Encryption is used everywhere in modern online communications. For most people it is most visible when it secures a payment made while shopping online, or a login to an account, but it is used in many other places too. Companies such as Google and Amazon use it when transferring information between data centres across the globe, ATMs use it to connect to your bank securely when you make a withdrawal, and mobile telephone networks use it to prevent eavesdropping on calls. There is a term often used for this – "ubiquitous encryption" – meaning that encryption is everywhere (you just don't notice it).
Encryption is about transforming data in such a way that no unauthorised party can decrypt it and reveal the original content.
To do this, a mathematical algorithm is used to transform the original data (the clear text) into the output data (the cipher text). At the heart of a good, strong encryption algorithm is a key – the key determines how the algorithm converts the clear text into the cipher text.
The key is the single most important part of the whole process: if someone can predict the key being used with an algorithm, then they can decipher the data.
The question, therefore, is how do you make a good key?
The answer lies in randomness.
Many software programs use random numbers, but how random is random?
Any man-made program that produces a random number runs the risk of not being truly random; it will have an element of predictability in it. It is pseudo-random. In some applications this pseudo-randomness will suffice, but in the situations mentioned at the beginning, the risk of someone being able to predict the randomness is not one that can be accepted.
So, how do we make a truly random key?
The answer, in most cases, lies with physics.
Have you ever listened to a radio station that drops out of tune? The hiss you hear is static generated by many things, such as fluctuations in the thermal properties of different components in the radio itself, but mainly by the radio antenna picking up external noise, some of which is cosmic noise – radio waves generated by the billions of stars in the cosmos.
Some cryptographic random number generators use this noise as a way of generating a seed value for their random number generator. This produces a very large, very random value which would be almost impossible to predict, or recreate.
The company Cloudflare has a number of ways of generating randomness. In their San Francisco head office they have a wall of lava lamps constantly bubbling away, which is videoed 24/7. Snapshots of the video are digitised and the output is used to generate the random seed for the keys they use in the services they provide to customers all over the globe. In another office, they use a video stream of a 3-axis chaotic pendulum to generate random patterns.
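As an added illustration (not code from the article, nor Cloudflare's own), the following Python contrasts a key that is a pure function of its PRNG seed with one drawn from the operating system's cryptographic generator, and shows how a digitised noise snapshot is conditioned into a seed. The NOISE_SNAPSHOT bytes are constructed for the example, not real sensor data.

```python
import hashlib
import random
import secrets

# Constructed stand-in for digitised physical noise (a camera frame of the
# lava-lamp wall, or sampled radio static). Made up for this example.
NOISE_SNAPSHOT = bytes(range(0, 256, 3)) * 4 + b"\x7f\x13\xa8\x05"


def condition_noise(samples: bytes) -> bytes:
    # Raw sensor output is biased and correlated, so it is hashed: whatever
    # unpredictability the samples carry is spread over every bit of the
    # digest, and the result has a fixed size suitable for use as a seed.
    return hashlib.sha256(samples).digest()


def key_from_prng(seed: int, nbytes: int = 16) -> bytes:
    # A general-purpose PRNG (Python's Mersenne Twister). The output is a
    # pure function of the seed: anyone who knows, or can guess, the seed
    # reproduces the same key. Never use this for real keys.
    rng = random.Random(seed)
    return rng.getrandbits(nbytes * 8).to_bytes(nbytes, "big")


def key_from_csprng(nbytes: int = 16) -> bytes:
    # The OS cryptographic RNG. The kernel seeds its pool from hardware
    # noise sources, so there is no application-level seed to guess.
    return secrets.token_bytes(nbytes)


def key_from_noise(samples: bytes, nbytes: int = 16) -> bytes:
    # Key taken directly from conditioned physical noise (nbytes <= 32).
    # Real systems mix many snapshots into the OS pool rather than reuse one.
    assert 0 < nbytes <= 32
    return condition_noise(samples)[:nbytes]


if __name__ == "__main__":
    print("PRNG, seed 1234, run 1:", key_from_prng(1234).hex())
    print("PRNG, seed 1234, run 2:", key_from_prng(1234).hex())  # identical
    print("CSPRNG, run 1:         ", key_from_csprng().hex())
    print("CSPRNG, run 2:         ", key_from_csprng().hex())  # differs
    print("Noise-derived key:     ", key_from_noise(NOISE_SNAPSHOT).hex())
```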
So, there are random values, and there are random values. How random something is depends on more than just thinking of a number; it depends on a multitude of tiny, imperceptible variables produced by the natural world around us, and there are some really cool ways of collecting them.
At QA we have developed the most comprehensive end-to-end Cyber Security training portfolio providing training for the whole organisation, from end user to executive board level courses as well as advanced programmes for security professionals.
Visit www.qa.com/cyber for more information
After leaving a career as a mechanical and electrical engineer in 1998, Mark started out with a fresh career as an IT trainer. Spending the first few years as an applications trainer, Mark excelled in delivering Microsoft Office and Adobe products. In line with his background as an engineer, Mark soon shifted focus to more technical deliveries, including hardware and networking topics, a field he has remained in ever since.
As a natural progression of his career, Mark started to explore the security aspect of his existing competencies and since 2005 has specialised in the cyber security domain. Mark has been the author of a number of QA cyber security courses and was the design authority and author of the 2017 NCSC Cyber First Academy. Mark is a C|EH, a Certified EC-Council Instructor, and a CISSP.