
Author: Justin Hale

Symmetry in motion: How math is used in cryptography to fortify cybersecurity

Symmetry isn’t just the key to a beautiful painting or a pretty face – it’s also a key concept in cryptography. Cryptoloc chief executive Melissa Crossman explains how the mathematics of symmetry are used in cryptography.

When Cheryl Praeger, Emeritus Professor of Mathematics at the University of Western Australia, won the Australian Prime Minister’s Prize for Science in 2019 for her contributions to pure mathematics, it wasn’t just a great victory for women in STEM. It was also an important recognition of the role that symmetry has come to play in cryptography.

Professor Praeger specialises in the mathematics of symmetry, and developed algorithms that have since been built into computer systems and used by scientists and mathematicians around the world.

“I was very lucky that early in my career an immensely powerful mega-theorem was born, identifying all the mathematical atoms or building blocks of symmetry – the so-called finite simple groups,” Professor Praeger says.

“I was one of the first to exploit this watershed result to build new fundamental theory and new methods to study groups and symmetrical structures like networks and designs.”

One area where symmetry has been instrumental is in the development of cryptographic keys. Essentially, a cryptographic key is a long word that looks like random letters and numbers. It encrypts confidential data using a complex mathematical equation that is only solvable with the appropriate cryptographic key.

When the person encrypting and sending the data and the person receiving and decrypting the data have the exact same key, it’s called a symmetric key. Because both parties have access to the key, the process is referred to as symmetric key cryptography.

The most commonly used symmetric key algorithm is the Advanced Encryption Standard (AES), a specification for the encryption of electronic data established by the U.S. National Institute of Standards and Technology in 2001.

Other popular symmetric key algorithms include Twofish, Serpent, Camellia, Salsa20, ChaCha20, Blowfish, CAST5, Kuznyechik, RC4, DES, 3DES, Skipjack, Safer and IDEA.

Symmetric key cryptography is useful for exchanging private information between known parties – but it’s not without weaknesses.

The symmetric key must be transported between parties, and is at risk of interception in what is known as a man-in-the-middle attack. A third party who intercepts a copy of the symmetric key when it is first shared can decrypt any of the confidential data it protects.

Asymmetric key encryption – also known as public key cryptography – was created to solve this vulnerability by creating a unique key for each user, while also offering the benefits of being able to identify individual users.

The sender and the receiver each have their own private key, which they keep secret. A one-way mathematical equation is then used to create a public key for each user. The public keys by themselves cannot be used to decrypt the information and can, therefore, be easily shared without creating a vulnerability.

The sender of the information then encrypts the data using a combination of their own private key and the intended recipient’s public key. From then on, only the recipient’s private key can decrypt the data, ensuring security.

When different keys are used to encrypt and decrypt that same data, the keys are said to be asymmetric. Whenever you access a secure website – in other words, a site with a URL that starts with https – your browser communicates with that site using both a symmetric key and an asymmetric key.

Today’s secure data cloud storage and sharing systems, such as Cryptoloc, tend to use a combination of several types of encryption keys and mechanisms, including symmetric, asymmetric and private-public cryptography, in order to avoid falling prey to the security weaknesses of any one particular mechanism.

“Mathematics underpins every part of our digital technology,” Professor Praeger says.

“In particular, secure communication of our private data depends on novel protocols founded on the mathematics of symmetry, like those used by Cryptoloc.

“I am excited to think that my research in group theory may lead to future breakthroughs and innovations in cybersecurity and encryption solutions.”

What’s the difference between a digital signature and an electronic signature?

With each passing year, the act of adding a ‘wet ink’ signature to a physical contract feels more and more like an arcane ritual from a bygone age. Replacing manual, paper-based processes with digital alternatives isn’t just more convenient and more efficient – in a post-COVID world, it’s a virtual necessity. But is it legal?

First of all, it’s important to understand what a digital signature is – and what it isn’t.

What is a digital signature?

People often use the terms ‘digital signature’ and ‘electronic signature’ interchangeably, but they aren’t quite the same thing.

All that’s needed for an electronic signature is a mark. Depending on the standards set by the vendor, you can add an electronic signature to a document by using a touch screen or your keyboard to make your mark, or uploading a pre-existing image of your signature.

A digital signature, on the other hand, sets a higher standard for security. In practice, it’s less like a traditional signature and more like a fingerprint. It uses an encryption process that standard electronic signatures lack to identify, verify and authenticate each party signing a document and to create an audit trail.

With a digital signature, you can guarantee that the person signing the document is who they claim to be; that the signature hasn’t been forged; and that the content within the document hasn’t been tampered with after the signature was applied.

Electronic signatures are popular because they’re quick, convenient and easy to use, but a standard electronic signature is nowhere near as secure as a digital signature, which ensures authentication, integrity and non-repudiation.

How do digital signatures work?

Most, if not all, digital signatures utilise public key infrastructure (PKI) to authenticate the signer’s identity and the document’s validity.

The basic premise behind PKI is that an algorithm generates two long numbers, called keys. One key is public, and the other is private. The private key is only used by and known to the person it belongs to; the public key is shared, well, publicly, and is visible to the person receiving the signed document.

When the document in question is signed, the signature is created using the signer’s private key. The algorithm then creates a ‘hash’ – data that matches the signed document – and encrypts that data. This encrypted data, which is marked with the time the document was signed, is what’s referred to as the digital signature. Crucially, if the document is changed after it is signed and the hash is generated, it will no longer match the encrypted data.

The digitally signed document is then sent to the other party to the contract, who also receives a copy of the signer’s public key. If the public key is able to decrypt the digital signature, the signature is valid.

If the public key isn’t able to decrypt the signature, it means one of two things – either the signature isn’t the signer’s, or the document has been altered since it was signed – and the signature is invalid.

As long as you don’t share your private key with anybody or allow it to fall into the wrong hands, it’s essentially impossible for a valid digital signature to be forged.
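
The sign-and-verify flow described above, as an added example that is not from the original article or from Cryptoloc: a SHA-256 hash of the document and its signing time is signed with the private key and checked with the public key. It assumes unpadded textbook RSA and a constructed demo key built from publicly known Mersenne primes; the function names are hypothetical, and real systems use secret random primes with a padded scheme such as RSA-PSS.

```python
import hashlib
from math import gcd

# Constructed demo key material: both primes are publicly known Mersenne
# primes, so this key protects nothing. Unpadded "textbook" RSA is used only
# to make the mechanics visible.
DEMO_P = 2**521 - 1
DEMO_Q = 2**607 - 1
PUBLIC_EXPONENT = 65537


def make_keypair(p=DEMO_P, q=DEMO_Q, e=PUBLIC_EXPONENT):
    """Return (public_key, private_key) as ((n, e), (n, d))."""
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("public exponent must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)  # private exponent, the inverse of e modulo phi
    return (p * q, e), (p * q, d)


def digest_as_int(document: bytes, signed_at: str) -> int:
    """Hash the signing time and the document together (SHA-256)."""
    h = hashlib.sha256()
    h.update(signed_at.encode("utf-8") + b"\x00")  # NUL separates the fields
    h.update(document)
    return int.from_bytes(h.digest(), "big")


def sign(document: bytes, signed_at: str, private_key) -> int:
    """Signer's side: transform the hash with the private key."""
    n, d = private_key
    return pow(digest_as_int(document, signed_at), d, n)


def verify(document: bytes, signed_at: str, signature: int, public_key) -> bool:
    """Recipient's side: undo the signature with the public key and compare
    the result with a hash computed from the document actually received."""
    n, e = public_key
    if not 0 <= signature < n:
        return False
    return pow(signature, e, n) == digest_as_int(document, signed_at)


def demo():
    """Run the outcomes the text describes on constructed sample data."""
    public_key, private_key = make_keypair()
    _, other_private_key = make_keypair(2**521 - 1, 2**1279 - 1)
    contract = b"Party A agrees to pay Party B $1,000."  # constructed sample
    signed_at = "2020-10-01T09:00:00Z"                   # constructed sample
    signature = sign(contract, signed_at, private_key)
    return {
        "untouched document": verify(contract, signed_at, signature, public_key),
        "altered document": verify(
            contract.replace(b"1,000", b"9,000"), signed_at, signature, public_key),
        "altered timestamp": verify(
            contract, "2020-10-02T09:00:00Z", signature, public_key),
        "signed with another key": verify(
            contract, signed_at, sign(contract, signed_at, other_private_key),
            public_key),
    }


if __name__ == "__main__":
    for case, valid in demo().items():
        print(f"{case}: {'valid' if valid else 'INVALID'}")
```

Only the untouched document verifies; changing a single character of the contract or the timestamp, or signing with a different private key, makes the recomputed hash disagree with the value recovered from the signature.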

Is a digital signature legally binding?

The short answer is yes – electronic and digital signatures alike are a valid and legally enforceable way of executing agreements, both in Australia and in most international jurisdictions.

The more detailed answer is that electronic transactions in Australia are governed by the Electronic Transactions Act 1999 (Cth) and similar State statutes, which take a minimalist, technology-neutral approach.

This means that Australian law doesn’t specify that any particular technology is required to create a legally enforceable electronic signature, and contracts don’t need to be made in any specific form. Instead, the Electronic Transactions Act merely requires that the following requirements are satisfied for a signature to be valid:

  • Identification – The signing method identifies the signer and indicates an intention on their part to sign the document.
  • Reliability – The method used to sign was as reliable as possible for the purpose of the communication.
  • Consent – The other party has consented to the signer signing the document through the use of electronic communication.

In practice, Australian courts have repeatedly asserted the validity of signatures signed via electronic means. The most authoritative statement came from Justice Harrison in Stuart v Hishon [2013] NSWSC 766, in ruling that a simple exchange of emails satisfied the requirements: “Mr Stuart typed his name on the foot of the email. He signed it by doing so. It would be an almost lethal assault on common sense to take any other view.”

In Getup Ltd v Electoral Commissioner [2010] FCA 869, the court ruled that a signature submitted via an online platform was valid, and in Claremont 24-7 Pty Ltd v Invox Pty Ltd [No 2] [2015] WASC 220, the terms of a lease discussed via email were found to be valid because the lessor agreed to them in a message that contained his email signature.

In other words, virtually any sort of electronic signature has been found to be valid in Australia. That said, the superior security and authenticity offered by a digital signature would appear to be a better fit with the requirements laid out by the Electronic Transactions Act.

Internationally, the United States, the United Kingdom and Canada have taken a similarly relaxed and technology-neutral approach to allowing electronic signatures.

It should be noted, however, that the European Union, via the Electronic Signatures Directive (1999), has set standards that require digital signatures – i.e. PKI technology – to be utilised for signatures to be valid. Similar standards have since been set in jurisdictions throughout South America and Asia.

Ultimately, regardless of any particular country’s legal landscape, a digital signature is the safest and most secure way to validate and authenticate an online agreement – and the fact that they are now essential to trading with countries that take a standards-based approach to electronic signatures is just icing on the cake.

Cryptoloc’s powerful electronic document signing platform allows you to automatically generate fully admissible digital signature certificates that are legally binding and accepted by most judiciaries worldwide.

DISCLAIMER: This information does not constitute legal advice or recommendations and should not be relied upon as such. If legal advice is required, you should consult a lawyer.

Hacks in history: What businesses can learn from the ANU cyber attack

In a cyber attack so sophisticated that it shocked even the most experienced Australian experts, hackers gained access to the computer system of the Australian National University (ANU) in 2018. Here’s what the attack can teach us about how we can protect ourselves today.

According to a public incident report released by the University in 2019, hackers spent weeks quietly trawling through data stored in ANU’s system. It was months before anyone at the institution even realised there had been a breach.

The report traces the hack back to an email sent by a senior ANU staff member in November 2018. The email was previewed, but never clicked on, by another staff member who had access to their colleague’s account.

Although the email was swiftly deleted, the hackers had already gained access to the senior staff member’s username, password and calendar. From there, they were able to access and compromise the ANU computer network.

Despite a forensic investigation, the full extent of the attack and the motivation behind it is still unknown, because the hackers were so meticulous in clearing their tracks. However, investigators say names, addresses, phone numbers, dates of birth, payroll information, tax file numbers, bank account details and student academic records were stolen.

Cyber security expert Mark McPherson, a member of Cryptoloc’s advisory board, says the breach of ANU’s administrative systems appears to have been accomplished by determined hackers. He says they acted systematically, and with a sophistication of forethought indicating they were:

  • Working to a plan – Spear-phishing for maximum yield and targeting specific systems.
  • Disciplined and patient – Establishing a foothold and erasing evidence of the attack tools used.
  • Varying and escalating their attack sophistication to overcome each new barrier.

McPherson has worked with governments and organisations internationally to improve their security, including universities and financial institutions. He became involved with Cryptoloc after realising the company’s encryption technology would help to ensure data privacy for individuals and organisations worldwide.

Based on the public incident report, McPherson says that the success of the ANU attack hinged on human vulnerabilities as well as technical vulnerabilities.

McPherson says cyber attacks on institutions like ANU often exploit the trust that exists between colleagues – as in this case, where another staff member had access to their colleague’s account and previewed the malicious email.

“Due to the collegial nature of educational institutions, internal cyber security is often necessarily soft-centred with a hard shell protecting the perimeter,” he says.

“It is possible that part of the success attackers enjoy in these environments relies on exploiting the model of internal trust between colleagues and the systems they use to communicate and store their data.

“However, the major impact of data theft may have been reduced – or possibly even eliminated entirely – if a Cryptoloc-based solution was protecting the data that was targeted.”

That’s because the primary focus of a Cryptoloc-based solution is to secure valuable data against unauthorised access. It accomplishes this by requiring an exchange of digital keys between an authorised user and the data storage system prior to releasing the contents of a data file.

McPherson says this exchange can only work if the user possesses not only the correct login name and password, but also has access to their part of the digital key needed to access each specific data file.

“In any normal multi-user environment, systems administrators – also known as super users – have unlimited access to all the data files stored on that system,” he says.

“But the data in files stored using a Cryptoloc-based solution remain encrypted and inaccessible, even to systems administrators. A systems administrator can move, copy and delete any file on a system they control, but they cannot read the contents of a Cryptoloc-encrypted data file without the correct digital key for that specific file.

“In a Cryptoloc-based solution, the complete digital key is not stored on the same system as the data file itself. The file can only be unlocked – decrypted – for reading using the complete key, which can only be assembled by the deliberate action of an authorised user who brings their part of the digital key along with them at the time of access.”

McPherson says that if ANU had taken these sorts of precautions, their data may not have been vulnerable to hackers – assuming they didn’t commit another basic human error.

“Had ANU protected their important or sensitive data with a Cryptoloc-based solution, they may not have lost control of any files securely encrypted on their servers,” he says.

“This, of course, presupposes that unencrypted copies of important files were not otherwise also stored elsewhere on their systems.”

When it comes to cybersecurity, humans are the weakest link – and no matter how secure your software is, every member of your organisation should be on their guard to reduce the risk of a cyber attack.

Blockchain has hit a stumbling block, but there is a better way

The seemingly infinite potential of blockchain technology to transform a variety of industries has long been heralded. But before you buy into the hype, it’s important to understand what blockchain can and can’t do – and carefully consider which of your business’ problems a blockchain ‘solution’ would actually solve.

To begin with, we need to be clear on what we’re talking about when we talk about blockchain – because while many people link blockchain with Bitcoin, and often use the terms interchangeably, they’re not the same thing.

What is blockchain?

Essentially, a blockchain is a type of database where information is stored in chronological order across a network. Data is stored in blocks that are then chained together; as new data is entered, a fresh block in the chain is created.

While private (or ‘centralised’) blockchains – in which all the computers that make up the network are owned by the same entity – do exist, public (or ‘decentralised’) blockchains are more common. The purpose of a decentralised blockchain is to store and verify information without the need for a central authority.

Crucially, every device – or ‘node’ – on the network has access to a full record of the data stored on the blockchain since its inception.

The most famous use of blockchain technology is Bitcoin, introduced in the white paper Bitcoin: A Peer-to-Peer Electronic Cash System, published under the pseudonym Satoshi Nakamoto. Proposing Bitcoin as a cryptography-based currency that could avoid the pitfalls of a financial system controlled by central institutions, ‘Nakamoto’ wrote: “We have proposed a system for electronic transactions without relying on trust.”

When a Bitcoin user makes a transaction, their unique ‘public key’ is recorded on the blockchain in place of their personal identifying information. Initially used by a small group of cryptographers and hobbyists in 2009, Bitcoin gained popularity as the confidentiality it offered appealed to users of darknet marketplaces like the infamous Silk Road. Bitcoin has continued to gain widespread acceptance and adoption, along with rival cryptocurrencies like Litecoin and Peercoin.

But while blockchain is the underlying concept that enables the existence of cryptocurrencies like Bitcoin, it’s not limited to this use. A blockchain can be used to store information like contracts, voting records, medical histories, product and asset inventories – essentially any type of data you can think of can be entered into a blockchain.

The drawbacks of blockchain

Aside from the common concern that storing and replicating data throughout the chain can slow transactions to a crawl as more and more nodes are added to a network, limiting scalability, the nature of blockchain technology also leads to privacy concerns.

All transactions are visible on a blockchain. This is the first and most important protocol of a public blockchain, and how the technology attempts to prevent the corruption of data. Everybody on the network has access to the same public database, and everyone can see everything.

This might be ideal for verifying transactions made using a cryptocurrency, but for other possible uses of blockchain technology, it’s a stumbling block. There is such a thing as being too open, and excess transparency is a potential downside – the idea of medical records or confidential business agreements, for instance, being viewable by everyone on a public blockchain raises serious red flags for privacy, and even storing this type of data on a private blockchain doesn’t preclude the possibility of a cyber-attacker gaining access to your network.

The second most important element of a public blockchain is the consensus algorithm, which ensures that all copies of the distributed ledger remain the same. Essentially, if a change is made to the ledger by one node, but this change isn’t reflected by the majority of the nodes on the network, then the change would be corrected and the truth decided on a majority-rules basis.

But this, too, is vulnerable to a noteworthy security flaw. If more than half of the nodes on the network tell the same lie, then the lie becomes the truth. In other words, if a malicious party was able to control 51 per cent or more of the nodes on a network, they could gain the ability to rewrite or alter the supposedly immutable blockchain record, and prevent new blocks from being added to the chain.

This is called a ‘51 per cent attack’, and was highlighted by Satoshi Nakamoto as a potential flaw when Bitcoin was launched. It’s not entirely hypothetical, either – 51 per cent attacks have been deployed against numerous cryptocurrencies, resulting in millions of dollars being stolen.
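
A simplified model of the majority-rules behaviour described above, as an added example that is not from the original article: each node holds its own copy of the ledger, and the network accepts whichever internally consistent copy more than half of the nodes hold. The SHA-256 linking of blocks, the one-node-one-vote rule, the function names and the ledger entries are all assumptions made for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # placeholder "previous hash" for the first block


def block_hash(index, data, prev_hash):
    payload = json.dumps([index, data, prev_hash]).encode("utf-8")
    return hashlib.sha256(payload).hexdigest()


def build_chain(records):
    """Chain records in order; each block commits to the one before it."""
    chain, prev = [], GENESIS
    for index, data in enumerate(records):
        digest = block_hash(index, data, prev)
        chain.append({"index": index, "data": data, "prev": prev, "hash": digest})
        prev = digest
    return chain


def is_consistent(chain):
    """Recompute every hash and link; an in-place edit breaks one of them."""
    prev = GENESIS
    for index, block in enumerate(chain):
        expected = block_hash(index, block["data"], prev)
        if (block["index"] != index or block["prev"] != prev
                or block["hash"] != expected):
            return False
        prev = expected
    return True


def accepted_records(node_chains):
    """Majority rule: return the records held by more than half of all nodes,
    counting only internally consistent copies, or None if no copy qualifies."""
    by_head = {}
    for chain in node_chains:
        if is_consistent(chain):
            head = chain[-1]["hash"] if chain else GENESIS
            by_head.setdefault(head, []).append(chain)
    if not by_head:
        return None
    copies = max(by_head.values(), key=len)
    if 2 * len(copies) <= len(node_chains):
        return None
    return [block["data"] for block in copies[0]]


def scenarios():
    honest = ["A pays B 5", "B pays C 2", "C pays A 1"]  # constructed ledger
    forged = ["A pays B 5", "B pays M 2", "C pays A 1"]  # rewritten history

    # 1. One of five nodes edits a stored block without fixing the hashes.
    edited = build_chain(honest)
    edited[1]["data"] = forged[1]
    in_place_edit = [build_chain(honest) for _ in range(4)] + [edited]

    # 2. One of five nodes rebuilds a fully consistent forged chain.
    minority = [build_chain(honest) for _ in range(4)] + [build_chain(forged)]

    # 3. Three of five nodes hold the same consistent forged chain.
    majority = ([build_chain(honest) for _ in range(2)]
                + [build_chain(forged) for _ in range(3)])

    return {
        "edited_copy_consistent": is_consistent(edited),
        "in_place_edit": accepted_records(in_place_edit),
        "minority_rewrite": accepted_records(minority),
        "majority_rewrite": accepted_records(majority),
    }


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(name, "->", outcome)
```

The hash links expose the in-place edit and the honest majority outvotes a lone rewritten copy, but once three of the five nodes agree on the rewritten ledger it is the version the network accepts.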

And while blockchain was the first technology to effectively track the movement and transactions of products based on cryptographically unique codes, it does little to counteract the creation of imitation products with a copy of their genuine code – leaving companies employing blockchain as a means of quality assurance open to the threat of counterfeiting.

Overcoming the limitations of blockchain

The answer to these problems lies in the next generation of cryptographic platforms.

For example, at Cryptoloc we use cryptographers, mathematicians, data scientists and software developers who put privacy first. Eschewing the anonymity that initially gave blockchain its notoriety, Cryptoloc ensures that all users are verified to the same standards as the banking industry.

Our patented technology combines three different encryption algorithms into one unique multilayer process that can be deployed across a wide range of applications, including file storage and document management. It’s why Forbes named us one of the 20 best cybersecurity companies to watch in 2020.

Cryptoloc’s ISO-certified technology also enables developers to build virtually any product in a completely secure environment. Each piece of data is assigned its own separate audit trail, and every user and action is verified and accounted for. So unlike a public blockchain, data can only be viewed by the user and the people to whom they specifically choose to grant access, and the user can keep track of when the data was accessed and where it was accessed from.

Similarly, Cryptoloc’s anti-counterfeiting and quality assurance product, Cryptoloc QA, puts control of a brand back in the hands of its producers, generating a unique code that can be applied to virtually any item and eliminating revenue opportunities for imitators. While blockchain technology cannot stop or monitor counterfeiters using copies of their codes, Cryptoloc QA alerts producers whenever a duplicated code is detected so they can take immediate action.

In launching Bitcoin, Satoshi Nakamoto proposed a system “without relying on trust” – but with Cryptoloc, the core values of trust, control and authenticity have been given priority, making it the superior choice for users seeking to minimise risk and maximise safety and security.

Cyber crime reported every 10 minutes in Australia: report

Online scams are taking their toll on Australian computer users, with a cybercrime being reported to authorities every 10 minutes.

That’s according to a story by Information Age that points to the findings of the latest Annual Cyber Threat Report conducted by the Australian Cyber Security Centre.

ACSC says that of the 60,000 cyber crimes reported in the past year, slightly more than one third were categorised as fraud related, with fake romances, dodgy investments and shopping scams the leading causes.

“Cyber crime is one of the most pervasive threats facing Australia, and the most significant threat in terms of overall volume and impact to individuals and businesses,” the ACSC report says.

“Cyber criminals follow the money. Australia’s relative wealth, high levels of online connectivity and increasing delivery of services through online channels make it very attractive and profitable for cyber crime adversaries.”

Read the full story in Information Age.

2020 has been the year of the cyber attack: report

Security firm Crowdstrike has reported there were more cyber attacks in the first half of 2020 than in the whole of 2019, according to Information Age.

It seems the huge transition to remote work caused by the COVID-19 pandemic has left workers and companies exposed as the opportunities for attacks rose.

The company said in a report released by its Overwatch analysis team that “the pandemic created opportunities for adversaries to exploit public fear through the use of COVID-19-themed social engineering strategies”.

Read the full story in Information Age.

What does a hacked coffee machine look like?

Imagine if the machine that makes your morning brew could torment you while also demanding a ransom in exchange for a swig of the bean juice that keeps us all going each day.

As reported in Information Age, a security firm researcher did just that.

Martin Hron, who works for antivirus software maker Avast, picked apart a security weakness in an automatic coffee machine by reverse engineering it – and at the same time found a weakness in most IoT-connected devices. Watch the video to see his handiwork in action.

Hron told Information Age it took him a week to turn the coffee machine into a ransomware machine.

They reported that:

“When the user tried to connect the coffee machine to their home network, the machine would immediately turn on the burner, let loose hot water, continually spin the bean grinder and display a ransom message while beeping. The only way to make this whole mess stop would be to unplug the device, rendering it unusable.”

Read the full story in Information Age here.