The Basics of Cryptography, part 1

Encryption has been a buzzword in the technical world for the past few decades; but in light of recent events, such as the San Bernardino terrorism case, encryption has become important to the average person as well. Encryption is a procedure for taking ordinary information (known as plaintext) and converting it into an unrecognizable format (known as ciphertext). The history of encryption can be traced back as far as Julius Caesar, who used a substitution cipher (as shown in picture 1, below). A cipher is a pair of algorithms used to encrypt and decrypt data, like an equation. In a substitution cipher, you substitute characters in your message with other characters using some sort of scheme. In this way, Caesar would send encrypted messages to his army. For example, let’s say the substitution key is 3, so each letter is shifted to the right by 3. Using this key, “hello reader” becomes “fcjjm pcybcp”.

As you may be able to tell, this cipher is vulnerable to an attack known as frequency analysis or pattern words. In this attack, the most frequent letters are tallied and matched up with the most frequently used letters in the alphabet; with enough pattern-matching, the substitution key can usually be derived.

Another classical cipher used was the transposition cipher, where the letters are rearranged somehow to jumble the plaintext. A modern example of this which you may know is “pig latin”, where you take the first syllable of a word and move it to the back to form a new word.

The Greek military is also thought to have used stenography, which is hiding a message in plain sight. They did this using something called a scytale: they would wrap a parchment around a wooden rod, write their message on the parchment, then unwrap the parchment and add letters in between those already written (see picture 2, below). Only someone with an identical wooden rod would be able to decipher the message. Another example of early stenography was tattooing a message on a slave’s shaved head and waiting for the hair to grow back to cover up the message.

Skytala
Skytala

Stenographic methods have become increasingly complex over the past couple of millennia, with forms like invisible ink, microdots, and hiding information in the compressed space of music files (as seen in the tv show Mr. Robot) becoming popular. Another common method is to store your secret information in a photo file, since these files are also compressed and do not require all the bits to recreate the photo.

These methods of concealing information for secure communications are apart of a larger family of study called cryptography, which in Greek translates to hidden or secret writing. A fairly famous example of cryptography is the Enigma device, used by the German military during WWII to send secret messages. The large computer systems developed to help crack the Enigma code helped usher in the modern age of computers. Fast forward to today, and cryptography is used every day by ordinary people, not just spies and military personnel. Online banking and credit card transactions, email, electronic voting, anonymous web surfing, regular web surfing and social media are all areas where modern cryptography is used without many people ever realizing it.

In the information security world, there is a principle known as the C.I.A. triad, which stands for Confidentiality, Integrity, and Availability. Confidentiality is the ability to keep your information safe and secure from unauthorized entities, which can be equated with privacy. Integrity deals with the consistency, accuracy, and confidentiality of your data. Availability is just what it sounds like: having your data or services available to you and whoever else needs access at all times.  Cryptography can aid in confidentiality and integrity. As we have discussed earlier, encryption supports confidentiality by ensuring your message/data is not readable by an unauthorized party. Integrity is supported by using various cryptographic algorithms to ensure data has not been tampered with or altered; i.e., the original data is put through an equation to derive an ‘answer’, which you receive a copy of. If you then receive a copy of the data, put it through the same equation, and receive a different ‘answer’, your integrity check fails. These checks are sometimes known as hashes, of which there are various types depending on the algorithm used. They are used in a wide variety of applications, e.g. proving the integrity (lack of tampering or file corruption) of files downloaded from the Internet by checking them against their authenticated hashes or checksums.

Modern cryptography for confidentiality can be divided into two categories: symmetric key cryptography and public key cryptography. Symmetric key cryptography uses the same password or passcode to encrypt and to decrypt the data. This can be a security concern because of low confidence regarding secure sharing of the password. It may be a decent algorithm / scheme to use to encrypt data for your own use, which is what most full-disk or file system encryption systems use, but it’s not recommended for use when sharing data among multiple users. This scheme may be used to encrypt multiple kinds of devices: laptop hard drives, phones, tablets, flash/thumb drives, individual files, and so on.

The preferred method used to encrypt data shared among multiple users is public key encryption, which uses two different keys: a public key and a private key. The public key is just that, public; it’s the key you give to any other user, and can be publicly known. The private key is also just that, private, and is related to the public key in a way such that it can decrypt something encrypted with the public key. Anyone can encrypt a message for you using your public key, which you can then decrypt with your private key, which nobody should know except for you. Public keys can be also digitally signed by other users with their private keys, which means the people that have signed the key have verified the key owner’s identity. This creates a web of trust. Let’s say Don trusts/knows Bob but not Alice; since Bob trusts/knows Alice, Don inherently trusts Alice’s key/identity due to his trust of Bob.

A good example of a public key encryption system is GPG (GNU Privacy Guard), a free replacement for PGP (Pretty Good Privacy), as PGP used to be free but was bought by Symantec. GPG public key encryption can be used to encrypt email messages and files, and also has some built in features for integrity (verification of user identity). For example, let’s say Alice wants to email Bob a secure message. Alice could look up Bob’s public key from a public key server, or get it directly from Bob and use it to encrypt her email to Bob. She then digitally signs her message using her private key. When Bob receives the email, he decrypts the message using his private key, and verifies her digital signature using Alice’s public key.

Thank you for joining me for a brief history and overview of cryptography and encryption! Stay tuned for future blog posts where I hope you will join me as we explore cryptography and encryption in more detail. You will learn how to better protect yourself and your data in today’s computer age.

Text References and Resources:

“Cryptography: History of cryptography and cryptanalysis.” Wikipedia.org. Wikipedia, 25 July 2016. Web. 1 Sept. 2016.

“GNU Privacy Guard.” Wikipedia.org. Wikipedia, 15 Aug. 2016. Web. 1 Sept. 2016.

“Outline of cryptography.” Wikipedia.org. Wikipedia, 21 July 2016. Web. 1 Sept. 2016.

Picture References:

Skytala. Digital Image. Wikimedia Commons. Wikimedia Commons. 16 Feb. 2007. Web. 1 Sept. 2016.

Resources:

The Electronic Frontier Foundation, https://www.eff.org.