Encryption – It’s a Numbers Game!

Growing up, we watched Sesame Street almost every day and although I preferred to watch the Muppet Show, there were certain segments of Sesame Street I certainly enjoyed that weren’t on every day: Cookie Monster counting his cookies before he gobbles them down; “The Count”, always finding new ways and new things to count; and my absolute favorite, the Pinball Machine song! In fact, almost every television show I enjoyed watching had something to do with counting numbers. Why then, as I got older, did I perform so poorly in math at school? It was my absolute worst subject! As you get older, more mature, self-sufficient, independent and so on, you realize that in the real world nearly everything that you do boils down to numbers. You can find numbers in everything: finance, accounting, chemistry, music, measurements, temperature, calendars, DNA, coding, the 7 chakras, numerology and so on.

In my early years, working for the Bank of Montreal in the Manulife Centre at Bay and Bloor in Toronto, I was the administrative assistant for the ABM Channel Group, a medium-sized department that managed all the automated banking tellers and their information systems across Canada. The ever so wonderful and charismatic Mathew Barrett was at the helm of the Bank of Montreal (BMO) as CEO, shocking the country, especially Finance Minister Paul Martin, with its intentions to merge Bank of Montreal with Royal Bank of Canada. Those were very exciting days!

That would be somewhere around 1998, when Public Key Infrastructure (PKI) started gaining ground in the information technology, network and security world. Back then, in a notably male-dominated industry, looking back I would have to say that it was an honor to serve an executive team of women: two female Directors, Monica, who was promoted from a middle management position, and an outside candidate, Rosa Caputto, whose reputation preceded her as an excellent negotiator and mediator and who was recruited to fill the second Director’s position; and the VP, Grace, a soft-spoken, assertive woman who never had to raise her voice, but you’d know when she wanted something done or if what you did was wrong; a quiet and astute woman.

These three women managed a department full of male techies, rubbing shoulders at conferences and in boardrooms with blue suits that oozed male dominance and ‘mansplaining’. I enjoyed listening to some of these women’s stories about having to handle the more difficult personalities and learned so much through observation. I’d watch how they conducted themselves chairing meetings in a room full of male egos while I sat quietly taking minutes for committee and staff meetings. It was incredible how these women navigated often difficult and dominating environments.

So when a friend began talking about cyber-security, cyber-currency, this new fad called Bitcoin and the complex encrypted security formulas used to find the prime numbers that generate the key, my mind quickly shot back to those days working at Bank of Montreal; I didn’t realize how quickly and how far that industry had progressed – how fast time flies! Apparently, supercomputers are left running all day, every day, going through complex mathematical formulas and equations just to find the next prime number! I had to empty my head of letters and words to let numbers and symbols take over to visualize what all that might look like. I let them swirl around in my head, layers upon layers of complex codes, formulas, and algorithms, like musical notes in a symphony; then he tested my knowledge of prime numbers. Thankfully, I understood numerology so it was a little easier for me to catch on, and the more I learned, the more I was amazed at how extremely difficult it is to find a prime number, how valuable it is on the market once you find that formula, and that this is what makes bitcoin unique. This is the real stuff – what cybersecurity is made of: cryptography and encryption, digital keys, coding, algorithms, passwords, safety, privacy – and it all comes down to you and me.

It’s about YOUR identity!

Digital vs Personal  – Personhood

Before we get to numbers, let us first talk about your personhood, physical and digital. In the physical world, we all have boundaries which we do our best to protect, and there are consequences when a boundary has been crossed, especially without consent. This is also the case in the digital world, which mirrors the real world. However, there are a few more areas in the digital world that need highlighting when speaking about digital personhood. The term “person” refers to a human being or a natural person. “Personhood” is used in the traditional world to mean recognition of an individual or entity as having status as a ‘person’. Therefore, the term “personhood” or “digital personhood” means recognition of a human being as having status as a person in the electronic realm. Identity is both a “real-world” concept and a ‘digital artifact’.

In the digital world, there is a growing sense that a free and open society may not be as certain as previously assumed. We know that the tabling of the amendments to Bill C51 [renamed Bill C59] has granted our government extraordinary powers for surveillance and for prosecution of those whom they deem terrorist threats. Canada’s partnership with the Five Eyes Alliance enables them to have even more access and the ability to share more information with its global partners, namely the UK, US, Australia, and New Zealand. More specifically, there have been a series of recent coordinated efforts to pressure companies to weaken encryption systems by enabling backdoor use so that they may widen the scope of, and continue with, their mass surveillance.

This should cause some concern because we, ordinary citizens, need and use encryption every day in almost everything, from online banking to personal messaging apps like WhatsApp. With a lack of identity controls, society will be susceptible to identity theft, fraud, and the shutting down of businesses and even news media through ‘denial of service’ attacks. In terms of identity management (IDM), unless law and technology are crafted to respect certain “Properties of Identity”, there is no data protection; if there is no data protection, there is no accountability; and if there is no accountability, there is no trust.

As in the real world, a person may have any number of different “identities” in the electronic world, with a subset of identity information attached to each identity (e.g. an address). In the real world, identity is considered to entail a rather comprehensive set of “individual characteristics by which a thing or person is recognized or known”[1]. A person acting through digital identities may be familiar to others due to personas that he himself develops (with a persona being “the role that one assumes or displays in public or society; one’s public image or personality, as distinguished from the inner self”[2]).

So, for example: Growing up I was called Suzie. When I began working for BMO it was Monica who took a slight mentor’s role with me – actually all three women did, but it was Monica who held me aside one day in a casual conversation – this was just after she got promoted to Director – and said, “You know, you might want to think about changing your name. Suzie is kind of cute but it’s not as professional as, say for example, Suzanne.” I didn’t like ‘Suzanne’ so I went home and thought about what she said, and the next day I knocked on her office door and told her I’d like to be called Susan. She loved it and ever since then, when I engage in “9-5 business activity”, it’s Susan. Yet in my personal time I had become active in the art world developing my artistic pursuits; I wanted a different name to capture that aspect of life, so I used my birth and legal name, Susannah Marie. No, I wasn’t schizophrenic; I didn’t have 3 different people in one body. It was more a matter of having one body that engages in three different activities, and that’s where the digital world helps to categorize and facilitate these activities, each having its own branding, through the use of online profiles.

“The concept of multiple digital personas (the common parts of each which are linked together for quick update) enables the introduction of more nuanced relationships into online social networks. It is clear that the requirement for allowing a person to express himself differently in different contexts is fundamental to society in many ways. And it will be a requirement of all future IDM solutions as well. Creation and maintenance of multiple simultaneous, digital personas will become a new social norm.” [At Crossroads]

When information in a digital identity relates to an identified or identifiable natural person – meaning “one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity” – it constitutes “personal data”. “If IDM profiles substitute for the actual person – to the point where recognition is transferred to the profiles rather than to the person behind them – the concept of personhood dissolves.

For example: a faulty credit report. If a person has no way of knowing about an error that negatively affects his credit rating, he may be denied a loan to purchase a house. His enjoyment of rights suffers (in this case, the right to know what information is held about him and the ability to correct it so as to buy a home). The problem is caused by the fact that identity information is detached from the person’s control. Such detachment can lead to a diminishing of a person’s participation in society and basic enjoyment of personhood. The ability to control the use of one’s identity information is crucial for reminding others that there is a person behind data and enabling that person to have full status when dealing with others.” [At Crossroads]

Personhood demands control over the property for expression, and freedom accompanies that control over the property when it is enjoyed within a community. Data protection reflects a sense that a person should be able to control data relating to him, and that the state helps him enjoy those rights, so that people reign over their separate private spheres and have defensive liberties against the state.

Human Rights – Digital Personhood

Article 6 of the Universal Declaration of Human Rights states:

“Everyone has the right to recognition everywhere as a person before the law.”

In essence, the right to recognition as a person is foundational to a person’s enjoyment of all other rights. When individuals are not in effective control of their identity information, personhood and the enjoyment of human rights shrink. To understand why, it is important to remember that human rights attach to the person, as opposed to the profiles that may be built up from identity information about him/her. While it has always been the case in human history that a person’s reputation and actions have influenced others’ treatment of him, this tendency is magnified in IDM, as a person is effectively recognized by the spin-off profiles that begin to accrue for him. In other words, the danger is that what is relevant is no longer personhood – the recognition of a person as having status as a person – but rather a profile – the recognition of a pattern of past behavior. Those past actions themselves are not the source from which his human rights derive; rather, the state of being a person gives rise to those rights.

Data Protection, Cryptography and Encryption – [Online] Banking

So let’s talk about numbers. An odd topic, since math wasn’t one of my stronger subjects in school. I remember in grade 2 or 3 my sister having to have the patience of the biblical Job teaching me long division – I just couldn’t get it. When I hit high school, that’s when my school grades really began to suffer. My father, a mathematician and university professor who employs complex mathematical equations to solve problems, absolutely loved math, but the mathematical gene lay dormant in me. My high school teachers couldn’t understand why I did so well with my math homework – almost a perfect score – but when it came to tests and exams I suffered miserably. That’s because my dad would help me with my homework while the TV was on; he’d get excited teaching me about numbers and math and didn’t even notice I wasn’t learning but instead watching what was on TV, and in the end he actually did the work for me. No wonder I failed when it came to taking the tests!

Encryption is all about hard math, and encryption is the original goal of cryptography. The concept of prime numbers and how to generate them is critical to cryptography. It employs the concepts of prime numbers and relatively prime, also known as co-prime, numbers, as well as real numbers, imaginary numbers, natural and negative numbers. The concept is actually pretty simple: two numbers ‘x’ and ‘y’ are relatively prime when they share no common factor other than 1. There have been numerous attempts to formulate some algorithm that would consistently and efficiently generate prime numbers. Simply generating a random number and checking it by hand is impossible to do and could take quite some time even with a computer, and the primes used in cryptography need to be very large.

Data protection and cryptography form an increasingly important cyber-security functional area. Cryptography has gone from the specialized niche of protecting military communications to protecting almost every aspect of Internet communications and commerce. Cryptography is also critical to the success of strong authentication technologies such as digital certificates, smart cards, and one-time password tokens. It’s cryptography that protects data when your money is sitting at rest in your bank account and in transit if you pay a bill online or send money by e-transfer. It’s cryptography that provides strong authentication and non-repudiation for messages and data, supporting message identity and authenticity.

Even in the absence of such advanced technologies, it is important to remember that the simplest authentication mechanism (that is, username and password) employs its own cryptography in the form of a simple shared secret key, the password. [Enterprise Cyber-security, p58] Therefore, if you do your banking online, given the level of sophistication of cyber-criminals, you will need to add an extra layer of software protection, ideally one that is specifically designed and tasked with money management. Kaspersky is the best product on the market and is quite affordable for individual users, small businesses and corporations.

When you are ready to pay for anything online, whether it be your bill payments or online shopping, a new window opens up that has a bunch of extra layers of encrypted code to protect your transactions. It even has a passcode generator and management system to handle all of your passwords, including passwords for emails. You can download the program from Kaspersky’s website, but I recommend – as with any product that’s available in physical format – purchasing a copy on CD and having them courier the program to your house. A word of caution: regardless of how safe the publisher professes their products to be when downloading, you are still exposed to anyone who’s savvy enough to “hi-jack” your download and thus compromise the program and your system. But if you are willing to take the risk, and most of us do, then by all means go ahead and download the program.

Encryption and Data Breaches/Backdoor Access

Bank machines: we all know them and where to find them, as well as the inherent security risks that have significantly and progressively improved over the years. Yet your bank card is still prone to some cyber hacking through its electronic magnetic strip. I knew that as a teenager, the day I opened my first chequing account at National Bank. At the Bank of Montreal our department, the ABM Channel, handled all the automated bank machines across Canada and with them the information technology and security aspects. That’s when Rosa Caputto, our securities executive/expert, came on board and joined our team. Rosa inherited an unhappy team, in the sense that upper management split the IT department and the Manager who was tasked to look after the old team now suddenly had a new [female] boss. He wasn’t too happy. In any case, we made it work. I mention this because Public Key Infrastructure (PKI) was on the rise, occupying memos, letters, mailings, meetings, and conferences for Rosa – everything was PKI, PKI, PKI!

In short, PKI is an infrastructure that allows you to recognize which public key belongs to whom. There is a central authority called the Certificate Authority, or CA for short. The CA has a public/private key pair and publishes the public key. The CA verifies the person’s identity and then signs a digital statement called the certificate, which certifies that the key belongs to this specific individual. The problem of distributing and managing keys is one of the really difficult parts of cryptography, for which there are only partial solutions. Establishing cryptographic keys is an age-old problem, and one important contribution to the solution is public key cryptography. The significant idea behind public-key cryptography is that the key to encrypt a message is different from the key to decrypt that message. Public key cryptography makes the problem of distributing keys a lot simpler because only a single key, the public one, needs to be distributed.

“Data protection and cryptography’s goal is to protect the confidentiality and integrity of data using techniques such as encryption and digital signatures. The success of these techniques depends, in part, on enterprise key management that helps to ensure the cryptographic keys used for those operations are properly protected.” [Enterprise Cyber-security, p58] Establishing cryptographic keys is an age-old problem, and one important contribution to the solution is public-key encryption, which employs randomly generated prime numbers. The concept of random and prime numbers and how to generate them is critical to cryptography. To generate key material, we need a random number generator (RNG). Generating good randomness is a vital and necessary part of many cryptographic operations. Generating good randomness is also very challenging, and for this reason there have been many attempts to formulate some algorithm that would consistently and efficiently generate prime numbers.
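As an added illustration of the three passages above on generating primes, building a key pair from them, and a CA signing a certificate (example code written for this edit, not from the original post or from any product mentioned in it): it draws random candidates from the operating system’s RNG, checks each with the Miller-Rabin test, builds a textbook RSA key pair from two such primes, and has a hypothetical CA sign a statement binding a name to a public key, which anyone holding the CA’s public key can then check. The RSA signatures are unpadded and the keys deliberately small, so this shows the mechanism only; real PKI uses padded signatures and a vetted library.

```python
import hashlib
import random
from math import gcd

_SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_probable_prime(n: int, rounds: int = 20) -> bool:
    """Miller-Rabin: False means composite; True means prime except with
    probability at most 4**-rounds. This is the 'check it' step."""
    if n < 2:
        return False
    for p in _SMALL_PRIMES:            # cheap trial division first
        if n % p == 0:
            return n == p
    d, r = n - 1, 0                    # write n-1 = d * 2**r with d odd
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)  # random witness
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False               # a proves n composite
    return True

def random_prime(bits: int) -> int:
    """Draw odd candidates of exactly `bits` bits from the OS RNG until one passes."""
    rng = random.SystemRandom()
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand

def keypair_from_primes(p: int, q: int, e: int = 65537):
    """Textbook RSA; e must be co-prime to (p-1)(q-1) or d does not exist."""
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be co-prime to (p-1)(q-1)")
    d = pow(e, -1, phi)                # modular inverse (Python >= 3.8)
    n = p * q
    return (e, n), (d, n)              # (public key, private key)

def generate_keypair(bits: int = 512, e: int = 65537):
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        if p != q and gcd(e, (p - 1) * (q - 1)) == 1:
            return keypair_from_primes(p, q, e)

def _digest(message: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(priv, message: bytes) -> int:
    d, n = priv
    return pow(_digest(message, n), d, n)   # unpadded: demo only

def verify(pub, message: bytes, sig: int) -> bool:
    e, n = pub
    return pow(sig, e, n) == _digest(message, n)

def issue_certificate(ca_priv, subject: str, subject_pub) -> dict:
    """The CA's signed statement: 'this public key belongs to subject'."""
    e, n = subject_pub
    body = f"subject={subject};e={e};n={n}".encode()
    return {"body": body, "sig": sign(ca_priv, body)}

def verify_certificate(ca_pub, cert: dict):
    """Return (subject, public key) if the CA's signature holds, else None."""
    if not verify(ca_pub, cert["body"], cert["sig"]):
        return None
    fields = dict(kv.split("=", 1) for kv in cert["body"].decode().split(";"))
    return fields["subject"], (int(fields["e"]), int(fields["n"]))

if __name__ == "__main__":
    ca_pub, ca_priv = generate_keypair()        # the CA's own key pair
    bob_pub, _ = generate_keypair()             # hypothetical subject
    cert = issue_certificate(ca_priv, "bob@example.com", bob_pub)
    print(verify_certificate(ca_pub, cert))
```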

Somehow I am reminded of the data breaches we recently heard about in the news concerning the credit bureau Equifax. People want to be able to see what data other parties have on file about them, and they want an opportunity to contest those records. Having access to our records is crucial – keeping our records safe is imperative! I am by no means an expert on this, but I would have to imagine a code embedded in the magnetic strip of a bank card. Our bank and credit cards (and credit history information) come with a set of 15 digit numbers which we offer when we want to conduct a transaction, and once we give the numbers and password it signals the bank to authenticate. With bank machines we are strongly encouraged to use our own bank’s ATM rather than another’s, unless reputable, and to try to avoid the white-label machines: not only are the service fees expensive but they are more prone to the hacking of the card reading device that sits in the ATM and accesses your bank card information when you begin a transaction. The department was aware of the physical tampering of ATMs and it was a constant chore to anticipate it and improve our equipment.

Still, individuals themselves cannot always be privy to what is being done with their data by public and private actors spanning different jurisdictions. The law might generally require consent by a person if his personal data is used by an entity, but it might at the same time authorize use without consent for certain purposes, such as national security. As mentioned earlier, intelligence agencies are now pressuring companies, telecommunications and internet providers and the like to enable backdoor access, enabling these agencies to eavesdrop on unsuspecting citizens on the basis of national security. Even more alarming is when a cyber-criminal has your bank card and in turn uses it for online activity; they could get into your online banking and create all sorts of mischief. This is how some finance organized crime and/or terrorist-related activities, all under your identity, and with such activity mostly conducted through the dark web, no one would be the wiser. It is these criminals that, under Bill C51/59, authorities profess to search for and install surveillance of citizens’ activities – but at what cost to the law-abiding citizen?

An Ongoing Debate

For example, WhatsApp is an online messaging service, now owned by tech giant Facebook, that has grown into one of the world’s most important applications. More than a billion people trade messages, make phone calls, send photos, and swap videos using the service. This means that only Facebook itself runs a larger self-contained communications network. The founders of WhatsApp recently revealed that the company has added end-to-end encryption to every form of communication on its service. This means that if any group of people uses the latest version of WhatsApp—whether that group spans two people or ten—the service will encrypt all messages, phone calls, photos, and videos moving among them. And that’s true on any phone that runs the app, from iPhones to Android phones to Windows phones to old-school Nokia flip phones.

With end-to-end encryption in place, not even WhatsApp’s employees can read the data that’s sent across its network. In other words, WhatsApp has no way of complying with a court order demanding access to the content of any message, phone call, photo, or video traveling through its service. Like Apple, WhatsApp is, in practice, stonewalling the federal government, but it’s doing so on a larger front—one that spans roughly a billion devices. “Building secure products actually makes for a safer world, (though) many people in law enforcement may not agree with that.” With encryption, anyone can conduct business or talk to a doctor without worrying about eavesdroppers. With encryption, you can even be a whistleblower [or a human rights defender, an activist, or journalist]—and not worry.

According to a Guardian article, “Tech companies are facing demands from the home secretary, Amber Rudd, to build backdoors into their ‘completely unacceptable’ end-to-end encryption messaging apps.” Encryption is binary: either something is encrypted, and thus secure from everyone, or it’s not. If a backdoor exists, then anyone can exploit it. If you put a backdoor in, it’s there not just for security services to exploit, but for cyber-criminals, oppressive regimes and anyone else. And that’s the crux of the matter. The UK government could conceivably ban messaging companies that offer end-to-end encryption from operating in the UK. However, it is not clear how you would enforce that – and indeed it would be the people who do not want to be monitored who would find ways to avoid it.

The FBI’s attempt to force Apple to unlock an iPhone used by a terrorist set up a grand legal battle between security and privacy. On one side is a massive tech company envisioning a future similar to the setting in George Orwell’s “1984”, and on the other is the world’s most powerful government dangling the threat of a terrorist attack if it can’t get access to vital information. Cybersecurity experts said the dispute could have far-reaching implications for everything from how private our personal photos are to how tech companies work in other countries.

Hiding Data

“Along with the move from the government to the corporate sector, and the ease of use resulting from the pervasiveness of computers, a number of applications of cryptographic techniques, other than simply that for hiding data, have been developed. These have been motivated by needs of the digital age: how to confirm that a message received indeed came from the purported sender (it’s easy to change a sender name in most e-mail systems), how to prevent a sender from claiming that they did not, in fact, send the message you received, and how to make sure that the message received was the one sent and had not been altered. The most significant recent applications of cryptography are for identification of senders, authentication of senders and recipients as well as the messages themselves, and digital signatures applied to messages.” [Cryptography Engineering]

In such cases, an individual will be in the dark as to whether his identity information is being used for purposes to which he has not consented. There is arguably an ombudsman role for democratically accountable officials to play in verifying that citizen data, if shared without consent, receives proper treatment and is safeguarded from subsequent misuse by downstream actors.

Goodbye, Bank of Montreal!

I left Bank of Montreal not too long after Mathew Barrett left the organization, and with me went a copy of “You Are the Message” by media mogul Roger Ailes. It was Monica’s personal copy; she told me to keep the book as it would give ample advice on how to navigate my career since I was just starting out. To this day it’s still one of my favorite books.

The proposed merger between Bank of Montreal and Royal Bank caught everyone by surprise, and it was Finance Minister Paul Martin who hammered the nails in that coffin and killed the deal. In gossip circles, it was said that Paul Martin was offended that he wasn’t involved in the conversations about the proposal right from the beginning and had to learn about this possible merger with the rest of the public. I suppose his ego was bruised. It reminded me of the Quebec Premier, René Lévesque, who felt snubbed because he wasn’t included in the Kitchen Cabinet discussions and finally walked away from constitutional talks when his demands weren’t met. I don’t recall the technicalities Paul Martin was able to use to pull it off, yet he managed to kill the deal.

Mathew Barrett

Not too long after the merger fell through, Mr. Barrett announced he was resigning from his role at BMO to take on a new challenge overseas as Chief Executive Officer at Barclays Bank in the UK. It was a sad day. I remember Mr. Barrett addressing BMO employees to introduce his replacement, Tony Comper. Mr. Barrett was an excellent leader loved by everyone – the company threw him a going-away party and we wished him well.

A company is only as good as the people it employs. I chose to write about this work experience because that is where [unbeknownst to me] I was first introduced to encryption, security and digital technology. But more important is the warm memory it brings: the department of three fabulous women that introduced me first-hand to the challenges and successes of women moving up the corporate ladder, the camaraderie and challenges of navigating and working together as a team to meet deadlines and customer satisfaction, all inspired by an enigmatic leader whose presence as CEO lifted employee morale as we all worked to do better and to be better.


References:

[1] Definition of “identity” at http://wordnet.princeton.edu/perl/webwn, as viewed on 3 December 2007.
[2] The American Heritage Dictionary of the English Language, Fourth Edition. Houghton Mifflin Company, 2004. http://dictionary.reference.com/browse/persona (accessed 7 January 2008).