
InfoSec Basics - What is Cryptography?



Cryptography makes the world go ‘round.

With apologies to Broadway (https://en.wikipedia.org/wiki/Love_Makes_the_World_Go_%27Round_%281961_song%29), cryptography is such an important part of our online lives that it’s hard to remember a time where it wasn’t – in spite of the fact that it’s so new. It’s very easy to forget that the World Wide Web (https://en.wikipedia.org/wiki/World_Wide_Web) is only thirty years old. (Oh, dear. I just realized how old that makes me... sigh.)

In the early days of the internet (https://en.wikipedia.org/wiki/History_of_the_Internet), the focus was primarily on how to increase computing power, first through time-sharing for large computers, and later through connecting those computers into a network. In the 1960s, ARPANET (https://en.wikipedia.org/wiki/ARPANET) became one of the earliest networks on the path leading to the modern internet, and one of its innovations was the fact that it used “packet-switching”.

Packet-switching (https://en.wikipedia.org/wiki/Packet_switching) is a process by which data is broken into “packets”, which consist of a “header” and a “payload”. The header contains details about where and how to send the packet, while the payload contains the actual data being transmitted.

The main benefit of this approach is that the network is entirely focused on transmitting packets from source to target in whatever way is most efficient, while the end-points are entirely focused on the contents without being concerned about how they were transmitted. If a given network path is unavailable, the network will simply use a different path.



This provides an enormous amount of fault-tolerance and flexibility, but security was not a major consideration in these early days. So, anyone with access to the communications channel could see all of the traffic and know where and how it was being transmitted. At one time, this was not thought of as a major issue, since there were relatively few computers in use, most of those were considered to be “secure”, and most were connected through a small number of physical connections.

What has changed? Why do we care now?

First, any traffic you send on an insecure channel (for example HTTP) is visible to anyone who can access any of the traffic between you and the site to which you are connecting. So, your passwords, banking details, and so on, would be freely visible on any HTTP connection, which is why HTTPS is now the de facto standard across the web.

Well, ok, but all I do is watch cat videos. Why should I care about that?

Aside from people being able to see WHICH cat videos you watch, a major problem with HTTP is that you can’t actually be sure where you are connecting, since there is no authentication built into the protocol. So, while you may THINK you are connecting to your cat-video site, an attacker can get between you and your website and add or remove anything they want – and you will have no way of knowing.

So, Malice can intercept traffic between Alice and Bob’s Cat Videos, and Alice has no way of knowing that Malice’s cat video site looks identical to Bob’s, except the videos are lower quality AND include malware in them. This can be a major problem, and is generally referred to as a “Man-in-the-middle” attack (https://en.wikipedia.org/wiki/Man-in-the-middle_attack), though I prefer the term “Malice-in-the-middle”.



So, HTTPS is the answer. Good. But, what is it and how does it work?

THIS is where the cryptography comes in.

Simon Singh’s excellent work “The Code Book” (https://en.wikipedia.org/wiki/The_Code_Book) describes the history and background of cryptography in great detail, from the ancient world to quantum cryptography. I highly recommend it for anyone interested in cryptography.

For our current discussion, we can simplify things and break cryptography down into “private-key” (aka “symmetric” https://en.wikipedia.org/wiki/Symmetric-key_algorithm) and “public-key” (aka “asymmetric” https://en.wikipedia.org/wiki/Public-key_cryptography) cryptography. A “cipher” (https://en.wikipedia.org/wiki/Cipher) is then an algorithm for encrypting or decrypting a message, where a key is required for each action. Cryptography is covered in vastly more detail by a great many others, so I will only hit some high points here.

Symmetric Cryptography

Alice uses a key “K” to encrypt a message “PLAINTEXT” into “CIPHERTEXT”, and Bob then uses the same key “K” to decrypt the message “CIPHERTEXT” back into “PLAINTEXT”. An observer (let’s say “Eve”) must have the key “K” in order to eavesdrop on the communication.

Simple enough, in principle. The complexity lies in the algorithms used, the size of the key, and how the keys are transmitted. The transmission is really the hardest part, as you theoretically need as many keys as you have connections. Think about this – the number of keys would expand exponentially and would be totally unmanageable without a secure way of sharing keys, so it’s essential to have a way to communicate the keys securely before communication can commence.

That said, symmetric cryptography is generally very fast and efficient in comparison with asymmetric cryptography.

Asymmetric Encryption

This is a much newer development, dating from the 1970s, and is based on a number of different mathematical tools. One example is RSA (https://en.wikipedia.org/wiki/RSA_(cryptosystem)), named after Ron Rivest, Adi Shamir, and Leonard Adleman, who publicized the approach in 1977. Interestingly, a British signals intelligence officer named Clifford Cocks developed an equivalent system several years earlier, in 1973, but this system was classified until 1997.

The RSA algorithm is based on modular exponentiation, and the difficulty of factoring the product of two large prime numbers. In practice, though, the computers handle all of the math and RSA allows for the use of two keys – each key allows the encryption of a message which only the other key can decrypt, and vice versa.

Asymmetric cryptography allows the sharing of information in such a way that it is safe from an outside party, WITHOUT needing to share keys ahead of time.

So, Alice creates a public key and a private key, then publishes the public key. Bob does the same. So, assuming Eve is monitoring their communication, Eve will have Alice’s public key and Bob’s public key.

Bob encrypts a message using Alice’s public key, and sends it. Eve already has Alice’s public key, but does NOT have Alice’s private key, so is unable to decrypt the message. Alice’s private key is then used to decrypt the message.


Asymmetric encryption tends to be relatively slow, but can be used to communicate securely with unknown parties. As a result, it is often used to define a shared key to be used for symmetric encryption which, as noted above, tends to be much faster.
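To make the Alice, Bob and Eve exchange concrete, here is an added example (not code from the original post) that uses textbook RSA to wrap a one-time session key and a symmetric cipher for the message itself. The function names are hypothetical, the primes are constructed toy values, and the SHA-256 XOR keystream is a stand-in for a real symmetric cipher such as AES.

```python
import hashlib
import secrets

def make_keypair(p, q, e=65537):
    """Build (public, private) keys, each an (exponent, modulus) pair."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # private exponent: inverse of e modulo phi
    return (e, n), (d, n)

def rsa_apply(key, value):
    """Textbook RSA: one modular exponentiation with whichever key is given."""
    exponent, modulus = key
    if not 0 <= value < modulus:
        raise ValueError("value must be smaller than the modulus")
    return pow(value, exponent, modulus)

def keystream_xor(key, data):
    """Toy symmetric cipher (stand-in for AES): XOR with a SHA-256 keystream.
    The same call encrypts and decrypts because both sides hold the same key."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def bob_sends(alice_public, plaintext):
    """Bob picks a fresh session key, wraps it with Alice's public key,
    and encrypts the bulk message with the fast symmetric cipher."""
    session = secrets.randbelow(alice_public[1] - 2) + 2
    wrapped = rsa_apply(alice_public, session)
    return wrapped, keystream_xor(session.to_bytes(16, "big"), plaintext)

def alice_receives(alice_private, wrapped, ciphertext):
    """Alice unwraps the session key with her private key, then decrypts."""
    session = rsa_apply(alice_private, wrapped)
    return keystream_xor(session.to_bytes(16, "big"), ciphertext)

# Constructed toy primes (2^61 - 1 and 2^31 - 1); real RSA uses far larger
# primes plus padding, so these keys are for illustration only.
ALICE_PUBLIC, ALICE_PRIVATE = make_keypair(2**61 - 1, 2**31 - 1)

if __name__ == "__main__":
    wrapped, ciphertext = bob_sends(ALICE_PUBLIC, b"PLAINTEXT")
    print(alice_receives(ALICE_PRIVATE, wrapped, ciphertext))
```

Eve sees `wrapped`, `ciphertext` and Alice's public key, but applying the public key to `wrapped` does not recover the session key, so the message stays unreadable to her.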

The flexibility provided by the availability of both symmetric and asymmetric cryptography is essential for the modern internet – without secure communications, we would not be able to use the web for financial transactions or any other transmission of private information. Think of what the COVID-19 pandemic would look like without the Internet...

It seems like such a little thing, but that “https” or the lock icon is a vitally important part of our day to day life, including how we secure almost everything we do. It’s so important that the browser developers are shifting their approach from using positive indicators (like “https” or the lock icon) to using negative indicators when a site is NOT “https”. Troy Hunt (https://www.troyhunt.com/the-decreasing-usefulness-of-positive-visual-security-indicators-and-the-importance-of-negative-ones/) has a very good write-up on this topic, but one point in particular is that we are NOT talking about whether a given site is “safe” – only that your connection to it is secure from eavesdroppers. It’s like a phone – the line may be secure, but that doesn’t make you safe if you’re talking to a criminal.

Still, it’s nice to at least know that the connection is safe.

Cheers!
