Making Citizens' systems more Secure: Practical Encryption Bypassing and Countermeasures
Marios Adam Sirgiannis, C. Manifavas, I. Papaefstathiou
2022 IEEE Symposium on Computers and Communications (ISCC), published 2022-06-30
DOI: 10.1109/ISCC55528.2022.9912814 (https://doi.org/10.1109/ISCC55528.2022.9912814)
Citation count: 0
Abstract
Cryptography is used to protect the confidentiality, integrity, and authenticity of information by preventing unauthorized users from accessing or modifying them. Encryption techniques are used to protect personal or company data. This work demonstrates practical scenarios where, under certain conditions, encryption may be bypassed. Bypassing encryption, either by recovering the encryption key, a password used to generate the encryption key, or a plaintext copy of the encrypted data, allows for accessing data which appear to be inaccessible in the first place. There are six categories for bypassing encryption: find the key, guess the key, compel the key, exploit a flaw in the encryption scheme, access unencrypted message when the device is in use and locate an unencrypted copy of the message. In this study we utilize publicly available software to demonstrate real-world scenarios that fall into most of the aforementioned categories and show how, in those specific cases, encryption may be successfully bypassed. Moreover, we underline that bypassing encryption is possible only when certain conditions are met (e.g., software misconfiguration, physical access to the target device, etc.) and we highlight each one of them so as to effectively suggest countermeasures to the demonstrated techniques for encryption bypassing. The main aim of this paper is to highlight how encryption can be bypassed and thus make citizens set up their system in such a way that it would be more difficult to be hacked. This is especially important for citizens that may have limited knowledge/exposure to technology as they can be, for example, people from certain diversity groups such as elderly and/or people of very low income.