Member preview

Is Cryptography the Ohm’s Law of Cyber Security?

For some reason, cryptography seems to be the weakest area of understanding in the Cyber Security profession. I’ve lost count of the number of times I’ve debated with a cyber security professional that public key encryption is not actually used to encrypt things, and it’s only used to sign for identity and in key exchange. No-one actually needs to know a great deal about the actual mechanics of cryptography, but everyone in the industry should know how it all fits together, and where the weaknesses are.

Few people, though, could actually tell you how RSA or Elliptic Curve actually work, but they are now fundamental parts of the security of most organisations. It is like a car mechanic knowing an engine from its specification, but not actually knowing how each of the component parts work. When it breaks, the knowledge of its specification is not going to help that much. Unfortunately, too, the professional certification in the area — including the premium CISSP — hardly scratches the surface, and many of those that study it, do not get past the basics.

From a business point-of-view, business leaders also seem to have a poor grasp of its importance within an organisation. Today, we see company after company announce that they did not encrypt sensitive data on data breaches, and where CEOs tell the world that they had no idea if data had been encrypted for not. This is equivalent to a company which sells toasters saying that they had no idea that the toast could catch fire.

I personally don’t understand why the lack of understanding of the basis persists, as it should provide the fundamental knowledge for everyone involved, in the same way that Ohm’s Law does for an electrical engineer. You wouldn’t want an electrician wiring your home, if they didn’t understand how to estimate electrical current flows.

For me it the privacy and access rights of data elements should be designed into a system at the earliest stages, and should not be seen as a bolt on. In an era of GDPR, we must admit that most IT systems are not design in a way which truly anonymises data, encrypts in the right way, and then also allows citizens to access it.

The greatest problem with areas such as homomorphic encryption and blockchain is to get over the technical barrier that is the technology itself, and actually explain the great benefits that these technologies will bring to our flawed infrastructure.

But I believe we should now be past the phase were cryptography is used to fix many of the problems that we have caused with our terrible protocols, and should now be in a phrase of rebuilding a new world with a solid foundation of trust. So rather than me just quoting things, I will quote from this article:

“As technology touches every single person’s life today, it’s important for everyone to understand the basic concepts that allow technology to operate, and appreciate thatcryptography has potential to propel us to new heights not even yet imagined.”

There you go, someone else said it … we have the change to change our society … with cryptography … and build a better world. And cryptography should now be seen as its basic building block:

“Our world is advancing faster than ever before and it’s easy to lose sight of thefoundational elements of technology that enable us to live our lives the way we do. Cryptography [has advanced to be] one of the cornerstones of the modern world.”

I love the subject. I’ve saturated my learning in most other areas, but cryptography grabs you, and provides you with a path of infinite learning … and as an academic I love that. Every single day there’s something new to learn.

When asked about the book that changed my life I say without a hint of hesitation:

It read it … and read it … and read it again … and then I got it. Everything clicked into place, and I could see the future clearly. I understood how hashing worked, and how public key integrated to provide signatures, integrity and identity checking, and how we integrated symmetric key, and I could see how everything could work together to create a new world.

Conclusions

Cryptography is fixing many of the problems we have created in our flawed Internet, but its core role is to provide a new foundation for a new world.