This overview’s target audience is those without a math or computer science background. It should leave you with a basic understanding of some of the basics of what cryptography is all about. This is barely scratching the surface of the topics mentioned. There are some links at the bottom of the page for those wishing to learn more.
Cryptography is essential to the functioning of the modern world. It protects your credentials when you login to websites such as your bank, email, and social media. It protects your credit card information when making online purchases. It can be used to prevent eves droppers from snooping in on any kind of wireless device from anywhere within range. It can be used by wireless security systems to prevent criminals from tampering with them from outside of the facility they protect. When your employer pays you with direct deposit, they are most likely using cryptography to protect the transfer to the bank. Cryptography is used by computer software developers to protect users from malware. The list could go on and on, but the point has been sufficiently beaten in by now.
Before going any further, there is a glossary at the bottom of the page defining the cryptography jargon used in this intro.
A cipher is nothing more than a function used to scramble or unscramble a message. The process of scrambling the message up is called encryption, while the process of unscrambling the message is called decryption. Functions are simply a list of information needed and instructions on what to do with this information. Think of a function the same way you would a recipe. With a recipe, you have a list of ingredients and a list of instructions on what to do with those ingredients to get your finished product. Ciphers typically have two ingredients, the message to be scrambled, and a key. Cryptography has terms for the scrambled and unscrambled messages. The unscrambled message is called plaintext, while the unintelligible scrambled message is called ciphertext. A very simple example of a cipher is the Caesar cipher, or rotation cipher. The Caesar cipher uses its key, which is nothing more than a number, to replace the letters that make up a message with different letters. It takes each letter of the message, and replaces it with the letter of the alphabet that is whatever number the key is behind it. If the beginning of the alphabet is reached, you simply count back until you reach A, then start counting back from Z. For example, if the key is one, A becomes Z, B becomes A and so on. To decrypt the text, simply reverse the process. Using a key of one, Z becomes A, A becomes B, and so on. Experiment with the Caesar cipher tool below to get a better grasp on the encryption and decryption processes.
The Caesar cipher is an example of a symmetric cipher. A symmetric cipher uses the same key to encrypt and decrypt a message. As you can probably imagine, it would be very easy for someone to decrypt a Caesar cipher by just guessing all the keys. For this reason, Caesar ciphers are only used to demonstrate the concepts of symmetric ciphers. Symmetric ciphers that are actually in use are much more complex, with much larger keys. The keys are so large, that it would take the worlds fastest super computer over a million years to try every possible key. A big problem with symmetric ciphers is key distribution. For example, if I wanted to make a purchase from an online retailer that is on the other side of the continent, there is no practical way for them to send me a symmetric cipher key or vice versa. Where symmetric ciphers really shine is speed. They are usually used in situations where speed matters, such as encrypting large amounts of information and sending things across the internet.
An asymmetric ciphers uses two keys. They are also frequently called public-key cryptography. One key is used to encrypt the message, the other to decrypt the message. It doesn’t matter which key is used for encryption, but the message can only be decrypted by the other key. In practice one key is kept secret, while the other is freely given away. The key that is kept secret is called the private key, while the key that is released to the public is called the public key. Asymmetric ciphers aren’t typically used to encrypt large messages because they are a lot slower than symmetric ciphers. They are typically used for signing and distributing symmetric cipher keys. In the case of symmetric key distribution, any party that is receiving the key has a public and private key pair. The sender simply encrypts the symmetric cipher key with the receiver’s public key. Although asymmetric ciphers are relatively simple compared to symmetric ciphers, there isn’t an example I can find or come up simple enough for the target audience.
Before we get into signing, we need to cover hash functions first. A hash function takes a message and produces a fixed size result that can’t be used to derive the original message. The fixed size result is called a hash. Hash functions are typically used as part of cryptographic signing, converting passwords to keys, and for storing things that never need to be decrypted, such as passwords. For example, let’s say Eve types her password to login to her bank’s website. The bank probably uses her password as input to a hash function; and then compares it to the hash they have for her in their login system. This prevents someone malicious that somehow gets access to where these hashes are stored from obtaining everyone’s passwords. A simple example of a hash function is to use the first and last characters of a message as the hash. The hash of the message “this is for a hash function example” would be “te”. The obvious problem with the example is that anything that begins with t and ends with e would result in the same hash. That is called a collision. The example also gives some information away about the message. We can determine from the resulting hash what the first and last character of the message are. Hash functions used for cryptographic purposes are designed to be resistant to collisions and not leak any information about what the resulting hash is from. Making the tiniest change to the input of a cryptographic hash function will result in a hash that is very different. Another problem with our example is the size of the hash produced. Collisions are very likely. Hashes used in the real world are large enough where a collision is extremely unlikely. In fact, it is so unlikely that someone has a better chance of winning a lottery jackpot two drawings in a row than finding a hash collision. The provided hash tool uses the common SHA-256 hash function.
Hashes have limitations. Hashes cannot guarantee a message was produced by any particular source. Unless the source of the hash is trusted, they can’t guarantee a message hasn’t been tampered with either. This is where signatures come in. Signatures are the result of applying a hash function to a message, and then encrypting the hash with an asymmetric cipher using the private key. Signatures do two things: they ensure a message hasn’t been tampered with; and they guarantee the source of the message. As long as you can be reasonably sure the private key used to sign the message hasn’t been compromised, it is generally safe to trust signatures. They are as safe as the cipher used to sign it. Some common things that make use of cryptographic signing are public keys and email. The SSL/TLS encryption system used to securely send things across the internet makes heave use of signing. Organizations such as the U.S. military use signed emails to ensure a malicious party isn’t impersonating its members and sending fake messages.
How Cryptography is Defeated
Now the fun part. Breaking cryptography. There are three ways a cryptographic system can be broken. The most obvious is just trying all possible keys until you get the correct one. This is called brute force. With modern ciphers, the number of possible keys is way too large even for the world’s fastest supercomputers to do this in any reasonable amount of time. The smallest symmetric cipher key in widespread use is 128 binary digits long, which is approximately 340,000,000,000,000,000,000,000,000,000,000,000,000 possible keys. Good luck. Asymmetric cipher keys are even larger. The second way cryptography is broken is called cryptanalysis. Cryptanalysis is reading or modifying messages due to weaknesses in the cipher used. An example would be a way to compute an asymmetric private key from the public key. This has a reasonable chance of success in some cases. The encryption used on DVD movies to prevent copyright infringement was rendered useless shortly after it was released due to being susceptible to cryptanalysis. It takes mere seconds using nothing more than cheap consumer PCs. There are several ciphers with no known feasible cryptanalysis in common use today. The third and most common way to defeat cryptography is a side-channel attack. A side-channel attack is exploiting a cipher that is being used incorrectly. For example, lets say Alice sends encrypted postcards to her friend Bob. She decides to use a Caesar cipher. She uses a stamp with a number on it, the number being the key. A nosy postal worker doesn’t need to know the key. They just need to look at the stamp.
If you want to learn more about cryptography, check out these topics:
- Block Ciphers
- Stream Ciphers
- One Time Pads
- Elliptic Curve Cryptography
- Alan Turing
- Block Cipher Modes of Operation
- Random Number Generators
- Asymmetric ciphers use different keys to encrypt and decrypt messages.
- A cipher is a method of encrypting messages, also known as an encryption algorithm.
- Ciphertext is a message that has been encrypted.
- A collision is when a hash function produces the same hash from different input messages.
- Cryptanalysis is obtaining information about a message by exploiting weaknesses in the cipher.
- Encryption is scrambling up a message to prevent it from being read or tampered with by a malicious party.
- Functions are a list of instructions to perform on a message.
- A hash is the fixed sized result of a hash function.
- Hash functions produce the same sized result regardless of the size of the input message.
- A key is a secret a cipher uses to encode messages.
- Plaintext is a message that has been decrypted or has not yet been encrypted
- Side-channel attacks are obtaining information about a message by exploiting incorrectly used cryptography.
- Signing is using asymmetric encryption to verify the source of a message and ensuring it hasn’t been tampered with.
- A symmetric cipher is a cipher that uses the same key to encrypt and decrypt messages.