CrySP research group helps maintain online security and privacy
The earliest example of cryptography — the study and practice of techniques to make communications secure — is thought to be a section of nonstandard hieroglyphics that was inscribed on the tomb of Khnumhotep II, an Egyptian nobleman who served pharaoh Amenemhat nearly 4,000 years ago.
The encoded hieroglyphics used what cryptographers call a substitution cipher, a type of code in which one symbol is exchanged for another. Scholars think its use likely was not to obscure the message on the tomb but rather to make it appear more dignified. Regardless of its purpose, the nonstandard hieroglyphics was an early form of cryptography.
Today, cryptography is used extensively in online information exchange, and instead of using simple character substitution it relies on complex mathematics to encrypt data to ensure its security and privacy.
Up until the Second World War most research on cryptography was for military purposes so that messages could be sent securely to troops over an insecure medium such as radio. More recently, as the World Wide Web began to be used widely for personal communications, to conduct transactions, and download information, cryptography in the public sphere became crucially important.
“This is because the Internet — like radio — is an insecure medium,” explained Ian Goldberg, a professor and university research chair in the David R. Cheriton School of Computer Science and a founding member of its Cryptography, Security, and Privacy (CrySP) research group.
“To transmit a secure message over an insecure medium you need to use cryptography, which scrambles or encodes the message in such a way that your intended receiver can understand it but eavesdroppers cannot. To do that there must be something your receiver knows that eavesdroppers don’t. Today, we call that a key and it’s used to unscramble or decrypt the message.”
Goldberg and his team develop cryptographic techniques that underpin a number of research areas and technological developments — from those that preserve online privacy and allow off-the-record messaging to those that resist Internet censorship and allow online information to be retrieved privately.
“Privacy is a broad field and many people think of it only as keeping secrets but that’s confidentiality, one small part of privacy,” he said. “There’s a lot more to it. For example, being able to control how information about you is collected and used is one aspect of privacy. If you live in a country where the Internet is censored then being able to freely download censored content is another example of privacy.”
To this end, Goldberg and his team have developed a censorship-resistance technology called Slitheen, which aims to allow people to access the free and open Internet in countries where it is restricted.
“Some countries block certain websites based on their web address or their content,” he explained. “Slitheen disguises your connection to a restricted website — for example, a connection to Wikipedia or the New York Times — to that of an allowed website, maybe a site about cute cats. Slitheen lets you access the New York Times website by redirecting your traffic to make it look to the censor that you’re on the cats website.”
Another aspect of Goldberg’s research involves privacy-enhancing technologies that would allow a user to obtain information from an online database without tipping his or her hand about what is being sought.
“Say you have a database of patents and I want to look up a particular patent but I don’t want to reveal which one I’m interested in. I could say, ‘Send me the database with all the patents and I’ll look it up myself,’ but that’s not something we’d ever do in practice, even though it’s clearly privacy preserving,” he said.
“But by using encryption, information theory and various other mathematical tools I can send you a query, and you send me the result, both of which are much smaller than the whole database. I learn about the patent I was interested in, but you will have no idea what I asked for.”
“Often you can do things that seem impossible, but that’s the magic of privacy-enhancing technologies and the cryptography that underlies them.”
Other technologies that have been developed by Goldberg’s group, such as off-the-record messaging software, have been used by hundreds of thousands of people around the world to protect their online security and privacy.
“Others have adapted our technology for the mobile space into the Signal protocol, which is used globally to protect mobile communications. Facebook Messenger uses Signal, WhatsApp Messenger uses it. A billion people now use this technology that had its origins in our group.”
Goldberg acknowledges that no matter how sophisticated or clever a system he and his team develops, the work is never complete.
“Unlike other fields of computer science, we have active adversaries. People see our research and how to protect a system and they use that to try to defeat it,” he said. “We have to play both sides of the game. There’s always an arms race where the defender makes a better system, then the attacker makes a better system. This is what makes the research fun and interesting but also very challenging.”