The Dark Side of Cryptography

In the days of the first cryptographers, namely – the ancient Egyptians, Greeks and Romans, the need to share strategic information without it becoming public knowledge became the trigger for the emergence of modern cryptographic theory
The Dark Side of Cryptography

Photo: Bigstock

From time immemorial, cryptography and encryption constituted the first line of defense against the exposure and leakage of information. Encryption was the most common technological method used for sharing private information in a public environment and for compartmentalizing it, while guaranteeing the reliability of the information and messages.

In the last decade, concerns about the vulnerability of data in transit led to significant developments in the field of cryptography and to the emergence of technologies that enable continuous encryption – from photonic encryption at the hardware level to applicative encryption. Technologies such as optical relay encryption and encryption applicatio ns that do not require user involvement started out as dedicated applications in the defense/security environments and soon became available to civilian organizations in the financial, medical and public sectors as well as in other fields.

The recognition of the changes in the modern threat model and the realization that weaknesses exist in every possible vector expanded the envelope of cryptography to include intra-organizational infrastructures and extensive applicative encryption, including encryption through access to local applications or to applications in the cloud.

In the field of on-line communication and content services, including media services and social media, the use of encryption has expanded significantly, and content providers currently use encryption to prevent leakage of usage patterns and incorporate it in identification and verification mechanisms. According to a report by the Sandvine Company, the volume of general encrypted traffic has increased and there has been a sharp rise in the encryption of contents from mobile devices, with such content providers as YouTube and Netflix continuing to increase the volume of encrypted traffic every year.

Encryption technologies were intended to operate passively, without actually analyzing the data being encrypted. They operate subject to the emphasis placed on securing the privacy of the data proper. It may be argued that the importance of such solutions has increased as an in-built element of the cyber defense concept as a whole. This may be attributed to the sharp increase in data leakage incidents that lead to the use of encryption, and as most of the encryption solutions are combined with other sub-mechanisms for data verification and imprinting and for activating powerful identification mechanisms.

Encryption as a Threat

Along with the obvious benefits of encryption applications, these applications also constitute a challenge with regard to the identification of complex threats and even create the conditions that enable the insertion of various threats.

Reliance on systemic encryption, as in the case of SSL VPN applications providing remote access to employees, associates and service providers, enabled organizations to be very flexible with regard to the mobilizing trend that has intensified over the last decade, while maintaining the confidentiality of the information over any medium in combination with cutting-edge verification mechanisms.

Many organizations regard encrypted access as "trust access". As far as they are concerned, the remote user, for example – the remote service or support provider, has successfully passed a multiple-stage identification process and an encrypted medium has been established for him. From that moment on, he is regarded as trustworthy.

Unfortunately, unambiguous identification of the user is not a guarantee for the identification of the user's intentions or to the quality of his communication content in terms of a threat-free medium. The increase in their encryption intensity notwithstanding, VPN networks constitute threat-saturated platforms. Whether it is a malicious operation by a remote user or a legitimate user who unknowingly carries in a sophisticated malicious code (a malicious code programmed to roam to new networks), the potential damage owing to the encrypted access in both scenarios could be massive.

For this reason, it is highly important to incorporate mechanisms for documenting and recording the traffic coming in through the encrypted medium, so as to identify unauthorized operations and neutralize threats before they reach the network core.

Another security challenge associated with encryption applications is directly related to the architecture of the cryptographic code. Data encryption normally requires a multilayered technological application capable of relying on known libraries and cryptographic software that might contain inherent weaknesses. These weaknesses may be exploited in order to insert complex threats or to steal encryption keys.

These threats make the platform that should protect us into a threatening element. In recent years we have been introduced to such inherent weaknesses as Heartbleed in SSL/TLS applications, Shellshock in SSH applications and the dangerous inherent weaknesses discovered in IKE and ISAKMP mechanisms in IPSEC applications.

As in most cases these weaknesses pertain to a large number of users, encryption equipment manufacturers promptly issue patches and updates as soon as such a loophole has been spotted. The combination of infrastructure and applicative encryption normally creates a certain difficulty in the exploitation of those weaknesses.

What You Cannot See – Cannot be neutralized

Another aspect is the masking of malicious traffic by using encryption. According to the latest studies, by 2017 about 70% of the Internet traffic will be encrypted (Sandvine), and about 50% of the cyber warfare attacks and threats will be based on an encrypted medium (Gartner). These trends, along with the sharp increase in the implementation of encryption in intra-organizational applications, are changing the traffic mix within the organization and the volume of encrypted data, particularly with regard to SSL/TLS applications.

A large-scale change such as this necessitates a process of adaptation to a reality where a substantial part of the traffic reaching the organization is permanently masked and might contain various threats. The strength of the security layout does not constitute a significant advantage in this case, as what you cannot see – cannot be neutralized. In this equation, a five year old IPS or a new analytical security system share the same starting point.

In response to this challenge, various methods, technologies and solutions have been developed in recent years. They were designed to enable focused decrypting of encrypted traffic and reconstruction of the encryption without adversely affecting the reliability and accessibility of the data.

"Peeling" the encryption enables security systems to analyze the contents of the original data payload so as to identify and neutralize various threats.

Today, various decryption alternatives are available. Some network security systems, like NGFW systems and Secure Web Gateway systems, offer this specialized capability. Similar features are also becoming more common in data collection platforms such as the Network Packet Broker (NPB) system.

Beyond the specialized solutions, dedicated platforms are available as well. They serve as universal decryption systems. These platforms may be connected to various security solutions such as IPS systems, analytical systems and content analysis systems. The decryption methodology will normally involve the Man-in-the-Middle (MIM) model or a functional division of decryption and encryption renewal, which offers a solution for SSL/TLS type encrypted traffic.

Decryption significantly improves the effectiveness of the security layout. It enables analysis of the entire data content as well as policy enforcing if so required. Another advantage offered by the dedicated systems in this category is their ability to decrypt a massive amount of links and encrypted traffic without adversely affecting the precious resources of the security systems.

***

Tomer Nuri is the CTO of the Malam-Team Company