Invitation to Cybersecurity

7. The Bedrock of Cybersecurity: Cryptography 183

ones that have been in use for a long time. New cryptosystems should always be treated with suspicion until time proves them secure.

7.4.3 Simplicity and Security

“Make things as simple as possible, but no simpler.” - Albert Einstein

Cryptography inevitably becomes more complex over time as past schemes are broken and new schemes are devised to replace them. We saw this play out in classic cryptography as we went from the Caesar cipher to alphabetic shift ciphers to the Vigenère cipher to one-time pads—each evolution was stronger than the previous but required more work to implement. Although we did not go into the details of computer cryptography, it is far more complex than classic cryptography because it has to withstand sophisticated cryptanalytic attacks aided by computers. This creates a tension because more substituting and transposing can always be performed in an attempt to make the cryptography stronger, but it also adds time to encrypting and decrypting messages, and it adds extra complexity which invites more vulnerabilities.

Cryptosystems should be as simple as possible but no simpler. Simpler cryptosystems are easier to understand. The fewer lines of code required to implement a cryptographic algorithm the better. Simpler cryptosystems are also easier to use. The more steps that people are required to perform to create secure messages, the more likely they are to make mistakes, and the more opportunities for adversaries to undermine the process.

For cybersecurity in general and cryptography in particular, simplicity and security go hand-in-hand. In the same way that good knots are strong and also easy to tie and untie, good cryptosystems are easy to understand and efficient (see Figure 7.18). The best cryptographic algorithms are marked by an elegant simplicity.

Figure 7.18 A complex tangled knot of dubious strength and a simple and elegant strong knot.

Also due to the increasing complexity of cryptography, care must be taken to implement cryptographic processes correctly. Even when using libraries like OpenSSL that encapsulate the cryptographic algorithms, it is easy to make mistakes that result in cryptography that is not secure. For example, when using public key cryptography, people have been known to publish their private key instead of their public key! When using symmetric
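
The private-key mistake mentioned above can be caught mechanically before anything is published. The following is an added example, not code from the book: a fail-closed check that reads the PEM labels in a file and allows publication only when every block is recognised public material. The function names and the sample inputs are constructed for illustration.

```python
import re

# RFC 7468 textual encoding: every block opens with -----BEGIN <label>-----
PEM_BEGIN = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----")
# One-line OpenSSH public keys, e.g. the contents of an id_ed25519.pub file
SSH_PUBLIC = re.compile(r"^(ssh-(rsa|ed25519)|ecdsa-sha2-\S+) [A-Za-z0-9+/=]+", re.M)
PUBLIC_LABELS = {"PUBLIC KEY", "RSA PUBLIC KEY", "CERTIFICATE", "CERTIFICATE REQUEST"}


def classify_blocks(text):
    """Return [(label, kind)] where kind is 'private', 'public' or 'unknown'."""
    found = []
    for label in PEM_BEGIN.findall(text):
        if "PRIVATE KEY" in label:  # RSA / EC / ENCRYPTED / OPENSSH PRIVATE KEY
            kind = "private"
        elif label in PUBLIC_LABELS:
            kind = "public"
        else:
            kind = "unknown"  # unrecognised labels are treated as unsafe
        found.append((label, kind))
    found += [("OPENSSH PUBLIC LINE", "public") for _ in SSH_PUBLIC.finditer(text)]
    return found


def safe_to_publish(text):
    """Fail closed: allow publication only if every block is public material."""
    blocks = classify_blocks(text)
    problems = [f"{kind} block: {label}" for label, kind in blocks if kind != "public"]
    if not blocks:
        problems.append("no recognised key material")
    return (not problems, problems)


def pem(label):
    # Constructed sample: the body is the word CONSTRUCTED in base64, not a key
    return f"-----BEGIN {label}-----\nQ09OU1RSVUNURUQ=\n-----END {label}-----\n"


if __name__ == "__main__":
    samples = {
        "public key only": pem("PUBLIC KEY"),
        "private key by mistake": pem("RSA PRIVATE KEY"),
        "combined key + certificate file": pem("PRIVATE KEY") + pem("CERTIFICATE"),
    }
    for name, text in samples.items():
        ok, problems = safe_to_publish(text)
        print(f"{name}: {'OK' if ok else 'BLOCKED'} {problems}")
```

The combined-file case matters in practice: a single .pem that bundles a certificate with its private key looks publishable at a glance, and the check blocks it because one block is private.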
