Privacy and security – Encryption is Not Enough

People believed that cryptography could be strong enough to provide protection, privacy and internet security. In practice, however, protection against powerful attacks from hackers became a dream that never came true. Researchers did their best to find privacy and security solutions, but every attempt fell short, because no computer encryption program, no matter how good it is, can prevent an attacker from going through someone’s garbage. Encryption and key management were the only hope for the protection, isolation and control of personal data, and encryption was considered the protection mechanism of last resort. However, it didn’t prevent intelligence and security agencies from collecting people’s data without their agreement.

Even though people believed that cryptography could protect them from many threats, some of them were afraid to use what they called a complex system, out of concern that if they lost the key, they would lose all of the data forever. According to Security Pitfalls in Cryptography, “A cryptographic system can only be as strong as the encryption algorithms, digital signature algorithms, one-way hash functions, and message authentication codes it relies on. Break any of them, and you’ve broken the system. And just as it’s possible to build a weak structure using strong materials, it’s possible to build a weak cryptographic system using strong algorithms and protocols. However, just because an encryption program works doesn’t mean it is secure. What happens with most products is that someone reads Applied Cryptography, chooses an algorithm and protocol, tests it to make sure it works, and thinks he’s done. He’s not. Functionality does not equal quality, and no amount of beta testing will ever reveal a security flaw.” https://www.schneier.com/essay-028.html

People argued that an encryption program can have a secret backdoor, which may be government-mandated and used for convenience in recovery and other administrative functions. Other than government access, the primary hazard is that backdoors are often easily hacked by attackers. It has been proved that if any computer you use to store your encrypted data is infected by spyware, the decrypted data can easily be transmitted to an exploiter over the Internet.

Bruce Schneier said that cryptography is harder than it looks: “Billions of dollars are spent on computer security, and most of it is wasted on insecure products. After all, weak cryptography looks the same on the shelf as strong cryptography. Two e-mail encryption products may have almost the same user interface, yet one is secure while the other permits eavesdropping. A comparison chart may suggest that two programs have similar features, although one has gaping security holes that the other doesn’t. An experienced cryptographer can tell the difference. So can a thief.” https://www.schneier.com/essay-037.html
