Cryptography in the Banking Industry

Programming becomes easier with all the frameworks. As a beginner programmer, we can code with less time and using more humane language rather than binary computer language. But at the same time, I feel insecure. If people who do understand the basic fundamentals of computers stand against us, I feel powerless to defend myself. If I made a bank app, and fortunately people like it, how can I protect me and my users from these people that are smarter and more experienced than myself?

This is what brought me to this topic, Cryptography in the Banking Industry. Cyber security is a very big topic in banking. There are many concerns in different aspects through the banking process. In this blog, I would like to talk about cryptography in specific.

Cryptography is a method of protecting information and communications through the use of codes, so that only those for whom the information is intended can read and process it. Think about when you initially set up your password(say, 1234) for a new bank account. After you click submit, the bank will receive your password(1234). In a perfect world, you can simply send the password to the bank just like you sending an email. Obviously, this is very insecure because these smart people who understand how internet and email work can easily interrupt and read this message with your password. And you lost your first saving $100.

What can you do to solve this? Here is an easy answer. You can physically visit your bank, write down your password on a piece of paper, examine the environment to make sure no one is snipping you, and secretly hand that to your bank, believing that they will take care of that piece of paper properly. This is, indeed, very secure, but also, not practical.

Then you realize that it is unavoidable to send your password through the internet. But instead of sending it as what it is, you encrypt it. So now, the bank tells you to multiply your passcode by 2, and then send it. Instead of 1234, you send 2468. When the bank receive your code, they decrypt it, dividing 2468 by 2 and get the real passcode 1234. You think this is a great idea, so you put in your second saving $200. Some smart people got tricked and gave up on you. However, there are still smarter people who not only got your 2468, but also the rule “multiply your passcode by 2” you and your bank had agreed on. Just like what the bank did, these smart people also decrypt your code by reversing your rule, or divide by 2. Now your second $200 is gone.

You might be frustrated but you are actually not that far away from the current solution. What you need to change is the cryptography algorithms, or some “rules” other than simply “multiply by 2”. “multiply by 2” is very easily reversible to “divide by 2”. What we want is some rule that is very hard to reverse. Other words, even if the smart people know what number I send to my bank, and the rule, they still can’t get the original number(my passcode), easily.

In the current banking industry, there are 3 main ways of cryptography, or 3 solutions to our problem. They are Public Key Cryptography (PKC), Symmetric Key Cryptography (SKC) and Triple Data Encryption Standard (TDES).

The public key cryptography algorithms was first proposed by James H. Ellis, Clifford Cocks and Malcolm Williamson (1972) and furthered by Whitfield Diffie and Martin Hellman (1976). This method is known as Diffie-Hellman key exchange. The Public Key Cryptograph can also be called asymmetric key cryptography, because you and your bank can hold different keys(or passcode) and still be able to verify.

Instead of just having me generate a passcode and send it to the bank, the bank would also need to generate a passcode. The algorithm looks like this.

Knowing this, you applied it and put another $400 in the bank account.

The reason why this mod algorithm works and our “multiply by 2” doesn’t is due to the complicity of discrete mathematics in computer science. The process technically is still reversible, and the smart people can still take away our $400, but the amount of computation needed to reverse this is magnificent to a degree that it is safe to say secure. The cost of electricity far exceeds $400.

Another solution, the Symmetric Key Cryptography uses a different algorithm called RSA. It follows the same purpose, making the reversing process super time consuming that exceeds the current computational power.

Just like Diffie-Hellman uses mod, RSA uses prime number to make it hard to reverse the process. While the computational time for simple multiplication grows linearly when the number gets bigger, the time for finding prime factorization grows exponentially. So on my end and the bank end, our computational time only grows linearly if we want extra security by adding another digit to our code. Unfortunately, for the smart people their computational time grows exponentially every time we add an extra digit. At this point, most smart people gave up on my $400. However, there are still cases where the RSA Symmetric Key Cryptography can be hacked. It is less secured than the Diffie-Hellman key exchange method, but it takes less computational power.

In today’s banking industry, both methods are used. Very often, Public Key Cryptography is used first to establish a link between a user and a bank. From there, the more timesaving Symmetric Key Cryptography is used for efficiency.

Triple Data Encryption Standard is basically doing Data Encryption Standard 3 times(it is not just 3 times more secure, but the 3 belongs to the exponent). There isn’t anything too fancy or exciting about the basic Data Encryption Standard, but simply giving it a triple ascends its complicity to the extent beyond the current computational power. After some upgrade of the computer power in the future, it is not hard to imagine the triple will retire and quadra and penta Data Encryption Standard will take over, until the algorithm is perpetually replaced by a better algorithm.

It is a never-end battle between the banks and the smart people who are trying to take away my $400. Cryptography are very interesting that even every smart person knows how it works but couldn’t do much about it. The limiting factor here is the computational power in order to reverse the encryption, so that even everyone knows how the computer can possibly solve it, the lack of computational power makes it impossible to solve it realistically.

Citations:

Kar, A.K., Dey, S.K. (2012). Cryptography in the Banking Industry. Business Frontiers, 1(1), 1–7

“10 Security Flaws in Mobile Apps Banks Should Avoid at All Costs.” Netguru Blog on Mobile, www.netguru.com/blog/mobile-banking-apps-security.

“Modern cryptography” Khan Academy, https://www.khanacademy.org/computing/computer-science/cryptography/modern-crypt/v/intro-to-rsa-encryption