Taylor Trench says
The text brought up an important point about cryptography that I believe is often lost among organizations and Internet users. Despite cryptography being a highly valuable tool that makes brute-force attacks useless, as well as man-in-the-middle attacks, it is still vulnerable to human error. Cryptography is only useful if the enterprise creates an organizational structure that enhances the protection cryptography offers rather than weakening it. For example, not implementing strong policy and procedures to protect cypher keys, encryption machines, and other elements of cryptography can result in little to no real protection. Therefore, it is essential that organizations educate their employees and departments on cryptography to ensure it does not lose its value. I believe a simple educational seminar on cryptography controls would be effective.
Panayiotis Laskaridis says
Hi Taylor,
You make a very important point. What good is a lock on your front door if you’re just going to put the spare key underneath the mat? Security with cryptography has to come full-circle.
Nicholas Fabrizio says
While reading this chapter a couple of topics on cryptography stood out to me, in that currently NIST recommends a symmetric key to be at least 112 bits long to be considered strong. The number of permutations of a key of that length is an astronomical number (5,192,296,858,534,830,000,000,000,000,000,000), and in less than 10 years NIST says the new minimum key length to be secure will be 30 bits. This really shows how quickly our computers’ computing power is increasing every year and how we need to keep up with our encryption algorithms. Also, what stood out to me was that cryptography is not automatic and you cannot just set encryption and be done with it. It will only work if the key is properly protected from attackers; otherwise you may think your messages are encrypted, but in reality they were compromised.
Charlie Corrao says
One aspect I found interesting was the point that SSL /TLS is inexpensive to utilize. SSL allows users and hosts to communicate securely. Companies who utilize it only have to pay for the processing power to implement it. On the user side, all users already have the software that SSL requires, as it only requires a browser. This means neither the client nor the user needs to pay any extra to securely do things like online shopping. I also was not aware that SSL sometimes is utilized in email.
Christa Giordano says
I enjoyed learning about all of the processes that happen within the system that the user is unaware of, such as encrypting an email or the authentication process when logging into a computer or VPN. What stood out to me was the information related to VPNs, given the number of individuals that are working virtually and that remote access VPNs are a commonly used method of connecting securely to a network. Due to this increase in usage, coupled with the cyber-threat landscape, it is more important than ever to ensure a secure connection. It was also interesting to read about IPsec, as it is considered the “gold standard” in VPN security, and how the different cryptography means can be layered on top of one another in order to configure the security the way it works best for each individual or organization, balancing the benefits with the costs. For example, since the transport mode is very costly to implement, tunnel mode can be used at a much lower cost, but does not provide the complete end-to-end security that transport mode does. A user or organization can then layer additional security on top, such as encrypting the data that is being transmitted and/or implementing firewalls or other methods to ensure the security of the site network.
Mitchell Dulaney says
Hi Christa – I also find the different ways to combine the various encryption methods very interesting. The idea that two encryption methods might each only achieve one security objective individually, but can be combined to meet both requirements at once, is valuable to understand. The fact that different varieties of VPN can be combined with additional encryption methods is also useful.
Quynh Nguyen says
The key takeaway from this chapter was understanding the technicalities behind encryption, different types of encryption, the history of encryption, and deciphering them. It was interesting to learn about the different formulas of encryption and how complex they can be, when from a user perspective it’s as simple as hitting “encrypt message.” It was also good to know that encryptions are not automatically protected; users must set up protection, and it only works if companies have and enforce organizational processes that do not compromise the technical strengths of cryptography. We learn that symmetric key encryption is fast and inexpensive but requires secure distribution of session keys. No prior keys are needed for public key encryption; however, it is slow and expensive to use, taking 100-1000 times longer than symmetric key encryption, and it is also only used for very short messages. RSA and ECC are the most popular public key encryption ciphers. ECC is most efficient and becoming more popular. Longer key length means more processing time, which means longer time and more costs.
Lakshmi Surujnauth says
An interesting takeaway from this reading is on the topic of digital certificates, that is, a CA cannot speak to the honesty of a party listed on the certificate, just that they are associated with a particular key. These digital certificates are like online documents that merely authenticate the identity of a user associated with a public key. That is, validating that the individual is who he/she claims to be when encrypted messages are sent by that user.
Christopher Clayton says
What stood out in this chapter is the nonrepudiation process, where there is proof that a sender sent a message to the receiver and they cannot deny that they sent it. It is widely used in the legal system and provides proof of who the originator of the message is and of the authenticity and integrity of the data that was sent. Digital signatures give nonrepudiation, which would make it difficult for an impostor to send a message to the receiver, because a private key is needed that only the sender knows.
Mitchell Dulaney says
I find the methodology of public key encryption to be interesting and an important takeaway from the reading. As the only encryption method (described in the text) that provides confidentiality alongside authentication, it is valuable and widely-used. The fact that any given message can be encrypted with the receiver’s public key to ensure confidentiality and can also be encrypted with the sender’s private key to ensure authentication is an incredibly clever concept, and enables an organization to protect multiple security objectives with one encryption system.
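Added example (not part of this thread or of the Boyle and Panko text): textbook RSA with small, well-known primes, worked through for the two uses the comments above describe. Encrypting to the receiver's public key gives confidentiality; signing with the sender's private key gives authentication and the nonrepudiation Christopher mentions, since a tampered message or an impostor's key fails verification. The block assumes Bob already holds an authentic copy of Alice's public key, which is exactly the gap Lakshmi's digital certificates fill; the names Alice, Bob and Mallory, the primes, the secret value and the message are all constructed for the demonstration, and the toy has no padding and keys far too small for real use.

```python
import hashlib
import math

# Textbook RSA with constructed small primes. Illustrates the mechanism only:
# real deployments use 2048-bit+ moduli and padded schemes (OAEP, PSS).


def generate_keypair(p: int, q: int, e: int = 65537):
    """Return ((e, n), (d, n)) for primes p and q supplied by the caller."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)  # modular inverse of e (Python 3.8+)
    return (e, n), (d, n)


def encrypt(public_key, m: int) -> int:
    """Confidentiality: only the holder of the matching private key can undo this."""
    e, n = public_key
    if not 0 <= m < n:
        raise ValueError("message must be an integer smaller than the modulus")
    return pow(m, e, n)


def decrypt(private_key, c: int) -> int:
    d, n = private_key
    return pow(c, d, n)


def _digest(message: bytes, n: int) -> int:
    # Hash the message and reduce into the modulus. Real schemes pad the full
    # hash rather than reducing it; this is the toy version.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private_key, message: bytes) -> int:
    """Authentication and nonrepudiation: only the private-key holder can produce this."""
    d, n = private_key
    return pow(_digest(message, n), d, n)


def verify(public_key, message: bytes, signature: int) -> bool:
    """Anyone holding the public key can check the signature."""
    e, n = public_key
    return pow(signature, e, n) == _digest(message, n)


# Constructed key pairs built from well-known primes (too small for real use).
ALICE_PUB, ALICE_PRIV = generate_keypair(104729, 1299709)       # sender
BOB_PUB, BOB_PRIV = generate_keypair(1000003, 999983)           # receiver
MALLORY_PUB, MALLORY_PRIV = generate_keypair(65521, 2147483647)  # impostor


def run_exchange(secret: int, message: bytes):
    """Alice sends Bob a secret for his eyes only plus a signed message.
    Returns (bob_recovered_secret, bob_accepts_alice, bob_accepts_tampered,
    bob_accepts_impostor)."""
    ciphertext = encrypt(BOB_PUB, secret)      # encrypted to Bob's public key
    signature = sign(ALICE_PRIV, message)      # signed with Alice's private key

    recovered = decrypt(BOB_PRIV, ciphertext)
    accepts_alice = verify(ALICE_PUB, message, signature)
    # Integrity: the signature does not carry over to an altered message.
    accepts_tampered = verify(ALICE_PUB, message + b" (edited)", signature)
    # Nonrepudiation: Mallory cannot sign as Alice without Alice's private key.
    forged = sign(MALLORY_PRIV, message)
    accepts_impostor = verify(ALICE_PUB, message, forged)
    return recovered, accepts_alice, accepts_tampered, accepts_impostor


if __name__ == "__main__":
    # Constructed secret and message for the demonstration.
    print(run_exchange(0xDEADBEEF, b"transfer 100 to account 42"))
```

Run it and the tuple comes back as the secret Bob recovered, `True` for Alice's genuine signature, and `False` for both the edited message and Mallory's forgery; the only thing that changed between the accepted and rejected cases is which private key, or which message bytes, went into the signature.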
To-Yin Cheng says
I find that virtual private network (VPN) encryption is quite interesting. It is especially important during this pandemic, in which most people are working from home. It can ensure location and space privacy by encrypting the data. It is the way to protect the user from a man-in-the-middle attack by using a cryptographic system. It can secure communication over an untrusted network. There are different types of VPN. A host-to-host VPN connects a single client over an untrusted network to a single server. A remote-access VPN connects a single remote PC over an untrusted network to a site network. And finally, site-to-site VPNs protect all traffic flowing over an untrusted network between a pair of sites.
Charlie Corrao says
This last year really highlighted why VPNs and encryption are so important and useful. One thing I thought about while reading this chapter was the sheer amount of transactions that businesses conducted in the last year. Without encryption, these transactions would have never been able to occur. I’ve also noticed more ads for VPNs for private use. Individuals have been using them more to anonymously browse the internet and to access Netflix shows that are unavailable in their country. All of this would not be possible without encryption.
Jonathan Mettus says
What’s interesting is the different types of VPN configurations and their different purposes, such as site-to-site, remote access, or host-to-host. I think most people assume that using one of the popular VPN software products hides their Internet traffic from everyone. In reality, you’re just funnelling everything through that VPN endpoint so whoever runs the VPN can see it if there’s not also encryption between your browser and the web server, for example. The most common circumstance I use a VPN is if I have to use public WiFi at a hotel or coffee shop.
Jonathan Mettus says
Even though cryptography has come a long way, it suffers from the same weakness that all technological controls do: humans. As the textbook explains, “With sufficiently long keys and a well-tested cipher, symmetric key encryption for confidentiality is impractical to crack from a technical standpoint. However, if the sender or receiver fails to keep the key secret, the eavesdropper may learn the key and read every message.” The Japanese sent unnecessary messages during WWII and used the same greetings, which allowed the codebooks to be broken. Also in WWII, had their encryption machine stolen and reverse engineered. Sure, researchers and hackers are always working to break encryption mechanisms, but it’s easier to take advantage of the human elements still involved to get around the encryption.
Lakshmi Surujnauth says
Great point, Jonathan. That human element in administrative controls will always put well tested technical controls at risk through their actions, in this case sharing the key.
Xiduo Liu says
In the book, the authors mentioned the human issue in cryptography. The example of a known-plaintext attack underlined a fundamental shortcoming of cryptography – humans. Too often people choose passwords that are common words, which can make the password vulnerable to dictionary attacks. Rainbow tables, which use precomputed tables caching the output of hash functions, are also something that came to my mind.
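Added example (not part of this thread or of the textbook) for the two points Xiduo raises: a precomputed table of hashed common words recovers any unsalted hash of a common-word password in a single lookup, and a random per-user salt combined with an iterated key derivation function (PBKDF2-HMAC-SHA256 from Python's standard library) makes the same table useless. The word list, the user records and the round count are constructed for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed word list standing in for the "common words" people pick.
COMMON_WORDS = ["password", "123456", "qwerty", "letmein", "welcome", "dragon"]
PBKDF2_ROUNDS = 100_000  # assumed for the demo; tune to your hardware


def unsalted_hash(password: str) -> str:
    """The weak scheme: one deterministic hash per password, identical for every user."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(words) -> dict:
    """Precompute hash -> word once; this is what a lookup/rainbow table caches."""
    return {unsalted_hash(w): w for w in words}


def recover_from_table(stored_hash: str, table: dict):
    """A hit means the stored hash belongs to a word in the table; None means no hit."""
    return table.get(stored_hash)


def salted_hash(password: str, salt: bytes = None) -> tuple:
    """The stronger scheme: random per-user salt plus an iterated KDF."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest.hex()


def verify_salted(password: str, salt: bytes, stored_hex: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = salted_hash(password, salt)
    return hmac.compare_digest(candidate, stored_hex)


def compare_schemes(password: str):
    """Store one password both ways and see what the precomputed table recovers.
    Returns (recovered_unsalted, recovered_salted, salted_verifies, two_users_differ)."""
    table = build_lookup_table(COMMON_WORDS)

    # Unsalted: the stored value is directly in the table.
    recovered_unsalted = recover_from_table(unsalted_hash(password), table)

    # Salted: two users choosing the same word get different records, and
    # neither record appears in a table built without their salts.
    salt_a, hash_a = salted_hash(password)
    salt_b, hash_b = salted_hash(password)
    recovered_salted = recover_from_table(hash_a, table)

    return (recovered_unsalted, recovered_salted,
            verify_salted(password, salt_a, hash_a), hash_a != hash_b)


if __name__ == "__main__":
    print(compare_schemes("letmein"))
```

The salt does not make a weak password strong; an attacker who obtains the salt can still try the word list against that one record. What it removes is the ability to precompute once and reuse the table across every user and every site, and the iterated KDF makes each of those per-record guesses expensive.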
Megan Hall says
One thing that stood out to me from the reading was the illustration of a padlock to explain public key encryption. I thought it made a lot of sense to think about the public key being a padlock you could distribute out to others and the private key being something that only the owner has to unlock the padlock. This stood out really clearly in my mind. The reading acknowledged that later this illustration would break down, but this was a really good way to conceptualize how public key encryption worked, particularly since I think encryption is one of the most complex security concepts.
Wei Liu says
This chapter explains the concept of cryptography, describes symmetric key encryption in detail, and covers the importance of key length. It is interesting to know that nearly all encryption for confidentiality uses symmetric key encryption. It is one of the popular encryptions due to its fast and efficient processing ability. However, as the power of cryptanalysts’ computers continues to grow, longer symmetric keys will be needed for strong encryption. In the 1970s, strong symmetric keys only had to be about 56 bits long for symmetric key encryption. Today, symmetric keys need to be at least 100 bits long to be considered strong.
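Added example (not part of this thread or of the textbook) for the key-length points Nicholas and Wei raise: it computes the keyspace for a given symmetric key length, the expected brute-force time at a fixed trial rate, and how many doublings of attacker throughput it takes before a one-year search becomes feasible, which is why the recommended minimum length keeps rising. The trial rate of 10^12 keys per second and the 1.5-year doubling period are constructed assumptions, not measurements.

```python
# Brute-force cost as a function of symmetric key length.

SECONDS_PER_YEAR = 31_557_600  # 365.25 days


def keyspace(bits: int) -> int:
    """Number of possible keys of the given length (every bit pattern is a key)."""
    return 2 ** bits


def expected_trials(bits: int) -> int:
    """An exhaustive search finds the key after half the keyspace on average."""
    return 2 ** (bits - 1)


def brute_force_seconds(bits: int, keys_per_second: int) -> float:
    """Expected wall-clock time to find one key at a constant trial rate."""
    return expected_trials(bits) / keys_per_second


def doublings_until_feasible(bits: int, keys_per_second: int, budget_seconds: int) -> int:
    """How many doublings of attacker throughput until the expected search time
    fits inside budget_seconds. Integer arithmetic only, so the answer is exact
    even for keyspaces far beyond float precision."""
    doublings = 0
    while expected_trials(bits) > keys_per_second * (2 ** doublings) * budget_seconds:
        doublings += 1
    return doublings


def key_length_report(bits_list, keys_per_second=10 ** 12, doubling_years=1.5):
    """Return (bits, keyspace, expected years today, years until a one-year
    search is feasible) for each key length. The default rate and doubling
    period are assumptions for the demonstration."""
    rows = []
    for bits in bits_list:
        years_today = brute_force_seconds(bits, keys_per_second) / SECONDS_PER_YEAR
        doublings = doublings_until_feasible(bits, keys_per_second, SECONDS_PER_YEAR)
        rows.append((bits, keyspace(bits), years_today, doublings * doubling_years))
    return rows


if __name__ == "__main__":
    for bits, space, years_today, years_until in key_length_report([56, 80, 112, 128, 256]):
        print(f"{bits:>3} bits: {space:.3e} keys, "
              f"{years_today:.3e} years at 1e12 keys/s, "
              f"one-year search feasible after ~{years_until:.1f} years of doubling")
```

Under these assumptions a 56-bit key (the 1970s figure in Wei's comment) falls in well under a day today, while 112 bits needs several dozen more doublings before a one-year search fits; every extra bit doubles the work, so the growth in attacker throughput is answered by adding bits, not by changing the cipher.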
Panayiotis Laskaridis says
My biggest takeaway from this chapter isn’t anything specific to the actual content, but the delivery. The authors do a great job of explaining cryptography in a way that someone with absolutely no prior education could make sense of it. They do a great job providing examples and relating cryptography to non-technology situations like WW2. This chapter as a whole is a great resource for a crash course on cryptography.
Elias Harake says
Hi Panayiotis. I agree with you completely; the authors, Boyle and Panko, were great at explaining cryptography in basic terms. I got a better understanding of how keys work in cybersecurity and the importance of encrypting data, especially when transmitting emails. I also liked the authors’ examples and thought it was interesting to learn that cryptography has been around for many years now. I also thought that learning that AES cryptography was the strongest and fastest type of cryptography would be beneficial for IT auditors.
Elias Harake says
For me, the most important takeaway from this chapter on cryptography was that cryptography is the use of mathematical computations to protect messages traveling between two or more parties. One key point that stood out to me in this reading is the human issues in cryptography. You may think long, complex keys and encryption for confidentiality would always be impossible to crack. That has been proved not to be the case, especially since sometimes, due to human error, some people fail to properly encrypt the message or protect the key.