
Security Tools: Encryption and Security Certificates

First in a series on security tools, this guide discusses encryption, security certificates, and Public Key Infrastructure

Encryption Explained

What Do Sherlock Holmes and Ralphie Parker Have In Common?

In "The Adventure of the Dancing Men" Holmes is presented a message with odd figures on it:

[Image: the "dancing men" message shown to Holmes]

Holmes realizes that the message is encoded using a simple substitution cipher, i.e., each figure stands in for a letter of the alphabet. With copies of several messages, he is able to use frequency analysis, based on the relative frequency with which a given letter of the English alphabet appears in words and in combination with other letters, to decipher the messages.

In "A Christmas Story," one of the subplots involves Ralphie's avid following of the "Little Orphan Annie" radio program episodes and the coded message given at the end of the show. He anxiously awaits the arrival of his decoder pin, and upon receiving it, discovers that the message is an ad urging him to drink more Ovaltine. The pin creates a simple substitution cipher by its user rotating one half to align one set of the alphabet with different letters in the other set.

A more sophisticated cipher is used in the Enigma machine, featured in the story of mathematician Alan Turing in "The Imitation Game." Enigma used multiple alphabet rotors and turned a rotor on each keypress to create a "polyalphabetic substitution cipher." The use of an electrical plugboard introduced an additional element of simulated randomness in the selection of the rotor turn.

Today encryption is the key component of data security and privacy in digital communications.


Digital Encryption 

With digital encryption, a computer algorithm, i.e., a sequence of operational functions, is applied to data, such as text, to change the representation of the data into apparent gibberish. Encryption algorithm designers rely on a mathematical concept called "the law of large numbers" to develop the particular sequence of operations that will be used. The algorithm is "seeded" with a key that is unique to the individual or entity on whose behalf it is run. That key is needed to decrypt the resulting encrypted content. Several algorithms have been used over the past three decades. RSA, first described in 1977, uses large prime number factoring to create a key. Data Encryption Standard (DES) was among the earliest schemes. Although it was relatively weak, it led to the development of stronger versions and schemes. Pretty Good Privacy (PGP) was released in 1991 and initially was offered as open source and at no cost for noncommercial use.

Strength of Encryption

How difficult it is to crack an encrypted message depends on the inherent strength of the encryption algorithm and the length of the key, the latter expressed in bits. The race between encryption developers and those who seek to break the cipher is a perennial one, in large part because of the increasing capacity and speed of computer processors, which is expressed as Moore's law. Since it is unlikely that a given encryption scheme can be truly impossible to break, as a practical matter one makes the scheme strong enough that an attack, whether by one computer or many, is so costly and so time-consuming that the scheme is unlikely to be broken during the period for which secrecy must be retained. Under Moore's law, the cost of such computing power has decreased rapidly, requiring the continuing improvement of algorithms and keys to maintain a useful resistance to attempts to crack the scheme. A recent article discusses the latest efforts to crack encryption schemes.

Common Uses for Encryption

Transmission of Data

An obvious use for encryption is securing data from eavesdropping during transmission. WiFi networks are a prime target for hackers who want to steal data. Public WiFi networks that do not use encryption, obvious to the user because they do not require a password to access, can be readily intercepted by a computer that is in range of the network. Network data travels in discrete packets, which include metadata, i.e., the information needed to properly route the packets, and the data content created by the sender. For example, an email message that you send is broken into hundreds or thousands of small data packets, and each may take a separate route across the Internet before being reassembled into a coherent message at the recipient's email server. Software called a "packet sniffer" can grab data packets from the network and assemble the data for the hacker's review. For this reason alone, users of WiFi networks need to be aware of the encryption tools available to them. In reality, data traveling over wired networks is also subject to interception, but doing so requires a physical network connection to a local segment of the network to obtain enough of the packets to reassemble the data.

One form of encryption often encountered is the "HyperText Transport Protocol Secure" or https protocol used by websites and browsers. The underlying scheme started out as SSL, for Secure Sockets Layer, and is now TLS, for Transport Layer Security. Banks and commercial sites have used https since they first began serving customers on the Internet. SSL and TLS are generally reliable, but cracking them is not unknown. A version called OpenSSL, which appears on many servers using Linux, had a vulnerability to a hacking method. Once discovered, the authors of the software distributed a patch, but some server operators failed to install the patch. The best known of these is Equifax, the credit reporting company, and its failure resulted in the release of social security numbers and other restricted data belonging to millions of people.

You can add additional layers of security by using an app that creates a Virtual Private Network (VPN) between your computer and the server at the other end. VPN software wraps each packet in a layer of encrypted security, a method known as tunneling. UNC requires the use of its VPN when accessing sensitive sites, such as ConnectCarolina, from off campus. Commercial VPN products are available for securing your connections outside of the UNC context. You should always use a VPN when you are on a public WiFi network.


Data at Rest

The data on your computer or mobile device is also subject to theft, through the theft or loss of the device itself. It's relatively easy to lose a phone, and not that hard to misplace a laptop, especially if you are in a hurry to make a flight. You should encrypt the device's hard drive so that anyone finding it cannot access your data. Windows 10 offers BitLocker and MacOS offers FileVault. iOS and Android phones will encrypt the data if you set up a lock code or PIN. By default those devices will erase the data if a hacker tries to defeat the PIN ten times. This is designed to prevent a "brute force attack." After all, a four-digit PIN would take no more than 10,000 tries to break, and it might be worth it to a hacker to apply some effort to that task if the data it yielded could be sold or used to access your property.
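The attempt limit is what turns a 10,000-guess problem into a 10-guess problem. The following is an added example, not code from the guide or from any phone vendor; `PinLock`, `brute_force_outcome` and the iteration count are constructed here to model a lock that keeps only a salted, slow hash of the PIN and erases the data after ten failures.

```python
"""Constructed model of a phone PIN lock that wipes after ten failed attempts."""
import hashlib
import hmac
import os
from itertools import product

WIPE_AFTER = 10          # failed attempts allowed before the data is erased
PIN_DIGITS = 4           # a 4-digit PIN has only 10**4 = 10,000 possibilities


class PinLock:
    """Stores a salted PBKDF2 hash of the PIN, never the PIN itself."""

    def __init__(self, pin: str):
        self.salt = os.urandom(16)
        self.pin_hash = self._derive(pin)
        self.failed = 0
        self.wiped = False

    def _derive(self, pin: str) -> bytes:
        # Deliberately slow hash so each guess costs real CPU time.
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self.salt, 20_000)

    def unlock(self, guess: str) -> bool:
        if self.wiped:
            return False                      # nothing left to unlock
        if hmac.compare_digest(self._derive(guess), self.pin_hash):
            self.failed = 0                   # correct PIN resets the counter
            return True
        self.failed += 1
        if self.failed >= WIPE_AFTER:
            self.wiped = True                 # device erases user data
            self.pin_hash = b""
        return False


def brute_force_outcome(lock: PinLock):
    """Try every PIN from 0000 upward; return (tries made, unlocked?)."""
    tries = 0
    for digits in product("0123456789", repeat=PIN_DIGITS):
        tries += 1
        if lock.unlock("".join(digits)):
            return tries, True
        if lock.wiped:
            return tries, False
    return tries, False


if __name__ == "__main__":
    tries, ok = brute_force_outcome(PinLock("4821"))
    print(f"gave up after {tries} tries, unlocked={ok}")   # 10 tries, False
```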

The encryption codes are not truly impossible to defeat, but they make it impractical for most hackers. The NSA and FBI and their counterparts in other countries are believed to have broken some device codes. Since the Clinton administration, the U.S. government has sometimes argued that Congress should require manufacturers to create a "back door" that "only the government" could use to grab data off encrypted devices. This concept was called the "Clipper chip" when proposed in the 1990s, and it resurfaces from time to time.

The iPhone of one of the shooters in the 2015 San Bernardino, California attack was involved in a tug-of-war between the FBI and Apple, when the federal agency sought Apple's help in decrypting the phone.