This month’s meeting featured a presentation on encryption and computer security.
Dr. Patrick Murphy talking about encryption at this month's meeting. pic.twitter.com/9ibQ2BsHMh
— CvilleWomenInTech (@CvilleTechWomen) April 13, 2016
For our April meeting, Dr. Pat Murphy from the National Radio Astronomy Observatory presented a history of encryption and its role in modern-day computer security.
Let’s meet our presenter.
Dr. Murphy was born in Ireland and has had a lifelong fascination with astronomy. He did graduate work on the top of a remote mountain in southern Arizona (dark skies there). After postdoc work at the (then) Multiple Mirror Telescope, he jumped ship, joining the ranks of what were then called “scientific programming analysts” (i.e., programmers). He spent a short time at the Space Telescope Science Institute before joining the National Radio Astronomy Observatory (NRAO) in 1984. Over his more than 30 years at NRAO, he has spent time at three different sites in three different states (New Mexico, Arizona, and Virginia). Currently, he manages the Charlottesville site’s IT division, as well as serving as NRAO’s Information Security Officer.
Encryption: What is it?
The goal of encryption is secure communication: a message (the plaintext) is transformed by a cipher into ciphertext, so that its meaning remains secret even as it passes through many insecure transmission channels (whether human hands or digital wires), and only someone holding the right key can reverse the transformation. The art and science of designing such schemes, and more broadly of keeping information secure, is cryptography. (Conversely, the art and science of breaking encrypted data without the key is cryptanalysis.)
Encryption is not new: it is as old as the need for secret communication. For example, the Spartans, who needed to transmit secure messages during military campaigns, used a staff called a scytale to perform a transposition cipher: a strip of leather was wound around the staff and the message written along its length, so that the unwound strip carried the letters in scrambled order, and only a staff of the same diameter put them back. A transposition cipher rearranges the letters of a message; it does not replace them.
You are probably familiar with substitution ciphers, where each letter in a message is replaced by another. A simple substitution using one fixed alphabet makes casual reading difficult but is not hard to break: the key (which letter stands for which) falls to frequency analysis, because the commonest letters of the language remain the commonest symbols of the ciphertext. Arab scholars had described that technique by the ninth century. Polyalphabetic ciphers, which became practical systems in Renaissance Europe (Alberti’s cipher disk and later the Vigenère cipher), vary the substitution alphabet as the message proceeds, which defeats a simple letter count. Their weakness is that the change of alphabet, the key progression, repeats with a fixed period; once that period has been found (for instance from repeated fragments in the ciphertext, as Kasiski showed in the nineteenth century), every position that uses the same alphabet is again a simple substitution and falls to counting. It took centuries for code makers to implement such ciphers well enough to be truly robust. The Enigma machine, used by the Germans in WWII, was an electromechanical polyalphabetic cipher whose rotors changed the alphabet with every letter; it was broken not by period finding but through operator errors and a design flaw, the fact that no letter could ever be enciphered as itself.
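The ciphers described above, as an added example that is not part of the talk or the original post: a scytale-style transposition, a Caesar shift (the simplest fixed-alphabet substitution) and a Vigenère cipher, together with the attacks the paragraph describes, frequency analysis for the fixed alphabet and period finding (using Friedman’s index of coincidence) followed by per-column frequency analysis for the repeating key. The plaintext paragraph, the keys and the English letter-frequency table are constructed for the demonstration; everything runs offline on Python 3.

```python
"""Why classical ciphers fall: a transposition (scytale), a monoalphabetic shift
(Caesar) and a polyalphabetic cipher (Vigenere), with the last two broken from
ciphertext alone using English letter statistics. Added example; the plaintext
below, the keys and the frequency table are constructed for the demonstration."""
from collections import Counter

ALPHA = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"

# Relative frequency (percent) of each letter A..Z in typical English text.
ENGLISH_FREQ = [8.17, 1.49, 2.78, 4.25, 12.70, 2.23, 2.02, 6.09, 6.97, 0.15,
                0.77, 4.03, 2.41, 6.75, 7.51, 1.93, 0.10, 5.99, 6.33, 9.06,
                2.76, 0.98, 2.36, 0.15, 1.97, 0.07]

# Constructed sample plaintext (long enough for the statistics to work).
PLAINTEXT = """The Spartans wrapped a strip of leather around a wooden rod called a
scytale and wrote their message along the length of the rod. Unwound, the strip
carried only a jumble of letters, and the order was restored by wrapping it
around a rod of the same diameter. A substitution cipher works differently,
replacing every letter of the message with another letter. A single
substitution alphabet is easy to undo, because the most common letters of the
language still show through the disguise and the reader need only match them.
Varying the alphabet with a repeating keyword hides the simple counts, but the
repetition of the keyword leaves a period in the text, and once that period is
known each position is again a plain substitution that surrenders to counting.
Code makers struggled with this weakness for centuries, and the Enigma machine
was an electromechanical attempt to change the alphabet so often that no period
could be found. It failed in the end because operators repeated settings and
the machine never allowed a letter to be enciphered as itself, and those small
regularities gave the code breakers the foothold they needed."""

def letters_only(text):
    """Classical ciphers work on letters only: drop spaces/punctuation, upper-case."""
    return "".join(ch for ch in text.upper() if ch in ALPHA)

def scytale(text, width):
    """Transposition: write the message in rows `width` letters wide and read it
    off by column. Applying it again with width = number of rows undoes it."""
    text = letters_only(text)
    text += "X" * (-len(text) % width)             # pad so every row is full
    rows = [text[i:i + width] for i in range(0, len(text), width)]
    return "".join(row[c] for c in range(width) for row in rows)

def shift_char(ch, k):
    return ALPHA[(ALPHA.index(ch) + k) % 26]

def caesar(text, k):
    """Monoalphabetic substitution: every letter shifted by the same amount k."""
    return "".join(shift_char(ch, k) for ch in letters_only(text))

def vigenere(text, key, decrypt=False):
    """Polyalphabetic substitution: the shift cycles through the letters of the key."""
    shifts = [ALPHA.index(c) for c in letters_only(key)]
    sign = -1 if decrypt else 1
    return "".join(shift_char(ch, sign * shifts[i % len(shifts)])
                   for i, ch in enumerate(letters_only(text)))

def chi_squared(text):
    """Distance of the letter histogram of `text` from English; lower is more English-like."""
    counts, n = Counter(text), len(text)
    return sum((counts[c] - n * f / 100) ** 2 / (n * f / 100)
               for c, f in zip(ALPHA, ENGLISH_FREQ))

def break_caesar(ciphertext):
    """Frequency analysis: try all 26 shifts, keep the one that looks most like English."""
    return min(range(26), key=lambda k: chi_squared(caesar(ciphertext, -k)))

def index_of_coincidence(text):
    """Probability that two letters drawn from `text` match: about 0.066 for English,
    about 0.038 for random letters or for text that mixes several alphabets."""
    n = len(text)
    return sum(v * (v - 1) for v in Counter(text).values()) / (n * (n - 1))

def guess_key_length(ciphertext, max_len=20):
    """Find the period of the key: split the text into every-k-th-letter columns; at
    the true period each column is one Caesar alphabet and its IoC returns to English."""
    for period in range(1, max_len + 1):
        cols = [ciphertext[i::period] for i in range(period)]
        if sum(index_of_coincidence(c) for c in cols) / period > 0.06:
            return period
    return None

def break_vigenere(ciphertext):
    """Recover key and plaintext: find the period, then break each column as Caesar."""
    period = guess_key_length(ciphertext)
    if period is None:
        raise ValueError("no period found: ciphertext too short or not Vigenere")
    key = "".join(ALPHA[break_caesar(ciphertext[i::period])] for i in range(period))
    return key, vigenere(ciphertext, key, decrypt=True)

if __name__ == "__main__":
    print(scytale("attack at dawn", 4), caesar("attack at dawn", 3))
    print(break_caesar(caesar(PLAINTEXT, 3)))          # 3
    print(break_vigenere(vigenere(PLAINTEXT, "ENIGMA"))[0])   # ENIGMA
```

The attack needs no knowledge of the key, only of the language: a few hundred letters of ciphertext are enough for the Caesar shift, and each column of the Vigenère text needs roughly a hundred letters for the column-by-column break to be reliable. The Enigma defeats this particular attack because its period is far longer than any message, which is why it had to be broken by other means.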
The Math Behind A Secret, Secure Key
For a message to stay secret, the key has to be kept secret, but for a message to be read by its recipient, both parties must have the key. For digital communications this apparent conundrum has been solved by public-key (asymmetric) cryptography, in which each party holds a key pair: a private key and a public key. The private key, as you may have guessed, is never shared. The public key is made available to anyone who wants to securely send you a message. The public key can be shared because of the asymmetry between two mathematical operations: multiplying two numbers (easy) and recovering the prime factors of their product (hard). In RSA, the most widely used such system, the key holder picks two very, very large primes (hundreds of digits each) and publishes their product as part of the public key; the private key is derived from the two primes themselves, which stay secret. For a computer, generating the primes and multiplying them is trivial. However, it is prohibitively difficult (effectively impossible at the key sizes in use today) for a computer to take the published product and determine the two primes that generated it. Therefore the public key can be both public and secure, because knowing it does not reveal the private key. A wonderful video explains both this principle and the math behind it.
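As an added example (not from the talk or the original post), here is textbook RSA with toy primes to make the roles concrete: the product n is published, the primes and the exponent d computed from them stay private, and the attacker’s only route from the public key to the private one is factoring n. The primes 61 and 53 and the message 65 are standard textbook values; real keys use primes of hundreds of digits and a padding scheme (OAEP), both of which this omits. It needs Python 3.8 or later for the modular inverse via `pow(e, -1, phi)`.

```python
"""Toy RSA to show where the trapdoor lives: the public key is (n, e) with
n = p * q; the private key is d, computable only from the primes p and q.
Added example with textbook-sized primes; never use numbers this small."""
from math import gcd, isqrt

def generate_keypair(p, q, e=65537):
    """Build an RSA key pair from two distinct primes. The primes (and hence
    phi and d) are the secret; only n and e are published."""
    if p == q:
        raise ValueError("p and q must be distinct primes")
    n = p * q
    phi = (p - 1) * (q - 1)             # Euler's totient: needs the factorization of n
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)                 # private exponent: e * d == 1 (mod phi)
    return (n, e), d

def encrypt(pub, m):
    """Anyone with the public key can do this."""
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message must be an integer below n")
    return pow(m, e, n)

def decrypt(pub, d, c):
    """Only the holder of d can do this."""
    n, _ = pub
    return pow(c, d, n)

def factor_by_trial_division(n):
    """What an attacker must do to turn the public n back into the private key.
    Feasible for a 12-bit n, hopeless for a 2048-bit one: work grows with sqrt(n)."""
    for candidate in range(2, isqrt(n) + 1):
        if n % candidate == 0:
            return candidate, n // candidate
    return None

def recover_private_key(pub):
    """Attacker path: factor n, recompute phi and d. Works only when factoring works."""
    n, e = pub
    factors = factor_by_trial_division(n)
    if factors is None:
        raise ValueError("n has no non-trivial factors")
    p, q = factors
    return pow(e, -1, (p - 1) * (q - 1))

if __name__ == "__main__":
    pub, priv = generate_keypair(61, 53, e=17)    # textbook toy primes
    c = encrypt(pub, 65)
    print(pub, priv, c, decrypt(pub, priv, c))    # (3233, 17) 2753 2790 65
    print(recover_private_key(pub) == priv)       # True: 3233 is trivially factored
```

The last line is the whole point: with a 4-digit n the attacker recovers d in a handful of divisions, while the same trial-division loop over a 600-digit n would not finish before the sun burns out. The security of the public key is exactly the cost of that factoring step.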
Devices in Motion: Securing Mobile Devices
While the Internet could not exist without secure transmission of data, our reliance on mobile devices makes encryption of data at rest (data sitting on the device rather than moving across a wire) important as well. You have probably heard about the FBI’s legal attempt to force Apple to provide a way to access the encrypted iPhone used by one of the San Bernardino attackers. Leaving aside the question of whether the government should have a ‘back door’ into the encrypted devices of suspected (or convicted) criminals, encryption is an essential tool for protecting the data on our devices when we cannot protect the devices themselves from loss or theft (and let’s face it, we cannot). Device encryption is now easy to turn on for smartphones (iPhone or Android) and for laptops and desktops (FileVault on macOS, BitLocker on Windows), and should be a no-brainer when you consider that the personal information on your devices is more valuable to criminals than your credit card numbers. One caveat: the encryption key is protected by your passcode, so a weak PIN weakens the protection, and a device that is already unlocked when it is taken is not protected by it at all.
The Importance of Securing the Human
While technologies such as encryption are essential to computer security, in the presenter’s estimate eighty percent of computer security comes down to raising the awareness and changing the habits of human beings. Most attacks on computer systems today reach the machine through a person: phishing and similar social-engineering tricks fool people into handing over passwords or running the attacker’s code, and no cipher is stronger than the user who was talked into bypassing it. Therefore the best defense is to train individuals and institutions to be vigilant. While it’s not cheap, the SANS Institute offers excellent Securing the Human training.