Cryptography
Hardly any other area of IT causes as much uncertainty, confusion and even political statements as cryptography. Interested parties will find an introduction to the topic, some typical use cases and an analysis of the fundamental opportunities and risks of cryptography here.
What is cryptography?
Cryptography provides a wide range of excellent tools. They are used to protect data in uncontrollable environments (such as the internet). Some of them we already use on a daily basis without realising it, others require thorough preparation for their successful use.
Main topics of cryptography:
- Encryption prevents data from being viewed by unauthorised persons.
- Checksums (message digests) can be used to recognise whether data has been changed.
- People use signatures to confirm the authenticity of data and that it actually originates from them.
We go into more detail on the page Background knowledge on cryptography.
Areas of application for cryptography
The following applications are also of interest in a university context.
Discretion on the web – https
When you enter your password on the web or retrieve private data, it should be transported unobserved through the network. The lock symbol in the browser (technically the https protocol) stands for encrypted and unaltered communication including identity verification.
This process is ubiquitous and easy to use. More information under Confidentiality on the web with https.
Laptop lost
It can easily happen that a laptop, smartphone or tablet is stolen or lost. The material loss is painful, but it can be replaced and the contents can (hopefully) be easily restored thanks to a backup. To prevent the data on the lost device from falling into the wrong hands, you should activate hard drive or device encryption in advance.
Protecting e-mail
An e-mail message travels openly across the internet like a postcard. In theory, the message can be read by unauthorised persons on every system it passes through on its way to its destination. There is also unauthorised writing: Anyone who forges the sender and pretends to be someone else can cause some damage.
For more information, see Encrypting and signing e-mail.
Encrypted containers
Sometimes you want to protect data separately: either as a second line of defence because you don’t want to take the risk of a server error or password loss, or because the data is transported unsecured – for example on a USB flash drive or in an unencrypted e-mail. Encrypted containers are a good solution here.
Other applications
There are many other areas of application for cryptography that would go beyond the scope of this article. Examples include:
- Network access with VPN
- Signed PDF documents (such as certificates with official signatures)
- Encryption in Wi-Fi
- Hardware tokens and chip cards
Limits and weaknesses
Despite all the successes, there have also been cryptographic debacles. It is important to learn the necessary lessons from this and to arrive at a realistic assessment of cryptographic tools.
- Even the best technology is powerless against misuse. Anyone who ignores certificate warnings, for example, is committing digital hara-kiri. Tutorials provide a remedy.
- Lost or inaccessible keys render encrypted information useless. In a professional environment, you should plan for this eventuality and take precautions (e.g. by requiring the keys to be deposited or stored on another protected medium).
- Cryptography is not effective where it is not used. For example, if malware eavesdrops on the PC before the message is encrypted, even the best cryptography will be of no use. It is no coincidence that authorities and secret services rely on federal Trojans and eavesdropping software directly on users.
- Cryptography does not work if users circumvent it because they are influenced by means of occupation, coercion, violence, drugs, etc.
- Cryptographic software can have bugs. It is therefore important to look for trustworthy manufacturers and rapid updates and not to expose encrypted information more than necessary.
- A procedure that is considered secure today could be vulnerable in 10 or 15 years’ time. If confidentiality is absolutely necessary for a longer period of time, special measures are required.
- Encryption can be a security problem, for example, when it prevents virus scanners from recognising malware.
A number of unlikely but possible cases could lead to the failure of cryptography. Quantum computers, whose practical use is not currently imminent, could, for example, render existing procedures unusable in one fell swoop. The extent to which hypothetical threats are relevant for decision-making must be assessed on a case-by-case basis.
Tension between cryptography and control
The successful use of cryptography is problematic for at least three groups:
- the state
- political and economic spies
- IT security in one’s own organisation (as a virus scanner, for example, cannot scan encrypted data)
The popular demand in daily politics that cryptography should include backdoors for authorities is about as effective as demanding that 2 + 2 should be 3.997 by law. Cryptography is maths, anyone who does the maths will correct the result.
You could also stipulate that errors are built into the software used that are only known to the “good guys”. Would criminals really allow themselves to be prescribed broken security products? There is little to suggest that knowledge of the vulnerabilities could actually be kept secret from organised crime and foreign intelligence services – an incalculable risk that nobody can justify.
In a fully centrally managed organisation, it would actually be possible to break the cryptography at the firewall, so to speak. However, this is not an option at the University of Vienna, as both the will and the technical feasibility are lacking in this environment.
Checklist
Use the following checklist to check whether the usual cryptographic security precautions have been taken in your IT environment. Decide for each item on the list whether it is relevant for you. If yes: Is it fulfilled or is further information or other measures required?
Make a note of the result and take the measures noted. Repeat the procedure at appropriate intervals.
- security tips for https on the web are known
- e-mail clients use TLS or STARTTLS
- mobile phone encrypted
- tablet encrypted
- laptop hard drive encrypted
- saved passwords for this
- no confidential data in e-mail (e-mail encrypted if necessary)
- saved passwords for this
- particularly vulnerable or sensitive data saved in a crypto container
- USB flash drives and external hard drives encrypted
- saved passwords for these