Cryptography is both a science and an art, combining mathematics, algorithms, statistics, and real-world use cases for securing communications over public channels. Not long ago, the US government banned export of the technology, since it was considered a munition.
Initially most of the algorithms and standards came out of the NSA, so one would assume a back door was also available to the agency. As with every technology, it can be used by law-abiding citizens as well as criminals. You wouldn’t ban cars because criminals used them to escape law enforcement after robbing a bank, would you? Apply the same logic to the government’s attempts at banning or controlling cryptography. I don’t want to go into a discussion of car registrations and plates, as those could be defeated, the same way the Clipper chip or any other attempt at key escrow would have been defeated.
Why do we need cryptography, and what are all the algorithms and protocols used for? How can one use it in personal life or in business? It can get very confusing when you try to study cryptography, because of the different types of algorithms. You spend a couple of hours reading about the wonderful workings of an algorithm, only to find out later that it was defeated and is nowadays easy to crack. Or there is this other wonderful algorithm that can scramble your plain text into impossible-to-decipher cipher text; the only catch is that you have no way of securely and economically transferring the secret key needed to decipher that message to the intended party.
The way I simplify things for my own understanding is by breaking problems into smaller components and attacking them one at a time. At the end, the big picture will be clearer. Cryptography enables a message to be securely transmitted or stored, so it enables confidentiality. It provides integrity to a message or any digital asset by producing a message digest. Think of a password hash, or the message digest of any software that you download from the internet. Lastly, it provides authentication, as it can be used to create a digital signature, and it ensures non-repudiation of the document source. Remember CIA here as Confidentiality, Integrity, and Authentication; don’t confuse that with the Availability of the CIA triad.
Let’s take them one at a time. How can you fulfill confidentiality? For instance, you want to transmit a message to a client securely, and then store that communication on your storage device securely as well. Both qualify for confidentiality, since you are transmitting and storing. First, you encrypt the plain text to cipher text with a secret key that you possess, then you send it on its way via your favorite e-mail client. It hits many routers and servers until it gets to the recipient’s inbox. They open the message, and it’s a scramble of letters and characters. Your client calls you up and asks you for the key to unscramble, or decipher, the message!
So you can encrypt all you want, but without a key, the encrypted message is worthless. Just as it was worthless in transit to any malicious user eavesdropping on your communication channel, it is also worthless to the receiver, since they don’t have the key. Your next move is to schedule a flight from San Francisco, where you live, to New York, where your client is located, to give him the key that you saved on a thumb drive. You see how this solution to sharing a secret key can get expensive quickly! Governments can certainly afford it, since they don’t mind spending taxpayers’ money, but a business will quickly go bankrupt if it uses this method to share a secret key for all its encrypted communication.
The solution is public key cryptography, or asymmetric key encryption, where the geniuses of encryption (read: algorithm creators) have figured out through different mathematical formulas that an encryption key can have two components: a public key component that is accessible to the public, and an associated private key component that’s kept secret. In the scenario described above, that would save me a trip to New York: I get my client’s public key and use it to encrypt my message, which can then only be decrypted by his own private key.
In his reply to my important secret message, he can encrypt his response with my public key, which I attached to my message in plain text, or which he could also have gotten from my website. I would use my secret private key component to decrypt and read his message.
So initially, we used a symmetric key, where one key encrypts and decrypts a message, but we had an issue with key management, as we had to make a long trip to share that key. The asymmetric key solution solved our key sharing issue: it’s safe to share the public key, but it’s bad to share your private key! We will discuss the technical details of each method in upcoming posts.
As you read different literature online on the subject, remember that some technologies that implement cryptography can use both symmetric and asymmetric methods to provide confidentiality (PKI, for instance).
The symmetric key would be used to encrypt the message, and the asymmetric key for symmetric key distribution.
The other use of cryptography is to provide authentication and non-repudiation, so you cannot say “that’s not my signature on this digital document!” Since you are the only one who owns the signing key, it’s you, unless you reported it stolen.
Which key can provide non-repudiation? Obviously, it should be the private key that only you have access to, not the symmetric secret key that you have shared with others, since any one of you could sign the document and we wouldn’t know who it was. You would use the private portion of an asymmetric key to sign a document and send it in the open to be read by recipients, who are certain it’s from you because it carries your digital fingerprint.
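The two ideas above, sketched in Python as an added example that is not from the original article: a fresh symmetric key encrypts the message while the recipient’s public key protects that key, and a private key signs a document that anyone can check with the public half. It assumes the third-party `cryptography` package, RSA-2048 with OAEP and PSS, and AES-256-GCM; the function names and the envelope layout are hypothetical.

```python
# Added example (not from the article). Requires the third-party "cryptography" package.
# Function names and the envelope layout are assumptions made for illustration.
import os
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()), algorithm=hashes.SHA256(), label=None)
PSS = padding.PSS(mgf=padding.MGF1(hashes.SHA256()), salt_length=padding.PSS.MAX_LENGTH)


def new_keypair():
    """Return an RSA private key; its .public_key() is the half that is safe to publish."""
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def encrypt_for(recipient_public, message: bytes) -> dict:
    """Symmetric key encrypts the message; the recipient's public key encrypts that key."""
    session_key = AESGCM.generate_key(bit_length=256)  # fresh key for every message
    nonce = os.urandom(12)                              # must never repeat under one key
    return {
        "wrapped_key": recipient_public.encrypt(session_key, OAEP),
        "nonce": nonce,
        "ciphertext": AESGCM(session_key).encrypt(nonce, message, None),
    }


def decrypt_with(recipient_private, envelope: dict) -> bytes:
    """Only the matching private key can unwrap the session key and read the message."""
    session_key = recipient_private.decrypt(envelope["wrapped_key"], OAEP)
    return AESGCM(session_key).decrypt(envelope["nonce"], envelope["ciphertext"], None)


def sign(signer_private, document: bytes) -> bytes:
    """Sign with the private half, which only the signer holds."""
    return signer_private.sign(document, PSS, hashes.SHA256())


def is_signed_by(signer_public, document: bytes, signature: bytes) -> bool:
    """Anyone holding the public half can check the signature."""
    try:
        signer_public.verify(signature, document, PSS, hashes.SHA256())
        return True
    except InvalidSignature:
        return False
```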
Now for a quick explanation of integrity, and what it tries to accomplish. Let’s use the example of password storage. Have you ever called your bank and chosen the prompt to be connected to online banking support, and when you got someone on the phone, you identified yourself as the owner of the bank account, and yet the support agent on the phone couldn’t tell you what your password is?
He has access to everything, yet can’t even give you the first couple of letters of your password so you can log on to your account and do the important banking business you were planning on doing, if not for the constant password errors you kept getting!
Well, the reason the support agent doesn’t know your password is because it’s scrambled beyond recognition. Yes, even if you escalate to speak to a manager, or even if you have had dinner with the CEO of the bank the day before, that won’t get you the lost password.
Simply put, the password was scrambled by a one-way hashing algorithm before it was stored in the database. The support agent cannot call up the database guy and tell him Mr. VIP is on the phone and needs to know his password now! It’s impossible; it’s a one-way street!
Well then, how does the system know who I am if even the people who work there don’t know my password?
The answer is that when you enter your password on the website, the same hashing function is applied to it before it is compared to the value stored in the database table, in the row where your username is sitting happily in plain text. If the two values are equal, then you are allowed access. Integrity has been accomplished in this case, since even a social interaction didn’t reveal the secret!
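The login check described above, as an added Python example that is not from the original article. It uses PBKDF2-HMAC-SHA256 from the standard library with a random per-user salt, so two users with the same password do not end up with the same stored value; the in-memory `users` table, the function names and the iteration count are assumptions.

```python
# Added example (not from the article): store and check passwords as salted hashes.
# The in-memory "users" table, function names and iteration count are assumptions.
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor; tune it to your own hardware
users = {}            # username -> (salt, derived hash); stands in for the database table


def hash_password(password: str, salt: bytes) -> bytes:
    """One-way, deliberately slow derivation (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def register(username: str, password: str) -> None:
    """Store only the salt and the derived hash, never the password itself."""
    salt = os.urandom(16)
    users[username] = (salt, hash_password(password, salt))


def login(username: str, password: str) -> bool:
    """Re-apply the same function to the submitted password and compare the results."""
    record = users.get(username)
    if record is None:
        # Do the same amount of work so unknown usernames do not answer faster.
        hash_password(password, b"\x00" * 16)
        return False
    salt, stored = record
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(stored, hash_password(password, salt))
```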
There is more to it than I have presented in this article, as you will discover when doing some googling about the different subjects. But if you get the big picture, this should be a good start for further research on the different algorithms used for different types of cryptography, their strengths and weaknesses, salting before hashing, and combining different cryptography methods for stronger encryption.