03 Aug 2016

Russian Hackers and Pig Latin

With the recent media focus on cybersecurity, whether it is talk of Russian hackers scheming to influence US presidential elections or “Brexit” votes, or the pervasive pressure to comply with HIPAA (healthcare privacy regulations) or other consumer data privacy requirements, “encryption” is one of the solutions that is often introduced.

When sending email, email encryption can indeed protect your strategic dialog from potential exposure, and its mere use can demonstrate your best efforts to protect consumer data against data breaches. As reported by The Guardian, NSA whistleblower Edward Snowden has said, “Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on.”

Not all email encryption and methods of use are equally effective, though. And, one might prefer different types of encryption depending on the situation.


“Caesar Cipher” and “Pig Latin” are Forms of Encryption

Suppose Hillary wants to send a secret message to her friend Bill but worries that snoopy Vlad may intercept it. Hillary needs a way to scramble her message so that only Bill can read it. A simple way to do this would be for Hillary to replace each letter in her message with the next highest letter; shifting it by one (think “Caesar Cipher” or “Pig Latin“).

But, of course, that is too simple. If Vlad intercepts the message, he’ll be able to easily decipher it by looking for hidden patterns in the letters it contains. All it will take to crack the code is a little mathematics and a little trial and error.

And, of course, if Vlad uses a computer he’ll be able to crack the code even faster. So, just shifting (as is the case with Pig Latin) the first letter to the end and adding “ay” as a suffix (turning “HELLO” into “ELLOHAY” for example) isn’t a very strong cipher. Certainly Russian spies would crack this encryption. So, what can Hillary do?

Well, she can try to think up a more complicated mathematical formula to scramble the letters and numbers. And maybe she can use a computer to apply the formula. This will help, but the problem is that if Vlad hires clever mathematicians, or if he has a powerful enough computer, he will be able to crack the code eventually. So, it looks like it’s going to be an arms race with Vlad to see who can come up with the biggest computers and the most complicated formula. But because Vlad has nearly unlimited resources to pay mathematicians and to spend on computing power, it is a race Hillary and Bill are perhaps bound to lose.


What is Considered “Strong Crypto”?

We have established that more complex encryption patterns are more difficult for Vlad to decipher, unless Vlad can use a powerful computer to help figure out the pattern; yet they remain easy for Bill to read, because Bill has knowledge of the pattern (the decryption key). Most technicians understand that more complex algorithms are harder to “crack”, that is, they require more computing power to crack.


How does Computing Power Impact the Time to Crack the Encryption?

Let’s consider the example of using computing power to try to guess a 10 digit seemingly random alpha numeric password, such as: tjo9i0982d using a “Brute Force” attack (i.e. trial and error). This would be similar to trying to find a pattern in a universe of combinations of 36 digits (26 possible letters and 10 possible numbers). According to Gibson Research Corporation, in this example, there are 3700 trillion combinations, and the time to guess and test the right combination using trial and error in an online environment is one thousand centuries (assuming one thousand guesses per second). However, in what Gibson Research calls a “Massive Cracking Array Scenario” with one hundred trillion guesses per second offline, this password can be guessed in just 38 seconds.

Computing power does matter. But, not many, if any (today), can implement a “Massive Cracking Array Scenario”. One institution that could potentially implement such a system is the National Security Agency (NSA). In 2014, the NSA completed a $1.5 billion data center in Utah that reportedly has more than 100,000 square feet of computer and data storage equipment in a facility that spans a total of 1-1.5 million square feet.


Is Today’s Commercial Encryption Readable by the Russian Spies with their Computing Power?

This is a question that some people know the answer to. We do not. Most commercial encryption uses algorithms that the NSA has “approved” for “civilian, unclassified, non-national security systems”. These algorithms are what encrypt your email or financial transactions when using email encryption or secure HTTP web based connections with commercially available systems. Some of these NSA approved (unclassified) algorithms include DES, Triple DES, AES, DSA and SHA.

So, when it comes to using email encryption to protect “civilian, unclassified, non-national security systems” and information, what are the most important considerations? Learn how to choose the best email encryption service for personal or business use.