2

Encryption and Its Applications

For most of recorded history, encryption has been used to protect the secrecy of communications between a sender and a receiver. Governments have historically been heavy users of encryption. The Caesar cipher goes back to the Roman Empire. Ciphers were used by both sides in the American Revolutionary War. Histories of World War II dwell at length on the contribution of defeating German and Japanese encryption systems to the Allied victory. At the same time, the Allies also relied on encryption systems, some of which were defeated by Axis codebreakers. Governments’ reliance on encrypted communications continues to the present day.

In recent years, encryption has become far more widely available on a wide range of consumer and business products and services. Increasingly, encryption is available by default—often without the user even being aware of it—and the keys for decrypting data are held by individual users. As a result, more data is routinely encrypted today than ever before.

Today, encryption protects the communications of individuals and organizations from unsophisticated and sophisticated criminals and repressive governments. It assures the security of electronic commerce transactions over the Internet—for example making it possible to transmit credit card numbers. It protects information stored on smartphones, laptops, and other devices. Encrypted communication capabilities are built into major computing platforms and in an array of messaging applications that are used by hundreds of millions of users.

Computer and communications systems use cryptography for three broad purposes—to protect the confidentiality of information (i.e., encryp-

tion), to protect the integrity of information, and to authenticate the originator or sender of information. Applications that require the secrecy of large volumes of information use symmetric cryptography. Asymmetric (public key) cryptography is frequently used to securely disseminate keys that are used in symmetric cryptography. For example, cryptography enables the secure distribution of regular software updates, including security patches, over a network and is used to verify the identity of individuals and organizations. This report focuses largely on the first application, encryption protecting confidentiality. However, it touches on another use of cryptography: schemes to provide exceptional access to information stored on smartphones or laptops that are locked with a passcode may involve modifications to the cryptography that implements the locking mechanism.

The increased availability and use of encryption—most notably to protect access to data stored on smartphones and to keep Internet messages confidential—means that it is increasingly encountered in investigations by law enforcement and intelligence agencies.¹

This chapter provides a basic introduction to encryption and its uses. It provides context for subsequent discussions of mechanisms that would afford government access and associated technical and operational risks. It begins with a description of the different kinds of encryption that are important today and with an overview of the ways that encryption systems are created. It then provides an overview of some of the ways that modern computer and communications systems use encryption to provide a secure experience to their end users. This is followed by a description of the issues and challenges of managing the cryptographic keys that encryption systems rely on. The chapter concludes with a discussion of the threats that modern encryption systems face and attempt to defeat.

WHAT IS ENCRYPTION?

Encryption schemes transform a plaintext message (or stored data) into a ciphertext in such a way that the ciphertext reveals little or no information about the original plaintext. Encryption schemes have the following three components: a key generation algorithm, an encryption algorithm, and a decryption algorithm. The encryption algorithm takes plaintext and an encryption key as input and returns a ciphertext. The decryption algorithm takes as input a ciphertext and a decryption key and returns the plaintext.

___________________

¹ See the section “Encryption as an Impediment to Investigations” in Chapter 4 for a discussion of data on how often encryption is encountered in investigations and its impacts.

In a symmetric scheme, the encryption and decryption keys are the same and must be kept secret. Without the secret key, there is no practical way to decrypt the data.

One can visualize the symmetric encryption process as putting plaintext data in a box and then locking the box using a secret key. The box can be opened only using the same secret key. Provided that one uses a suitable algorithm, a properly engineered implementation, and a sufficiently long key, the encryption is unbreakable (Box 2.1).

A physical box can be forced open with tools. By contrast, breaking encryption requires trying each possible key until the correct one is found; this can take an extremely long time. Knowing (including guessing or stealing) the key is the only practical way to retrieve the data unless one can circumvent the encryption by obtaining the information before it is encrypted or after it is decrypted (unless a flaw in the encryption software or cryptographic algorithm can be found and exploited).

In an asymmetric or public-key encryption scheme, the encryption and decryption keys are different, and only the decryption key must be kept secret. The encryptor uses one key, called a public key, while the decryptor uses a different key, called a private key. As the name suggests, the public key is public and enables anyone to encrypt messages. Only the corresponding private key can decrypt the resulting ciphertexts.

One can visualize the public-key encryption process as placing the data in a box that locks as soon as one closes the lid. Anyone can create such a box and lock it, but only someone in possession of the secret key can unlock the box. As with symmetric encryption, knowing the key is the only practical way to retrieve the data, unless one can steal the key or obtain the information before it is encrypted or after it is decrypted.

Under some circumstances, encryption schemes may provide for authorized third-party access to encrypted information. Following a 1996 National Research Council report on encryption, this report uses the phrase exceptional access to

___________________

² National Research Council, 1996, Cryptography’s Role in Securing the Information Society, National Academy Press, Washington, D.C., p. 80.

Exceptional access also applies in a business context, where an employer can access information encrypted by an employee, and in an end-user context, such as data recovery after an encryption key is lost.

DESIGNING ENCRYPTION

The design and standardization of secure encryption algorithms is a challenging task. Although there are encryption algorithms that are perfectly secure in the sense that they are unbreakable,³ these schemes are rarely deployed in the real world because they are not practical. Even though the encryption schemes that are deployed in practice are not perfectly secure, their security is supported by a rigorous design process backed by a mathematically sound framework that allows cryptographers to carefully study and analyze their strengths and weaknesses.

The process of reviewing and assessing the security of symmetric encryption schemes with the aim of endorsing a scheme as a standard for broad use in the United States and in much of the world generally occurs through a world-wide competition to which experts in symmetric encryption submit their designs. The algorithms are then cryptanalyzed (i.e., experts study their properties and attempt to defeat them) for years, and the most resilient one is chosen. For example, the widely used Advanced Encryption Standard (AES) and Secure Hash Algorithm-3 (SHA-3) cryptographic standards were evaluated and standardized through competitions organized by the National Institute of Standards and Technology (NIST).⁴ In the end, confidence in the security of these encryption schemes relies in part on their design and in part on the fact that they withstood years of cryptanalytic effort. Wide adoption of resulting algorithms, such as occurred with AES, results in increased security for all.

Encryption and other security functions are performed by cryptographic protocols, which describe how cryptographic algorithms are used to perform the tasks necessary to carry out that function. For example, a protocol for confidential communications must describe how a sender and receiver authenticate each other, how they agree on or establish encryption keys, and how the messages they exchange are encrypted and transported across the network.

The challenge of designing practical and secure encryption is magnified by the fact that encryption algorithms and protocols are notoriously fragile. Even a small and seemingly innocuous change in their design

___________________

³ One-time pad encryption cannot be broken but requires that a random and unique key as long as the message be generated and shared with the receiver.

⁴ Country-specific cryptography, such as that developed for use in China and Russia, does not follow such an open process.

can break them completely.⁵ Moreover, bugs in the software that implements the algorithms can go undetected for years.⁶ If a new encryption scheme were to be developed for the purpose of supporting third-party access, it would require similar attention to design and engineering and a comparable amount of scrutiny if it were to be trusted as much as current schemes.⁷

Cryptography is a very active research field in which new techniques continue to be developed, standardized, and deployed. For example, the most widely used symmetric encryption method, AES, was standardized in the year 2001. A common way to use AES, called AES-Galois/Counter Mode, was developed in 2005. A new method for encrypting credit card data, called format-preserving encryption, was standardized in 2013. Public-key ciphers designed to withstand quantum computers (which—if realized at large scale—would provide powerful new capabilities to attackers seeking to break encryption) are only now being developed and are expected to be standardized in the mid-2020s.⁸ Since 2008, new encryption methods have been invented that enable encrypted data to be processed without decryption. Such techniques—if their performance can be improved so that they are practical—could reduce, for example, the risk of using cloud computing to process confidential data and would also have implications for government access. One potential consequence of this continuing innovation to consider is whether government policies requiring the use of particular technologies may impede future advances. For example, innovation in the United States might well be inhibited if only a single method of encryption or class of encryption methods were allowed domestically.

___________________

⁵ For example, the addition of a compression feature for Transport Layer Security (TLS) packets introduced a significant vulnerability by opening up a powerful side-channel attack. See J. Kelsey, 2002, “Compression and information leakage of plaintext,” pp. 263-276 in Revised Papers from the 9th International Workshop on Fast Software Encryption, FSE’02, Springer-Verlag, London, U.K., http://dl.acm.org/citation.cfm?id=647937.741226. This vulnerability is the basis of the Compression Ratio Info-leak Made Easy (CRIME) exploit against secret Web cookies over connections that use data compression, allowing an attacker to hijack an authenticated session.

⁶ For example, a study of encryption keys used for Web traffic revealed vulnerabilities from poorly implemented key-generation algorithms. See A. Lenstra, J.P. Hughes, M. Augier, J.W. Bos, T. Kleinjung, and C. Wachter, 2012, “Ron was wrong, Whit is right,” IACR Technical Report, https://eprint.iacr.org/2012/064.pdf.

⁷ This point was made in a 1996 National Research Council report, but the recommendation to implement and test an exceptional access system at scale was never carried out. See National Research Council, 1996, Cryptography’s Role in Securing the Information Society, National Academy Press, Washington, D.C.

⁸ National Institute of Standards and Technology, 2017, “Post-Quantum Crypto Project: Workshops/Timeline,” April 24, http://csrc.nist.gov/groups/ST/post-quantum-crypto/workshops.html.

Real-world systems use a multitude of keys for many different purposes. Some are used to encrypt messages, some are used to encrypt other keys, and others are used to authenticate messages or users. Most often, encryption is used in the design of secure systems as a way to reduce the amount of information that needs protecting by other means. By encrypting data, it is possible to render components of a system incapable of compromising the data they process, thus reducing the portion of the system that requires deep security analysis.

It is critical to properly manage and secure keys. They must be securely created, stored, distributed, certified, backed up, updated, revoked, and deleted. Keys often have a finite lifetime, determined by their specific usage and their risk of exposure. For example, keys used to encrypt messages that are only retained for a short period of time (“ephemeral” messages) tend to have brief lifetimes. Other keys that are used to generate other keys tend to have longer lifetimes (often many years) and require especially strong protection. It is a best practice to delete all copies of a key when it is no longer needed.

APPLICATIONS OF ENCRYPTION

Computer applications, software, and hardware all integrate encryption to accomplish objectives that users value. A single laptop or smartphone today, for instance, commonly deploys encryption in multiple different ways, including in the hardware, the firmware that connects the hardware and the operating system, and a large portion of the software that runs on the device. The pervasiveness of encryption is relevant to public debates about exceptional access, because only certain uses of cryptography in a laptop or smartphone enable encryption of users’ data of potential interest to law enforcement or intelligence agencies. Thus a mandate for exceptional access would have to be targeted to specific uses of cryptography where the specifics vary according to the device. This section provides some highly simplified examples of some of these applications and the ways that they depend on encryption; the focus is on giving a sense of the role of encryption rather than full details of its implementation.

Protecting Stored Files

Applications that protect a single file or a few files almost always use symmetric encryption to protect the file content. The key for the symmetric encryption system may be entered into the program by the user, derived from a user-supplied password, entered from a hardware token, protected by an asymmetric encryption system in which the symmetric

encryption key is encrypted under a public key and decrypted when the corresponding private key is provided, or some combination of these. For example, in the Encrypting File System that is integrated into Microsoft Windows, the user’s private key is decrypted by the operating system when the user logs in.

A related use of encryption is to functionally “erase” data. If data is encrypted and the key is destroyed, the data becomes inaccessible as if it were erased. In fact, deleting the key is even better than deleting the data because deleting the key renders all copies of the data inaccessible (even backups) and obviates the need to wipe storage media.

Full Disk Encryption

Many modern operating systems support full disk⁹ encryption, which protects both user data and system programs from disclosure. As with the file encryption scenario outlined above, the files themselves are protected using symmetric encryption. Additional protective measures combining operating system software and computer hardware protect the system files from modification (so that modified program files cannot, for example, access encrypted data and transfer it to an unauthorized user once it has been decrypted).

Full disk encryption systems are complex. The underlying hardware or firmware must include a mechanism that verifies a digital signature on the first firmware and software components to run after the system is booted, thus ensuring that they have not been maliciously modified. After this validation has been completed, and after the user has authenticated to the system with a passcode, token, or both, the hardware provides access to a secret (asymmetric) key that the software then uses to decrypt a stored symmetric key that is in turn used to decrypt the contents of the disk.

Full disk encryption systems must meet a variety of real-world requirements. It must be possible to securely update signed firmware and software components in case errors are found. It must also be possible to change user passcodes—ideally without having to decrypt and re-encrypt the entire content of the disk. Full disk encryption systems are usually configured so the secret key protecting the disk encryption key is erased (and the decrypted contents of disk made unavailable) if too many invalid passcodes are entered (see the next section). If a mechanism for entering a recovery key (which should be physically protected in a physically separate location) is provided, it allows users to regain access

___________________

⁹ In this report “disk” is used to include the solid-state drives implemented with flash memory chips that are used as mass storage in smartphones and many laptops.

to their data in the event the key erasure feature is triggered or if a major hardware or software failure occurs. Meeting each of these requirements adds complexity to the full disk encryption system.¹⁰

Device Locking

Mobile devices and the data they contain are frequently protected by locking¹¹ mechanisms that ensure, by default, that phone data is encrypted whenever the screen is locked and that only the user can unlock the phone and its contents. For phones, this combination of cryptographic passcode protection and full disk encryption was introduced as the default setting in Apple’s iOS 9 and Android’s Marshmallow system, although not all vendors of Android phones implement this encryption.¹²

The key needed to unlock the phone is a combination of the user’s passcode and the phone’s hardware key. Each time an incorrect passcode is entered, the phone delays the next attempt. After a limited number of incorrect attempts, the key is erased, making the data inaccessible. Users can also configure their phones to use a biometric, such as a fingerprint or face, instead of a passcode; after a limited number of failed recognition attempts or a limited period of time, the phone reverts to the passcode unlock mechanism. These measures deter phone theft and protect users’ data but also can make it extremely difficult for law enforcement to access data that may be relevant to an investigation if the data is stored only on the locked device.

Virtual Private Networks

A virtual private network (VPN) is a way of creating an encrypted connection between a remote user and a site. By enabling remote users to seamlessly connect to the organization’s networks, VPNs provide a convenient way for organizations to operate across multiple locations. Thus a traveling employee can safely access his or her work network from a hotel room anywhere in the world. VPNs operate by using symmetric cryptography to encrypt packets of data to be transmitted between central and remote locations, and then embedding the encrypted packets in “outer” packets that are routed over the Internet. The encrypted packets include

___________________

¹⁰ In fact, the description provided here is simplified with respect to the number and relationships of the cryptographic keys and validations actually required.

¹¹ “Locking” has been used in various ways with respect to phones. Here “locking” simply means that users must enter a passcode or otherwise authenticate themselves before the device will function.

¹² Apple provides updates for all iPhones. Although Google develops the Android operating system, updates are handled by the manufacturers that use it.

routing and other information that enables them—once decrypted—to reach their destination within the organization’s network.

VPN systems include mechanisms that allow each end of the connection to authenticate to the other, either using asymmetric cryptography or symmetric cryptography with a shared key at each end of the connection. Keys may be derived from a user-entered password, from a code generated by a hardware token, or both. Authentication is important and authentication mechanisms must be designed carefully to prevent a “man in the middle” from masquerading as the “other user” to both endpoints of the communication and intercepting and decrypting all of the encrypted traffic.

Secure Web Browsing

Each time a user visits an e-commerce website or a Web-based email server¹³ such as Gmail or Hotmail, he or she does so through an encrypted connection. A protocol called TLS provides the encrypted connection. It uses authentication protocols based on asymmetric cryptography and signed certificates to verify that the server is the one whose name the user typed into the browser. It then uses public key encryption to negotiate a symmetric key for the browsing session and uses that symmetric key to encrypt the session traffic. Almost all Web browsers and servers support TLS or one of its predecessors, and many web servers have the public-key certificates necessary to support encrypted sessions.

The history of the protocols used for secure Web browsing provides a compelling illustration of how difficult it is to develop encryption protocols and the care that must be taken when adding capabilities to accommodate government requirements. In the early days of the Internet, government restrictions limited the strength of symmetric encryption that could be implemented by browsers and servers sold outside the United States. Although those restrictions have been removed, to ensure backward compatibility weak encryption remains as an option (and not by default) in many products. Although the weak encryption is not typically on by default, it is possible for an attacker to force browsers and servers that implement some protocol versions to “fall back” to older and weaker

___________________

¹³ Note that web-based email services are not the same as “e-mail encryption.” Although the user’s connection to the web-based email server is protected by secure browsing, the email message is available to the server in unencrypted form, in contrast to the email encryption scenario where the message is only unencrypted on the sender’s and recipient’s local devices.

encryption suites.¹⁴ Additionally, TLS and its predecessors are very complex, and bugs in implementations (and in the protocols themselves for earlier versions) have resulted in widespread weaknesses.

Operators of Internet services and suppliers of browsers and servers are aware of these limitations and continue to work to eliminate them by introducing new security features, conducting continuing analyses and attempts at formal verification of the TLS protocols, and searching for and removing weaknesses.

Secure Messaging

Secure messaging applications use end-to-end encryption protocols to prevent third parties as well as the messaging service provider from having access to the plaintext of messages. The Signal protocol, designed by Open Whisper Systems, is used in several widely used messaging applications including Signal, WhatsApp, secret conversations in Facebook Messenger, the “incognito mode” of Google Allo, and Skype. When a user registers for a messaging service, the app sends a public identity key, public session set-up key, and a batch of public one-time session set-up keys to the messaging service’s server and retains the corresponding set of private keys. To communicate with another user, the initiating app establishes an encrypted session. To do so, the initiator’s app requests a set of public keys for the recipient from a public-key server. Both the initiator and recipient use each other’s public keys to generate a master secret key for the session. Each message is then encrypted using symmetric encryption with a unique message key computed based on the master secret key. This message key is ephemeral: it cannot be reconstructed from the current session state after the message has been transmitted or received.¹⁵ As a result of this approach, known as forward secrecy and commonly used to protect communications, it is not possible to decrypt multiple past communications by finding or breaking a single key. That is, even if encryption keys from a user’s smartphone are compromised, they cannot be used to go back in time to decrypt previously transmitted messages.

___________________

¹⁴ B. Beurdouche, K. Bhargavan, A. Delignat-Lavaud, C. Fournet, M. Kohlweiss, A. Pironti, P.-Y. Strub, and J.K. Zinzindohoue 2015, “A messy state of the union: Taming the composite state machines of TLS,” pp. 535-552 in 2015 IEEE Symposium on Security and Privacy, doi:10.1109/SP.2015.39.

¹⁵ WhatsApp, 2017, “WhatsApp Encryption Overview,” July 6, https://www.whatsapp.com/security/WhatsApp-Security-Whitepaper.pdf.

Protecting Confidentiality in Cloud or Third-Party Computing

Cloud computing and storage are changing how organizations use and manage their data and, of particular relevance here, the data of their customers. Familiar examples of consumer services that store data in the cloud include e-mail services such as Google’s Gmail and file storage and sharing services such as Dropbox. Cloud services are also used to back up and restore data on smartphones or laptops. Encryption is generally used to protect the confidentiality of that data. Depending on how the service is architected and the business model of the service provider, the provider may or may not have access to the keys needed to decrypt the data.

New and emerging techniques enable better protection of this data and will complicate future efforts by investigators to access data in some situations. For example, one indication of future technology trends toward greater protection of data in the cloud can be seen in the growing trend of cloud providers to support virtual machines where encrypted data is decrypted only at the time the data is actually used.¹⁶ In the long term, emerging techniques for computing on data without decrypting it, such as homomorphic encryption, will further protect data in the cloud and complicate efforts to access it. Because these techniques are likely to be more costly to use than other forms of encryption, it is expected that they will be used—if and when they are adopted—with especially sensitive types of data such as medical information.

ENCRYPTION AND THE EXPANDING CYBER THREAT

The United States faces a significant and growing cybersecurity threat. Indeed, it has topped the list of global threats in the Worldwide Threat Assessment of the US Intelligence Community since 2013. The 2017 threat assessment states:

___________________

¹⁶ This service uses new cryptography and trusted execution technologies that have been added to microprocessors. See Microsoft Corporation, 2017, “(Cloud) Tip of the Day: Introducing Azure confidential computing,” October 3, https://blogs.technet.microsoft.com/tip_of_the_day/2017/10/03/cloud-tip-of-the-day-introducing-azure-confidential-computing/.

¹⁷ Office of the Director of National Intelligence, 2017, “Statement for the Record: Worldwide Threat Assessment of the US Intelligence Community,” May 11, https://www.dni.gov/files/documents/Newsroom/Testimonies/SSCI%20Unclassified%20SFR%20-%20Final.pdf.

As more than a decade of high-profile attacks has shown, it is proving increasingly difficult to secure data or the computerized systems that control the nation’s financial services, communications, health care, elections, utilities, factories, supply chains, and transportation sectors. Attacks are being made against individuals, governments, universities, research organizations, and civil society groups. As digital infrastructure becomes more pervasive and interconnected, both its accessibility to attackers around the world and the consequences of successful attacks are growing. The threat environment continues to worsen, as evidenced by the attacks described below. In many cases, encryption is an important—and sometimes necessary—tool in responding to this challenge.

In considering the role of encryption in combating cyber threats, one important consideration is when and how much encryption can help counter a threat. Not all cyber threats can necessarily be prevented by encryption; see the discussion at the end of the following section. Another important consideration is how much additional risk is introduced by exceptional access mechanisms and whether that added risk is acceptable in the context of particular applications and threats and when weighed against the benefits. The section “Technological Approaches for Accessing Plaintext, Limitations, and Alternatives” in Chapter 5 discusses several possible technical mechanisms for exceptional access and some of the associated risks.

Another important consideration is the context in which a regulation to provide government exceptional access would apply. For example, a regulation that applies to mass-market messaging applications would not directly affect the use of encryption to protect credit card numbers in e-commerce applications. On the other hand, if smartphones are used to provide authentication codes in a multifactor authentication scheme, a requirement for exceptional access to unlock smartphones adds some degree of risk that the authentication codes could be obtained from a lost or stolen phone.

Cyber Threats

Network-enabled cyber threats first appeared in the mid-1980s.¹⁸ These were the opening wedge in what became an increasingly serious series of attacks. In the 1990s, attackers took advantage of poorly secured systems and the vulnerable security architectures in computer products, mostly to demonstrate weaknesses and gain public recognition.¹⁹ As the use of computers and the Internet grew, attacks became increasingly sophisticated and the targets more and more valuable. Criminal hackers jumped into the trade. Another change came with state-sponsored attacks. Digitization and the growth of interconnected networks created a ripe environment for espionage.

The number of places that contain potentially sensitive information continues to grow. The “big data” revolution has resulted in a great deal more information about individuals being collected, stored, and analyzed. Consequently, data has become an increasing target and encryption and other applications of cryptography have become important—and sometimes essential—tools for protecting data.

Beginning around 2005, industry and government began encountering advanced persistent threat (APT) agents—hackers who would mount repeated attacks against the same target over a period of a number of months or longer. Often the attack came through “spear phishing” emails that appeared to originate from legitimate sources and were tailored to specific targets. These were used to fool the recipient into providing access credentials for targeted systems (such a technique was used to hack e-mail during the 2016 U.S. presidential election). Many companies and government agencies around the world—including the U.K. Parliament, Oak Ridge National Laboratory, and Northrup Grumman—have fallen prey

___________________

¹⁸ An investigation over a missing 75 cents at the Lawrence Berkeley National Laboratory eventually revealed a German hacker stealing U.S. Department of Defense documents that he was selling to the KGB (C. Stoll, 2005, The Cuckoo’s Egg: Tracking a Spy through the Maze of Computer Espionage, Simon & Schuster, New York). Several years later, in what was essentially an experiment that escaped the laboratory, the Morris Worm brought down the nascent ARPANet when an incorrect parameter caused the worm to proliferate far faster and more broadly than intended (see, e.g., H. Orman, 2003, “The Morris worm: A fifteen-year perspective,” IEEE Security and Privacy 99(5):35-43).

¹⁹ One example of this, there are many, is that the Melissa and ILOVEYOU viruses were in e-mail attachments but were able to access Microsoft users’ address books and thus mail themselves on to new victims.

to this form of attack. Even RSA Security, a leading provider of security tools, was victimized by an APT attack.²⁰

Many nations are experiencing cyber threats, but the United States is particularly threatened. In 2010, former NSA Director Mike McConnell noted, “The United States is fighting a cyber-war today, and we are losing. . . . As the most wired nation on Earth, we offer the most targets of significance, yet our cyber-defenses are woefully lacking.”²¹ Since then, reported intelligence attacks on the United States have been growing in severity:

• In a 2015 attack attributed to Chinese actors, hackers gained access to 80 million customer records at Anthem, the second largest health insurer in the United States.²²
• In 2015, suspected Chinese hackers illegally accessed Office of Personnel Management computers and stole more than 21.5 million records including fingerprints of government employees and contractors holding security clearances. The stolen data included family, financial, travel, and health information about the people with access to the nation’s secrets.²³
• Russian intelligence agencies stole emails from the Democratic National Committee servers in 2015 and the account of the Democratic presidential candidate’s campaign chair in 2016.²⁴

Recent years have also seen the emergence of cyberattacks intended to have physical impacts, such as attacks on industrial control systems and public utilities.

Some threats have abated in recent years, while others have grown

___________________

²⁰ An attacker sent e-mails with the subject “2011 Recruitment Plan” to a number of RSA Security employees over 2 days. One employee opened the attached Excel spreadsheet, which installed malware that used a previously unknown bug—a zero-day vulnerability—in Adobe Flash software. Using this, the attacker was able to access passwords to other accounts. See RSA Fraud Action Research Labs, 2011, “Anatomy of an Attack,” April 1, https://blogs.rsa.com/anatomy-of-an-attack/.

²¹ M. McConnell, 2010, “Mike McConnell on how to win the cyber-war we’re losing,” Washington Post 28:B01.

²² D. Harwell and E. Nakashima, 2015, “China suspected in major hacking of health insurer,” Washington Post, February 5.

²³ J.H. Davis, 2015, “Hacking of government computers exposed 21.5 million people,” New York Times, July 9.

²⁴ Office of the Director of National Intelligence, 2017, A Background to “Assessing Russian Activities and Intentions in Recent US Elections”: The Analytic Process and Cyber Incident Attribution, Intelligence Community Assessment ICA 2017-01D, January 6, https://www.dni.gov/files/documents/ICA_2017_01.pdf.

more severe. Some nations, including North Korea²⁵ and Russia, have viewed cyberattacks as an effective way to achieve national objectives without resorting to kinetic weapons. In 2013, Russia embarked on a plan to “[fight] a war without fighting a war,” and cyberattacks provided an excellent tool for doing so.²⁶ The activities in the 2016 U.S. presidential election are one example of this strategy.

None of the attacks listed above would have been prevented by encryption, although it may have made them more difficult to carry out. Some appear to have been conducted by using “phishing” emails to entice authorized users to give up their authentication credentials and then using the stolen credentials to gain privileges necessary to access, decrypt, and exfiltrate the targeted data. Others resulted from devices being protected only by unchanged default passwords. Several of the attacks point to the need for greater use of secure two-factor authentication. One widely used approach uses smartphones. Doing so securely depends on device locking, as described above.

Encryption can reduce the risk or consequence of attacks in several ways. It greatly reduces the risks when data is stolen or accidentally leaked or stored on a device such as a phone or laptop that is lost or stolen. It forces an adversary seeking to exfiltrate data to not only steal the device but also gain access to the keys used to encrypt it. Encryption thus forces adversaries to launch different kinds of attacks, making such attacks more difficult and costly to execute. In addition, the appropriate use of encryption may make it more difficult for an adversary to make use of the information it has taken. The next section provides details of the role of encryption in creating secure systems.

The Role of Encryption and Other Forms of Cryptography in Cybersecurity

In the face of this widespread and escalating threat, cryptography is an important tool for protecting data and systems, including reducing the volume and impact of cyber-enabled crime. Cryptography is used in a number of ways, but four are most critical.

First, encryption is used to protect stored data against disclosure. (Encryption does not protect against all threats—malware running on a phone or malware running with the privileges of authorized users of an encrypted database can see the unencrypted data.) This explains why

___________________

²⁵ North Korea obtained confidential information of Sony Pictures Entertainment, a U.S.-based company, in 2014. President Obama characterized the incident as a national security threat.

²⁶ C.K. Bartles, 2016, “Getting Gerasimov right,” Military Review 96(1):30.

the majority of the 48 states that have enacted data breach notification laws do not require notification if the lost or stolen data is encrypted: modern encryption renders the data effectively meaningless provided that the encryption keys are not compromised and there are no exploitable flaws in the encryption system. The security of encrypted data also explains why vendors such as Google and Apple have moved to default device encryption on mobile phones. As long as user passwords are sufficiently strong, lost and stolen devices do not reveal the data inside them.

Second, encryption is a crucial tool for protecting data in transmission. This is critically important for online banking, purchases, contracts, and telemedicine applications, where it is important not only that the data is not intercepted, but also that it is not altered. Encryption makes it possible to protect the data being transmitted—and to create simple mathematical “seals” than can alert either the sender or receiver (or an auditor or a court) if the data has been tampered with. The increasing shift from unencrypted to encrypted Web protocols is an example of moving to Internet connections that are secure by default. Encryption can protect communications from “man in the middle attacks” and prevent intrusions into organizational networks.

Third, cryptography provides a widely used tool for authenticating individuals and institutions: Using public-key cryptography, it is possible for one party to authenticate the identity of another. A sender “Alice” creates a message digitally signed with her private key. If the receiver “Bob” is able to decrypt this message using Alice’s public key, he knows that the sender possesses Alice’s private key.

Fourth, cryptography used to lock devices is an important enabler of multifactor authentication that uses smartphones. Multifactor authentication, which is the best available technology for defending against phishing attacks that seek to entice a user into giving up his or her password to a spoofed website makes use of several separate pieces of evidence for authentication. In a widely used scenario, the user provides a password to the website and also verifies intent to access the site by approving an authentication request on his/her smartphone or by entering into the website a numeric code that the website sends to the smartphone. The interaction between website and smartphone may be protected using cryptography, and each authentication attempt involves unique values that can be used only once. Encryption is critical to prevent an attacker from acting as a “man in the middle” between user and/or smartphone and server, intercepting the authentication data, and capturing control of the user’s session.

Another approach, which is becoming more widespread, is to use apps running on smartphones as trusted authenticators for accessing online services. Their security depends on keeping an unauthorized user

from being able to unlock the smartphone and access the authenticator app. Thus, any weakness introduced into the mechanism for unlocking smartphones can increase the risk that the authentication mechanism could be compromised.

Encryption is similarly important for maintaining the security of those biometric authentication mechanisms that rely on transmitting biometric information over the network.

The Limits of Encryption for Cybersecurity

Cryptography itself is a challenging science. Furthermore, correctly implementing and properly managing encryption systems is very difficult. For example, there have been many instances where the techniques used to construct public-private key pairs have been found to have had serious flaws.²⁷

Moreover, with the exception of specialized, emerging techniques for computing with encrypted data, for data to be used, it must at some point be decrypted into plaintext. At that moment, it is vulnerable to theft. Also, because encryption keys are usually long and complex, users often store them and then protect them with passwords, which are much more vulnerable because they must be something a human can remember and type.

Nonetheless encryption and other uses of cryptography remain an essential tool for enhancing cybersecurity against escalating cyber threats. They are critical parts of a system that includes multifactor authentication, biometric identifiers, and other security tools. Like all of those other tools, it remains vulnerable to errors by users and developers—risks that of course also apply to efforts to build systems that provide third-party access.

___________________

²⁷ See, for example, A. Lenstra, J.P. Hughes, M. Augier, J.W. Bos, T. Kleinjung, and C. Wachter, 2012, “Ron was wrong, Whit is right,” IACR Technical Report, https://eprint.iacr.org/2012/064.pdf, and N. Heninger, Z. Durumeric, E. Wustrow, and J.A. Halderman, 2012, “Mining your Ps and Qs: Detection of widespread weak keys in network devices,” pp. 204-220 in Proceedings of the USENIX Security Symposium, https://www.usenix.org/system/files/tech-schedule/sec12_proceedings.pdf.