Beast Touched Simplified Encryption
Alice and Bob Are Such Betas
"My dearest Alice, ever since I saw you typing away in your cubicle across the aisle, I have been longing, yearning, that one day we will exchange public keys. I have visions of the day I offer you my 3.5-inch floppy disk and your generous heart would import it into your key ring. For then, when you gently return my floppy disk into my accepting palm, I would gently slide it into my drive and gaze upon your public key written there. It would be the glorious day in which we begin our new relationship filled with encrypted messages intended for our eyes only."
Seriously, it just continues to go on like that. Even to this day, presentations introducing the complex infrastructure of public key cryptography begin with this story. Overlooking mathematicians' refusal to migrate away from the Romance of Alice and Bob in the face of continued encouragement from Human Resources to do so, the field of Software Engineering has evolved the proven security PKI offers in ways that mitigate the fundamental flaw Alice and Bob repeatedly play out: Lack of User Awareness.
tl;dr
- Deep understanding of public/private key cryptography
- Expertise in understanding certificate use
- Knowledge in asymmetric/public-key (RSA, ECC) cryptography
- Focus on protection of symmetric (AES, DES) cryptography keys
- Integrity checks through digital signatures and hash functions
- Packaged with High-level C++ coding
Give Her a Certificate Bro
Fun Fact: Public Keys (or Asymmetric keys) are standardized in the form of X.509 Certificates, and everyone is using this cybersecurity component; they just don't know it. Certificates are in play for every connection between the web browser and the server, and while no one is aware of it, everyone sleeps happier at night knowing they are.
True story: configuring these domains involves knowledge of DNS and of the contents of the various record types in DNS tables. While fudging a DNS record to test redirecting a secondary domain to the primary domain, an "A" record was replaced with a "CNAME" record. In the days of HTTP (the protocol of the web) this would have worked. The primary domain, however, is configured to use HTTPS, with a certificate that contains verified information about the domain registrant and the domain name itself. When the URL of the redirect domain was entered and the browser properly went to contact the primary domain, Firefox shut that connection down. The certificate of the primary domain identified itself as the primary domain, not as the name in the URL that was entered by the web surfer. This could have been bad! Chalk one up in the W column for Public Key Infrastructure. The domain name server sits out of mind of the web surfer and is an exposed vulnerability for any Internet-connected device not implementing an API on a secure protocol.
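The check that stopped the redirect, as an added example (not code from the original post): the client resolves the typed name through the CNAME, but compares the certificate's subjectAltName entries against the name that was typed. The domain names, address and certificate contents are constructed, and the matcher is a simplified RFC 6125-style comparison.

```python
# Constructed example data: names, address and certificate are made up.
DNS = {
    "primary.example": ("A", "203.0.113.10"),
    "redirect.example": ("CNAME", "primary.example"),  # the "fudged" record
}
# subjectAltName dNSName entries of the certificate served at each address.
SERVER_CERTS = {"203.0.113.10": ["primary.example", "*.primary.example"]}


def resolve(name, max_hops=8):
    """Follow CNAME records until an A record is reached."""
    for _ in range(max_hops):
        rtype, value = DNS[name.lower()]
        if rtype == "A":
            return value
        name = value  # CNAME: continue with the canonical name
    raise RuntimeError("CNAME chain too long")


def san_matches(pattern, host):
    """Exact match, or '*' standing in for the whole left-most label only."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Require at least two fixed labels after the wildcard.
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def connect(typed_host):
    """Return (ip, verified). Verification uses the typed name,
    never the CNAME target, so DNS alone cannot vouch for a host."""
    ip = resolve(typed_host)
    sans = SERVER_CERTS[ip]
    return ip, any(san_matches(s, typed_host) for s in sans)


if __name__ == "__main__":
    for host in ("primary.example", "redirect.example"):
        ip, ok = connect(host)
        print(f"{host:18} -> {ip}  certificate accepted: {ok}")
```

Both names reach the same server, but only the name listed in the certificate is accepted. For the redirect domain to work over HTTPS, it needs a certificate that names it.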
The same technology is used in data protection and integrity (fancier words for encryption and digital signatures). There was a point in time when cloud backups had merit as an offsite location to recover lost or stolen files. The fundamental issue is that the cloud (a fancier term for someone else's computer) exposes vulnerabilities by network engineers. Microsoft will claim that all files stored in the cloud on OneDrive are protected by BitLocker, but unlike the keys provided with Certificates, BitLocker keys are readily available and easily viewed at accounts.microsoft.com. To counter that, cybersecurity practice is to overlay an extra layer of data protection on top of most systems. In a world where tech companies are updating terms of service to state that creators do not own their own creations, protecting digital assets, for everyone from individuals to businesses, is no longer optional.
The Public-Key Infrastructure way provides better protection from unauthorized access, and better detection of data modifications, by enforcing the rule of requiring something that you have and something that you know. The something that you have would be the associated Private-Key. As the name implies, this key is to never leave your device. The something that you know would be how you access the device. While this can be passwords, it can also be facial unlock and biometric readers. To borrow an analogy from Jurassic Park, private keys are DNA strands that contain gaps. The only way to properly complete the key and access encrypted intellectual property is to fill in the gaps with the something that you know.
Public Key Infrastructure, while the best option for implementing security, is complex. The standards have measures to provide automation in as many cases as possible, but it is still up to the Engineers to incorporate this level of security as seamlessly as the HTTPS protocol. The biggest obstacle to providing cybersecurity isn't a technological problem, but a people problem. The solution that is best engineered is the one that can be put in place without requiring user awareness, one that integrates into a workflow.
The most intricate solution will be one that allows for key exchange to happen organically and without effort. Past solutions included integration with the Lightweight Directory Access Protocol (LDAP) to perform searches for people's keys. Around these parts, this solution is hated. LDAP requires queries, which require a level of nerd to implement properly. Even if the Engineers were to use the "most common" settings to hide the complexity, the administrator is under no obligation to configure the server in this manner. That allows a search to return entries that look correct but are not the sought result. These lead back to vulnerabilities not unlike the DNS story shared above.
Romancing the Story Canon
With 30 years of Public-Key Infrastructure career experience, everything has been seen, from utility apps that require being intrusive to the end user to desktop integration that requires no user awareness. There have also been attempts along the evolutionary progress: some ideas that worked, and some ideas that seemed to meet feasibility requirements when in the end they did not.
Alice and Bob can ride off into the sunset. For the rest of us who don't want to turn our creativity into corporate property there is a bad moon rising.