When Encryption Fails by Eva Summerfield

so hello everyone my name is eva and this is my first ever talk so equal parts nervous and excited um but today i want to talk about how we can secure encryption beyond just using really strong algorithms it might be a bit of a different talk because i'm here just to explore a problem rather than to come up with solutions so really i'm just rambling on about what i find really interesting so a bit about me um i've been in cyber security for a couple of years now so i'm still a newbie i did a technical apprenticeship i'm finishing off my masters in cryptography and here are some of the really interesting um things i study so

this doughnut here with all the sprinkles on top that's an example of elliptic curve um cryptography which is one of the more resilient cryptography types against quantum computing i'm not going to boy with the um technical details but i promise it's really interesting aside from that i've got a very very mischievous cat called misty i collect ping pong goldfish and i'm a rugby forward so quite an interesting life [Music] but it follows that through my technical experiences and my academic experiences the one thing i've learned is that i don't know very much at all and without sounding harsh i don't really think anyone does um especially with cyber security it's such an interconnected massive field and

especially when you come to events like this it's very overwhelming you don't know where to look especially when you're new but this means that to get an overall idea of your security picture you're going to rely on multiple people for multiple domains and people speaking different technical languages and this is really complex and also even if you did spend all your time researching the time researching on one subject takes away from researching another so it's just not feasible to know everything and that's okay this also maps quite nicely to a cognitive bias called the dunning-kruger effect which essentially says incompetent people tend to not realize they're incompetent because they're incompetent and actually i find this

quite reassuring because the fact that i don't think i know very much just shows that i'm a bit self-aware and i more wanted to put this on to say that everyone has limitations and actually being aware of your limitations is really powerful so this leads me on to the problem that i'm doing my talk on which is although these technical advancements are really interesting and really excitement they are exciting they do come with some new problems so as this technology becomes more and more advanced we're going to have to rely on more more people for more more domains to um properly develop and implement them and this isn't a one-to-one mapping it's not as this becomes a little bit more

intense this becomes a bit more intense because you've got to consider the links between these people and services so to have a holistic view of our security which is what we always aim for so we can pick out the weaknesses we need to access assess security at and between each stages and then we need to use that to build systems and processes so that the individual individuals and links don't become points of failure and i'm sure you're aware this is a massive task so on the previous slide i spoke about different stages so i thought maybe i would go a little bit more into how we might partition um an encryption services life cycle so first of all encryption relies on

mathematics so imagine a big university loads of cryptographic experts have crowded around a whiteboard and it's full of loads of symbols no one really understands and bad handwriting this is where the mathematics is derived so this here is an example of what we call textbook rsa which is essentially just rsa we use strip back but it still relies on the prime factorization of really large numbers again at this point this is the only stage where you have to worry about the mathematics and i'm not going to go into mathematics here because i know none really wants to hear about it but next once the mathematics is determined it's packaged packaged up and it's sent over to the software

developers and here they pass it on and then software developers in hoodies alone in their bedrooms will hunch over their computers until the early hours of the morning and they'll turn the algorithms into a usable product again i'm really simplifying here because there's so many different aspects to um you know actual coding there's the architects there's the assurance but for the sake of keeping this within 15 minutes the algorithms are now turned into a usable product so now we can flip over to the um the customer side so imagine we've got a big company they've got a lot of money they've got a big shiny office and a high-rise apartment in london they had a security breach last year and

they're ready to put some money and time into their cyber security practices they will employ cyber technicians to research services um install them [Music] configurate them you know maintain them and then eventually remove them at this point we'd like to think they're doing some form of security checks as well but now they've taken the usable product and they've configured it for local devices and finally they're used by the end users and at this point there won't be really much interaction between the end users and the cryptographic services um this is an example of connecting by ssh the end user would probably just see the public key most likely not really understand what's going on behind the scenes but they'll

say yes and then they'll be connected so the reason that i go through it like this is because i quite enjoy looking at problems when it's kind of broken down into chunks and this gives quite a nice flow diagram so again to be holistic we want to make sure that every stage is secure because what a lot of people tend to think when they come to cryptography is oh we need to make it resilient to quantum computing and in reality putting all of your effort up here and not really putting enough efforts in here and here is far less secure than having a uniform approach where you distribute all your efforts evenly um so i'll give an example of where

things can go wrong oh here we go and these are downgrade attacks so downgrade attacks are where you kind of spoof not spoof you overload um a server so it pulls back to an encryption method or a service that is exploitable hackers are lazy and we all know this why would you spend years trying to break a really hard encryption service when you can just exploit something in seconds so one example of a downgrade attack which i found really interesting was with the um us military drones us military drones i think it was 2012 and iran managed to capture a military drone from the us now iran claimed that they'd managed to break the really strong py military

encryption but this was never approved and it's a massive massive claim so i'm skeptical and you can make your own opinions but one way that they could have done this was if they managed to have a successful downgrade attack now i don't know if this is still how gps works but at the time gps signals were sent over to radio frequencies so radio frequency number one was used for civilian access code and then one and two together were used for the secure military py code now originally the gps was intended to be used over the military code but if you could overload that military code and jam the encryption altogether then by default the drone would run as

autopilot and it would use the civilian access code and that is ten times weaker if not more so if they were able to do a downgrade attack they'd be able to much easier spoof those gps coordinates and get the drain get the drone to prematurely land in iran and i think that's much more likely but again if you have done a downgrade attack why not just say that you've done the more impressive one so here is an example of really really military-grade encryption but it's just not properly implemented a little bit um and that means that it can be completely um taken down so it's just an example of it's really important to have uniform security

throughout another example of this might be uh ssh keys so again i'm not sure if it's still the case but i know a couple of years ago by default your um private ssh key would just not be password protected unless you configured it and that's an implement implementation error as well and i don't think i have much time left so i'm pretty quickly going to go over some side channel attacks we all know that you can never be properly secure and you've got to stay realistic so you might have really strong algorithms you might have really secure coding you might have a really excellent implementation team and you might your users will just use it

take an example you had a suspected command center and an attacker was able to see that loads and loads of information was coming in and out they can't break the encryption it's really strong encryption but they know there's a lot of communication there they're not interested in what it says they're just going to want to deny access so even though in these cases absolutely everything is perfect and kind of an output of actually using the service is vulnerable so we actually need to stay realistic and even in cases where we have to just accept the risks we need to consider them so this is another reason why i think a model like this is really useful

so one of the big problems that we face now the company i work for at the moment does a lot of work about cross domains so we look into how can we show the in cyber picture in the intelligence picture and working across domains is really really difficult you have overlapping terminology you know the hyperconfabulating void effect where no one really knows what he's on about which sounds impressive um we have translator bottlenecks not many people are an expert in cyber security and in intelligence those people are expensive and rare and it takes time so i'm not going to go into too much detail i'm just going to leave that there but the point i'm making here is

you need to consider both these points and the links between them and because of this i'm hesitant to call this a framework basically to get a holistic view you can't just look at that look at that look at that look at that you have to look at the relationships and dependencies within them so this means you can't think of it like a to-do list you have to think of it like an active system so i'd encourage everyone when they're looking at their holistic cyber picture to look into systems thinking techniques this is another topic i could spend hours talking about but it's really really useful and we need to question how we're thinking about how we're thinking about

cyber especially with encryption so finally because i know i've probably been speaking for too long i just wanted to have a nod for security as a disabler especially within cryptography so with cryptography everyone puts emphasis on you know having codes that can take um brute force attacks for 100 years when reality if we only want to secure a message from out of time for example if the message might be shoot that man over there in the next minute we only want to secure it for a minute because once that man's dead they know what the message was so in that case there's no point in you know employing cyber uh encryption that will take 10 years

and one really nice example of this is that tanks don't have keys i was quite shocked when i found this out it turns out in the same way that if someone can run through a battlefield and get through all of the physical defenses manage to clamber actually into the tank and do the strange setup to actually take the tank they deserve the tank and also having keys is a bit useless anyway because what if two people had keys and one of them died over there and one of them died over there then you'd be left without a tank and you'd have to send more people to get the keys so throughout this talk i've been saying

good enough encryption rather than strong encryption and actually in many cases good enough is better than completely secure so thank you for letting me ramble on i hope there was something in that um i've just been talking about what i find interesting and i hope you find it interesting too thank you