A journey through the history of cryptography – Part 1

A journey through the history of cryptography – Part 1

A never ending story? Data breaches at major companies dominate the headlines throughout the world’s newspapers. They have increasingly become a permanent topic in public reporting, but along with that, companies are also becoming more aware of the need to protect sensitive data from third-party access. The Ponemon Institute has observed a steady increase in the implementation of encryption strategies in companies over the past 14 years.

However, legal regulations, especially within Europe, force companies to use encryption. An important factor here is the General Data Protection Regulation (GDPR), which has been enforced since May of 2018. Personal data must be encrypted as soon as it is transmitted over the Internet or stored in the cloud, while encrypted communication was hardly considered at all a few years ago, it is currently “in vogue”.

It is important to note that encryption is not a modern invention. From a historical point of view, the beginnings date back for centuries of time, as we know the Roman commander Gaius Julius Caesar already exchanged encrypted messages with his military leaders. In this article, we will take a look back into the past to better understand today’s cryptography.

Before we enter our time machine, tighten our helmets and set off on a hunt for clues, we want to point out that side effects such as nausea, headaches and confusion can occur during this journey. We will attempt to provide the best possible service during your trip through the history of cryptography. Fasten your seat belts!

Historical cover-up – also known as: lemon juice on parchment

In the year 480, we are in the middle of the age of antiquity. Roman commanders compete for the rule of the Roman kingdom. Intrigues, murders and other fraudulent activities must be planned and executed. But how can such a planned assassination be transmitted to the contractor, undetected? Have you ever heard of lemon juice on parchment? It represents a classic secret communication channel.

The text is written on parchment using lemon juice. After the lemon juice has dried, the parchment gives the impression of a blank sheet. The recipient of the message can still decode the message very easily. For example, in those days he would hold a candle behind the parchment and thus be able to make the lemon juice visible and read the message.

In addition, there were several other methods that were used in antiquity. Slaves were used to shave the hair off their heads, tattoo the message on the back of their heads and wait for the hair to grow back to deliver the message to the rightful recipient. Without question, this was one of the more radical means of communication, and was not suitable for urgent messages either.

The procedures just described belong to steganography, which is clearly distinguishable from cryptography. Steganography is based on the hope that an outsider does not notice that two private parties are communicating with each other.

Beginnings of cryptography: Asterix and Obelix visiting Caesar

Opposite of steganography, cryptographic communication happens between two or more communication partners with language that may be visible, but remains confidential. Only the information itself is not visible to outsiders, through the encryption of the message.

Let us stay in Rome. Let’s immerse ourselves in the world of the Gauls and Romans.

A popular encryption technique was developed by a very well-known historical personality: Gaius Julius Caesar. Known today as the Caesar cipher, the later Roman emperor communicated with his military leaders through encrypted messages. Neither unauthorized persons nor the enemy, in this case the Gauls, knew the purpose of the coded texts. But as time passed, this encryption method could be cracked in quite a few simple ways.

The Caesar cipher is a simple symmetric encryption method, and is based on a substitution. This means that each letter used in the message is replaced by a new letter. The substituting letter results from a letter offset within the alphabet that is determined in advance. For example, a shift of three digits. In this case, “Thank you” becomes “Gdqnh”. For the decryption a cipher disk was often used to avoid having to constantly repeat the alphabet. With this type of encryption, the recipient only had to be informed in advance about the offset with a secret key.

An unauthorized person could not initially get anything out of the message without the key, but once he or she has spent some time on it, it is easy to decrypt the message after an average of 25 attempts. This is because they had to check the alphabet at a maximum of once to discover the correct letter offset. Today’s computers would take less than a second to do this. The Caesar cipher is therefore no longer considered secure and has been replaced by newer methods. All aboard, we’re off to France in the 16th century.

Infographic Crytography

From Rome to France

One of the methods that replaced the Caesar cipher as a more secure alternative was the one developed by French diplomat and cryptographer Blaise de Vigenère in the 16th century, also known as the Vigenère cipher. It is comparable to the Caesar cipher, and is also based on the substitution of letters, but it uses several ciphertext alphabets.

How many alphabets are used, is determined by a key. Instead of a number, a keyword is chosen, which is written under the encrypted message. The keyword specifies the letter offset for each letter. The first letter of the keyword defines the alphabet for the first letter of the clear text, the second letter of the keyword determines the alphabet for the second letter of the clear text.

Example Vigenère Chiffre

Keyword: Present | Message: We give Tom a voucher for his birthday

W E G I V E T O M A V O U C H E R F O R H I S B I R T H D A Y

P R E S E N T P R E S E N T P R E S E N T P R E S E N T P R E

The “P” now gives a letter offset of sixteen letters, since the “P” is in the sixteenth position in the alphabet. The “R” shifts eighteen letters and so on. So the “WE” becomes a “MW”.

The safety of this encryption method is strongly related to the key length and whether the key is used multiple times. The keyword in our example is therefore not really secure.

However, some years later this encryption method turned out to be easily decoded. We will now take a look at another encryption method that was considered indecipherable for a long time.

Enigma and the Turing Machine

We make a stop in Germany in the 1930s. Similar to the Caesar cipher, encryption methods were mainly used in a military context. Therefore, it is hardly surprising that Germany also made use of encrypted communication during the Second World War. The special aspect of this type of encryption was that it was encrypted and decrypted by using a machine. The key was modified every day, so that it lost its validity after 24 hours. That machine is called Enigma.

Enigma was invented by Arthur Scherbius in 1918 as a special machine for routine cipher and decipher. The basic operating concept dated back to the years of the First World War. The First World War is considered the first war in which cryptography was systematically used. Already during the war and in the years after it, the first machines were developed which offered a significantly higher level of security than the manual methods. Enigma was offered for sale, but was met with very little interest from both the business community and government agencies. It was not until 1933, under Hitler, that Enigma became part of the standard equipment of the National Socialists. But how exactly does this odd machine work?

At first sight it resembles a classic typewriter, but inside it hides a rather complicated system. The operating principle is based on simple electric circuits, each of them connecting a letter key on the keypad to an electric light that illuminates a letter on the display. However, the “A” is not connected to the “A” on the display panel: all the rollers are interlocked according to a specific system. The message can therefore only be decoded if the recipient knows all the settings of the transmitting enigma.

Sounds like an insurmountable encryption, doesn’t it? But it was cracked by a British computer scientist in 1941. Alan Turing declared war on Enigma with a self-developed “Turing machine” and eventually won. Historians claim that this machine ended World War II prematurely and saved millions of lives.

Principle of modern cryptography

Before we now start our journey back to your offices, we would like to give you something to conclude:

As you have now learned at our various stations, even systems whose encryption algorithm was known only by the receiver and sender were able to be deciphered. One principle of modern cryptography, also known as Kerckhoff’s principle, therefore states that the reliability of a (symmetric) encryption method is based on the security of the key rather than on the secrecy of the algorithm. It is therefore advisable to use public algorithms that have already been sufficiently analyzed.

However, our journey into the history of cryptography is not over with this article, because one question remains open: Are there secure methods for encryption? To be continued …

Top 5 Cyberthreats in 2020

Top 5 Cyberthreats in 2020

We hebben dr. Yvonne Bernard, Head of Product Management gevraagd om ons een deskundig advies te geven over cyberthreats die we in 2020 op onze radar zouden moeten hebben.

Gevraagd worden om te voorspellen wat de volgende grote bedreigingen zijn, zal altijd tegenstijdig zijn: aan de ene kant heb ik toegang tot big data-analysehulpmiddelen die voorspellingen op een geweldig niveau mogelijk maken en ons eigen security lab geeft me alle soorten technische details. Aan de andere kant, voorspellingen vereisen ook een combinatie van intuïtie, ervaring en zelfvertrouwen … Maar het is een geweldige kans om mensen te waarschuwen alleen door in je kristallen bol te kijken, en ik ben bereid de taak op me te nemen.
Mijn algemene veronderstelling is dat e-mail de nr.1 aanvalsvector blijft, vooral voor het soort zakelijke klanten dat we dagelijks beschermen. Dat gezegd hebbende, mijn eerste voorspelling kan je verbazen:

1. Gehackte IOT-apparaten

Ik verwacht dat aanvallen op IOT-apparaten in 2020 verder zullen toenemen. Deze apparaten zijn goedkoop en zelfs nuttig in een industrie 4.0 of digitalisatie scenario. Ze missen vaak patch management en zijn gebaseerd op een standaard open besturingssystemen met bekende default gebruikers of admins (bijv. opeHAB voor Raspberry Pi). Ik maak me zorgen in zo’n omgeving dat het niet alleen een Chinese hacker is die je koffiemachine uitschakelt: deze miljoenen gemakkelijk te hacken apparaten met verschillende IP’s wereldwijd zijn de perfecte voedingsbodem voor botnets zoals reaper. DDoS en andere grootschalige wereldwijde aanvallen lopen via, veel kleine of grote bedrijven of via kritieke infrastructuren – door gebruik te maken van wereldwijd gehackte IOT-apparaten, zonder kosten.

2. Big data exfiltration aanvallen met Ransomware as a Service

We hebben Ransomware eerder als een service gezien: mensen zonder enige programmeer- of hacking vaardigheden kunnen hun eigen malware bouwen. Bouwpakketten voor malware zoals Philadelphia (worden verkocht voor $ 389) of de momenteel actieve Satan (via een revenu share verdien model) zijn enkele voorbeelden.

Dit en vergelijkbare simpele malware aanvallen kunnen de aanvallen op MKB-bedrijven vergroten, doordat het nu goedkoper en eenvoudiger is dan ooit. Een klein bedrijf zijn, betekent niet dat u geen potentieel slachtoffer bent van cybercriminaliteit, maar helaas betekent een groot bedrijf zijn dat ook niet.

We zien eerste aanwijzingen dat Data Exfiltration aanvallen op basis van ransomware sterk zullen toenemen. De laatste grote Ransomware afpers trend die is geschreven om gegevens te coderen en het slachtoffer te chanteren door tegen betaling de decodering sleutel te verkrijgen, is nog steeds actief … maar data exfiltration groeit snel: in plaats van te knoeien met de gegevens, worden de gegevens gestolen en verplaatst naar een externe opslag. Aanvallers (soms bewijzen ze zelfs het bezit van de gegevens) dreigen deze vervolgens te publiceren als u niet betaalt. Gestolen gegevens kunnen privégegevens zijn, evenals intellectueel eigendom, bedrijfsgeheimen of klantgegevens. Deze trend is vrij nieuw, maar zal naar verwachting snel groeien.

3. AI-verbeterde malware

Het gebruik van AI voor cyberaanvallen zal toenemen: Deepfakes b.v. om zelfs nieuwe stemherkenning voor de gek te houden zijn al gezien, ook verschillende technieken om het richten van aanvallen te verbeteren. Een van de belangrijkste bedreigingen gebaseerd op AI, is dat malware host systeem bewust wordt:

Nieuwe AI-versterkte malware kan het systeem waarop het is geïnstalleerd beoordelen, voornamelijk welk besturingssysteem het gebruikt en wat de kwetsbaarheden ervan zijn. Vervolgens leert het over de patch status van het systeem. Op basis van de kwetsbaarheden die op de geïnfecteerde host worden gevonden, download AI-verbeterde malware doelgerichte modules van de Command en Control servers. De malware weet al dat de gedownloade modules zullen slagen in de uitvoering, omdat het is ontworpen om de gedetecteerde kwetsbaarheden van het hostsysteem te gebruiken.

4. Slimme Phishing

​Phishing-e-mails worden slimmer, realistischer en meer geautomatiseerd. De hoeveelheid moeilijk te beoordelen phishing-e-mails zal dus in de in-boxen toenemen. Als voorbeeld, veel sociale netwerken bieden API’s waarmee hackers Business Email Compromise naar een heel nieuw niveau kunnen tillen – zowel realistisch als moeiteloos – volledig geautomatiseerd. Nogmaals, deze schaal van realistische aanvallen kan gevolgen hebben voor bedrijven van elke grote.

5. Malware met geencrypte verborgen bijlagen

Vanaf medio 2019 hebben we een toename gemerkt van de hoeveelheid encrypte bijlage waarin malware was verborgen, en dit groeit nog steeds. Dit klinkt heel abstract en onwaarschijnlijk, maar stel je voor dat je op de afdeling personeelszaken werkt en een e-mail ontvangt met een sollicitatie voor een vacature die je op indeed hebt geplaatst. De aanvrager schrijft een perfect passende sollicitatiebrief en hun cv is bijgevoegd in de PDF die kan worden geopend met het wachtwoord “yourjoboffer2020!”. Zou je ervoor vallen?