Unveiling the Secrets of Cryptography with Panos Louridas: Early Computing, Encryption, and Modern Challenges

January 28, 2025

In this episode of SecureTalk, host Justin Beals warmly welcomes Panos Louridas for an insightful discussion on the history, evolution, and future of cryptography. Panos has deep expertise and authored a book called "Cryptography" that helps explain the history of keeping secrets, important innovations in the field, and the mathematical functions of effective encryption.

They delve into Panos's early interest in computing, starting with a ZX Spectrum and his recent book on cryptography, which aims to make complex algorithms accessible to those with a high school level of mathematics. The conversation traverses the critical role of cryptography in our digital lives, the potential impacts of quantum computing, and the practical aspects of key management in modern web applications. Panos also shares captivating stories from the history of the Enigma machine and discusses the ongoing arms race in cryptography. Perfect for cybersecurity experts, this episode offers a rich blend of historical anecdotes, technical insights, and future-looking perspectives.

 

Book: Louridas, Panos. Cryptography. MIT Press, 2024.  

Link: https://mitpress.mit.edu/9780262549028/cryptography/

 

00:00 Welcome to SecureTalk

00:28 The Importance of Cryptography

02:21 Introducing Panos Louridas

03:41 Panos Louridas' Journey into Computing

06:11 The Evolution of Cryptography

12:13 The Enigma Machine and Its Legacy

19:03 Security by Obscurity: A Fallacy

22:32 Speculations on NSA Backdoors

23:21 Government Contributions to Cryptography

24:51 Evolution and Security of AES

27:10 Challenges in Generating Randomness

28:15 Quantum Computing and Cryptography

33:45 Key Management in Modern Web Applications

36:53 TLS and AES: Understanding Their Relationship

39:01 The Human Factor in Cryptography

40:38 Making Cryptography Accessible

42:58 Conclusion and Final Thoughts


Secure Talk EP 207 Panos Louridas

Justin Beals: Our ability to use the internet is predicated on a really critical concept. It's the concept that we can keep information secret. Keeping information secret has been not just a computer issue but an issue really throughout the ages of humanity, as, uh, certain topics or sensitive bits of information were meant to be kept private from certain groups, and methods of communicating in secret have been designed and developed for centuries, if not millennia.

Of course, our digital age and the amount of data that we push over the internet has brought a new level of. Importance to cryptography and encryption as a practice, and certainly as people that either develop software or are computer scientists more broadly, the concept of cryptography and the development of encryption technologies has allowed business to happen and comfortability and sharing personal information and even development.

Being able to win a deal or, create an outcome from a business perspective through your ability to keep information private and secure. A lot of our customers these days ask us how we keep data secure, and they want to know what type of cryptography and encryption we utilize. It's important to be able to talk to it both philosophically, conceptually, and technically.

All difficult areas of discussion that require both a sense of the mathematics, a sense of the technical implementation characteristics, and a sense of what's expected broadly in the marketplace. Today we have a deep expert in encryption joining us. Uh, someone that has written a number of books to help both lay people and those working in the computer science field to understand how encryption and cryptography works and why it's important.

So please join me today in welcoming Panos Louridas. Panos is a professor in the Department of Management Science and Technology at the Athens University of Economics and Business. He's the author of three books, Real-World Algorithms, Algorithms, and Cryptography, all published by MIT Press. He is also the head of research and development at GRNet, which is responsible for designing, implementing, and deploying secure digital services used by millions of citizens in their dealings with the public sector in Greece.

Please join me today in welcoming Panos to SecureTalk. 

----------

Justin Beals: Panos, thanks for joining us today on SecureTalk. We're really lucky to have you.

Panos Louridas: to be here. Thank you.

Justin Beals: I have to say, I love your background. All my best work is done on something that I can erase. I don't know what for. That looks really exciting, though.

Panos Louridas: Actually, this is a wall. It's painted with a special paint, so we just use the wall. 

Justin Beals: That's perfect. Yeah. One of the things we always like to ask our guests as we get to know them is, how did you become interested in computing? You know, were there any early experiences before your professional career that kind of got you enthralled with the work?

Panos Louridas: Well, it was mostly by accident, I guess. So when I was young, I was a Boy Scout, about 12 years old. And then our team leader, who was a student, he was studying electrical engineering, and he had one of these home computers of the age of the Commodore 64 and the ZX Spectrums, this kind of machine.

So he had a ZX Spectrum and he had used it to show us how computers work. And I was kind of interested and in one semester. During the semester, he had to work only on one of these big computers they had in the lab and not on his home computer. He told me, would you like to have it for six months so that you can learn how to program?

I said, yeah, why not? So he was kind enough to lend it to me, and well, that was it. So that's how I learned, uh, programming and, uh, yeah, appreciating the whole stuff, yeah. 

Justin Beals: Ah, that's brilliant. Yeah. I never got my Eagle Scout. I got as far as Life Scout, but I do think I had a computing merit badge somewhere along the way.

Certainly, I had an Apple IIe, I think, or something when I was a kid; it was the first one I got to play with. Yeah. But it is intriguing, right? Like when you're like, Oh, I can manipulate this thing in a lot of unique ways. 

Panos Louridas: Most people would do it for games, but I thought, well, this is more interesting than just playing here.

Justin Beals: I got interested in the game side, but then I think especially once we got networks, you know, where you could dial into a system, that changed things. I think the way I viewed it, probably you as well, it looked very powerful.

Panos Louridas: I still remember the first time I got into a computer network. And I still remember the moment. It was really amazing. When I realized, wait a minute, I'm not alone here. I can, it was amazing. I still remember I was sitting in a lab and then I discovered talking to other people around, amazing, amazing. 

Justin Beals: Yeah. I had the old Prodigy network, you know, the early days when I was young, and then also, speaking of the Commodore 64, one of our favorite things to do was just hit phone numbers, you know, see what had a tone to it.

So you've recently written a brilliant book about cryptography. I had a chance to read it; it's a really fun read, actually.

Panos Louridas: Thank you.

Justin Beals: Thank you, Panos. But there have been a lot of books about cryptography. I think about some of the Umberto Eco books that I've read, more fiction based, back in the day, you know, about secrets and keeping them. What inspired you to write this particular book on cryptography?

Panos Louridas: The idea followed another book that I have written on algorithms, where what I wanted to do was to see if I could explain algorithms to somebody who has good knowledge of mathematics and nothing else as a prerequisite. And after I did that, and well, the reviews for the Algorithms book were very good, and it was well received, I thought, okay, perhaps cryptography, because it's something very, very important, affects every aspect of our lives.

I had even written a chapter on cryptography when writing the Algorithms book because Cryptography is about algorithms, at least modern cryptography. So one part was that, the other part was especially the younger generation that all their lives, all their lives is digital. And so it's permeated by cryptography, or it should be if they want to have any sense of privacy or security, but most of them have very, very little idea of what is going on.

And I think it should be a part of basic knowledge, like at some part, for instance, we decided that, you know, in high school we did basic stuff about electricity, biology.

So, in the same sense, right now, most people should have a knowledge of how the world works. And this includes cryptography. A modern world does not work without cryptography at all, so you should have a basic knowledge of this stuff. 

Justin Beals: Yeah, I want to confess that as a software engineer building a lot of product over the years, I had almost no understanding of how it worked. I basically worked off the acronyms. Someone told me, Oh, you got to have AES implemented. It's port 80, 80. Uh, this is, it's TLS 1.2.

You know, I remember the day someone was like, you can't use TLS 1.1 anymore. You better upgrade. And I was like, what's the, did we do this? But, and so I agree. I, but I think even practitioners in the computer science field all the times don't know what it is that we're actually implementing. 

Panos Louridas: I have also worked and I'm still working as a software engineer.

So yes, you may be lucky enough to be building applications where cryptography is being taken care of. Well, for me, that was the situation. Things at a point, then I started doing work for applications for the citizens in my country, Greece. So we're creating applications for the citizens. So we're handling private data, and then suddenly, everything becomes very, very important. Things that you were taking for granted, and it turns out that you cannot take for granted anymore. So that's how it also affected my programming life as well. 

Justin Beals: And broadly, even those not in the computer science field, and I agree with you, the Internet couldn't work if we couldn't keep data private, you know, who we want to talk to. It would be a total mess. And so it is a fundamental, like, key to allowing the network to work at all. 

Panos Louridas: Particularly since the Internet was not designed to be secure in the sense that we mean security today. It was built by academics. In the beginning, there were just a few nodes.

Everybody knew each other. Bunch of folks who everybody knew everybody. And then when it expanded, security had to be added on top. And that is also something very interesting. How can you create something that is secure based on something that's fundamentally not secure? Because it was never thought to be secure, or designed to be secure to begin with, so it's very interesting how you can make this happen with cryptography. 

Justin Beals: Yeah, I mean, my early days on IP addresses with a network were library networks, right? I don't think, we didn't even have a concept of identity other than an email address on a listserv. And all that was in plain text, you know, very open.

I think there's an academic bend towards that, right? Like we want to share ideas and, and drive concepts forward and learn from each other as we're developing. 

Panos Louridas: Yes. Historically, the commercial use came afterwards. And yes, we wanted to serve things. And this also is interesting how sharing happens in cryptographic ideas.

I guess you remember that it was even impossible to export cryptographic stuff, at least some kinds of stuff, from the United States to Europe. There were these funny stories about the books coming over here without the CDs, with, well, back then, you would put code on CDs. And Bruce Schneier's books would come here to Europe without the CD.

And so it was happening to be scant. And so all these funny stories about how we can move these ideas around. 

Justin Beals: Yeah. Well, one thing I definitely have learned about security broadly and especially cryptography is that it's often called a real like arms race, right? Like somebody wants to keep something secret, they design a modality to keep it secret. And then someone wants to learn those secrets because information has value, and so they break into it.

And of course, this has been going on for millennia plus a lot longer than just computing, and you highlight a couple of the, you know, this arms race in more classical terms; I'm curious, do you have a favorite example from your classical stories of where someone created a secret modality and then that secret modality was solved for by a hacker?

Panos Louridas: So many nice stories. Well, I think it's difficult to, it's difficult not to talk about Enigma because it took, it is such an important part of the world therefore in World War II, and also so many important people were involved in different, different countries. But even today, it's a matter of pride for, even for the countries that were involved.

So as it happens, as a nice coincidence, just this week I was in Poland, and in Poland there is a city called Poznań. And in Poznań, it was the head of the Cipher Bureau in Poland between the two wars, between the first and the second, for, for, etcetera, not for the whole period, for part of the period. And it was there that they started trying to tackle the Enigma.

And it was three Polish cryptographers, cryptanalysts, who worked in Poznań. And they were the first ones who designed a machine that would help them to break the code. And today they have built a fantastic museum in the city that highlights the history, because they are so proud of it, and it's even part of their national identity that they could do that and they contributed to the world effort.

So it's a nice story that flows into today. So the museum is very nice. So, if somebody goes to Poznań, I really recommend it. And I understood also that it's popular for school visits because it has great educational material, so I was there with a school that was visiting there, and I was very happy to see the young kids going through the exhibits and seeing how the various crypto mechanisms work and explaining the importance of cryptanalysis, especially in modern cryptanalysis.

They highlight, and this is also important in Enigma, that it was probably the first time that very serious mathematics was used in the analysis of the machine, and also, it was the first time that a machine was built in order to beat another machine, and from then on, it's never the same.

Justin Beals: Yeah. It does represent a milestone, right?

Like we went from, in the machine, it was the dawn of kind of the machine era and secrets. And, of course, there's some amazing characters in that story, you know, back to Babbage and Lovelace, through to Turing, and then, you know, designing parallel processing in a way, and information science. It is. We got some great movies out of it. Yeah.

Panos Louridas: And the story, the story goes on even now with the effort for the standards for post-quantum, for post-quantum algorithms for cryptography. That is what's found out to all of the approaches is actually very vulnerable. And this was it's happened in the last couple of years.

So scientists, very serious scientists who were working on very, very deep mathematics to create something that is secure. It was found that, in the end it was not. So this. Arms race is still going on; it's not going to finish, so you see it happening even now in front of our eyes. 

Justin Beals: Yeah, only accelerating, I think, this race in a way.

You used two terms that really helped me, I appreciate it, because I was probably using them poorly in my own lexicon. Cryptography is the act of making something secret or creating a modality to make it secret, and cryptanalysis the act of trying to solve that secrecy or hack it, as we might use it in our modern parlance.

Yeah. So, one of the things that I found interesting is you were giving examples both towards the modern era and the more recent era is, a lot of times, the solution, the cryptanalysis of a cryptography problem, is a really obtuse way of coming at it, right? It's almost like a blind spot from the person that designed the cryptography in the first place: cribbing, you know, statistical analysis of language. None of these things were part of the initial design. Yeah.

Panos Louridas: Yes. So it takes some, not some, it takes a lot of creativity, actually, to hit upon this idea that, you know, and actually, some of these took centuries.

For instance, frequency analysis for polyalphabetic ciphers, like the Vigenère cipher, took centuries for somebody to realize, with some creative leap of mind, that, you know, you could use frequency analysis, even though initially it doesn't seem to work in these polyalphabetic ciphers, if only you notice this, and then you transform the problem into something that is amenable to what you know.

This was something that but I found very creative that somebody realized that and the same thing happens again, again, somebody who will find a blind spot and zero in sometimes. So I guess that's also why people like to do it. Well, people like solving problems and challenges, and cryptography is like the ultimate challenge in a sense.

Justin Beals: Yeah. I mean, to this day, yeah, we have, there's all kinds of, I think, cultural phenomena where people hide a treasure, or we have some puzzle to solve. I would love that type of thing. Yeah, and it does work that way. It's also, I found, I love the word creativity in this work because it's like the cryptanalytic work was about reimagining the secret in the context that the secret operated.

Like frequency analysis, how many E's are in the words that we use, for example, and that, I think, broadens the whole field, that improves it in a way, but it's secrets we want to make secret and the way we think about securing them.

Panos Louridas: Yeah. Even things that fall outside as a traditional cryptanalysis, like side-channel attacks, like somebody thought that from the sound of the operations in your computer, somebody would be able to deduce what's going on.

So this is really clever. Once it's been told it sounds obvious, of course, yeah, but somebody had to think of it that, you know, you could use heat dissipation or sound waves or electromagnetic waves and figure out the calculations. This is also a leap of imagination. 

Justin Beals: Yeah. Yeah. 

Panos Louridas: The whole mechanism. So it's a way to go around the whole mechanism and attack it in a completely novel way. 

Justin Beals: I feel for the cryptographer side because I, like, no, it's against the rules. I can't go out of that way. Yeah, that's true. You know, 

Panos Louridas: like, Whoa, with the side, this is nice. And it's so elegant. And then suddenly you come along and do this hardware thing, for instance, and you break everything up. Yeah. No rules.

Justin Beals: There was something that I learned in your book that was excellent for me to learn. And when I think about a lot of the people that I talk to in cybersecurity, I see a really common practice where part of the way that they think about making a system secure is achieved by hiding the state of the system or even the system's existence.

Can you help describe for us the fallacy of security by obscurity? 

Panos Louridas: First of all, yeah, it's, let's take it the other way around. What's what would you trust? Something that you know it is secure, even though everybody knows how it works and everybody has tried to attack it, or just because it's a black box.

So I think that if you, if you ponder a minute on it, you realize that, yeah, something that everybody has tried to attack and break and they know how it works and still they have not managed to break it. It's much better than something that it's only black box, and so it could be secure, it could not be, but we don't really know.

So,  the first one is security by obscurity; it gives you less information on which to base your confidence. If something is open, you have more information. You know how it works, you know the principles, and you know that many, many clever people, much more clever people than I am, and most even geniuses, have tried to break it, and they have not.

So you place your trust in this collective effort to prove, to prove security.

Second, security by obscurity is. It's founded on the idea that the design is secret, but this is also something that has to do with people, and people are very bad for keeping secrets. So, how do you know that the design has not been leaked or sold?

Even the Enigma that we talked about before, the designs of the Enigma were leaked from Germany.

Justin Beals: Yeah.

Panos Louridas: So people will always, I mean, there will always be weak links among people. So if you just place your trust that this is a secret design, how do you know that the design is secret? You cannot. 

Justin Beals: Right. 

Panos Louridas: So it's an assumption that you cannot prove at all in the first place.

Justin Beals: There's a certain amount of hubris to it as well. Like I, I know best security. I know how to design it, and I'm going to keep that secret. 

Panos Louridas: Yes. And if it's, if it's all damn good, then why don't you let us know about it? Are you so certain? It's a job that is a hubris, perhaps. For me, it would look more like lack of confidence. Are you really so confident? Then bring it on. 

Justin Beals: Yeah. Okay. So, you know, first off, I want to highlight one of the things I loved about your book is that you kind of move through the history of cryptography; although light on the classical stuff, which I appreciated, we got it into the more modern commute computing ideas around cryptography fairly quickly.

But you do tell a story about the early days of developing cryptographic tools around DES. And I think it highlights this issue of, you know, the hubris. And so, I have to jump to a question that was just in my mind as I was reading the book. The NSA in the United States was involved in helping create DES. Do you think that the NSA hobbled DES as an encryption technique?

Panos Louridas: But I. Well, we don't know. I don't know if this if there is something in some archives that will be declassified during our lifetime. So, after a lifetime, so we never know.  If I were NSA, would I try to put such a backdoor? it's very tempting.

Probably. You say that, yeah,  like, my allegiance is to the if my allegiance were to the NSA, then it's to the NSA agenda. Indeed, the NSA's agenda is to be able to intercept. 

Justin Beals: Yeah. 

Panos Louridas: Then, so, I don't know. I have reasons to suspect that it is so because it is so, so tempting. But, of course, that doesn't mean that everything that comes out from the government or the military is bad.

For instance, the Tor network that we use for the Tor browser is something that came out from the U.S. Navy. Most people don't know that, because spies want to be able to be anonymous. So, it's not necessarily the case that everything that is developed by a three-letter agency is flawed or insecure.

Justin Beals: Yeah, I mean, DES was also kind of designed in a little bit of a closed-source environment as much as an open-source environment.

So that has given us, and we saw that DES later on, as more computing power became available, was crackable. Yeah. I mean, even the simple decision, like, I could imagine being in the government, being, we have the most powerful computers because we built them in the Navy. We've been trying to, you know, do weather for centuries.

Now we're gonna, we're gonna build this encryption technique just up to the limit of commercial computing, and you wouldn't have to hobble it or backdoor it at all. You just knew that the. Mathematical function for cracking over something you might have the tools for. 

Panos Louridas: Especially as you say, because the separation between commercial and military, it was quite, we even had in the GPS and the recent, so it was like, you have these dual users, and the military has access to more powerful hardware and resources than you, than you have now, it's not so much anymore, but back then, yes, it was something that they could leverage.

Justin Beals: Yeah. So we've now had AES and it was approved by the National Institute of Science and Technology in 2001. So we've had AES for a while. It's been a couple decades. How do you think it's holding up, Panos, in your opinion? 

Panos Louridas: Well, I think it's holding up pretty well, even with advanced quantum computing. We don't know of any fundamental attacks against AES there only, well, we know that the time to break it would be, let's say, half or something like that.

So you can just increase the key. So, this is the actual recommendation. So instead of using, let's say, 100, you could use 256. And, uh, I think that's something that we can keep doing. As long as no, not a completely different kind of attack or a quantum algorithm is, is found. So I think it's, it has to, yeah, it's in a bit good shape.

I think we just keep increasing the size of the key. And it's something that we can do computationally. It's not prohibitive. So, yeah. For the time being, yeah.

Justin Beals: I thought one of the things that was interesting to me about AES as a design, and your book does a great job of explaining this, is it's, it's kind of a multifaceted process, a little, you know, it uses a couple of techniques to obfuscate the data or encrypt the data in layers, and I think that's helpful from a cryptography perspective. 

Panos Louridas: Yeah. It's, uh, all this kind. Well, if you sit on a basic level, it's a lot of slicing and dicing and mixing. So you take your data and you slash it, dash it, you mix it, and again, and again, and again, and again.

But there's clever stuff, it's that, yeah, but it's not just by, you don't just do it randomly. It's done in a very, very clever way. So you cannot,  because basically what you do is you take your message, and you make it look random. And one of the basic things, You cannot make something look random, just randomly. 

You have to be very serious about how you do it. I think it was Donald Knuth that said that in one of his books, that you cannot design a random generator randomly or something like that. It's the same thing with cryptography. You know, you cannot hide your method just like that. You have to be very, very serious.

Justin Beals: Generating randomness is incredibly hard. I think nature doesn't even enjoy it that much broadly. This might be just a legend and not true, but I think there's a fairly large cybersecurity company that tries to generate randomness out of lava lamps, a wall of lava lamps and tracking the movement of fluid.

Panos Louridas: Yes, it's exactly that, and there is actually, now people try to use quantum effects, so quantum computing, to generate random numbers. So in Greece, we are planning a project to do that because we also need to be able to have access to certifiably random numbers. So one approach is to use, well, or I could use a quantum approach to do that, and we are working on that.

So it's something that, yes, it is necessary. Not many people realize how difficult it is to create something, something that was, you Yeah, even nature doesn't like that, 

Justin Beals: so yeah, yeah, we're, we're here. Let's talk about quantum computing and cryptography a little bit. How, how I'm afraid to ask this question, Panos, but do you, do you have, do you have an idea?

What do you think the timeline is like for something like AES in a quantum computing world is the way you could give me five to ten years. I think quantum computing is going to have an impact on our ability to keep secrets or. You can say, no, I think we're pretty solid for a while. 

Panos Louridas: Well, I think it's certainly more than five years, before we have, so yeah, progress is made, but I think it's definitely more than five years, perhaps it's even 10 years before it becomes a serious problem.

There are still technical issues to be resolved. But at the same time, well, in the meantime, we do work on these post-quantum cryptographic methods because one of the problems is that there might be sensitive data that people store them today in order to decrypt them, let's say, after 10 years or 20 years.

Justin Beals: Yeah. 

Panos Louridas: So if, so you must be able to know that. The method that you are using will be safe even in the future. And that's a very interesting problem and there are people working on that. So how can we migrate our data that are already included in something that is going to be secure also in the future.

It's good that people are aware of the problem and they're working on it because I think we have enough time to prepare ourselves before we have any real threat from quantum computing. 

Justin Beals: Yeah. I it's a little spooky, but when I read about the hardware and where it's at and the error correction issues that we're dealing with in quantum computing, you know,  I do think there is a little bit of time, but the legacy question exists.

One thing that I learned reading your book, which I loved, is I found it really interesting that, especially in modern cryptography, computing-based, that one of the major faults is also fundamental to its functions. And, of course, I should have known this, but your book helped highlight it for me. You know, there's a relationship between the content of the message and the language that's written in.

And we can use frequency analysis. There's a relationship between the key, if we are doing the symmetrical type of encryption, and the encrypted message itself. And a lot of times these mathematical relationships necessary to encrypt and decrypt are also used to crack, you know, the encryption tool.

And so part of the challenge in cryptography is the tools we use to encrypt it in the first place. 

Panos Louridas: Essentially, the problem is that you wanted information from something to something else that goes only one way, and you cannot go back because encryption is one way, and you cannot go back unless you have something else like the key.

And talking more generally, this kind of one-way functions,  they may not even exist. So it's an assumption that to the best of our current knowledge, these functions, because these transformations that you mentioned, these mappings from the original language to the encrypted methods, all these mappings essentially are functions that, to the best of our current mathematical knowledge, they are one way.

But that's also what I always repeat to my students. The key here is to the best of our current mathematical knowledge. We cannot be 100 percent sure. They have not been proven. They are just assumptions. Pretty confident that they're safe assumptions, but we're going to show, 

Justin Beals: You know, this is a big debate, not just in computer science, but physics, mathematics, right?

Like, we can do the Laplace's demon-type analysis and be like, if we knew, you know, a certain space, then we could predict with high confidence how that was going to evolve, or the entropy of a system, although then it starts getting really esoteric with quantum things where we can understand where something is, but not where it's going.

But I think in a number of different scientific areas, we've been trying to test our human knowledge around this and our assumptions. One-way algorithms, for example. 

Panos Louridas: Yes, well, it expands, so it's the same idea of what we know or what we have proved. So a lot of things that have to do with cryptography have to do with the complexity of doing things. So we go to the theory of computation, which is: how do you know that some problems are really hard to solve? And again, there's a whole class of problems called NP-complete which we believe cannot be solved efficiently, that there are no efficient algorithms to solve them, but we have not proved that in general.

That is one of the biggest problems, if not the biggest problem, in theoretical computer science: if somebody can prove that, yes, they cannot be solved efficiently. So, you see this thread about the limits of our knowledge. What can be computed? What can be reversed? All of it is kind of related; if you look at it spherically, all of it's kind of related.

Justin Beals: Yeah. Okay, I'm going to pull myself out of my philosophy a little bit, back to earth here. One of the things that I had a question for you about, Panos, is, essentially, the practice of key management in the modern web applications that we develop. I'm constantly being asked, like, what's your key rotation policy? Or how are you handling keys?

Could you talk to us a little bit about what problems we're trying to solve there with this activity?

Panos Louridas: The basic problem is that for somebody to attack you, they must have some access to encrypted messages. So, if you have only one encrypted message, it's very difficult to decrypt it. Okay. If it's just one.

And this is also the kind of problem with some of the historical problems in cryptography, like the Zodiac ciphers, the Voynich manuscript: these are kind of one-offs. So you have very, very limited material on which to base your decryption efforts. So if you're using the same key for a long time, well, you get more and more material encrypted, and somebody might intercept it, so they have more to work on in order to decrypt.

So the idea is how to minimize this. So you rotate your keys so they don't have the chance to accumulate a lot of material with which to attack you. Now, the question is exactly as you said: what is the rotation? Well, also, a lot of times we actually work with what are called ephemeral keys, so they last only for one session, so anyway they don't last long.

So otherwise, yes, you must have a policy of rotating them. How frequent is good enough? If it's too frequent, it might become impractical. There's also always a trade-off between security and cost, so you can increase the security, but it's more costly, even mentally costly, when talking about key rotation.

Think about how annoying it is when you visit some of the websites that ask you every now and then to reset your password. And if this is too often, after the third or fourth time you start: okay, do I really have to do that? Can I use the previous one?

So, even on the human level, it starts getting a bit problematic. So, there's a fine balance. Yes, it's a good idea to rotate keys and not keep them forever. On the other hand, you cannot rotate them all the time, because somehow something would break along the way.

Justin Beals: Yeah, I do get that. Like, especially with the amount of data we ship on the Internet, I can allow a lot of encrypted data to be available for someone to collect quite rapidly, you know, in a month or two listening on the right port. We're pushing encrypted data over the open Internet on some level.

We think the encryption keeps it secret as it goes. But with that amount of data, all of a sudden they have more information to do analysis against, and the system becomes easier to crack. Yeah. Okay, I have another one for you. You know, I've implemented AES and TLS in a bunch of web applications. But I swear, to this day I don't understand very well the relationship between the two of them. Help us understand where AES sits and where TLS sits with each other.

Panos Louridas: So TLS, it's a protocol. It means the way two parties will agree on how to encrypt the communication.

So let's say when we started talking here, if our video link and audio link is encrypted, my computer will have to argue with your computer on how to do that. So we start by exchanging messages, like, first, which protocols, which cryptographic algorithms do you support? Your computer might support some algorithms, my computer will support some other algorithms.

So, TLS establishes this common understanding: which algorithms are we going to use for encryption? And then again, AES is symmetric encryption, so it means that we need a common key. So TLS will also take care of that. It will decide on the key exchange mechanism that we are going to use so that we will share a common key.

And after that, we can start using AES. And this is when the actual communication begins in earnest. So TLS, you can think of it as the preamble, like when two people meet for something, and then you have these kinds of preliminaries: who are you? What are you doing? This is TLS. And then communication can start going through, for instance, AES.

Justin Beals: Ah, exceptional. That's very helpful. Thanks. So, I wanted to just open up a question to the future of this space a little bit, Panos.

You know, we talk about quantum computing, and I think that's the thing we talk about a lot with cryptography and where this arms race is going. Are there other vectors that we should be aware of that you don't think we concern ourselves with?

Panos Louridas: Well, it's all very good, but I was working on projects that have to do with post-quantum cryptography from the practical point of view. I am not a theoretical person. I'm working on projects using this technology. What I think we should always be aware of and take care of, actually, is people. I would not care to attack somebody by attacking using a quantum machine.

I will just do social engineering. I'm sure it will be much more successful. So, raising awareness, and I hope that's also a goal of the book, raising awareness among people is important. As I told you, I work in developing services for citizens. You will be surprised how often, if you work in this area, you will get emails from citizens saying, "Oh, the system does not work.

Please. Here's my username and password. Please help me." So people will give out their secrets even without being asked. It's amazing. So

Justin Beals: No,

Panos Louridas: No, no, no, no. I don't want your username, I don't want your password.

So yeah, people are the weakest link. Mathematics is perfect, so you can prove it. Algorithms, yes, you can also prove them. Software is more difficult. We cannot really prove that software is correct. In some cases, with formal methods, but not really when you are deep in the mixture. That's the problem.

So what we always will have to think about is educating people and making them aware of the choices they make on how they use technology. 

Justin Beals: Absolutely. And I have to give praise to your book. I didn't do very well in mathematics in grade school. I blame my teacher, of course, because it can't be my fault.

And in college, I studied  theater, and I took a mathematics class called Mathematics for the Liberal Arts, which

Panos Louridas: Wow. I know,

Justin Beals: I love it, yeah. Because I realized, when I think back to my old Algebra Two, that if only my teacher had said to me, "Hey, Justin, the reason we're doing these polynomials is that we're trying to define an arc in space," I would have been like, how intriguing, I'm so interested in how to describe curves.

That's very interesting. And what I loved about the book is that it is information science. It is mathematics and algorithmic, in a way, the cryptography we do, but I felt like the math was very approachable for me, and I could understand it on a more fundamental level and how it worked. Yeah.

Panos Louridas: Well, I'm glad. One of the things, well, you cannot do it for all kinds of mathematics, but one of the things that I have realized is that certain things that look very forbidding when you look at the mathematical formula, in the end, when you explain the basic idea, are not. So it looks on paper like, wow, what is that? And how do I decipher it as a human being? Sometimes I have difficulty, like, I see too many symbols here and too many subscripts, so they don't make sense. And too many Greek characters. Well, at least I'm Greek. So the Greek characters, you know, yes,

Justin Beals: so 

Panos Louridas: it must be even worse for you.

Okay, for me, at least that part is okay. And then, when you think of it, you say, yeah, but fundamentally, it's something very simple. It's just that when you formalize it, it becomes obtuse. So this was one of the things that I'm trying to show in the book: that, you know, some of the, or a lot of the things, are not that difficult to understand at a fundamental level.

Justin Beals: Yeah, they're not that difficult to understand. And that's, I think, why we see elegant mathematics, right? Like, I think when we describe something as very elegant, or a formula we really like, it's because it's simple and easy to communicate, and highly repeatable. Panos, I'm going to give your book to all my software engineers so that they understand how cryptography works.

Because sometimes I wonder if they do. But I'm very grateful for the work. We'll have the title of the book and a link to it in the show notes here for our listeners. And I also really appreciate you sharing your expertise with us today.

Panos Louridas: Thank you for the invitation. I really enjoyed the discussion with you.

And well, I hope people find the book interesting. 

Justin Beals: I certainly did.
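The handshake-then-traffic split Panos describes (agree on algorithms, run a key exchange to get a common key, then hand over to AES), shown as an added example that is not part of the episode or the book: a small Go program in which each side makes a fresh ephemeral X25519 key pair, both derive the same shared secret, and the traffic then flows over AES-128-GCM with one key per direction and sequence-number nonces. It illustrates the structure only and is not a TLS implementation. The record layout, the key labels "c2s traffic key" and "s2c traffic key", and the Peer, Handshake, Seal and Open names are this example's own choices, the server is never authenticated (TLS uses certificates for that), and it assumes Go 1.20 or later for crypto/ecdh and errors.Join.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Peer is one side of the connection after the handshake. Each direction has
// its own AES-GCM key, so two peers both counting from zero never reuse a nonce.
type Peer struct {
	send    cipher.AEAD // key for records this peer writes
	recv    cipher.AEAD // key for records this peer reads
	sendSeq uint64      // nonce of the next record written
	recvSeq uint64      // sequence number expected on the next record read
}

// hkdf is a minimal RFC 5869 extract-then-expand (one output block); the raw
// X25519 secret is never used as a cipher key directly.
func hkdf(secret, salt, info []byte, n int) []byte {
	ext := hmac.New(sha256.New, salt)
	ext.Write(secret)
	exp := hmac.New(sha256.New, ext.Sum(nil)) // the PRK becomes the HMAC key
	exp.Write(info)
	exp.Write([]byte{1})
	return exp.Sum(nil)[:n]
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 16-byte key selects AES-128
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Handshake is the preamble: fresh ephemeral X25519 key pairs, public keys
// exchanged, the same secret computed on both sides. Nothing here proves who
// the server is; without that, a man in the middle could run one handshake
// with each peer. This example's layout, not TLS's key schedule.
func Handshake() (*Peer, *Peer, error) {
	curve := ecdh.X25519()
	clientPriv, err1 := curve.GenerateKey(rand.Reader)
	serverPriv, err2 := curve.GenerateKey(rand.Reader)
	if err1 != nil || err2 != nil {
		return nil, nil, errors.Join(err1, err2)
	}
	// Each side combines its own private key with the other's public key.
	clientSecret, err1 := clientPriv.ECDH(serverPriv.PublicKey())
	serverSecret, err2 := serverPriv.ECDH(clientPriv.PublicKey())
	if err1 != nil || err2 != nil || !bytes.Equal(clientSecret, serverSecret) {
		return nil, nil, errors.Join(err1, err2, errors.New("key agreement failed"))
	}
	// Keys are bound to both public keys (the transcript) and split per direction.
	transcript := append(clientPriv.PublicKey().Bytes(), serverPriv.PublicKey().Bytes()...)
	c2s, err1 := newAEAD(hkdf(clientSecret, transcript, []byte("c2s traffic key"), 16))
	s2c, err2 := newAEAD(hkdf(serverSecret, transcript, []byte("s2c traffic key"), 16))
	if err1 != nil || err2 != nil {
		return nil, nil, errors.Join(err1, err2)
	}
	return &Peer{send: c2s, recv: s2c}, &Peer{send: s2c, recv: c2s}, nil
}

// Seal produces one record: an 8-byte sequence number (authenticated as
// associated data and also used as the nonce) followed by ciphertext and tag.
func (p *Peer) Seal(plaintext []byte) ([]byte, error) {
	if p.sendSeq == ^uint64(0) {
		return nil, errors.New("nonce space exhausted: run a new handshake")
	}
	hdr := make([]byte, 8)
	binary.BigEndian.PutUint64(hdr, p.sendSeq)
	nonce := make([]byte, p.send.NonceSize()) // 12 bytes: 4 zero bytes + seq
	copy(nonce[4:], hdr)
	p.sendSeq++
	return p.send.Seal(append([]byte{}, hdr...), nonce, plaintext, hdr), nil
}

// Open rejects short, replayed, reordered or tampered records before
// returning any plaintext.
func (p *Peer) Open(record []byte) ([]byte, error) {
	if len(record) < 8+p.recv.Overhead() {
		return nil, errors.New("record too short")
	}
	hdr := record[:8]
	if binary.BigEndian.Uint64(hdr) != p.recvSeq {
		return nil, errors.New("replayed or out-of-order record")
	}
	nonce := make([]byte, p.recv.NonceSize())
	copy(nonce[4:], hdr)
	plaintext, err := p.recv.Open(nil, nonce, record[8:], hdr)
	if err != nil {
		return nil, err
	}
	p.recvSeq++
	return plaintext, nil
}

func main() {
	client, server, err := Handshake()
	if err != nil {
		panic(err)
	}
	rec, _ := client.Seal([]byte("hello over AES-GCM"))
	pt, err := server.Open(rec)
	fmt.Printf("server read %q, err=%v\n", pt, err)
	_, err = server.Open(rec)
	fmt.Println("replaying the same record:", err)
}
```

Run it with `go run`. Two details tie back to the key-rotation discussion: every connection gets its own keys because the X25519 pairs are ephemeral, so a record sealed under one handshake cannot be opened with another handshake's keys, and Seal refuses to continue once the sequence-number nonce space is used up, at which point the only correct fix is a new handshake rather than stretching the old key further.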

 

About our guest

Panos Louridas is Professor in the Department of Management Science and Technology at the Athens University of Economics and Business. He is the author of "Real-World Algorithms," "Algorithms," and "Cryptography," all published by MIT Press. He is also head of Research and Development at GRNET, which is responsible for designing, implementing, and deploying secure digital services, used by millions of citizens in their dealings with the public sector in Greece.

Justin Beals, Founder & CEO, Strike Graph

Justin Beals is a serial entrepreneur with expertise in AI, cybersecurity, and governance who is passionate about making arcane cybersecurity standards plain and simple to achieve. He founded Strike Graph in 2020 to eliminate confusion surrounding cybersecurity audit and certification processes by offering an innovative, right-sized solution at a fraction of the time and cost of traditional methods.

Now, as Strike Graph CEO, Justin drives strategic innovation within the company. Based in Seattle, he previously served as the CTO of NextStep and Koru, which won the 2018 Most Impactful Startup award from Wharton People Analytics.

Justin is a board member for the Ada Developers Academy, VALID8 Financial, and Edify Software Consulting. He is the creator of the patented Training, Tracking & Placement System and the author of “Aligning curriculum and evidencing learning effectiveness using semantic mapping of learning assets,” which was published in the International Journal of Emerging Technologies in Learning (iJet). Justin earned a BA from Fort Lewis College.
