Lost in Boelter: Cracking the code behind encryption

NK DTZ’WJ WJFINSL YMNX RJXXFLJ, NY’X UWTGFGQD STY JSHWDUYJI

Don’t worry, this isn’t a mistake. That line above is in fact gibberish. But, what if I told you that those seemingly random characters actually map to the following message?

IF YOU’RE READING THIS MESSAGE, IT’S PROBABLY NOT ENCRYPTED.

What I have just demonstrated is encryption, or the act of converting a message into one that is incoherent and hard to understand. And this fundamental practice is responsible for keeping virtually everything from our passwords to our credit card numbers secure in our ever-digitalizing world.

Enter Alice and Bob

While encryption may sound complicated, it essentially boils down to keeping out the nosy. This is best shown through an example:

Suppose we have two friends, Alice and Bob. Alice decides she wants to mail a secret note to Bob, but the two are worried that their mutual annoyer, Trudy, will intercept it midway, getting in on the secret and potentially spreading it to unwanted ears. Let’s assume that Trudy is somehow able to intercept the letter, but will only read it before placing it back in the intended destination mailbox.

There are several avenues that Alice can pursue to ensure that her message to Bob is kept secret. She could mummify the envelope in duct tape and superglue it shut to keep Trudy from opening it, but that inconveniently keeps Bob from opening it as well. A more effective solution would be to shroud the message with a code to ensure that even if Trudy intercepts the letter, she won’t be able to uncover the secret message, though Bob can understand it.

For example, if Alice wants to send the message,

IF YOU’RE READING THIS MESSAGE, IT’S PROBABLY NOT ENCRYPTED

she could shift all the letters by five characters in the alphabet – “A” would go to “F”, “L” would go to “Q”, “Z” would go to “E”, and so on – and send the encoded message,

NK DTZ’WJ WJFINSL YMNX RJXXFLJ, NY’X UWTGFGQD STY JSHWDUYJI

,while ensuring that Bob somehow knows that he needs to shift the characters in the original message by five in order to retrieve the true secret message.

This process of converting interpretable information – passwords, private data or credit card numbers – into gibberish is the cornerstone of encryption. You can think of encryption as a mathematical lock-key system where the original message, called the “plaintext,” is locked up, or encrypted, before being sent off to the destination. In order to extract the plaintext from the locked-up message, the recipient must use the key, or the agreed-upon mechanism for deciphering the nonsensical message – the ciphertext – in order to decrypt it into the original comprehensible one.

This digital lock-key scheme is virtually ubiquitous in our daily lives, where everything from signing into Facebook to scanning an LA TAP card uses encryption. While this is usually a good thing, as the prevalence of encryption means that confidential data is less likely to be floating around in plaintext form, it raises the question of relevance – why really should we care about encryption if it’s already so widespread?

It’s because no encryption scheme is perfect. And, considering that there are a lot of easy-to-break cryptographic systems floating around in cyberspace, the issue of data security concerns us all, perhaps more so than you know.

Decrypting the problem

A major challenge with designing any security system, be it physical or digital, is the trade-off between security and ease of use. While cryptographers may come up with the most advanced and durable cryptographic schemes, the fact of the matter is that unless those systems are easy to implement – and, more importantly, fast – there’s little hope that they will be utilized in our everyday consumer items or applications. This might seem odd, but taking a look at the history of Wi-Fi encryption systems will show you this.

In 1999, Wi-Fi security standard known as Wired Equivalent Privacy, or WEP, was ratified as the Wireless Network Security standard, and became quite prevalent in routers and Wi-Fi systems in businesses and homes. WEP uses an encryption scheme known as “Temporal Key Integrity Protocol”, or TKIP, which, among other things, is fairly quick in encrypting and decrypting data passed across the network – a convenience users stress heavily when using Wi-Fi networks.

Beginning around 2001, however, notable vulnerabilities were found in the TKIP architecture that allowed malicious users to easily decrypt network data and “crack” Wi-Fi passwords – a major security concern, as that allows for network packets passed between machines and routers be intercepted and examined for sensitive information. In fact, any amateur hacker can download a WEP-cracker application, walk up to a WEP network and crack into it in less than an hour.

In response to this, new Wi-Fi standards such as WPA and WPA2 were developed, the latter of which uses a stronger encryption system than TKIP known as “Advanced Encryption Standard,” or AES. However, despite these innovations, a large number of public networks and corporations today still use WEP to avoid the inconvenience of switching to routers that use WPA2 – negligence that usually ends badly for them.

What this means for us users is that we have the added responsibility of being aware of the vulnerabilities of the encryption schemes employed by the websites and networks we use.

For example, when you connect to Starbucks’ free Wi-Fi hotspot, you’re probably more concerned about the network speed than you are about the security of your data. However, that gentle disregard for security is all it takes for your personal information to become anything but. Because it’s a public network, anybody with the right software can capture inbound and outbound network packets, and if the store is still using a WEP router, that shady guy in the corner probably needs only little more than 20 minutes to decrypt the packets and find out what your Facebook account’s password is. And if your web security practices are anything like the rest of ours, that password probably unlocks five other online accounts.

Of course, not all public networks are unsafe to connect to, and most Starbucks Wi-Fi hotspots probably use WPA or WPA2 routers. However, the message still remains the same: Vigilance is key. Taking that extra time to learn if that website or Wi-Fi network you’re connecting to is using strong encryption oftentimes makes the difference between an everyday occurrence and an embarrassing spectacle – much like making sure your backpack is zipped up before you bolt down Bruin Walk to get to class.