Though the term has become more commonplace in recent years, cryptography remains an often misunderstood field overseen by a relatively small group of specialists. These days, however, information—specifically data—is at the heart of all modern processes, and cryptographic mechanisms are the most effective means for protecting and safeguarding those digital assets.
However, cryptography is not a new science, and for centuries has been used to protect sensitive information, especially during periods of conflict. The need for strong information security has made cryptography mainstream—as a result, cryptographic technologies once considered a domain of the government/military can now be found in the pockets of almost every technology consumer.
The following is cryptography condensed down to 13 key concepts for better understanding this indispensable “art of writing and solving codes.” Volumes have been written on the topic; these are just a few high-level starting points for delving deeper.
1. Cryptography is math + security, combined to offer a set of 5 assurances.
Cryptography is the design/analysis of mechanisms that provide fundamental security services based on mathematical techniques. More formally, the field of “cryptology” is the scientific study of cryptography—the design of such mechanisms—and cryptanalysis, or the analysis of such mechanisms.
Cryptography provides a basic suite of security services:
Confidentiality, also referred to as secrecy, is the assurance that data cannot be viewed by an unauthorized user. It is the “classical” security service provided by cryptography, and the one historical applications have implemented most often, via encryption techniques.
Data integrity is the assurance that data has not been altered in an unauthorized manner, including accidentally. This assurance covers the period since the data was last created, transmitted, or stored by an authorized user. Data integrity is achieved via MACs and digital signatures, and sometimes via hash functions.
Data Origin Authentication
Data origin authentication is the assurance that a given entity was the original source of received data. This is also referred to as message authentication. These assurances are typically achieved via MAC and digital signatures.
Non-repudiation is the assurance that an entity cannot deny a previous commitment or action—that the original data source cannot deny a commitment/action to a third party. These mechanisms are desirable in situations where there is potential for a dispute over the exchange of data, and rely on digital signatures and sometimes MAC.
Entity authentication is the assurance that a given entity is involved and currently active in a communication session (also referred to as identification in certain contexts).
2. Four “crypto” concepts central to cryptography.
Cryptography hinges on four main elements, namely:
Cryptographic primitives are cryptographic processes that provide a number of specified security services. If cryptography is a toolkit, then cryptographic primitives are the basic generic tools in that kit for building more advanced mechanisms (e.g., block ciphers, stream ciphers, message authentication codes, hash functions, and digital signatures).
Cryptographic algorithms are the particular specifications for a cryptographic primitive, essentially a “recipe” of computational steps (e.g., “add these two values together”, “replace this value by an entry from this table”). For example, AES is a cryptographic algorithm that specifies a block cipher.
Cryptographic protocols are sequences of message exchanges and operations between one or more parties, at the end of which a series of security goals should have been achieved (e.g., STS, SSL/TLS). They typically employ a number of different cryptographic primitives at various stages.
Cryptosystems, or cryptographic schemes, are basic models that may include a sender and receiver, where the sender sends plaintext (i.e., easily readable by humans) converted into a ciphertext (i.e., unreadable or not easily readable by humans) via an encryption algorithm with an encryption key. The receiver then decrypts the ciphertext into plaintext via the decryption algorithm with a decryption key. Some examples include the Caesar cipher and public-key based cryptosystems, to name a few.
It’s worth noting that encryption does not prevent the interception of communications: ciphertext is easily obtainable by anyone. Additionally, encryption of the communication channel does not guarantee end-to-end confidentiality. Plaintext data on the sender’s and receiver’s computers should therefore be protected by additional security mechanisms.
3. Symmetric encryption algorithms or secret key encryption.
These use the same key (i.e., a shared secret) for both encryption and decryption. Two primary classes of symmetric encryption algorithm are stream ciphers and block ciphers.
Stream ciphers select one bit of plaintext, perform a series of operations (e.g., XOR) on it, and output one bit of ciphertext. Some examples include RC4, A5/1 and E0.
In contrast, block ciphers process plaintext in blocks or groups of bits at a time (e.g., DES, AES). The algorithm selects a block of plaintext bits, performs a series of operations (e.g., XOR) on them, and outputs a block of ciphertext bits. Block ciphers are considered to be more versatile when compared with other ciphers.
4. Asymmetric encryption algorithms or public key encryption.
Asymmetric encryption uses different keys for encryption and decryption, and allows two entities who do not share a symmetric key to employ cryptography to secure the data they exchange. Public key encryption methods are trapdoor functions: easy to compute one way, hard to compute in the other without other special pieces of information (i.e., the trapdoor).
5. Public Key Infrastructure (PKI) versus public key cryptography.
PKI is often misunderstood and, more commonly, mistakenly used to refer to public key cryptography itself, rather than the supporting key management system (e.g., key generation, establishment, storage, usage). A PKI consists of a key management system that supports public key certificates for verifying the ownership of one’s public key, based on the X.509 standard.
6. Hybrid encryption applications.
Many applications require public-key encryption but cannot support the data size requirements of plaintext. In these cases, hybrid encryption methods can be employed by using unique session keys along with symmetric encryption. Public key encryption is used to encrypt a random symmetric key; the recipient uses the public key encryption method to decrypt the symmetric key, and once it is recovered, the symmetric key is used to decrypt the message. Hybrid encryption methods such as Pretty Good Privacy (PGP) are considered highly effective, as long as the public and private keys are fully secure.
7. Hash functions.
Considered the most versatile cryptographic primitive, a hash function is a mathematical one-way process for converting a numerical input value of any length into a numerical output value of fixed length. Hashes are extremely useful due to properties such as being keyless and publicly computable. Passwords are commonly stored as hashes for strong security.
8. Message Authentication Code (MAC).
A MAC is a cryptographic checksum sent along with a message in order to provide an assurance of data origin authentication, allowing receivers to confirm that the message is authentic and has not been changed. A well-known, widely-deployed version that provides enhanced security services is Hash-based Message Authentication Code (HMAC).
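To make the difference between a keyless hash and a MAC concrete, the following added example (not from the original article) runs the same altered message past a SHA-256 check and an HMAC-SHA256 check. The messages are constructed samples and the function names are illustrative.

```python
import hashlib
import hmac
import secrets


def digest(message: bytes) -> bytes:
    """Keyless hash: publicly computable by anyone who holds the message."""
    return hashlib.sha256(message).digest()


def mac(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256 tag: computable only with the shared secret key."""
    return hmac.new(key, message, hashlib.sha256).digest()


def accept_with_hash(message: bytes, check: bytes) -> bool:
    return hmac.compare_digest(digest(message), check)


def accept_with_mac(key: bytes, message: bytes, tag: bytes) -> bool:
    # compare_digest is constant-time, so the check does not reveal how
    # many leading bytes of a submitted tag were correct.
    return hmac.compare_digest(mac(key, message), tag)


def run_scenario() -> dict:
    key = secrets.token_bytes(32)            # shared by sender and receiver only
    sent = b"pay 100 to account 42"          # constructed sample message
    altered = b"pay 900 to account 42"       # the same message changed in transit
    return {
        # Genuine traffic passes both checks.
        "hash_genuine": accept_with_hash(sent, digest(sent)),
        "mac_genuine": accept_with_mac(key, sent, mac(key, sent)),
        # A keyless digest can be recomputed over the altered message by
        # whoever altered it, so the receiver's check still passes.
        "hash_altered": accept_with_hash(altered, digest(altered)),
        # Without the key, the only options are the old tag or a tag made
        # under some other key; the receiver rejects both.
        "mac_altered_old_tag": accept_with_mac(key, altered, mac(key, sent)),
        "mac_altered_other_key": accept_with_mac(
            key, altered, mac(secrets.token_bytes(32), altered)),
    }


if __name__ == "__main__":
    for name, accepted in run_scenario().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```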
9. Digital signatures.
Created with data and a secret parameter known only by the signer, electronic signatures are generated using cryptographic primitives to provide non-repudiation—that is, so that an entity cannot deny a previous commitment or action. Various schemes exist (e.g., arbitrator-based, asymmetric) for generating MAC and hash-based digital signatures.
10. Randomness.
The element of randomness is critical to cryptography. Many cryptosystems fail because of problems with randomness in generating keys and salts, not due to problems with the underlying cryptographic primitives. Generally speaking, cryptographers abide by the mantra that “the more true randomness there is, the nicer the security will be.”
11. Perfect secrecy.
Perfect secrecy involves the notion that guessing the value of plaintext is the best attack an interceptor can deploy—a cryptosystem is said to have perfect secrecy if, after seeing the ciphertext, an interceptor acquires no extra information about the plaintext (other than what was known before the ciphertext was observed). A related concept is forward secrecy (FS)—that is, the compromise of long-term keys should not compromise past session keys.
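The definition of perfect secrecy can be checked exhaustively on a small case. The example below is added here and is not from the original article; it uses the one-time pad, a cipher the article does not name, over a reduced 4-bit alphabet (an assumption made to keep the enumeration small). It compares the ciphertext distribution for two plaintexts when every position gets its own uniformly random key symbol and when one key symbol is reused.

```python
from collections import Counter
from itertools import product


def otp(key: bytes, data: bytes) -> bytes:
    """One-time pad: XOR with a key as long as the message (encrypts and decrypts)."""
    if len(key) != len(data):
        raise ValueError("key must be exactly as long as the message")
    return bytes(k ^ d for k, d in zip(key, data))


def ciphertext_distribution(plaintext: bytes, keys) -> Counter:
    """How often each ciphertext occurs when the key is drawn uniformly from keys."""
    return Counter(otp(k, plaintext) for k in keys)


# Key spaces for 2-symbol messages whose symbols are 4-bit values (0..15).
FULL_KEYS = [bytes(k) for k in product(range(16), repeat=2)]  # independent symbol per position
REUSED_KEYS = [bytes([k, k]) for k in range(16)]              # one symbol used twice


def leaks(p1: bytes, p2: bytes, keys) -> bool:
    """True if the ciphertext distribution differs between p1 and p2,
    i.e. seeing the ciphertext tells an observer something about the plaintext."""
    return ciphertext_distribution(p1, keys) != ciphertext_distribution(p2, keys)


def explaining_key(ciphertext: bytes, candidate: bytes) -> bytes:
    """For a one-time pad, every same-length candidate plaintext has a key
    under which the observed ciphertext decrypts to it."""
    return otp(ciphertext, candidate)


if __name__ == "__main__":
    a, b = bytes([3, 3]), bytes([3, 9])      # constructed sample plaintexts
    print("independent key symbols leak:", leaks(a, b, FULL_KEYS))
    print("reused key symbol leaks:     ", leaks(a, b, REUSED_KEYS))
```

With independent key symbols every ciphertext is equally likely whatever the plaintext; with a reused symbol the ciphertext reveals whether the two plaintext symbols are equal.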
12. Steganography.
Steganography is the hiding of secret messages within ordinary messages, and their extraction at the destination. The mechanism works by replacing bits of useless/unused data in regular computer files (e.g., graphics, sound, text, HTML, floppy disks) with bits of different, invisible information: plain text, cipher text, or even images.
13. Secure Sockets Layer (SSL) is the main type of cryptography on the internet.
SSL is a cryptographic protocol for establishing a secure network channel, and is the most widely used on the internet, from web browsing to VoIP and banking transactions. By using SSL, communications between servers and web browsers/clients are secured end to end.
In short, cryptography provides a toolkit of mathematical techniques for implementing core security services required to protect information. Much more than encryption, cryptographic methods are used under-the-hood to ensure data integrity and trust across insecure digital landscapes.
- Everyday Cryptography (Fundamental Principles and Applications) by KEITH M. MARTIN (Professor of Information Security – Royal Holloway, University of London)