Cryptography and Your Security

by Erik Bruanitzer, http://www.cxtec.com/

Billions of people worldwide send trillions of messages through the World Wide Web each day. A large percentage of those people are, on any given day, conducting sensitive transactions such as online banking, shopping, and bill payment. And they need those transactions to be secure. You are probably one of those people.

On any given day, businesses are sending and receiving enormous volumes of sensitive information, such as financial data, trade secrets, customer data, and marketing plans. A loss of this information to the wrong party can destroy a business. You probably work for one of those businesses.

Protecting personal and business information online is where cryptography (from Latin, meaning "science of hidden writing") comes in. Cryptography makes it possible for a Website to provide password protection, credit card encryption, secure log-ins, and other security measures we rely on. It allows businesses to safely send, receive, process, and store proprietary information.

When used with other security techniques, cryptography is a pillar of a sound security structure. We'll look at why that is, shortly. First, a brief history of cryptography....

A brief history of cryptography

Some scholars believe that cryptography emerged not long after writing was invented. Archeologists have found samples of original cryptographic writing from as far back as 1900 B.C., when a scribe in Egypt used abnormal hieroglyphs in a document. Early uses included the protection of diplomatic memoranda and military plans.

See? We told you it was brief.

And it helps us see that cryptography has, for a long time, protected vital information by preventing "the bad guys" from understanding it. Cryptography  played an important role thousands of years ago for a reason that is still true today: preventing interception isn't always possible. Someone is, sooner or later, going to get your information. The solution is to make the information unreadable to any unauthorized person. The "bad guys" might get their grubby little hands on an encrypted message, but they'd have no idea what it said.

You may be thinking, "That's exactly what we need for Internet-based communications." If so, you are quite right. And modern security experts agree with you.

Cryptography today

Remember, we said preventing interception isn't always possible. Actually, it's a given. The media for transmitting information are not, in themselves, secure. Cryptography is an essential part of protecting information. Many industries, such as banking, manufacturing, retail, and telecommunications, rely on cryptography. So do government sectors such as law enforcement and the military.

Four distinct security elements help protect information:

1. Authentication. Verifying an individual’s identity (is that really you?). Verification by name or address is the primary basis of host-to-host authentication on the present-day Internet. Unfortunately, it has proven to be weak.

2. Privacy/confidentiality. Certifying that no one can view the message except the designated recipient.

3. Integrity. Ensuring the recipient that no one has tampered with the message enroute to its destination.

4. Non-repudiation. Guaranteeing the sender officially sent the message (that is, it's not a spoof sent by an imposter).

Three goals, three methods

The three main goals of any good cryptographic scheme are to:

1. Safeguard information from theft.

2. Safeguard information from unauthorized modifications.

3. Authenticates network users.

 The three variations of cryptographic systems typically used to achieve these objectives are:

1. Secret key (symmetric) cryptography. This involves one key for both encryption and decryption. A sender uses the key, or set of instructions, to mask the plaintext. This creates "ciphertext," which then goes to a recipient. The recipient uses the identical key to decrypt the message and unveil the plaintext. Since the same key is applied to each side, secret key cryptography is also referred to as symmetric encryption.
   
   With this system, the sender and recipient must have the key. That creates the tricky problem of safely distributing (and, usually, storing) the key. The solution to this is....
    

2. Public key (asymmetric) cryptography. This involves two keys, one for encryption and one for decryption. This system is much more secure than the secret key system, which means the two parties can communicate securely over an insecure line without being forced to use a joint key. Introduced to the public in 1976, it's generally recognized as the greatest accomplishment in cryptography since the 17th century.
   
   One-way functions serve as the basis for the public key. These are mathematical functions that can be solved easily. However, their inverse functions are very hard to solve. Take the following example:
   
   Exponentiation vs. logarithms. Calculating 2 to the 5th power is a common math problem that most people can solve: 2 raised to the 5th power = 32. But, if you consider the number 32 and attempt to compute the two integers that make up the rest of the equation, you must insert variables “x” and “y” into logx 32=y. It will undoubtedly take longer to figure out the values of x and y in the logarithm than it would to solve the exponential problem. It's much easier to process 2x2x2x2x2 than to evaluate a logarithm.
    

3. Hash functions. These don't use a key at all. Also known as "message digests" or "one-way encryption," hash functions are algorithms. The encrypter calculates a permanent hash value, based on the plaintext. This restricts access to the contents or length of the plaintext.
   
   Hash functions are capable of displaying a “digital fingerprint” of the contents of a file, to verify whether it has been tampered with by an outsider or infiltrated by a Trojan, virus, worm, or other invader. In essence, the digital fingerprint gauges a file’s authenticity. Various operating systems utilize hash algorithms to encrypt passwords.

      In each instance, the data originate as plaintext. The plaintext is then is then encrypted to ciphertext. The ciphertext is almost always decrypted into functional plaintext, which usually reappears in its original form.

Name trivia

People who work in the field of cryptography have names for specific parties in an encrypted communication situation. The two parties in communication with one another are referred to as Alice and Bob. In where there is a third or a fourth party included in the dialog, they are known as Carol and Dave, respectively.

Outside factors must also be accounted for. So, a malicious party is called Mallory, an eavesdropper is Eve, and Trent is the name for a loyal third party.

Famous secrets

Cryptography is especially intriguing, due to all the secrecy involved. This lends the entire discipline a certain mystique. Ironically, the mystique isn't what makes a cryptographic algorithm successful. In fact, the most successful algorithms are well-known. The most successful ones are successful not because of secrecy, but because experts have devoted extensive resources to enhancing them. If a cryptographic scheme has been in use for any length of time, that's probably because it has a high success rate.

Erik Braunitzer is a Web Development Manager working with CXtec, http://www.cxtec.com/. Formerly a small time Web programmer, Erik now manages a team of highly skilled content developers with masters in communications and writing. CXtec has been helping companies meet their networking goals since 1978, without blowing their budgets. CXtec provides sales and service for network gear, Voice over IP, network cables, network accessories, and legacy hardware.

Some cryptography resources:

• Books on cryptography.
• DVDs on cryptography.