There are many attempts, wrongly, to stop using cryptography for sending and receiving messages over the Internet because these are useless and potentially dangerous attempts for the security and privacy of millions of users.
Government entities, often in countries governed by totalitarian regimes but recently also in what should be democratic nations, authorities with control tasks and some private companies have long been hoping to introduce standards that allow decoding encrypted messages exchanged over the Internet.
Russian authorities have repeatedly urged the creators of messaging app Telegram to provide keys to decrypt messages sent and received by app users ( India blocks Telegram, but for people with a disability, dozens of third-party services; early December 2018, the Australian Parliament approved a law that obliges private companies to provide the tools for the eventual decryption of encrypted communications; in countries such as Russia, Turkey and China, services that use end-to-end cryptographic mechanisms are even banned (see below).
In the United Kingdom, former Prime Minister David Cameron repeatedly reiterated his conviction about the opportunities and the need to ban encrypted communications end-to-end or in any case to obtain, from the developers of the various apps, the tools to carry out checks on the data exchanged; many government agencies have frequently requested, over the years, the inclusion of backdoors within communications software.
The legislation approved by Australian parliamentarians in December 2018 effectively requires developers of applications that use cryptographic mechanisms to insert backdoors.
The legislation will almost certainly be modified during the final approval process. Still, it is disconcerting to learn how often the exact requests are made by legislators who need more technical knowledge.
Apple immediately commented: ” someone believes that exceptions can be made regarding cryptographic protections and that an access channel can be activated that allows visibility on the communications exchanged by those who represent a threat to the public good. They do not it is Encryption is mathematical: any process that weakens the mathematical models used to protect the data of a single user makes the defenses used by anyone else easily attackable.
It would be wrong to undermine millions of people’s security to conduct investigations on a few subjects “. We couldn’t have said it better. Bruce Schneier, a bigwig in the world of cryptography, harshly criticized the measure promoted by the Australian government, defining the comments subsequently shared as “embarrassing”.
We add that the possible “blocking” of individual applications that implement end-to-end cryptographic solutions is just a drop in the bucket. Hundreds of software solutions allow, for legitimate purposes, to protect user privacy and prevent anyone from accessing messages containing personal or confidential information. Experts, among which – in addition to the name of Schneier – also those of Whitfield Diffie and Ronald L.
Rivest (the first name that appears in the acronym RSA of the algorithm of the same name) stand out have always remembered that any attempt to grant privileged access to government bodies as regards the content of encrypted communications would risk putting confidential data and high-profile information (such as those managed by credit institutions) at risk of theft and alteration by third parties. In most cases, such interventions are not technically feasible.
Encryption: What It Is And How It Works, In A Nutshell
The history of cryptography is lost in the mists of time. The first documented use of cryptography, i.e. methodologies aimed at making an incomprehensible message to people not authorized to read it, dates back to 1900 BC when an Egyptian scribe used “non-standard” hieroglyphics to prepare an inscription”.
However, some experts are convinced that cryptography was born spontaneously after the invention of writing to be used in the most diverse applications: from delivering diplomatic letters to battle plans. “Historical” examples of the use of cryptography are the “Cesar code” or “Cesar cipher”, an algorithm that is operated by monoalphabetic substitution (each letter of the source text was replaced, in the ciphertext, with the letter found in the alphabet, several places later) and the “Enigma code”, used by the Nazis during World War II.
Encryption has now become essential in telecommunications and in all those applications that require the guarantee of high data protection. On the Internet, the risks that are run by conveying unencrypted information without therefore using any form of Encryption are significant. The possibility of accessing the Internet by anyone implies considerable security problems since malicious people can also use the Internet, and the applications have become increasingly delicate (think, for example, of commercial, banking and tax applications ).
For this reason, for some time now, all the big names in IT have been pushing for the adoption of the HTTPS protocol, which, to the traditional HTTP protocol (with which data always travels unencrypted), adds the use of a cryptographic algorithm (TLS) and a valuable digital certificate for declaring the identity of the remote server and of the person who manages it: see Switching from HTTP to HTTPS: the importance of the SSL certificate.
In the case of an email, for example, it is advisable to activate only accounts that allow the use of the TLS protocol so that the data is exchanged in encrypted form: Email: SSL, TLS and STARTTLS. Differences and why to use them. When it comes to a cryptographic algorithm, it must offer the following:
- Authentication. The process allows the identity of each participant in a communication to be certified.
- Secrecy. Ensuring that no one can read a message except the intended recipient is essential.
- Integrity. Protection against unauthorized changes made to the transmitted message. The material sent to the addressee must be kept from being altered before delivery.
- I do not repudiate. A mechanism designed to provide the certainty that whoever sends a message cannot deny having sent it.
On the network, an attacker can carry out the so-called sniffing, i.e., trying to “spy” the contents of the data packets in transit in search of helpful information. This attack is straightforward to implement on LAN networks since the Ethernet network cards in promiscuous mode allow you to manage all the data packets in transit. Packet sniffing is not necessarily illegal. For example, a network administrator can monitor which protocols and, therefore, which applications are used within the LAN to “unmask” any suspicious operations.
One of the best packet sniffers is the open-source WireShark. Another method of attack is IP address spoofing, which generates IP packets containing the sender’s IP address. This false address does not correspond to the one used by the attacker. Encryption protects transmitted data from being altered or stolen by attackers and can also be used to authenticate a user.
Symmetric Encryption And Asymmetric Encryption
When it comes to cryptography, there are three schemes to which we refer: symmetric key cryptography, public key (or asymmetric) cryptography and the use of hash functions. In all cases, the starting message is defined as clear text or plaintext; this message is encrypted (becoming ciphertext ) to be incomprehensible to unauthorized persons and finally can be decrypted and restored to plaintext.
In symmetric key cryptography, messages are decryptable only by the person who knows the correct password or passphrase. These cryptographic schemes are generally not used on the Internet because the password obviously cannot travel on the same channel (otherwise, it would fall easy prey to malicious users interested in decoding the message).
The password can be shared using other channels, but there are better approaches to exchanging messages with remote users. If the keys are identical and secret in symmetric key algorithms, a public key known to anyone is used in public key algorithms. In contrast, another – private – is known only to the rightful owner.
The characteristic of asymmetric cryptographic systems consists in the fact that for each person who wants to initiate “secure” communication, two keys are generated: one called “public” and the other “private”. The “private” key is used to decrypt a document and must always be kept secret by the owner; the “public” key, on the other hand, must be distributed and made known.
Any person will use the latter to encrypt an email or any other message intended for the subject to whom the public key refers. Therefore, to encrypt a text with asymmetric cryptography, it is sufficient to use the public key of the message’s recipient. At the same time, the latter must necessarily have his private key for decoding.
End-To-End Encryption: What It Is
End-to-end Encryption refers to the secure, encrypted communication established from one end to the other between the sender and recipient of the message (and vice versa). If correctly implemented, it prevents the message exchanged using an intrinsically insecure medium such as the Internet from being “intercepted” and read by third parties. This prevents the possibility of a man-in-the-middle (MITM) attack along the entire journey of the message.
In other words, only the recipient (and the sender) can read the content of the message automatically, preventing any reading or modification by other users, investigative agencies, government bodies, network operators and providers. In the case of WhatsApp’s end-to-end Encryption or Telegram’s secret chats, for example, the developers’ technicians cannot examine the encrypted messages.
This is because sent messages are encrypted using the recipient’s public key, and the recipient can only read them using his private key. Just like algorithms that use asymmetric or public key cryptography do. As mentioned at the beginning, the most short-sighted and backward legislators have often tried to block, at a regulatory level, the use of end-to-end algorithms because the private key essential for decrypting messages is permanently stored on users’ devices.
And sometimes, it is not even recoverable because it is saved in areas of the system (think of the Secure Enclave of Apple devices) whose content is encrypted in hardware. The primary attack used to break a cryptographic algorithm is the brute force attack: the complexity of this type of operation is closely related to the length of the key used. How to defend yourself against such attacks?
Increasing the length of the key, for example, using keys with a higher number of bits. It is also always good to use software whose source is known, and above all, the functioning of the cryptographic algorithm used has been carefully documented. When the code is not open source, it is decidedly more challenging to control, and it is very complex to establish whether it is free of backdoors.
Mathematical concepts, as Apple observes, must be addressed. Instead, it is much more likely that some government agency will be able to persuade a software house to implement cryptographic standards incorrectly.
ALSO READ: Learn All About Information Security!