Friday, September 5, 2014

Encryption 101: Substitution ciphers

Jack Hammond
Junior Developer
Egress Software Technologies Ltd.
So far in this blog series, we’ve mainly focused on transposition ciphers, which encrypt their messages by shifting the letters around, as in the Caesar and Atbash ciphers, or by ‘jumbling them up’ in some way that makes discerning their true meaning difficult, à la the Columnar Transposition Cipher.

The simple substitution cipher

The basic idea of a substitution cipher is a simple one: take one letter in your message, let’s say ‘A’, and replace it with a different letter, such as ‘E’.
Sounds familiar?
Both the Atbash and Caesar ciphers used this basic principle, however they both have one weakness: predictability. Figure out how a handful of letters had been encrypted and you can pretty much break the entire message. (Learn more about how these ciphers work in my previous post: Encryption 101: Back to basics.)
The substitution cipher, however, takes this idea to the next level and provides a ‘random’ alphabet to encrypt the message. In other words, each letter is encrypted with its own key.
The table below displays an alphabet that I chose at random, simply placing letters in different locations until it was complete.

Plaintext alphabet
A
B
C
D
E
F
G
H
I
J
K
L
M
N
O
P
Q
R
S
T
U
V
W
X
Y
Z
Ciphertext alphabet
D
H
C
L
P
F
S
V
J
Y
U
O
B
R
N
T
Z
K
I
X
W
E
Q
M
G
A

This new alphabet makes figuring out the relationship between the plaintext and the ciphertext a lot harder, as the confusion that the cipher provides has been increased. The diffusion, however, is still fairly low – changing one letter in the plaintext will still only change one letter in the ciptertext – but this won’t really increase in complexity until we start looking at more modern examples.
However, while the Atbash cipher had just one key and the Caesar cipher had 25, the substitution cipher has 26 (factorial) unique keys. This works out to about 403,291,461,126,605,635,584,000,000 different ways to write the alphabet!
As you can see, the number of keys increases rapidly the more the ciphers advance.

More keys = More secure?

While one might think that having a vast number of keys to choose from is a good security metric – after all, what attacker is going to sit there and write out every possible permutation of the alphabet, run your ciphertext through it and see whether they can break the encryption – substitution ciphers still suffer the same inherit weakness as the transposition ciphers before them: letter frequency analysis.(I discussed this topic in further detail when looking at weaknesses in the Caesar cipher.)

Defeating letter frequency analysis

Letter frequency analysis has so far proven to be a very powerful cryptanalysis method, so you would be forgiven for thinking that eventually all ciphers would be cracked by it.
As part of this Encryption 101 series, however, we will move onto the Vigenere Cipher, Substitution-Permutation Networks, which start to try to increase the diffusion property of the encryption process to make the relationship between plaintext and ciphertext. We’ll also take a look at the One Time Pad cipher, which some argue is the only form of ‘perfect’ cryptography we’ve ever created – however nothing is perfect in the world of cryptography and even this ‘perfect’ cipher has its drawbacks.

Your turn to crack the code (try these at your desk!)

For these examples, we’ll be using the substituted alphabet that we create earlier in the blog to encrypt and decrypt some messages. You’ll also be asked to carry out a letter frequency analysis on a piece of ciphertext to see whether you can uncover the ‘cipherbet’ used to encrypt it.

  1. Using the cipherbet, encrypt the following phrase:
    • ‘You either die a hero, or live long enough to see yourself become the villain’
    • Answer: gnw pjxvpk ljp d vpkn, nk ojep onrs prnwsv xn ipp gnwkipof hpcnbp xvp ejoodjr
  2. Using the cipherbet, recover the plaintext message from the ciphertext. The spaces between the words has been removed to make it a little harder:
    • ‘hpcdwip vp'i xvp vpkn snxvdb lpipkepi, hwx rnx xvp nrp jx rppli kjsvx rnq’
    •  Answer: Because he's the hero Gotham deserves, but not the one it needs right now
  3. Now for something a little harder. Using the website and ciphertext below, see whether by using letter frequency analysis you can recover not only the plaintext message but also the cipherbet used to encrypt it:

Friday, August 15, 2014

Practical steps you should be taking to unleash the full benefits of Cloud Computing

Neil Larkins
Chief Operating Officer
Egress Software Technologies Ltd.
The last 12 months have seen have a tangible change in perception around the security of Cloud-based communication solutions. With Edward Snowden revealing the extent of international Government surveillance, in addition to data losses and breaches earning a higher level of media coverage, there has been an understandable hesitancy about procuring Cloud-based communication solutions.
However in my view, so long as the correct approach is taken, the Cloud can provide the same, if not a greater, level of security as on-premise offerings, with the added advantages of cost reductions, reduced management overhead and increased flexibility – an approach that I presented at Europe’s largest information security event, Infosecurity Europe 2014.

Manage risk with 'smart encryption'

Data residency’ – the concept of where your data is stored and processed, and who consequently has jurisdiction over it – has become one of the go-to reasons for avoiding the Cloud. However, a well-informed approach to data sharing can mitigate this risk.
Before undertaking any contractual agreement with a Cloud-based service provider, ask yourself the following questions:
  • Does your service provider have access to your servers and data? 
  • Do they have the appropriate service accreditations and procedures in place to look after your data? 
  • Where will your data live and will it be replicated to other geographical locations? 
  • What are your options should you want to change providers? 
If concerned about any of the above, you should probably question whether you’re using the right service provider!
In addition, by adopting ‘smart encryption’ to data that you expose to any third party provider and by remaining in control of the associated keys, you not only ensure the information is protected but also that you can track and audit it wherever it resides.

Extending the parameters of your control

The systems in place to share data securely must not only ensure legitimate distribution but also actively promote user control.
Essentially, it comes down to identifying the extent to which an end-user can be trusted (based on key factors such as the domain, browser, device and IP range being used to access the information) and being able to apply different access controls to reflect this.
For example, when sharing confidential information with a ‘trusted’ business partner – who is accessing it from an authorised domain through a compliant browser or application on a federated secure network with a verified IP range – then it would be possible to grant this particular end-user ‘full access’ (meaning they can, for example, download and print the information). Alternatively, if you have an ‘untrusted’ business partner, with whom you don’t have a federated trust relationship, then it is possible to only grant them ‘restricted access’, enabling them to simply view the information in a hosted environment.
If the information is subsequently forwarded to an unknown and ‘untrusted’ third party – or even if a known recipient is attempting to access information using a non-compliant browser or device or from an unknown location – it is possible to deny access altogether.

Embrace the Cloud - just secure it too!

At Egress, we like to call this thought-out method 'taking a risk-managed approach' - recognising the need to share sensitive information electronically, and consequently applying all suitable and available mechanisms to ensure the information is protected. In doing so, the benefits of cloud computing need not be sacrificed in the name of data protection.

Wednesday, August 6, 2014

The fall of TrueCrypt: Reminding us all to choose our encryption solutions carefully

Daniel Hoy
UK Marketing Manager
Egress Software Technologies Ltd.
Much has been written about the motives behind the recent shutdown of open source endpoint and file encryption product TrueCrypt. Whether you believe some of the conspiracy theories or the reason given on the TrueCrypt website (which puts it down to Microsoft ending support for Windows XP) there is a lesson in this story for us all.

Fans of TrueCrypt have for many years used it as an example of how open source technology can be effectively used to solve business and personal data privacy challenges. Used to encrypt data at the endpoint, in addition to file attachments, TrueCrypt was relied on by thousands of users to protect their highly sensitive information.

However, this sudden exit from the market, leaving organisations and individuals fearful that their data may now be compromised, highlights the very real risk behind selecting open source technology to solve information security requirements. On one hand the software may be free to use, but on the other, is this cost saving worth placing data privacy at risk?

Protecting sensitive data isn’t something that should be taken lightly, and careful monitoring of those individuals that contribute to the development of encryption software using best practise standards plays an essential part when delivering information assurance. Consequently when procuring a new technical solution, particularly data security or encryption services, it is imperative for organisations to choose a solution provider that offers both openly validated technology, as well as the reliability, long-term technical support and SLAs offered by a stable commercial business.

Wednesday, July 30, 2014

Why does Egress’ ISO/IEC 27001:2013 certification matter?

Richard Green
Senior Project Manager
Egress Software Technologies Ltd.
ISO27001 certification provides organisations with a way to demonstrate the strength of their security practices to customers, prospects and partners – however, although a company may already be working to the correct standards, actually undertaking formal certification requires a considerable commitment of man hours across the business. Consequently, organisations need to get the timing right when submitting for formal certification: undertake this too lightly and you may very well end up having to repeat the process further down the line.
At Egress, we continually seek to benchmark our technologies and processes against the highest levels of certification and accreditation. With the publication of the updated ISO standard in September 2013, we decided the time was right to formally certify ourselves against a standard we had informally been working to for some time.
This meant we needed to prove that we manage key business risks effectively, and ensure that our existing policies and procedures were moved into a robust, international standard called an information security management system (ISMS). Our first step was to define the scope of our ISMS, before fleshing out our Security Policy and undertaking an extensive risk assessment across all key Egress business areas, culminating in a score that represented our current risk level.

What does ISO/IEC 2700:2013 involve?

Stepping up from the old 2005 standard, and among other improvements, the 2013 one puts more emphasis on measuring and evaluating how well your ISMS is performing. As we were documenting our ISMS afresh, we tackled this from the ground up to create a tailor-made management system.
By December 2013, we’d planned our ISMS design, assessed our information security risks and had started to align appropriate controls against them. Moving into 2014, we started to formally implement and operate these as company policies and processes, together with the system controls they applied to, such as Access Control, Incident Management, Business Continuity, Physical Security, HR and Technical Procedures – everything you would imagine you’d need to support an effective and efficient management system.
Throughout the process, these controls were reviewed and constantly evaluated to ensure they were fit for purpose. In reality, and despite us fully discussing our requirements and agreeing pragmatic resolutions to our business challenges, a few processes needed some fine tuning to make them work as well as we had originally anticipated. Most problem areas were identified internally, however BSI (our external auditors) highlighted a dwindling action list as we progressed through our pre-certification visit, Stage 1 and Stage 2 Audits.

What does this mean for Egress?

Although we had been working to the ISO standard for some time, since our formal ISO 27001 certification in June, we’ve already noticed how this creates a market differentiation due to prestige, image and external goodwill. Being ISO certified has also allowed us to meet contractual requirements more easily, as well as being a positive selling point for additional business. Internally, it’s given us an assurance of a set standard of information security throughout Egress, demonstrating to staff that we have total buy-in for this from the Egress Management Team.
ISO 27001 is also the foundation block for other accreditations and is now providing key evidence in our Pan Government Accreditation (PGA \ G-Cloud).
Even though we’re now formally certified, Egress will still have an external ‘continual assessment visit’ every year and will be audited for recertification every third year. By allowing independent reviews, Egress will provide ongoing assurance of our information security practices to both customers and partners.

In conclusion

ISO 27001 provides a holistic, risk-based approach to information security and compliance, providing confidence for clients, partners and internal staff. By undertaking formal certification of this new standard, Egress has successfully demonstrated its commitment to not only providing market-leading technology, but doing so by working efficiently and securely to ensure the service we provide to customers and partners is of the same equally high standard. Our ISMS is now fulfilling its role very effectively, such that it’s now part of Egress’ everyday business, helping us to identify and manage risks to key Egress information and systems assets in a cycle of continual improvement, raising the security awareness of all staff, together with monthly ISMS management meetings feeding into our existing management sessions.
This is the best way ISO 27001 can demonstrate its value to any business!

Monday, July 14, 2014

New ‘snooping law’ is another reminder to keep our data secure

Daniel Hoy
UK Marketing Manager
Egress Software Technologies Ltd.
Last week’s passing of an emergency law to ensure that the UK police and security services can continue to access email and phone data relating to British citizens for up to 12 months is yet another reminder of the need to secure our most sensitive information (http://www.bbc.co.uk/news/uk-politics-28237111 and http://www.lbc.co.uk/new-snooping-law-needed-to-keep-uk-safe-93547).

This move represents an attempt by the UK Government to protect existing powers after the European Court of Justice ruled in April that existing legislation was unlawful and breached human rights. Prime Minister David Cameron defended the decision, stating the law was intended to protect citizens and the state from terrorist attack.

Whether you agree with granting governments access to personal data stored by service providers in the name of national security or not, this story serves as another reminder that sensitive information handled or stored by external third parties needs to be secured appropriately.

After all, if governments can access / intercept data and emails, then so can other less credible entities and organisations!

This is a topic we have covered regularly on the Egress blog and in our news pages:





At Egress, we see this type of news coverage as a real positive for the data security industry.

Regardless of the politics or the perceived terrorist threat, it demonstrates yet again that organisations and individuals need to question the underlying security of their data and apply greater due diligence when procuring a new system via a third party service provider – a point supported by some recent market research.

Wednesday, May 14, 2014

Product launch, presentation and prizes: The highs of Infosecurity Europe 2014

Rebecca Bailey
Senior PR & Marketing Executive
Egress Software Technologies Ltd.
Egress Software Technologies enjoyed a busy three days at Infosecurity Europe 2014 earlier this month. Whether interested in the launch of our latest product, Egress Switch Secure Workspace; discussing current issues in data security with the Egress team; or trying their hand at the Egress Buzz Wire Challenge, our stand proved incredibly popular with delegates.

In addition, Egress COO Neil Larkins presented to a packed audience in the Technical Theatre during Day Two, examining ‘Who’s really accessing your data? Building information assurance in a cloud-facing world’. Such discussions also continued on the stand, where delegates were invited to take part in the ‘2014: The Year or Encryption’ market survey – the results of which will be published in the coming days.

Day One: Launching Switch Secure Workspace


Arriving for the final Infosecurity Europe event to be held at Earls Court, the Egress team stood out against the crowd in our unmistakeable orange tops. Moreover, based on the Egress Trust Network, our unique community-based licensing model, the fantastic design of the Egress stand provided a great talking point for delegates.

Forming the focus for Day One, the launch of Secure Workspace responded directly to the market’s need for a secure Cloud-based online collaboration platform. The latest pillar of functionality of the award-winning Egress Switch encryption platform, this Cloud-based service offers end-to-end secure collaboration by encrypting information at rest and in transit. For the first time, Infosec14 delegates were given the opportunity to demo Switch Secure Workspace, visiting the Egress stand to examine this next generation of secure online collaboration.

The evening, meanwhile, gave the Egress team chance to rest their tired legs in Drayton Arms, where we hosted a drinks reception for attending clients.

Day Two: Building information assurance in the Year of Encryption

Refreshed and ready for Day Two, we returned to an even busier stand than the day before. While Switch demos continued and the Egress team caught up with more delegates, COO Neil Larkins presented to a full Technical Theatre. With standing room only, Neil challenged his audience to examine how they build information assurance when using Cloud services to share sensitive information securely.

The recent media coverage of high-profile data breaches and the impact of Edward Snowden’s revelations regarding the scale of international data surveillance, a topic we covered here, have raised concerns about the security of shared data in the Cloud. Neil encouraged delegates to examine the issues of data residency, risks posed by service providers, how to ensure controlled release of sensitive data and gaining identity assurance over communities of third party recipients.

Inciting debate amongst attendees, many of these topical discussions continued on the Egress exhibition stand throughout the event and tied in well with the market survey being conducted by members of the Egress team. Entitled ‘2014: The Year of Encryption’, the survey gave delegates the chance to offer their opinions on a range of current subjects, including whether Snowden’s revelations have increased their awareness of data protection, how secure they subsequently perceive Cloud solutions to be, and the upcoming reforms to the European Data Protection Act. Look out for the results of the survey on the Egress website in the coming days.

Day Three: Going out with a buzz

Back by popular demand, the Egress Buzz Wire Challenge ran throughout Infosec14, with a Samsung Galaxy Tab 3 being awarded for the fastest lap time each day. This year saw the 2013 record (11.9s set at NISC2013) repeatedly broken and we’re delighted to announce our three winners, alongside their times:

Day One: Phil Yeo – 12.5s
Day Two: Davinder Hunjan – 10.45s
Day Three: Imogen Cummings – 10.0s

Further congratulations go to Allan Sneddon, who took part in the @EgressSwitch Twitter competition to win a Kindle Fire HD.

Packed with demos and delegates, Infosec14 provided Egress with a fantastic opportunity to not only discuss our latest offerings and developments, but to also listen to attendees views and opinions about the continual evolutions of the data security market - and we look forward to next year's event, when we will be able to reflect on whether 2014 has truly proven to be the Year of Encryption

Day One: Phil Yeo - 12.6s
Day Two: Davinder Hunjan - 10.45s
Day Three: Imogen Cummings - 10.0s

Wednesday, May 7, 2014

The Mail app bug: How can you protect documents stored on iOS 7 devices?

Andy Whittlestone
Senior Software Developer
Egress Software Technologies Ltd.
Late last month, Andreas Kurtz, of NESCO Security Labs, published claims on his personal blog that attachments in the Mail app have not been encrypted at rest in iOS 7, as Apple assures user they are, since at least version 7.0.4 and including the current version, 7.1.1.

Kurtz discovered the bug by restoring an iPhone 4 to iOS 7.1 and 7.1.1, and setting up an IMAP email account. After performing certain tests, Kurtz found that all attachments were accessible without any encryption, with the same proving true for iPhone 5s and iPad 2 devices.

While Apple has responded to the claims – with a spokeswoman declaring: “We’re aware of the issue and are working on a fix which we will deliver in a future software update.” – they haven’t provided a timescale for when a fix will be available.

Protect your email attachments on iOS 7 devices

With mobile devices being used increasingly more often to send and receive personal and commercially sensitive documentation, it is imperative that this information is protected.

Encrypting email attachments as ‘.switch’ files, the Egress Switch Secure Email app secures documents when stored on iOS 7 devices. These files can only be accessed using the correct credentials and the Secure Email app, which also gives users the ability to deny unauthorised access attempts and, if required, revoke access to sent information.

Consequently, while Apple works to resolve the Mail app bug, Switch will continue to enable users to share confidential information with confidence. 

Monday, April 28, 2014

Cloud-based collaboration: It's better together

Rebecca Bailey
Senior PR & Marketing Executive
Egress Software Technologies Ltd.
Aside from data security concerns, a topic we recently examined here, online (Cloud-based) collaboration sites can also present IT management and integration issues. For many, such sites are seen as separate from traditional email and file transfer systems, meaning they are procured, developed and managed differently, with solutions kept in insolation from one another.

By taking this approach, however, organisations risk adding layers of complexity to their IT infrastructure – resulting in data silos, additional ongoing management overhead and low end-user take up.

Systems in silo

In the absence of a centrally managed solution, end-users often select collaboration sites on an ad-hoc basis, away from existing solutions for email and file transfer. Consequently, IT staff and senior managers end up with another system to manage and reduced visibility over what information is being shared where and with whom, both inside and outside of their organisation’s network boundary. Similarly, managing multiple sets of credentials for different collaboration, email and file transfer systems can create problems for users, who may resort to using other, less secure file sharing mechanisms as an answer to this. Not only does this heighten the risk of data breaches but it also impacts efficiency – one of the very reasons these services are used in the first place.

Moreover, even when solutions are procured centrally, if they don’t integrate with existing infrastructure, organisations will continue to risk added complexity and, consequently, the cost-effectiveness of their chosen solution.

The benefits of an integrated approach to online collaboration

To simplify this process and increase control over the information that employees are sharing with internal peers and external third parties, an integrated approach to data management must be taken.

This potentially involves procuring online collaboration solutions as part of a broad information sharing platform that also includes email and file transfer functionality. Moreover, it is also important that collaboration tools integrate well with an organisations’ existing IT infrastructure, such as archive and document management systems, to improve workflow and business processes.

Cloud solutions are championed for increasing efficiency and reducing costs – however a disjointed approach to procuring such platforms risks jeopardising these benefits. 

Thursday, April 24, 2014

Cloud-based collaboration: Golden goose or white elephant?

Rebecca Bailey
Senior PR & Marketing Executive
Egress Software Technologies Ltd.
Have you ever stopped to consider the sensitivity and potential value of the information you disclose using one of the many widely available, online collaboration and file sharing websites?
The go-to solution for multiple email threads and file transfers, as well as for improved project and document management between co-workers and external third parties, collaboration sites have grown in prominence within business. Offering the ability to edit in real time and check in / check out documents, these sites seem to solve many business challenges, such as efficiency, cost overheads, and sharing information from private networks without numerous emails and file transfers.

While these sites all claim to have invested heavily in security and authentication mechanisms designed to keep user data safe, recent stories in the press have caused many to question this:




Understanding the security threats

Typically, security breaches can be routed back to one of the following causes –or in some cases, both.

Access control

By their very nature, collaboration platforms have been designed with ease of access in mind. Internal and external access to documents and information enables users to share content and work collectively on files, which in turn offers substantial efficiency and cost saving potential. However, if insufficient access control mechanisms are put in place, the risks to data protection can be significant.

In many cases, once a user has gone through the initial authentication process steps, there is nothing to stop them from sharing personal or commercially sensitive data with an extended group of external third parties. Additionally, with no auditing or tracking capabilities, in many cases an organisation’s IT team will have little to no visibility over what information has left the corporate network.

This reduced control also extends to the types of devices and applications that are used to access the data. With links being forwarded to different email addresses, for instance, sensitive information can be downloaded onto personal laptops. This is not only a concern due to potential malware or viruses existing on these devices, but also means that individuals can continue to access certain information after they have left a project or, even, the company.

The hacker / cyber security threat

The recent disclosure of the Heartbleed bug and the ease with which hackers have bypassed the security / authentication mechanisms of many websites that were previously perceived as secure raises a more fundamental security concern. As Dropbox found out when they were hacked two years ago, the consequences of unpermitted users gaining access to unencrypted data can be disastrous. An attentive reading of the security credential webpages of many online collaboration service providers shows that although they may have taken measures to protect data in transit using TLS, very few have taken steps to encrypt information at rest.

A secure approach to online collaboration

These factors pose significant threats to data security – however, they shouldn’t be used as excuses to avoid collaboration through Cloud-based service providers. Organisations should be able to take advantage of the benefits offered by online collaboration sites, such as time and cost efficiencies, without compromising their data security.

Investment must be made in suitably secure platforms. Sensitive data needs to be encrypted both in transit and at rest, and appropriate access control mechanisms need to be implemented so that organisations and central administrators have full visibility and control over who accesses information – including the ability to restrict the access rights of those no longer relevant to the project, such as ex-employees. Online collaboration shouldn't be an issue that makes senior management and IT departments uncomfortable. The benefits of Cloud services and data protection shouldn't be mutually exclusive. 

Friday, March 21, 2014

Snowden: What have we learnt?

“There can be no faith in government if our highest offices are excused from scrutiny - they should be setting the example of transparency.” – Edward Snowden, 2013.

The topic of data security and privacy has captured plenty of headlines and column inches since Edward Snowden’s revelations regarding the NSA collecting large-scale data on individuals – and questions have been raised about the way that we trust our governments and businesses to handle our information.

Individual privacy vs national security?

One of the main points that arose from Snowden’s revelations is the balance between individual privacy and national security. While governments need to take measures to ensure that national security is not compromised and their borders are protected, has this pursuit taken priority over the privacy rights of the individual?

The mass collection of data has raised questions, with some calling it a waste of resources and others saying it damages communication security at the expense of protecting individuals’ information.

In this current era of the internet, social sharing is now commonplace, with people using social networks to share intimate details of their everyday lives. However, this shouldn’t negate the fact that our national governments are collecting huge stores of data with no clear or intended purpose in the interests of national security. In his TED Talk, Mikko Hypponen makes an interesting point about individual privacy, stating that it should be “non-negotiable and built into all of the systems we use”. But how clear are national governments and businesses being with our information?

Transparency – clear as mud?

The bond of trust is one that is built through an exchange of honesty and openness between the individual and the entity in question. Upon reflection of Snowden’s revelations last summer, there are still challenges that governments and organisations face with the collection and storage of data.

As mentioned in a previous post, the US Patriot Act has implications for how data is stored and accessed; an issue that is also currently being debated within European Parliament. Companies such as Google and Microsoft are already taking into consideration where data is stored, with the former encrypting searches and the latter offering overseas data storage in response to NSA concerns. However, other challenges include:
  • The need to ensure the data about individuals that is collected and stored is kept secure and only shared with trusted people and organisations
  • Making sure people are trained and educated in data protection
  • Ensuring data is used for specific purposes only
  • Keeping accountability and transparency paramount
The impact of Snowden’s revelations has been far reaching, with the issues of privacy, national security and transparency ever-changing. What is important is keeping in mind the people who are affected by these issues, ensuring that they are well-protected and that their individual rights are being considered with the strictest confidence.

Friday, March 14, 2014

Encryption 101: Columnar Transposition Cipher

Jack Hammond
Junior Developer
Egress Software Technologies Ltd.
As part of the Encryption 101 series, we’ve previously looked at the Caesar cipher – a simple transposition cipher that sees every letter in the plaintext shifted by a set number (otherwise known as the key). So, for example, using a key of ‘4’, the following encryption occurs:

Plaintext: We can only see a short distance ahead, but we can see plenty there that needs to be done

Ciphertext: Ai ger srpc wii e wlsvx hmwxergi elieh, fyx ai ger wii tpirxc xlivi xlex riihw xs fi hsri

Columnar transposition

This post will focus on a columnar transposition cipher – a slightly more advanced transposition cipher that produces very different results. If we take the same phrase as above and run it through a columnar transposition cipher, the ciphertext would read:

OETNAEEYTEEX ASOTHTSNRNOE NERAEWETEEBX CYHSAUNEETTN WNADCDCPTHDD ELSIEBALHASO

Right away, we can see that this looks vastly different to the previous result: if you saw these two pieces of ciphertext next to each other, you’d initially have no way of knowing that they contained an identical message.

Working with columns

As with every cipher, you first need to define a key. For this example, we’ll be using the keyword of ‘Turing’, which will define how many columns we’ll use to encrypt the message: since the keyword has six letters in it, we’ll be using six columns.

To encrypt the text, we write each letter of the keyword at the top of a column. In the next row, each letter is given a number that dictates its alphabetical position in the keyword: since ‘G’ is the first letter of the alphabet that is present in the keyword, it gets designated ‘1’; ‘I’ is given ‘2’ as it appears next; and so on. Then we simply write the text we wish to encrypt out under it, moving to a new line once we reach the end of each row. (As we are using Regular Case transposition in this example, any empty cells at the end have been padded with the letter ‘X’.)

T
U
R
I
N
G
5
6
4
2
3
1
W
E
C
A
N
O
N
L
Y
S
E
E
A
S
H
O
R
T
D
I
S
T
A
N
C
E
A
H
E
A
D
B
U
T
W
E
C
A
N
S
E
E
P
L
E
N
T
Y
T
H
E
R
E
T
H
A
T
N
E
E
D
S
T
O
B
E
D
O
N
E
X
X

Using this table, we can now create our ciphertext. Starting with the column ‘1’ (‘G’ in this case), we now read down the whole column, writing out each letter in turn, which results in:

OETNAEEYTEEX ASOTHTSNRNOE NERAEWETEEBX CYHSAUNEETTN WNADCDCPTHDD ELSIEBALHASO.

Decrypting

Now that we have an encrypted piece of text, we need to know how to recover the actual message. If you know the keyword, this process is fairly straight forward. All you do is start with the letter in the keyword that appears first in the alphabet, in this case G, and put this at the top of the first column. Then put the letter that appears next in the alphabet at the top of the second column, etc.

With that done, start writing out the ciphertext – however, whereas before we wrote across the rows, this time we write down the columns.


G
I
N
R
T
U
1
2
3
4
5
6
O
A
N
C
W
E
E
S
E
Y
N
L
T
O
R
H
A
S
N
T
A
S
D
I
A
H
E
A
C
E
E
T
W
U
D
B
E
S
E
N
C
A
Y
N
T
E
P
L
T
R
E
E
T
H
E
N
E
T
H
A
E
O
B
T
D
S
X
E
X
N
D
O

Once the columns have been written out, rearrange them so the keyword makes sense and then read the resulting text off row-by-row.

Increased complexity = Increased security?

This initially seems to be a more complex method of encryption compared to the simple transposition cipher – and therefore it surely must provide more security? The answer is both ‘yes’ and ‘no’.

When this cipher was first created, it would have of course provided more security than those that came before it. However, it still possesses one weakness that was present in earlier ciphers: namely, the letter frequency will still closely resemble that of the original plaintext, thus making the ciphertext potentially vulnerable to a frequency analysis attack.

Your turn to crack the code (try these at your desk!)

Try the following examples at your desk and see if you get the correct results. Since these might take a while to crack, there are only two this time.
  1. Using the ‘encryption’ as a keyword, encrypt the following phrase (with ‘x’ as padding if needed):
    • “The obvious mathematical breakthrough would be development of an easy way to factor large prime numbers” (Bill Gates)
    • Answer: etbgeoyautmaoenwreottlpacrshaludtalnscrbeyomxuihdmstixvmaolnfeeohrhvftrmiakuoeaprbeeweaogb
  2. Using ‘cryptography’ as a keyword, decrypt the following ciphertext:
    • oafntplnpyimrsexyedlccbegsixhhidtwfarkyleithapax
    • Answer: The cryptographic key was split by Diffie and Hellman