Brief reflection on compliance and risk

Cryptography is the technique of presenting a message in such a way that the information it contains can be received only by its intended recipient. This can be achieved in two different ways: by concealing the existence of the message, or by altering the text of the message so that it is unintelligible to anyone but the recipient.

The origins of cryptography are very ancient. In ancient Sparta the scytale (from the ancient Greek skytálē, “staff”) was used to encrypt secret messages intended for military commanders engaged in campaigns. It was a small wooden rod around which a thin strip of parchment was wound in a spiral; the sender wrote the message along the length of the rod, so that the text made sense only while the parchment was wound on the rod.

The parchment could be easily concealed and wrapped around the rod only when needed. Once unwound, the letters on the parchment appeared meaningless; the recipient had to own a rod of the same type (a “twin” scytale) and rewind the parchment in the same way as the sender in order to read the message “in clear”. Another historical example of cryptography is the Caesar cipher.

The ancient algorithm worked as follows: each letter of the plaintext is replaced, in the ciphertext, by the letter found a fixed number of positions further along the alphabet (in the example given here, the plaintext word “dogs” shifted by two positions becomes the ciphertext “fduh”). Only by knowing the algorithm can the encrypted message be turned back into the original.
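The two classical ciphers described above, implemented as an added example (not code from the article); the shift value, the rod circumference and the sample texts are constructed for illustration. The Caesar part also enumerates the whole key space, which shows why knowing the algorithm alone was enough to read such messages:

```python
"""Caesar shift and scytale transposition as described above. Added
example, not code from the article; the shift, the rod circumference
and the sample texts are constructed for illustration."""
import string

ALPHABET = string.ascii_lowercase


def caesar(text: str, shift: int) -> str:
    """Replace each letter by the one `shift` positions further along the
    alphabet (a negative shift decrypts); non-letters pass through."""
    out = []
    for ch in text.lower():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)


def caesar_candidates(ciphertext: str) -> dict:
    """All 25 possible decryptions. The key space is so small that knowing
    the algorithm is enough: every candidate can be read at a glance."""
    return {k: caesar(ciphertext, -k) for k in range(1, 26)}


def scytale_encrypt(text: str, circumference: int) -> str:
    """Write the message in rows of `circumference` letters (one turn of the
    strip around the rod), then read the strip letter by letter down each
    column. The text is padded with 'x' so every column has equal length."""
    width = -(-len(text) // circumference) * circumference
    padded = text.ljust(width, "x")
    rows = [padded[i:i + circumference] for i in range(0, width, circumference)]
    return "".join(row[c] for c in range(circumference) for row in rows)


def scytale_decrypt(cipher: str, circumference: int) -> str:
    """Rewind the strip on a rod of the same circumference: a rod of any
    other size (the wrong key) yields a meaningless sequence."""
    height = len(cipher) // circumference
    cols = [cipher[j * height:(j + 1) * height] for j in range(circumference)]
    plain = "".join(cols[j][i] for i in range(height) for j in range(circumference))
    return plain.rstrip("x")
```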

Historically, cryptography has been widely used in the military field to maintain communication between commanders assigned to theatres of operations and to hide strategic communications from the enemy, or even to mislead the enemy. During World War II, before the Normandy landings, the Allies sent a false message, intended to be decoded by the enemy, stating that the attack would begin at Pas-de-Calais.

In this way the Allies secured an operational advantage of fundamental importance over the enemy. Beyond warfare, cryptography has spread to other areas thanks to major technological and IT advances. Today cryptography is used in the “home” environment, for example to protect data on a smartphone or personal computer, as well as for company and public administration information, data on banking circuits, and more.

There are mainly two cryptographic techniques: symmetric and asymmetric. Symmetric (or “private key”) cryptography is characterized by the fact that the same key is used to encrypt and decrypt a message. The weak point of this approach is precisely security: the sender and the recipient must have a communication channel secure enough to exchange the cryptographic key without it being compromised by malicious parties.

Asymmetric (or “public-private key”) cryptography, on the other hand, is characterized by a pair of distinct keys: a public key and a private key. The public key is used to encrypt messages, the private key to decrypt them; the latter is held only by the recipient and must never be exchanged. The strength of this approach is security: even if the public key falls into the “wrong” hands, without the private key the confidentiality of the message is preserved.

Cryptography is thus a basic security tool that also appears in personal data protection and IT security regulations.

Among its security measures, the GDPR refers to encryption as a means of guaranteeing the confidentiality of personal data. In the field of information security, ISO 27001 likewise includes cryptography among its security controls. Encryption is also a useful tool for achieving security by design, as required for ICT services and products by the Cybersecurity Act (Art. 51, para. 1, lett. i), EU Reg. 2019/881).

More recently this security measure has become a “must”, and all IT security laws provide for it. For example, the proposed European NIS 2 directive (Network and Information Security) lists encryption, in Art. 18, para. 2, lett. g), among cyber security risk management measures. Another European regulatory proposal, on the resilience and business continuity of the financial sector (DORA – Digital Operational Resilience Act), provides for cryptographic security systems (Art. 14, para. 1).

Although cryptography is considered the cornerstone of cyber security, it is not without its dangers. Consider the mismanagement of cryptographic keys, which can compromise the integrity and availability of data. Bitcoin is an example: if a private key becomes unavailable, the wallet becomes inaccessible, with the risk of losing all the data and bitcoins it holds.

Proper management of cryptographic keys is also essential to prevent criminals from taking possession of keys and using them for malicious purposes. Another danger to cryptography comes from technological progress, in particular the development of quantum computers. In short, a quantum computer is a computer that uses the laws of physics and quantum mechanics to process data and whose basic unit is the qubit (in traditional computers the basic unit is the bit). If built, such computers would be able to break any security measure based on traditional cryptography, because they are far more powerful than conventional ones.
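One standard mitigation for the key-availability risk described above (a single lost private key making a wallet inaccessible) is to split the key into threshold shares, so that losing one share or one device does not lose the key, while fewer than the threshold reveal nothing. The following Shamir secret sharing implementation is an added example, not code from the article; the field prime, the 3-of-5 threshold and the sample key are constructed for illustration:

```python
"""Threshold backup of a private key with Shamir secret sharing. Added
example, not from the article: the field prime, the threshold and the
sample key are constructed for illustration."""
import secrets

P = 2**127 - 1  # Mersenne prime; the field must be larger than the secret


def split_secret(secret: int, k: int, n: int) -> list:
    """Split `secret` into n shares so that any k of them reconstruct it.
    A random polynomial of degree k-1 with constant term `secret` is
    evaluated at x = 1..n; fewer than k points leave every value of the
    constant term equally likely."""
    if not (0 <= secret < P and 1 <= k <= n):
        raise ValueError("secret must fit in the field and 1 <= k <= n")
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(k - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation of the polynomial at x
            y = (y * x + c) % P
        shares.append((x, y))
    return shares


def recover_secret(shares: list) -> int:
    """Lagrange interpolation at x = 0 over the given shares. With at least
    k correct shares this returns the secret; with fewer it returns an
    unrelated field element rather than an error, so callers must check
    that enough shares are present before trusting the result."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * -xj) % P
                den = (den * (xi - xj)) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total


# Constructed sample key (not a real wallet key); 3 of 5 shares are needed.
SAMPLE_KEY = int.from_bytes(b"constructed-key", "big")
SAMPLE_SHARES = split_secret(SAMPLE_KEY, 3, 5)
```

Each share would be stored in a separate place (hardware token, offline backup, trusted custodian); any three of them are enough to rebuild the key.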

Today, endangering cryptography means not only undermining a comprehensive security system, but also leaving unprotected all the critical infrastructure that depends on it: think, for example, of banking and electronic payments, whose security is based on cryptography. In a fully interconnected world, the compromise of a security system as pervasive as cryptography could represent a serious threat to the national security of every state. For this reason, efforts are under way to develop new cryptographic systems that are also resistant to attacks by quantum computers. One such effort is the initiative of NIST (National Institute of Standards and Technology), which at the PQCrypto 2016 conference announced its intention to select “quantum-safe” cryptographic algorithms and then to standardize them.

Even though no quantum computer for civilian use is on the market today, it is necessary to reflect on the possibility of a threat capable of endangering a security system as widely used as cryptography. The goal of states, private companies and research institutes should be to develop appropriate security measures to prevent any danger arising from quantum technology. Adapting cryptography to quantum technology from the outset is the first step towards protecting the core resources of every state and avoiding systemic crises.
