Page 77 - CDM-Cyber-Warnings-March-2014
P. 77
3'1$$ 23$/ /1."$22 3. $-241$ 3'$1$ (2 -. ! "*#..1 ""$22 3. 8.41 $-"18/3$# # 3 Is there such a thing as a device or software that can’t be hacked via a backdoor? Maybe. There is however an approach and a methodology that will get you very, very close to the ideal. When we are considering an issue such as ‘no backdoors’ we are considering the very fabric of trust and one of the most essential aspects of business – keeping your data safe. To ensure your data remains safe one must go beyond encryption. The mathematical algorithm that encrypts the data is only useful if you create and store that key in such a way that it can not be retrieved. This is one of the most critical issues to get right in order to lock up your data in such a way there is no potential for backdoor access. First let’s look at the problem of backdoors with a simple brick and mortar analogy. Recently I locked my keys in the car and had to call a tow truck to come to my rescue. A friendly guy showed up thirty minutes later and using a variety of tools available at any hardware store was able to get me into my car without needing to break the window (which was the first approach I considered.) So, let’s just call this locksmith guy a reasonably trained professional. He would make an exceptional car thief. He could get into any car, bypass any alarm system and then drive away. So, we have a locking system on our cars that, in theory, should only let those in who are supposed to have access. Is there a backdoor? Absolutely. If you lose your key you can pretty easily get the manufacturer to issue you a new key. If some criminally minded person at either the towing company, a locksmith or the car company decides to “go rogue” and gain access to my car, put it in a shipping container and send it off to Africa there would be very little I could do to stop them. Fear of prosecution? Sure, if you are a teenage joy rider. What if you are employed by the mob? Are you afraid of the police? No. What if we are talking about encryption? What if the adversary is no longer a bored teenager, but a team of 1,000 hackers who work for a nation state? How can you know for certain that your data remains safe? How can you be sure there is no backdoor? There are many examples of telecom companies and software vendors caving to pressure from various governments to allow them backdoor access to data. Without delving into the moral, ethical and legal ramifications here I’d like to take a practical approach. Can you ensure your data remains encrypted when it’s out in the wild? Sure. Let’s consider the basics of encryption. In order to encrypt data you will first select an algorithm such as 3DES, RSA, AES etc. You can certainly create your own, but the benefit to selecting a publically available algorithm is obvious: It’s been out in the world for a very long time with very smart people beating on it to see if it can be cracked. Clearly if you are concerned that there is a backdoor in the algorithm itself you would be well advised to find another. You choose a solid algorithm and think in terms of what it might take to beat it using existing computing power and then ponder the future of both mathematics and computing power. There is some guesswork here and this is certainly no small task, but the gist of this remains glaringly obvious. If you chose a very tough algorithm you are off to a very good start. " # % " $ " # ! !
