Understanding encryption (and why it’s not enough)

Bankers keep a lot of secrets, and they are able to do this in our modern world with encryption. For most, encryption is a mystery and taken for granted. We know it’s important. We know we’re doomed to be a criminal’s mark without it. Yet, we probably have little sense of when it’s in use or not. 

Fintech vendors will tell you they are often shocked at the legacy systems they encounter at banks, designed without data encryption in mind. As cyber criminals continue to collect victims, these systems won’t be around much longer. Having a basic understanding of encryption will serve a banker well for the rest of their career.

I must be honest: I can claim no deep expertise on this subject. I’m determined to change that. I’ll start by consulting with an expert at MIT, who offers a free online lecture series on the topic of cryptography, the umbrella discipline that includes encryption. It’s all very simple, really:

c = e_k(m)

m = d_k(c)

From the lecture notes: 

“Here c is the ciphertext, m is the plaintext, e is the encryption function, d is the decryption function and k is the secret key. e, d permute and reverse-permute the space of all messages.”

Hmm. Maybe I should start with Chey Cobb’s book, “Cryptography for Dummies.”

“Cryptography is about scrambling data so that it looks like babble to anyone except those who know the trick to decoding it,” writes Cobb. 

Now we are getting somewhere. Who needs those algorithm-obsessed professors at MIT? 

All of us who are interested in preserving our privacy online, it turns out. However, if you’re like me, the math behind cryptology shall remain a cold and lifeless planet. So “Dummies” it is. 

If you’re tasked with searching for fintech products eager to introduce their encryption services into your bank’s workflow, the first couple of chapters will help you understand what they are talking about. There’s no real need to know exactly how the math works in the standard algorithms and methods currently used if you absorb some basic terms, understand why cryptography is so, so crucial, and how it can — and does — fail.

Criminals search for weak points and they invariably involve human error. Cobb likes to compare encryption to a magic act: The process of taking something, hiding it and then having a secret plan to make it reappear. Ta da! 

For bankers, a more helpful though imperfect analogy is a vault — once the vanguard of bank security. In this scenario, the customer has paper bills the bank can protect with a lock and key (encryption) but a bank robber (let’s call him Putin) can interrupt this relationship at several points along the way. Same with encryption: The criminal knows she has little chance of breaking the vault’s lock, doesn’t want to mess with armed guards, so she looks for weak points before the cash is locked away, like a customer approaching a bank with a big sack of money, complete with a big green dollar sign on the side. 

What are the known weak points of the technology you’re investigating? Like the vault scenario, what human interactions are required to make the service work and do those points of contact present a criminal a chance to get data, like credit card numbers, before they are encrypted? 

The recent Colonial Pipeline attack raises many questions, one of which is: If a company with (presumedly) so many resources is this vulnerable, where does that leave me? Colonial was using a lot of the same sorts of security tech any company uses, including loads of data encryption. How the breach occurred has yet to be revealed, but speculation surrounds a phishing email. Someone probably just had to click. 

By all means, dive as deeply as you are able into the project of encryption. Cobb’s book conveniently alerts you to the coming presence of the math beast, at which point I slip a comic book behind the covers and let people think I’m still reading about math. Cobb herself thinks this is fine and designates complex information as extra-curricular. 

With the basics, one can understand how encryption gets a lot of attention but is merely one step in a security process. The basics of cybersecurity haven’t changed: If it’s attached to the internet it is vulnerable, and a team’s analog humanity may be the weakest link in the digital chain. 

Also, I’ll take MIT at its word that e, d permute and reverse-permute the space of all messages.
