FEB. 15, 2018 | THE FRONT LINE

Are you a consumer who wants to make sure your personal data really is secure?

Are you a developer who wants to secure data in a new app or other piece of software?

Do you have an idea for a new kind of super-strong encryption you want to roll out?

Are you thinking about shipping a product and calling it “unbreakable”?

Are you involved in contracting or acquisitions and wonder how to evaluate an encryption product?

Or are you just curious how modern computer systems keep your data secret?

If you answered “yes” to any of these, then you’re in luck! This blog series will address each of these scenarios and more. Over the course of the next few months, you can look forward to learning and exploring:

  1. The basics of cryptography
  2. What problems various kinds of cryptographic algorithms solve
  3. Limitations of cryptographic algorithms
  4. Loads of examples of how cryptography impacts and can help in your own life



“Crypto” is most commonly used in the tech world to refer to cryptology, and when it does, it most commonly refers to cryptography. What are those? Glad you asked. Cryptology is the study of making ciphers (cryptography) and breaking them (cryptanalysis). A cipher is an algorithm, or series of steps, to transform a message (plaintext) into a form that cannot be easily read (ciphertext), called encryption, and then a series of steps to transform it back, called decryption. Normally to encrypt or decrypt requires a key.

Sometimes people use crypto to refer to cryptocurrencies. That’s not the focus of these posts.


Most of the time cryptography seeks to protect the content of messages from being learned by eavesdroppers who may see the messages (for example, a classic wiretap for phone lines or its digital equivalent, the span port packet sniffer). You may also want to prevent someone who stole your laptop from reading the files on the hard drive. These are examples of “threat models” – quick descriptions of capabilities and goals of an attacker that you want to be secure against. There are various common threat models that frequently come up:

  • Ciphertext-only attacks, in which the attacker can only see the ciphertext being sent and does not know anything else about it.
  • Known-plaintext attacks, in which the attacker knows at least some of the plaintext being sent, and can use the captured ciphertext to try to obtain the plaintext for the rest. This scenario is one of the most common in the real world, since hard drive filesystems, emails, web requests, and other messages begin with standard header data.
  • Chosen-plaintext attacks, in which the attacker can get the target to encrypt some data of the attacker’s choosing along with the secret data the attacker wants to decrypt. This is very common against web browsers, since any website can trigger a request to another website (by opening a link, etc.)
  • Man-in-the-middle attacks, in which the attacker can both see the ciphertext and modify it or replay it en route. These are also very common in the real world, and may be combined with other threat models.
  • Side-channel attacks, in which the attacker can glean some information about what is being encrypted by observing the effects the encryption or processing of the data has on other measurable quantities, such as power consumed, noise or heat generated, or time taken by various operations. Timing channels are especially notorious for being difficult to stamp out in a wide variety of systems.
  • Evil maid attacks, in which the attacker has unmonitored physical access for a duration of time to a device they wish to gain and maintain access to. In the variant where the attacker can surreptitiously add miniaturized malicious monitoring hardware, this attack can be nearly impossible to prevent, while in the event they can only read or write hard drive contents, or plug in external devices to a locked computer, there are ways of mitigating.

Defenses against some of these threat models, especially evil maid and the like, often has little to do with selection of cryptographic protocols and algorithms. For example, one of the best defenses against an evil maid is to use a web-connected camera that will alert you if anyone does come near the device. While many of these kinds of details are interesting, this post series will concentrate on the attacks and defenses not requiring physical access. Likewise, if an attacker can get their malware installed with sufficient privileges on the systems that are being used to enter or read the messages, they will be able to obtain the secret messages before or after they are encrypted. Defending against these kinds of attacks is also a significant concern, but not the primary objective of this series.

Instead, this series will focus on:

How to encrypt data with a secret key and how the algorithms that do that are used in different settings

  • How to use authentication algorithms to verify messages, and what happens if you do not
  • How asymmetric cryptography and supporting protocols can establish secure connections with little or no pre-coordination
  • Which cryptographic algorithms are key exchange algorithms, and how they can help you mitigate the threat of future key compromise
  • How to sensibly combine all the above types of algorithms
  • What quantum computers and quantum cryptography may change
  • Which remote attacks remain unmitigated by those algorithms

ABOUT THE AUTHOR: Matthew Weeks has extensive experience in cyber operations, as well as security research and software development He currently leads root9B’s research and development arm. Previously, he was the Officer In Charge of the US Air Force’s Intrusion Forensics and Reverse Engineering lab, a lead network defense tactician, and led the creation of the Air Force’s Defensive Counter Cyber forces, tactics, and mission. As a researcher, he has uncovered vulnerabilities found to have affected millions of networks. As a developer, he has placed in the top- ‐tier internationally in programming competitions and was the developer behind a significant portion of the Metasploit framework, the world’s most widely used vulnerability assessment suite. His work has been featured on CNN and in numerous national publications.