Digital Transactions Authoritative, insightful and timely information for payments professionals
Gideon Samid • Gideon@BitMint.com
The Brits invented the tank in World War I, but it was the Germans who later realized that, instead of using it as an anchor for widespread infantry attack, it should be used as a spearhead in a devastating blitzkrieg. It was only when General Patton realized it too that the fortunes of war turned.
Modern cryptography was largely invented in America, but we Americans fail to grasp that it is the only strategic weapon in our Unending Cyberwar (as I argue in my book of the same title). Instead, we practice “wall protection,” a “fence philosophy,” a “castle practice.” Imagine a castle with dozens of gates and thousands of walkthroughs. What is the chance that the enemy would manage to sneak in an agent?
Target Corp. (and most other companies, too) kept its data in a “castle” like that, buzzed with data traffic 24/7. No wonder, then, that thieves crept in. And once inside, they found what they were looking for: mostly stark-naked, exposed, unencrypted data. Even the mighty National Security Agency overtrusted its fences and stored its crown jewels as plaintext. You would expect the high priest of cybersecurity to realize that gates cannot ensure that everything that goes through is bona fide.
Crypto defense, by contrast, is a “defense within,” not without. It is intrinsic. It clings to the data wherever they go. Had the millions of documents that Edward Snowden stole been properly encrypted, it would have spared the NSA a very big embarrassment.
It is time to understand that we are at war. All of us with data privileges of any kind are targets for evildoers around the world. There is no good reason for data to lay naked, unencrypted, whether in storage or on the go, whether in transit or in retrievable mode. Data should be encrypted as a matter of course, except for the limited time when it is being humanly reviewed or algorithmically crunched. Modern cryptographic innovation allows data to remain encrypted while it is being processed.
But is encryption a panacea?
Not really. Cryptography is data protection that distinguishes between those who possess a piece of data called a “key” and all others who don’t. Cryptography is ignorant as to whether the keyholder is bona fide or a thief. In other words, cryptography makes no distinction between the rightful owner of a key and someone who stole it, stealthily copied it, or smartly guessed it. Cryptography assumes that the differentiating key is well protected—castled off.
So if we are again into building fences around data, what’s the difference with encryption, you may ask. Size. It is easier to guard a small bit of data like a key than a large volume of data. The downside is that that precious key is sent out with every encrypted message we send. Indeed, this is true with respect to all the mainstay ciphers in our arsenal. We hope that it is well hidden, that our adversary will not be smart enough to extract it. But keys are quite durable, and if any encrypted piece of data somehow contains a flaw, the key is compromised, and with it all the data that were, or will be, encrypted with it. Today’s hackers are smart enough to hide the fact that a key was compromised. Only if the hacked key continues to be used does it do any good for its compromiser.
Unfortunately, most cryptographers cannot accustom themselves to the humility necessary to assume an adversary who is smarter than they are. The rest of us resort to a different class of encryption where the key is not included in the released ciphertext (the encrypted message). This so-called equivocation-based cryptography precedes all the modern ciphers. Patented as early as 1917 by Gilbert S. Vernam of Bell Labs, it was largely ignored in the U.S. But the Soviets used it to steal our atomic secrets and launch the Cold War.
Granted, equivocation-based cryptography is much less convenient to use than the common type, the so-called intractability cryptography, but once we fully realize that cryptography is our only strategic weapon, we will treat it accordingly.
The first order of the day is to get a better understanding of encryption. Unfortunately, too many of us are scared stiff of this subject. For starters, join the 30,000 viewers and 280 subscribers who study cryptography on the Internet at WeSecure.net/learn.
