Privacy and security – Encryption is Not Enough

People believed that cryptography could be strong enough to provide protection, privacy and internet security. In practice, however, protection against powerful attacks from hackers turned out to be a dream that never came true. Researchers did their best to find privacy and security solutions, but every attempt fell short, because no computer encryption program, no matter how good it is, can prevent an attacker from going through someone’s garbage. Encryption and key management were the only hope for protection, isolation and control of personal data. Encryption was considered the protection mechanism of last resort. However, it didn’t prevent intelligence security agencies from collecting people’s data without their agreement.

Even though people believed that cryptography could protect them from many threats, some of them were afraid to use what they called a complex system, out of concern that if they lost the key, they would lose all of the data forever. According to Security Pitfalls in Cryptography, “A cryptographic system can only be as strong as the encryption algorithms, digital signature algorithms, one-way hash functions, and message authentication codes it relies on. Break any of them, and you’ve broken the system. And just as it’s possible to build a weak structure using strong materials, it’s possible to build a weak cryptographic system using strong algorithms and protocols. However, just because an encryption program works doesn’t mean it is secure. What happens with most products is that someone reads Applied Cryptography, chooses an algorithm and protocol, tests it to make sure it works, and thinks he’s done. He’s not. Functionality does not equal quality, and no amount of beta testing will ever reveal a security flaw.”
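The quoted point, that a system can pass its functional tests and still be insecure, as an added example (not from the original post or from the quoted essay): a toy stream cipher built on HMAC-SHA256 with a fixed nonce and no integrity check round-trips correctly yet exposes the XOR of two plaintexts, while the hardened variant uses a fresh nonce per message and encrypt-then-MAC. All function names, keys and messages are constructed for illustration.

```python
import hashlib, hmac, os

def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode: a strong primitive used as a keystream."""
    out, counter = b"", 0
    while len(out) < n:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

# Weak system: same primitive, but a fixed nonce and no integrity check.
FIXED_NONCE = b"\x00" * 16

def weak_encrypt(key: bytes, msg: bytes) -> bytes:
    return xor(msg, keystream(key, FIXED_NONCE, len(msg)))

weak_decrypt = weak_encrypt  # XOR stream cipher: decryption is the same operation

def leaked_xor(c1: bytes, c2: bytes) -> bytes:
    """What anyone holding two weak ciphertexts learns without the key: p1 XOR p2."""
    return xor(c1, c2)

# Hardened system: fresh random nonce per message, encrypt-then-MAC, separate keys.
def strong_encrypt(enc_key: bytes, mac_key: bytes, msg: bytes) -> bytes:
    nonce = os.urandom(16)
    body = xor(msg, keystream(enc_key, nonce, len(msg)))
    tag = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag

def strong_decrypt(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: ciphertext was modified")
    return xor(body, keystream(enc_key, nonce, len(body)))

if __name__ == "__main__":
    key, mac_key = os.urandom(32), os.urandom(32)
    p1, p2 = b"invoice 0017: pay 0100", b"invoice 0018: pay 9500"  # constructed
    c1, c2 = weak_encrypt(key, p1), weak_encrypt(key, p2)
    print("functional test passes:", weak_decrypt(key, c1) == p1)
    print("ciphertexts leak p1^p2:", leaked_xor(c1, c2) == xor(p1, p2))
    s1, s2 = strong_encrypt(key, mac_key, p1), strong_encrypt(key, mac_key, p2)
    print("hardened round trip   :", strong_decrypt(key, mac_key, s1) == p1)
    print("hardened leaks p1^p2  :", xor(s1[16:-32], s2[16:-32]) == xor(p1, p2))
```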

People argued that an encryption program can have a secret backdoor, which may be government-mandated, used for convenience in recovery and other administrative functions. Other than government access, the primary hazard is that backdoors are often easily hacked by attackers. It has been proved that if any computer you use to store your encrypted data is infected by spyware, the decrypted data can easily be transmitted to an exploiter over the Internet.

Bruce Schneier said that Cryptography is harder than it looks: “Billions of dollars are spent on computer security, and most of it is wasted on insecure products. After all, weak cryptography looks the same on the shelf as strong cryptography. Two e-mail encryption products may have almost the same user interface, yet one is secure while the other permits eavesdropping. A comparison chart may suggest that two programs have similar features, although one has gaping security holes that the other doesn’t. An experienced cryptographer can tell the difference. So can a thief.”

2 Responses to Privacy and security – Encryption is Not Enough

  1. And just as it’s possible to build a weak structure using strong materials, it’s possible to build a weak cryptographic system using strong algorithms and protocols.

    This is particularly interesting, as Matt Curtin today touched on the topic that there is a possibility that hashing functions that we use today may all be based on some of the same flawed logic. If a crypto system is broken by design, but is the standard that we use to derive other crypto systems, I think there’s a huge problem here.

    Consider storing your data in the cloud (online in encrypted form)

    While storing your data online could be appealing, once you’ve given your data to someone else, even if it’s encrypted, all bets are off. While individuals have certain rights in legal proceedings, companies have much less. There are many options for keeping data secure, such as full disk encryption (PGP from Symantec, or LUKS, or others really) or selective encryption (ecryptfs, pgp/gpg). If keeping as much control over your data as possible is the goal, then it would be best to follow such procedures.

    An additional but only slightly related note is Cryptolocker, a virus that encrypts vital parts of a computer and then holds the person hostage until they pay a sum to whoever presumably authored the software. This new class, called ransomware, has further ethical implications as it decreases happiness and may infringe on the moral rights of individuals… It’s like using cryptography for evil!

  2. Michael Hammons

    Cryptography can be overwhelming, especially for people who aren’t computer science majors, which I think is a big reason why there is so little privacy and security on the internet. Protecting your privacy on the internet requires a lot of time and information that people don’t have.

    If the average person knew how easy it is for the government or anyone else for that matter to collect all of their personal information online, they would be alarmed. I also think that they would want to do something to help protect themselves. But then they learn that it takes a lot more than just logging onto Google to protect your privacy.

    Another problem with privacy online is that if you take actions to protect it, you look like you’re hiding something. I don’t think anyone wants to bring unwarranted attention to themselves from people like the NSA.

    Cryptography needs to get to a place so it is easy to use for everyone. A user friendly way to encrypt information without needing a good deal of prior computer knowledge would be a great way to increase everyone’s privacy.

    Also, the Cryptography is Harder Than it Looks is a pretty good article for anyone interested.