CypherCon 2023
GUR RIBYHGVBA BS PELCGBTENCUL
Mr. Jeff Man
Abstract:
What’s been bugging me – crypto ain’t what it used to be from back in my NSA days (and I’m not just talking about digital currencies). I’m classically trained as a manual cryptanalyst – even earning certification as a Cryptanalyst from the National Security Agency. I’ve designed cryptosystems and a cryptologic aid, pioneered software-based cryptosystems, and I’ve also broken codes and ciphers in my day.
Every time I see some mention of cryptography or encryption out here in the real world (the private sector) I grimace a little because very often people don’t really understand how the algorithm works, any of the math (not that I do), the differences between symmetric and asymmetric algorithms, critical issues such as implementation, key management and key distribution.
What is disturbing me most recently is the growing popularity of a “new” form or application of cryptography known as “Fully Homomorphic Encryption”. THIS IS NOT A TALK ABOUT FHE – but rather a talk about why the concept bugs the crap out of me!
I see “strong cryptography” bandied about in the PCI world all the time – and I’ve all but conceded that “strong crypto” in the private sector just isn’t the same caliber of cryptography that I was accustomed to in the DoD. Too often, I hear “well it’s good enough” – but really the security of the implementation TOO OFTEN relies on the bad guys not knowing how to get to the data or how easy it would be if they tried.
I had a “tipping point” moment a few weeks ago when I googled the meaning of “encryption” and found this definition on Wikipedia: “In cryptography, encryption is the process of encoding information. This process converts the original representation of the information, known as plaintext, into an alternative form known as ciphertext.” Um…no, encoding produces code, enciphering produces ciphertext, encryption is more than just encoding, and so on.
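To make the distinction the paragraph draws concrete, here is an added example (not part of the original abstract) contrasting a code, which substitutes whole words from a codebook and involves no key, with a cipher, which transforms individual letters under a key. The codebook is constructed for illustration; the cipher is the Caesar shift, of which ROT13 (the encoding of this talk’s title) is the fixed-key-13 instance.

```python
"""Code vs. cipher: encoding produces code, enciphering produces ciphertext."""

# Constructed toy codebook (illustrative only): whole word -> code group.
CODEBOOK = {"the": "4471", "evolution": "0932", "of": "1188", "cryptography": "7705"}
REVERSE_CODEBOOK = {group: word for word, group in CODEBOOK.items()}


def encode(plaintext: str) -> str:
    """Code: replace each word with its code group. No key is involved;
    whoever holds the codebook can read the result."""
    return " ".join(CODEBOOK[word.lower()] for word in plaintext.split())


def decode(code_text: str) -> str:
    """Reverse the codebook substitution."""
    return " ".join(REVERSE_CODEBOOK[group] for group in code_text.split())


def caesar(text: str, key: int) -> str:
    """Cipher: shift every letter by `key` positions (mod 26); other
    characters pass through unchanged. Decrypt by shifting with -key."""
    out = []
    for ch in text:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + key) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def rot13(text: str) -> str:
    """Caesar with the publicly known key 13. Because 13 + 13 = 26 the
    function is its own inverse, and because the key is fixed and public
    it hides nothing: it behaves like an encoding, not encryption."""
    return caesar(text, 13)


if __name__ == "__main__":
    title = "GUR RIBYHGVBA BS PELCGBTENCUL"
    print(rot13(title))                       # the talk title in plaintext
    coded = encode("The evolution of cryptography")
    print(coded, "->", decode(coded))         # codebook round trip
    print(caesar("The evolution of cryptography", 5))  # a keyed cipher
```

The point the example makes: the codebook output is a code, the Caesar output is ciphertext, and only the keyed transform has a secret to protect; ROT13’s key is public, which is why the page can use it in a title.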
Given the jumbling together of historically very unique and significant terminology I set out to find the actual, historical definitions and try to find a way to teach and/or demonstrate the differences in the foundational forms of cryptography.
But I quickly noticed that some of this terminology is so often mis-applied in our digital age that I wondered if maybe there has been an evolution of the meanings of these terms? I might not like it, but I’m open to that possibility. This very quickly led me to the conclusion that my research on this topic would make for an interesting talk, and so here we are.
I want to share the classical, historical forms of cryptography, discuss the etymology of the terminology, look at how the words apply today – and help the audience decide if the actual meanings even matter (or it’s just me). One important consideration is the tradeoff between keeping the data secret (security) and protecting the identity of individuals associated with the data (privacy).
I hope you’ll join me in this journey to victory (or defeat) in the ongoing battle of preserving the classic goals and objectives of data security.
Importance: IMO – part of the reason why cybersecurity has not been solved is because it’s never been taught well/received well by the private sector. Having lived and worked for an organization whose sole mission was Information Security, I feel that there is still value in what and how we used to conduct ourselves within the DoD. I think the historical context has meaning – and I would proffer that there is benefit to understanding where we’ve come from, successes and failures, what we’ve done right/wrong, etc. – all with the goal of making people think more and/or differently about our discipline.
Mr. Jeff Man
Wait… the NSA?
Respected Information Security advocate, advisor, evangelist, international speaker, keynoter, former host of Security & Compliance Weekly, co-host on Paul’s Security Weekly, Tribe of Hackers (TOH), TOH Red Team, TOH Security Leaders, TOH Blue Team, and currently serving in a Consulting/Advisory role for Online Business Systems. Nearly 40 years of experience working in all aspects of computer, network, and information security, including cryptography, risk management, vulnerability analysis, compliance assessment, forensic analysis and penetration testing. Certified NSA Cryptanalyst. Previously held security research, management and product development roles with the National Security Agency, the DoD and private-sector enterprises and was part of the first penetration testing “red team” at NSA. For the past twenty-five years has been a pen tester, security architect, consultant, QSA, and PCI SME, providing consulting and advisory services to many of the nation’s best known companies.