, August, 2023.

ENISA [2023]. Foresight Cybersecurity Threats for 2030. March, 29, 2023. In: https://www.enisa.europa.eu/publications/enisa-foresight-cybersecurity-threats-for-2030. Last access 2, August, 2023.

https://www.enisa.europa.eu/topics/cryptography

Megan Kaczanowski. Encryption Algorithms Explained with Examples. https://www.freecodecamp.org/news/understanding-encryption-algorithms/, 2020.

About the Author

Paulo Pereira is an independent malware analyst, Cyber Security Professional, EXIN Instructor.

September 5, 2023

© HAKIN9 MEDIA SP. Z O.O. SP. K. 2023