Cryptography
Course Summary
The University of San Diego Cryptography course was one of the most technical courses in the program. Students were challenged both to research cryptography concepts and to apply and implement those concepts using popular cryptographic software such as OpenSSL and OpenPGP implementations. The class traced the foundations of cryptography back to basic Caesar ciphers as well as mono- and polyalphabetic transformations. This course covered one of my favorite subjects in cybersecurity, which is the use of symmetric and asymmetric cryptography. It also addressed how these various algorithms are constructed and the common mistakes that are made in implementation. Cryptography and cryptographic implementations are complex and difficult to code. This is in part because cryptographic algorithms must withstand attacks that are both known and unknown in an environment where available compute power increases significantly over time. Concepts such as public key infrastructures, methods of key distribution, and attacks on Transport Layer Security (TLS) were also addressed. The document below is the final assignment for the class (a group project), which covers multiple overlapping areas of cryptography.
Reflection
Cryptography is so intertwined with cybersecurity that the two terms are sometimes used interchangeably. However, these terms are distinct, and cryptography, although ubiquitous, should not be taken for granted. We live in an amazing era where we have incredible cryptographic primitives, libraries, and tools to take advantage of. However, this was certainly not always the case. This class explored basic cryptography, reaching back to basic Caesar ciphers. At the other end of the spectrum, blockchain technology, distributed ledgers, and quantum-computing-resistant cryptography were topics of discussion and debate.
One of the reasons cryptography is so difficult to get right is that it requires deep knowledge of both advanced mathematics and programming. Cryptographic algorithms and implementations must undergo and withstand intense scrutiny by academic researchers and government cryptographers alike. Most individuals without an extensive background should not attempt to implement cryptography in a production environment and would instead be better served by libraries such as OpenSSL and its language-specific interfaces. However, research on this topic is fascinating, and knowledge of common failure modes associated with cryptosystems is invaluable.
Cybersecurity leaders and managers have a number of important perspectives to consider and decisions to make when it comes to leveraging cryptography in their environment. Cryptography is often used to support the CIA Triad (confidentiality, integrity, and availability). The cybersecurity leader must understand how each of these properties is supported through specific portions of the cryptographic suite of tools. For example, encryption does not necessarily imply authentication and, therefore, integrity, although these two are often, for important reasons, linked together. It is highly undesirable to transmit encrypted data that has been modified in transit. In some cases, this is a worse outcome than having the confidentiality of the data breached. Managing a cybersecurity program requires ensuring that the most modern ciphers are available for encryption in transit and that deprecated cipher suites are responsibly phased out while maintaining backward compatibility as appropriate to service client needs. Corporate communications such as e-mail, chat messages, and file sharing also need to have cryptographic interests addressed. Devices such as laptops and mobile phones need to employ robust encryption in transit and at rest for corporate data in case of the loss of a specific device.
“Cryptography fluency” is a highly desirable trait for the cybersecurity leader, given the close relationship between cybersecurity and the cryptographic implementations and controls that support it. The leader supports a cybersecurity team charged with using the tools discussed in this class to meet cybersecurity and, ultimately, business objectives. The cybersecurity leader is often the go-to person for new product vetting, data security, and new initiatives such as corporate blockchains and distributed ledger technology. I hope to use what I have learned here to be a better employee and leader today and in the future.