Ask the expert: Jornt van der Wiel talks encryption

In the second part of our “Ask the expert” session, Jornt van der Wiel answers questions about encryption: how it works, what it is for, and more.

Disarming Flash exploits

Jornt van der Viel is the top ransomware expert of our GreAT — Global Research and Analysis Team. But he also has deep knowledge when it comes to encryption. We’ve offered our readers the opportunity to ask Jornt questions on these two topics, and there were so many of them that we had to divide the Q&A into two separate posts.

In the first part, Jornt answered questions about ransomware. Now it’s time to talk about encryption and other related topics.

I’ve been wondering what IT security is for. Is it for freedom? Or privacy? Or national security? It’s not easy to find the answer, but I’d like to hear your thoughts as an expert.

In my opinion, IT security is about protecting people’s daily life. Remember that automation and then later IT was basically invented to make life easier, to automate what humans normally had to do by hand. Unfortunately, many IT systems were not designed with security in mind — hence the situation we are in now. If IT is not protected, daily life would end up in chaos.

Imagine being rushed to the emergency room only to find they cannot help you because they have been breached. Or that you live below sea level and suddenly your house is flooded because a lock on a dam has been hacked. These are just a few scenarios that can potentially happen.

But it’s not just these larger scenarios; daily life is also about small things that matter to people. Think about someone losing the pictures of their recently deceased father because their computer got infected with ransomware. That sort of loss has a huge impact on the lives of people — and that’s what IT security is for, to protect those things matter the most to people.

How would you help a regular person, without much in-depth knowledge in computers, understand the importance of encryption in their daily life?

I think one of the best ways is by giving some examples of what would happen if there was no encryption. One thing that happens quite often is that people’s laptops and or USB sticks with sensitive data get lost or stolen. If the data were not encrypted, people’s personal files and data could be viewed by whoever has access to the laptop or the USB stick. You can also think about online payments and how the traffic could be manipulated if there were no encryption. And so on. Real-life examples are the best explanation.

Is it easy to create encryption algorithms? How much time does it take?

Creating a reliable encryption algorithm, the one that is mathematically safe, takes years of research, not to mention mathematical education. However, if you want to create something simple, that can be cracked within seconds, that takes almost no time.

How does decryption actually work?

Here we have to differentiate between different types of encryption: stream ciphers, symmetric cryptography, and asymmetric cryptography (the latter one is also known as public key cryptography).

For stream ciphers it is quite simple. Based on your key, an endless stream of random data is generated, which you XOR again with your cipher text (if you print both sets of data, you can just hold one against another). The result is the original plain text.

For symmetric ciphers you have to do the exact reverse of your encryption process. For example, in order to encrypt the data you had to do A, then B, then C. Then to decrypt it you have to do C, then B, then A.

And for asymmetric cryptography it is “pure magic.” It also really depends on the type of asymmetric cipher (ECC and RSA work completely different). But I wrote “magic” because of the mathematical properties involved. Knowing how to decrypt is different from truly understanding the math behind the decryption process.

Which cryptographic algorithm is the most reliable?

There are many cryptographic algorithms that can be used for different purposes. In general, I would go for the ones that won the NIST competition (AES/Rijndael and SHA-3/KECCAK). It also really depends on how the algorithm will be used and in what type of system. If you have limited storage, for example, then you can also opt for ECC, which uses smaller keys than RSA.

Which methods of encryption are resistant to brute force from a quantum computer?

Wow, I had to read a lot to answer this question (smiles). Here is what I have found out. First of all, the difference between a quantum computer and an ordinary PC is that the quantum computer works with so called “qubits” instead of normal bits. One qubit can hold two bits. Now to make a very long and complex story short, for symmetric cryptography doubling the key size would reduce the benefits of having a quantum computer for brute force decryption purposes.

For asymmetric cryptography, the story is slightly different. Peter Shor, a well-known mathematician, invented Shor’s algorithm, which can be used for integer factorization in polynomial time. In plain English, the integer factorization problem is one of the problems that many public key algorithms rely heavily upon. Being able to factorize integers in polynomial time (in this case log n), effectively reduces the security of these algorithms to zero.

How does one implement an encryption algorithm in one’s program?

Simply by downloading a cryptographic library for your programming language and using the API. You can then call cryptographic functions from that library and use it in your code.

Do all organizations use “strong” encryption algorithms, or do they prefer to take the code from the public sources and just tweak it a bit?

I assume you mean software development firms? I sure hope they don’t tweak code from public sources. In the past we have seen that this can go horribly wrong. You can take a look at the random number generator bug in Debian Linux, for example. In essence, they modified the code, making it weaker instead of stronger. What we see in practice is that many times SDKs are used that come with the package (for example a POS terminal), or those that are publicly available. That is also the reason why bugs in OpenSSL cause so many problems for so many vendors.

In the future, is encryption going to be obsolete or endangered as government agencies (such as GCHQ) will be trying to implement backdoors to harvest data, which means that encryption could become obsolete?

I do not think that encryption will become obsolete — and I certainly hope it won’t. For example, DES was invented long ago, and we still frequently see DES in devices. So you can imagine that it will take a very long time before those devices and the newer devices equipped with AES fall out of use entirely. There are also some countries, like the one where I am living, that recently made a strong stand against backdoors in software and affirmed that encryption is a good thing. Money was even donated to (if I remember correctly) OpenSSL development. So I don’t think it will become obsolete.

Is it possible to know the reliability of a system like TrueCrypt? Are there viable alternatives to be used — perhaps in the cloud, like Dropbox?

TrueCrypt was audited for backdoors and implementation mistakes. They haven’t found anything. A little bit later, the source code of TrueCrypt was published so that people could check it themselves if they wanted. Some vulnerabilities have been found, but nothing that looked like a backdoor. Later spinoffs based on the TrueCrypt code have been open sourced, meaning these can be and are audited as well. In short: Yes, the reliability is known because they have been checked. 

The advantage of a TrueCrypt-like solution over Dropbox is that you hold the keys yourself. Even though Dropbox encrypts your files when they store them on their servers, they still hold the key. Meaning they can access your data. On the other hand, the advantage of Dropbox over TrueCrypt is that they are responsible for the backups. My advice? Encrypt your files locally and then you can store them anywhere you want, as long as you hold the key.

Do games encrypt data they transfer from a client to the server and back? If not, can a user do something to secure the transferred data from cyberthieves?

I do hope that games communicate with the server over an encrypted connection. Failing to do so would open up the path for cheating. If it is not encrypted, then there is nothing you, as a gamer, can do. Simply setting up an SSL connection to the server won’t work, because the server won’t understand SSL. I do have a small side note, however: If the connection between the server and the client is unencrypted, and you happen to host both the server and the client, you can simply build SSL tunnels between the client and the server and thus have encrypted communications.

How can you create a reliable protection for the computer game?

If you really want reliable protection you would have to switch to a hardware solution with no backdoors. Here’s an interesting video about that:

If you want to do it purely in software, take a look at how Denuvo protects computer games (even though those have been cracked as well). You can get some nice ideas on how it works, and what can be done, here.

This wraps up our Ask the Expert session with Jornt van der Wiel, our principal ransomware and encryption expert. We hope you found the answers to your questions. Thank you all for participating in this session!