“Secrets are at the heart of all online security. If two computers are talking to each other, how do they convince each other that they are who they say they are? That’s called authentication. And how can they be sure the messages they send and receive aren’t read or altered by malicious parties? We really only have one way of solving all these problems—which is by using secrets. For online security to work, we need to solve two problems: how to safely share the secret is one problem, but how to keep the secret is the other problem.
“Imagine you’re a spy and you’re going overseas and I’m back at home base. You need to send me messages and I need to communicate instructions to you. I could give you a secret code book before you go, and then you would communicate with me using the code book. Only you and I have a copy of the code book. But what if you’re already overseas and I haven’t seen you, or never met you before? How can I get the code book to you? Because we haven’t yet got a confidential way of communicating things because we don’t have a common code book yet, and I can’t authenticate it’s you because we don’t have a shared secret to authenticate.
“So it is this really weird problem. But it’s not an esoteric problem. If you go to Amazon and you want to buy something, you type in your credit card number. How does your computer know you’re really talking to Amazon? How do you and Amazon set up a way of encrypting your information that you’re sending so someone eavesdropping on the line can’t work out what your credit card number is just by listening? Because you and Amazon have never met. You’ve never exchanged a code book.
“We have this joke in computer security. If you want to keep a secret a secret, the optimum number of people to know it is zero. Because if even one person knows it, they’ll blow it. And once you’ve got two people knowing it, it’s a disaster.
“In terms of creating a shared secret, there is a neat mathematical trick that was worked out that partly solves the problem. It’s called public key cryptography or asymmetric cryptography. It’s based on the idea that there are some mathematical operations that are easy to do one way and harder to undo. It’s easier to square a number, for example, than it is to calculate the square root. The two computers partially do these easier calculations and share some of our intermediate results. At the end they both get the same answer, and because we’ve chosen the numbers in the partial calculations ourselves we can work out the answer the easy way and use it as a shared secret between us. But a malicious eavesdropper can only work out the answer the slow way, hopefully taking them years.
“So that’s pretty good, but once you’ve set that up, you still need to authenticate who you are. And ultimately the only way we know of authenticating who you are is with shared secrets like passwords. And that has all the problems of keeping secrets secret. Like picking ones that are easy to guess, reusing them, losing them, or being tricked into typing them into fake websites that look just like the real website.
“There is no perfect solution to cybersecurity. We are humans, and ultimately in security humans are the vulnerable spot. That means human-based attacks are common, and we need human defences just as much as technological ones, and no defences are foolproof. Artificial intelligence holds some promise. But AI is just a tool, and it’s a tool that increases complexity. With complexity comes less security. The more complex you make things, the more gaps there are. There is hope that we’ll be able to use AI for good and not for bad, but there’s no way that we’ll be able to use it to solve this problem.
“When you think about what security means, it’s quite hard to define. You can really only define insecurity. Insecurity is when bad things can happen, and security is those bad things not happening. But you could rule out all the bad things anyone can think of today and still not be secure because some bad guys can think of some new bad things tomorrow.”
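
The shared-secret trick described in the quote, sketched with the classic Diffie-Hellman exchange. This is an added example, not part of the quoted remarks: the quote names no specific scheme, so the choice of Diffie-Hellman is an assumption, and the group parameters and function names are constructed for illustration.

```python
import secrets

# Constructed toy group: 2**127 - 1 is prime but far too small for real use.
P = 2**127 - 1
G = 3

def make_keypair(p=P, g=G):
    """Pick a private exponent and do the 'easy' calculation to get the public value."""
    while True:
        private = secrets.randbelow(p - 3) + 2      # uniform in [2, p-2]
        public = pow(g, private, p)
        if 1 < public < p - 1:                      # reject degenerate values
            return private, public

def shared_secret(their_public, my_private, p=P):
    """Combine the peer's public value with our own private exponent."""
    if not 1 < their_public < p - 1:
        raise ValueError("peer value out of range")
    return pow(their_public, my_private, p)

def eavesdropper_slow_way(public, p, g, limit):
    """Recover the exponent by trying 1, 2, 3, ...; None if not found within limit."""
    value = 1
    for x in range(1, limit + 1):
        value = (value * g) % p
        if value == public:
            return x
    return None

def demo():
    """Run both sides of the exchange and return the secret each side derived."""
    a_priv, a_pub = make_keypair()
    b_priv, b_pub = make_keypair()
    # Only a_pub and b_pub cross the wire; the private exponents never leave each side.
    return shared_secret(b_pub, a_priv), shared_secret(a_pub, b_priv)

if __name__ == "__main__":
    s1, s2 = demo()
    print("both sides agree:", s1 == s2)
    # In a tiny constructed group (p=23, g=5) the slow way finishes at once;
    # the work grows with the size of the group, which is why real groups are huge.
    print("exponent recovered in toy group:", eavesdropper_slow_way(8, 23, 5, 22))
```

The exchange on its own does not tell either side who sent the public value it received, which is the authentication problem the quote turns to next.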