Most people have heard of encryption and cryptography. It’s been used by governments and militaries for centuries to keep secrets away from prying eyes. However, modern cryptography is important to keep our economy going by keeping purchases secure and online financial transactions validated. Cryptography has become one of the most important technologies supporting the new world of internet communications. Almost everything is encrypted these days, so it helps to understand the basics of what encryption is and how it is used.
While a detailed study of the mathematics of cryptography can take years, there are a lot of useful, high-level concepts that will make cryptography relevant and useful to non-technical users.
Ciphers and Substitutions
When most people think of cryptography, they assume some magic tool that simply substitutes one letter for another according to a fixed rule. However, such a substitution cipher is not very secure.
Analysts can look at letter frequency and context information to make educated guesses to decode an encrypted message. However, we have at our disposal computer algorithms that can make relatively complex changes in a message very quickly, with little “leakage” of information. Each character is typically composed of about eight bits (ones or zeros).
The computer can operate on individual bits extremely quickly, especially the Exclusive-Or (XOR) operation. The XOR operation compares a string of bits to a key. If the bits in a certain position are different, a “one” is sent. Otherwise, a zero is sent. (“XOR” means “if one or the other, but not both.”) The XOR operation is reversible, such that if the encrypted information is run through the XOR comparison process again, the original text is revealed.
Several terms are useful to know when discussing cryptography:
- Plain Text: This is the original, unencrypted message. In practical use, it doesn’t have to be just text. It can also be photos, sound, spreadsheets, etc. It is what is readable.
- Ciphertext: This is the encrypted information that should be unreadable by unauthorized persons or computers.
- Key: This is the magic string used to encode and/or decode during the conversion between plain text and ciphertext. Note that it doesn’t have to be as long as the text itself. A short key can be re-used iteratively over long strings of text. However, short keys can be guessed by trial and error. It takes much more effort or computing power to guess a long key.
- Stream cipher algorithm: This is the algorithm that operates over a stream of data as it passes through a system. It must be fast enough to keep up, and it can’t look ahead. The decoding of a streaming cipher must also be tolerant of missing bits of data. These types of ciphers are often used for streaming voice and video.
- Block cipher algorithm: This algorithm divides the data into blocks, typically 64 bits in an eight-by-eight matrix, and encodes the entire block at once. Digging into the details, some algorithms reorder the bits in the block by working down diagonal rows as they encode. Block ciphers can be coded to be very fast and very secure.
Two Major Types of Encryption Algorithms
In addition to block and streaming ciphers, there are two families of encryption algorithms based on the keys. Symmetrical encryption algorithms work as you would expect. They use the same key for encoding and decoding. They are fast, secure, and efficient.
The only problem is that the sender and receiver of the encrypted information must have some way of knowing the same key, but it’s difficult to simply send a key over the same medium that the data will use. An eavesdropper could simply catch the key and use it to decode the data when it goes by. Historically, systems have used different pathways to send keys and data, and some still do. However, most modern systems use a clever trick to share that common key, asymmetrical encoding.
Asymmetrical encoding simply means that each user uses a special algorithm with a pair of two keys. The algorithm is designed such that if one key is used to encrypt the data, only the other key can be used to decrypt it, and vice versa.
If we designate one key as public (anyone can see it), we can begin secure communications. If Alice sends her public key to the world, anyone who wants to communicate with Alice can use it to encrypt a message to send to her. Only Alice can decode the received message because only she has the private key that is paired with that public key. It takes multiple steps, but using this scheme, Betty and Alice can use their respective public and private keys to share a single key between them and establish a trusted relationship.
Practically speaking, secure sessions are usually set up using Public/Private key pairs to exchange a common key. Once that is done, the common key is used to encrypt further communications because it takes far less computing power. This sounds complicated, but your browser does it with every HTTPS website, every time. The next time you see the little padlock in your browser bar, you’ll know that the website and your browser have just executed this transaction using public and private keys and certificates.
Common Encryption Algorithms
Because encryption protects so many things, there has historically been a sort of arms race as secure algorithms are designed, then broken, then replaced, then broken again, and so on. For symmetric algorithms, the Data Encryption Standard (DES) encryption algorithm was replaced by the 3DES “Triple DES” algorithm, which was then replaced by the AES (Advanced Encryption Standard), which was then successively updated with 128-, 192-, and 256-bit keys.
Of course, we expect the progression to continue. There are several asymmetric (2-key) algorithms to choose from. Diffie-Hellman is widely used but is joined by other protocols, including Elliptic Curve Cryptography (ECC), El Gamel, and RSA. Most systems today can use several and typically negotiate which one to use for each transaction.
Uses of Encryption
You may run across several different applications of encryption, often operating at different layers of the protocol stack. Secure Shell (SSH) is used to protect Telnet type text commands to a remote system. Secure Sockets Layer (SSL) is commonly used to encrypt your browser communications but has largely been replaced by Transport Layer Security, or TLS. TLS has undergone revisions and is up to version 1.3 now and SSL is at version 3.0. They will continue to be strengthened as needed.
Hashing Is Not Encryption
Although often mentioned together, hashing is a related but separate technology from encryption.
Hashing is used to create a relatively unique “digital signature” for a file or other data. It establishes authenticity. If you have a hash of a data file, you cannot “decode” it to get the original file.
However, if you have a file and create a hash. You can come back at another time and place and calculate the hash on that file again. If the two hashes match, the file has not been changed. This is useful, for example, to prove a file has not been altered in transit.
However, the most common use for hashes is to manage passwords. When a user sets up a password, the system calculates a hash of that password and stores it. The original password is discarded. Later, when the user logs in, the system hashes the submitted password and compares it to the hash in storage. If the hashes match, then the underlying passwords must match.
Why do we do this? Suppose a hacker breaks in and steals the file with all the user hashes. The original passwords can’t be derived from a hash, so the passwords are still safe. (In reality, this is an over-simplification. There are tools that use brute force to guess the password that matches a hash, but it’s very compute-intensive.)
Continue Learning About Cryptography
Encryption is a part of almost every communication on the internet. Encryption is required by the Payment Card Industry (PCI), which mandates the use of encryption when storing or transporting credit card information. Likewise, the Health Insurance Portability and Accountability Act (HIPAA) requires encryption to help ensure patient privacy.
All cybersecurity professionals will need to be comfortable with encryption and the associated standards. However, it takes good training to do that.
Here are some courses to get you started: