Saturday, July 4, 2009

What is it with encryption?

"In Congress, July Fourth, one thousand seven hundred and seventy six. A declaration by the Representatives of the United States of America in Congress assembled. When in the course of human events..."

No, this is not a citation from the Declaration of Independence, though it is close and would be appropriate today. This is the encrypted message that Robert Patterson, a mathematics professor at the University of Pennsylvania has sent to President Jefferson over 200 years ago. It was cracked recently by Lawren M. Smithline of Center for Communications Research in Princeton, N.J., a division of the Institute for Defense Analyses(see http://www.math.unc.edu/Faculty/petersen/Coding/Articles09/jefferson2009.htm).

The story in WSJ online (http://online.wsj.com/article/SB124648494429082661.html?mod=yhoofront) was the last push to write this post. As the 'security guy', who provides answers to countless compliance questionnaires on details of encryption implementation in applications - it has always bothered me why was it so difficult for software engineers to implement cryptography correctly. Why almost nobody bothers to use initialization vectors? How come developers rarely go beyond copy/paste of the first sample code they come across? Virtually no research and complete disregard of key management. I have my theory now. Cryptography is a fusion of science, engineering and business. Typically, people get the science (the algorithm as in AES or SHA) and engineering part, and completely miss the key management. Maybe because key management system is a business application, some might argue a mission critical one, that is difficult to implement if there is none available. Maybe the reason is in not allowing enough time for proper research and design.
There is no justification, even if for the first time implementing encryption in an application, for not reading up on the subject, though.
In any case, I have seen just one application so far that has gotten it right without using HSMs (hardware security module - used to secure encryption keys).
They used to treat cryptography with more respect in the past be it some 200 years ago or 20 years. James Sanborn has erected Kryptos sculpture, at CIA headquarters of all places, and nobody has solved the fourth and the last part of the cryptic message contained in it(see http://www.wired.com/science/discoveries/magazine/17-05/ff_kryptos). A sculptor has had enough foresight to create a message that even the CIA were not able to decipher for 20 years! Maybe this will get engineers' attention.