Julius Caesar used it. Mary, Queen of Scots, also used it, but lost her head as a result. Napoleon misused it, costing himself an empire. During the Second World War, all sides relied on it, with Allied superiority in mastering it widely credited for shortening the duration of the conflict. Spies deployed it throughout the Cold War, and still do. Yet there is someone who uses it more often, for a far greater diversity of purposes. Someone who completely depends on it for much, if not most, of their daily activity. That person is you. And this vital tool is cryptography.
You use cryptography to secure a host of everyday tasks. You use it when you make a mobile phone call, withdraw cash from an ATM, connect to a Wi-Fi network, log in to a computing device, search for information on Google, and watch movies using a service such as Netflix. Cryptography helps to secure more than a billion Apple devices,1 over 7 billion bank cards,2 and 55 billion daily WhatsApp messages.3 The Bitcoin digital-currency scheme and its associated blockchain are built entirely from cryptography.
Cryptography also protects over three-quarters of all global connections made to the World Wide Web.4 Did you know that when your web browser connects to a secure website, you are using cryptographic tools that helped to drive a computing revolution that led to the development of the internet we know today? Did you know that each time you open your car door, your car key fob is doing something beyond the capabilities of an attacker with access to the world’s most powerful supercomputer? Were you aware that messages sent from your phone are often protected by cryptography so strong that it worries some governments and intelligence agencies?
Cryptography is, essentially, an application of mathematics. However, few applications of mathematics have achieved the profile, social importance—even notoriety—of cryptography. Most of the time, mathematics does not provide a focus for blockbuster movies—but in the case of cryptography, it has inspired such films as Enigma, Skyfall, and Sneakers;5 such television series as CSI: Cyber and Spooks;6 and such bestselling novels as Dan Brown’s Digital Fortress.7 Nor does mathematics normally end wars or disturb world leaders.
What cryptography does is to provide a set of tools that can be used to protect information. Although it can be applied to information represented in physical space, such as words written on a page, it is our increasing reliance on digital information that has made cryptography so essential to our everyday lives. Cryptography enables us to keep sensitive information secret. It can detect when information has been accidentally, or deliberately, modified. It allows us to determine who we are communicating with. In fact, to establish the basic elements of digital security, cryptography is pretty much the only game in town.
Cryptography is like antibiotics. You can get through your life by taking antibiotics without any real understanding of them. Yet there are two important reasons for knowing what they do and how they work. First, the knowledge improves your understanding of human health, as well as helps you decide when to take antibiotics, for the good of both yourself and others. Second, our individual use of antibiotics raises important issues for the wider society, including concerns about overuse and the rise of superbugs.
Similarly, you can breeze through your life using cryptography without even being aware of it. However, I am convinced that a little bit of knowledge about cryptography can make a big difference to your life. First and foremost, I want to open your eyes to the critical role that cryptography plays in supporting your everyday life. By learning what cryptography does and how it works, I believe, you will acquire greater confidence in reasoning about your own personal digital security. Use of cryptography also raises wider social questions about how society should balance personal freedom with control of information, which I will also explore in this book.
Cyberspace
I will not make any significant attempt to define what cyberspace is8 other than to observe that anything you currently regard as being in cyberspace, for our purposes, almost certainly is. Cyberspace is “electronic stuff.”9
Cyberspace consists of computers communicating with other computers across networks. These computers include things clearly recognizable as computers, such as laptops. They also include gadgets such as mobile phones, gaming consoles, and voice assistants, which we mostly recognize as devices capable of accessing the internet yet do not always regard as computers.
Cyberspace also consists of millions of computers we directly interact with, such as sales terminals, automatic teller machines, and passport control gates, and many we don’t, such as computers that support business, defense, and industrial control systems. Perhaps most importantly, and to an extent alarmingly, many everyday devices that traditionally we don’t think of as having a digital element, let alone as being computers, are rapidly becoming devices in cyberspace. These include cars, homes, and domestic appliances. The networks connecting all these devices in cyberspace can be wired or wireless, short- or long-range, open to all or dedicated to specific purposes such as telecommunications. By far the most significant of these networks is the internet.
Of course, cyberspace and the physical world are not entirely different concepts. Aspects of the physical world increasingly interact with cyberspace. It is generally becoming hard to find people who do not use the internet,10 businesses without an online presence, or technologies not interacting with cyberspace in some way. And most things that happen in cyberspace occur because human beings press buttons on physical devices that execute instructions on machines in physical places.
Your Security in Cyberspace
Just for a moment, reflect on how much you depend on cyberspace. Consider how you communicate with your friends, where you get your news, and how you research your next vacation. Think about how you manage your money and how you pay for things. Don’t forget how you access music, movies, and personal photographs. Did you remember to include your car? It opens its doors at the click of a button, always knows exactly where it is, reports its problems to the manufacturer, and in the future it will undoubtedly drive itself. And this is just the tip of the iceberg. There’s all the invisible stuff you rely on every day that just seems to happen. Planes fly, electricity powers, and traffic lights change. These days, almost everything relies on cyberspace.
Because we increasingly live our lives in cyberspace, so, too, do criminals. Cyberspace is a wonderful place to commit crime. Freed from the tyranny of distance, cyberspace enables criminals from anywhere in the world to raid your home. It’s a place of smoke and mirrors, where a teenager in a bedroom can pretend to be your bank or build a website resembling that of a major department store. Hence the endless stories in the media about security incidents involving computers—and these are just the ones we hear about.
Exact figures are notoriously hard to establish, but cybersecurity firm Norton claims there were 978 million global victims of cybercrime in 2017 (altogether losing $172 billion),11 the professional services firm PwC reported that 31 percent of organizations victimized by fraud were affected by cybercrime in 2016 and 2017,12 and the research firm Cybersecurity Ventures reckons that cybercrime will cost the global economy $6 trillion by 2021.13 Cyberspace is invisible, out of sight, and, too often, out of mind. Just ask the Iranian scientists at the Natanz uranium enrichment facility whose centrifuges mysteriously started failing in 2010,14 or the executives at Sony Pictures who unwittingly became the stars of their own horror movie in 2014 when their internal emails, salaries, and unreleased movies were exposed to the world.15
We are physical beings who have evolved in a physical world in which we have a reasonable understanding of what security means (locked doors, passport controls, signed documents, etc.). However, we appear to lack the equivalent common sense to operate safely in cyberspace. The invisibility of cyberspace doesn’t help, but I suspect our main lack of intuition comes from a failure to understand even the basics of what security in cyberspace might mean. As a result, we’re all capable of doing daft things in cyberspace. We leave our front doors wide open, we hand over our bank account details to strangers, and we etch highly personal messages into tablets of digital stone that will remain legible forever. I will show you how cryptography attempts to address the heart of the problem of securing cyberspace and, as a result, will equip you with an ability to make much better judgments about your own cybersecurity.
Understanding the basics of cryptography will help you recognize the significance of some of the security technologies you rely on every day. Passwords are commonly used but have many flaws. Did you know, however, that your online banking is often protected by a “perfect” cryptographic password? Cryptography ultimately relies on secrets, known as keys. I hope to increase your awareness of how vital these keys are to your digital security, and to encourage you to look after them just as carefully as your physical keys—ideally more so, because for many of the things you do in cyberspace your key is the only thing that separates you from the 4.5 billion other users of the internet, so it is crucial to be aware of these keys and where they reside.
An appreciation of cryptography will also help you to respond appropriately to cybersecurity issues you encounter. What are the implications of connecting to an unprotected Wi-Fi network? Is it really so important to have different passwords for different accounts? If you are told a website does not have a valid certificate, should you click and proceed anyway? And what about all these news stories about cybersecurity that just keep coming? In 2017 it was widely reported that Wi-Fi networks running a particular cryptographic protocol were insecure16 and that Infineon cryptographic hardware was crackable.17 And 2018 began with a report that many Apple devices had a chip flaw.18 Should we panic? Do we need to take personal action, or is it someone else’s problem to solve? Should you be excited about blockchains? Or worried about quantum computers?
A rudimentary knowledge of cryptography will also aid you in making decisions about whether and how to engage with technologies, now and into the future. Is it safe to submit sensitive personal information to a given app? Could you lose all your money if you convert it to bitcoin? Which security issues should you consider when investing in a new mobile phone?
But it’s not just about you; we’re all in this together. When you leave your front door open and a thief grabs your diamonds, it’s your loss, not mine. The same cannot be said about cybersecurity. If you are inadvertently too trusting when opening an unsolicited link to an amusing video of a dancing sheep, then your computer could easily be inducted into a global network of machines conducting criminal activities. Your computer might end up attacking mine, so we all have a stake in your ability to defend yourself in cyberspace. Every reader who equips themselves with a basic knowledge of cryptography will, with luck, also make the rest of us a little bit safer.
A Social Dilemma
Cryptography is vital to our daily lives, something we can no longer live without. Yet there is a case for regarding cryptography as troublesome, even dangerous. Because it works so well, cryptography presents society with a social dilemma.
In May 2017, the network administrators of forty UK hospitals found themselves in a state of crisis. The computer systems that support their day-to-day operations were out of action because of cryptography. Attackers had hijacked these systems using cryptography within the WannaCry software to make the systems’ data inaccessible, and they were now demanding a ransom to restore the systems to normal. The cryptography that makes us so secure in cyberspace was, in this case, the cause of a serious problem.19
Even more problematically, while cryptography protects you in cyberspace, it can also be deployed to protect the communications of organized crime, terrorist cells, and child pornographers. For this reason, some national security agencies around the world have expressed concern about its widespread use. Former FBI director James Comey was particularly outspoken about this issue, repeatedly expressing his worries about the way cryptography hampers intelligence gathering.20 In 2013, former US National Security Agency (NSA) contractor Edward Snowden gave up his career and personal freedom to reveal a raft of techniques that the agency had been using in attempts to overcome everyday use of cryptography in order to support its surveillance activities.21
Some politicians partially blame cryptography for serious security incidents. Following the November 2015 terrorist attacks in Paris, UK prime minister David Cameron asked: “In our country, do we want to allow a means of communication between people that we cannot read?”22 In June 2017, Australian attorney general George Brandis announced that Australia would lead international discussions on the involvement of industry in “thwarting the encryption of terrorist messaging.”23 Around the same time, German interior minister Thomas de Maizière announced that his government was preparing a law to enable state authorities to access private encrypted messages, arguing that the state “can’t allow there to be areas that are practically outside the law.”24 And in May 2018, US attorney general Jeff Sessions claimed that it is “critical that we deal with the growing encryption or the ‘going dark’ problem.”25
All these political interventions are essentially suggestions that cryptography should be made less effective. However, the UN high commissioner for human rights, Zeid Ra’ad Al Hussein, proclaimed that without cryptography, “lives might be endangered.”26 Can these different viewpoints be reconciled?
Today’s political debates about the use of cryptography are, in fact, modern takes on a much older conversation about the tensions between freedom and control of information in civilized society. The invention of the printing press in the mid-fifteenth century heralded an era of political conflict over the control of book printing. Restricting who could print books, and for whom, allowed the governing authorities of church and state to manage wider society’s access to information.27 Today, cryptography protects the flow of digital information in a way that worries some governments.
There are no simple compromises between freedom and control here. Many politicians and journalists seem to struggle with this issue because they don’t appear to understand what cryptography does or how it works.28 By providing information about how cryptography benefits our lives, as well as the challenges it creates, I will help you to develop an informed opinion about its use. This knowledge will be useful both now and in the future, because we are only going to increase our dependence on cryptography in the years ahead. In all likelihood, the social tensions arising from its use will expand rather than be resolved.
My Approach
Even though cryptography is an application of mathematics, appreciating the fundamentals does not require readers to become armchair algebraists. The mathematics behind cryptography is not a primary concern of this book—just as it is possible to learn how to drive a car without understanding the mechanics of fuel injection.
In addition, although cryptography has an intriguing past, particularly its wartime use, this is not a history book. Past use of cryptography is excellently covered in other literature.29 Instead, I concentrate on today’s use of cryptography, reflecting on selected historical examples only when relevant.
Nor is this a book about puzzles.30 Some aspects of cryptography are about creating “challenges” that must be “solved.” Indeed, during the Second World War the UK government recruited trainee cryptographers by seeking people who were adept at solving crosswords. Unlike some authors, however, I will not present cryptography purely as a source of entertainment (cryptography, after all, is a very RDQHNTR ATRHMDRR*).
In Chapter 2 I explore what security means in cyberspace and how cryptography helps to provide it. In Chapter 3 I explain the different cryptographic roles of keys and algorithms. I then devote a separate chapter to each of the main functions of cryptography—namely keeping secrets, exchanging keys, detecting changes to data, and establishing who is out there. With the intention of understanding how to get things right, in Chapter 7 I look at the different ways that cryptography can go wrong. In Chapter 8 I then examine societal challenges arising from the use of cryptography, as well as political responses. Finally, in Chapter 9 I consider what the future might hold for cryptography and how we use it.
This book is about why cryptography matters to the whole of society and how knowledge about cryptography can keep us secure. I want to show you that cryptography, quite literally, provides the keys to cyberspace.
* If this ciphertext has defeated you, then try shifting the letters forward one position in the alphabet!