Data breaches are at an all time high. Where did cryptography go wrong? Maybe it’s time for a rethink
Cryptography is the math that secures our data — and yet the cost from cyber damage in 2021 is estimated to be a staggering $6trillion.
Data breaches have been normalized
Data breaches are so normal they rarely raise an eyebrow. Intellectual property and personal data can be bought for only a few dollars on the dark web — bad actors often prefer ransoming the data owners instead. Most big cyber attacks are settled outside of the media’s glare because it is easier for a Corporate to claim off an insurance policy than manage reputational damage, potential law suits by aggrieved stakeholders, stock price falls and GDPR related fines.
Data privacy and security is the biggest challenge technology faces today. It is also one of the biggest challenges individuals and corporations face too.
Cryptography is the math and the protocols that are supposed to provide the privacy and security protection (from SSL, PGP to RSA) and despite years of academic and real world application, it doesn’t appear to be doing what it is supposed to do — make it near impossible for bad actors to access our data. So what is going on?
Keep it simple, stupid
Despite most computer systems having some cryptographic security measures in place, when there are data breaches, Cryptographists and cyber experts blame human error — easy to guess passwords, raw text storage, default passwords, incorrect implementations, poor training etc. Many of these reasons are valid but it is not that simple.
Computer systems are just too complicated to offer 100% data protection— businesses often operate with multi vendor hardware and software; throw away mobile devices; unsegregated business and consumer apps; layer upon layer of code that is often poorly tested and written in many computer languages (300+ according to wikipedia); code outsourced to countries with poor security infrastructure; code using untrusted and untested third party libraries and services that may no longer be supported (‘open source’ doesn’t mean it can be trusted or will always be supported); data stored in the ‘cloud’ (do you know where the cloud servers are and who has access?); and with multiple entry and exit points in these complex architectures (APIs, VPNs, FTP, Websites, Email, Messaging, etc), a hacker has plenty of time and easy access to tools on the internet to find the points of weakness.
So what so Corporates do —they buy software to monitor their complex computer systems like Solar Winds which in turn is compromised and allows hackers full access to multiple large Corporates and government agencies. It seems like a never ending battle and old school solutions like pen and paper and the postal service is not only cheaper but much more secure.
It is not the fault of Cryptography there are so many data breaches — as a math protocol it has proven to be extremely robust. Even as computer processing has improved, protocols have moved on too: DES to AES for example, MD5 to SHA256. Key Management is a huge and growing industry.
How many passwords do you have?
You have many passwords. Corporates have many more passwords. However, most passwords (or passcodes) are held by third parties. When you are told WhatsApp encrypts the data you feel safe — but it is not you who owns and controls the password key, Facebook does. This is same for the SSL certificate in your browser (quite possibly controlled by Sectigo) or the encrypted files you keep on Sharepoint (operated by Microsoft). Do you trust these corporations when they too have been hacked or compromised in the past?
This has all advanced a new industry of cyber security and risk mitigation and yet the real problem is not cryptography or complex systems but …
— the raw data itself
Old school
Alice has some gold bars. Alice physically stores these valuable objects into a safe that requires a key to unlock it. Alice gives Bob a duplicate key incase the key is lost. Bob is a trusted friend.
If the valuable objects are worth stealing, additional measures can be put in place like armed guards or locking the safe in a freeport.
However….
- Can Alice trust the maker of the safe. Can the metal be penetrated?
- Can Alice trust the maker of the lock. Can it be broken? Do they have copy keys? Are the locks blue prints freely available? How long would it take someone to break the lock?
- Can Bob be compromised (bribed or blackmailed)? Are there other copies of the key?
- Can Alice trust the guardians of the safe. Is the safe protected from being physically removed?
- Can the armed guards be bribed or blackmailed? Can the location be comprised by turning the electricity off or tunnelling underground?
These are the risks and there are ways to control them. In the digital age, the risks are numerous and more difficult to risk manage.
Digital world
Alice has a password of a bank account. They cannot put this is a safe because it is needed on a regular basis so they store it in a digital safe — a Microsoft Word document — with a password.
However, just like the safe there are some risks to consider:
- To trust Microsoft, a big US tech company, has not put anything in to the software that would allow them to view the password, or the computer used to operate Microsoft Word is not copying key strokes and sending them off to someone without Alice’s knowledge.
- To trust the cryptographic algorithm that allows Alice to use a password to encrypt the document and to also decrypt the document, cannot be compromised
- To trust Alice’s ability to create a strong enough password so it cannot be guessed and to not forget it or misplace it.
The biggest issue with this scenario is the Word document can be emailed to millions of people, some who have time on their hands to guess the password or use trap doors or poorly executed code to get to the password.
So what about the password held as raw data in the document?
Real World Solutions
Image if the hacker opened the Word Document and found one or two characters? It would mean the password was not complete. The hacker would need to go on a treasure hunt and find the other characters and then work out if they are real (and not spoofs) and the sequential order they should be in. The hacker may also be confronted with another layer of encryption. Imagine if the other parts of the password were held on Dropbox, PasteBin, Twitter, Instagram images or Google Drive? In this case Alice would be diversifying the concentrate risk of relying on Microsoft to protect the password. Alice could threshold the password too to protect against downtime or other events not enabling the full password to be brought back together again. If any part of the password is cracked because of cryptographic weaknesses, the hassle and time and effort to find the other bread crumbs would put most hackers off. Imagine if a law firm did this to ALL their word documents? Well a solution does exist. It uses a blockchain too.
Check out Gvanta at grandeo.net
