You may be vaguely aware that cryptography has something to do with secret messages. Perhaps you remember reading about the code-breaking Enigma machine. What you might not realise is just how important cryptography is to our everyday lives. In our beginner’s guide to cryptography we look at why cryptography is necessary and how best to engage with it.
What is cryptography?
The field of cryptography can be summed up by the question:
- How can we keep our information and communications secure from attackers?
A large part of cryptography involves finding ways to keep messages secret from adversaries that may be eavesdropping on us. This is partly achieved through encryption, which involves encoding information with algorithms so that attackers are unable to read it.
However, encryption alone cannot keep our information and communications secure from attackers. Consider the following scenario:
You have a top-secret message you need to send to your friend. You spend months reading up on encryption algorithms and all of the state-of-the-art practices so that you can build your own encrypted channel between you and your friend. You’ve checked and double-checked it, and everything is perfect, so you send your friend the top-secret message. Unfortunately, it’s not actually your friend on the other end. Instead, an attacker received your top-secret message, and all of your plans are ruined.
Would you consider the above situation secure? Of course not. Despite using all of the correct encryption protocols, your data ended up right in the hands of an adversary. Sure, your encryption did a good job of keeping other parties out of the channel, but it forgot something incredibly important—to authenticate that the party on the other side of the channel is really who they say they are.
Authentication plays a major role in keeping our communications secure. It doesn’t matter how good your encryption is at keeping third-parties from eavesdropping if you don’t authenticate your communications partner properly.
Without authentication, you could be sending data straight to an enemy, just like in our example. In cryptography, authentication is accomplished through certificate systems and mechanisms like digital signatures and public-key encryption.
Other critical aspects of security can include integrity and non-repudiation. Integrity processes allow recipients to verify whether information has been tampered with since it was sent, while non-repudiation removes the sender’s ability to deny that they were responsible for sending something.
The mathematical concepts, protocols and other mechanisms that can grant us confidentiality, authenticity, integrity and non-repudiation are all aspects of cryptography. Some of the most common elements of cryptography include:
Hashing
Hashing is changing a message into an unreadable string not for the purpose of hiding the message, but more for verifying the contents of the message. It’s most commonly used in the transmission of software or large files where the publisher offers the program and its hash for download. A user downloads the software, runs the downloaded file through the same hashing algorithm and compares the resulting hash to the one provided by the publisher. If they match then the download is complete and uncorrupted.
In essence, it proves that the file received by the user is an exact copy of the file provided by the publisher. Even the smallest change to the downloaded file, by either corruption or intentional intervention, will change the resulting hash drastically. Two common hashing algorithms are MD5 and SHA-2.
Symmetric cryptography
Symmetric cryptography uses a single encryption key to encrypt a message and also to then decrypt it after it has been delivered. The difficult part here is finding a secure way of delivering your crypto key to the recipient for decrypting your message to them (see the description of asymmetric encryption below).
Symmetric cryptography is used for things like encrypting a hard drive, where the user creates a single key and a password. The same key and password combination are then used to decrypt data on the hard drive when needed.
Asymmetric cryptography
Asymmetric cryptography uses two separate keys. The public key is used to encrypt messages and a private key is used to then decrypt them. The magic part is that the public key cannot be used to decrypt an encrypted message. Only the private key can be used for that. Neat, huh?
This is most commonly used in transmitting information via email using SSL, TLS or PGP, remotely connecting to a server using RSA or SSH and even for digitally signing PDF file. Whenever you see an URL that starts with “https://”, you are looking at an example of asymmetric cryptography in action.
An extreme example of how all three can be used goes something like this: your company’s accounting officer needs to get budget approval from the CEO. She uses her symmetric private key to encrypt the message to the CEO.
She then runs a hash on the encrypted message and includes the hash result in the second layer of the overall message along with the symmetric key. She then encrypts the second layer (made up of the encrypted message, the hash result and the symmetric key) using the CEO’s asymmetric public key.
Next, she sends the message to the CEO. Upon receipt, the CEO’s asymmetric private key is used to decrypt the outer most layer of the message. He then runs the encrypted message through the same hashing process to get a hash result.
That result is compared to the now decrypted hash result in the message. If they match, showing that the message has not been altered, then the symmetric key can be used to decrypt the original message.
This all happens behind the scenes, where it is carried out by the email programs and the email server. Neither party would actually see any of this sort of thing happening on their computer screen.
There is a lot of math involved in converting a message, like an email, into an encrypted signal that can be sent over the internet. To fully understand cryptography requires quite a bit of research.
Below are some of the most often referenced websites, books and papers on the subject of cryptography. Some of these resources have been in active use for close to 20 years and they are still relevant.
Cryptography Courses
If you are new to cryptography, one of the best ways you can learn is by taking Dan Boneh’s free Cryptography I class on Coursera. Dan Boneh is a professor at the Computer Science Department of Stanford University. His research specializes in the applications of cryptography to computer security.
Cryptography I delves into the different forms of cryptography and how they can be used in the real world. It shows you how cryptography can solve various problems, such as how two parties can establish a secure communication channel, even if they are being monitored by attackers.
The course covers numerous protocols, as well as more advanced concepts like zero-knowledge proofs. It’s a great introduction to the basics of cryptography for those with limited prior knowledge.
Another good resource is David Wong’s videos, which often explain more technical concepts in detail. While his work can be a useful resource, it is not comprehensive or the best place to get a grounding in classical cryptography.
Newsgroups
Newsgroups are community-generated feeds hosted on Usenet. To view them, you’ll need a newsreader app. Read more about how to get set up with Usenet here and see our roundup of the best Usenet providers here.
- sci.crypt – Possibly the first newsgroup dedicated to cryptography. Please take with a grain of salt as anything that has been around as long as sci.crypt has been is bound to attract nuts, hoaxes and trolls.
- sci.crypt.research – This newsgroup is moderated and not as prone to hoaxes as some others
- sci.crypt.random-numbers – This newsgroup was created to discuss the generation of cryptographically secure random numbers
- talk.politics.crypto – This newsgroup was created to get all the political discussions off of sci.crypt
- alt.security.pgp – And this newsgroup was created to discuss PGP way back in 1992
And a bonus Google group:
- Google Groups sci.crypt – A Google group trying to emulate the original sci.crypt newsgroup
Websites and organizations
- A good explanation of how RSA works
- PGP – A site dedicated to Pretty Good Privacy
- Cryptography World has their “Cryptography made easier” site available
- International Association of Cryptologic Research
- The CrypTool Portal
People of Note
- Bruce Schneier – schneierblog on Twitter
- John Gilmore
- Matt Blaze
- David Chaum
- Ronald L. Rivest
- Arnold G. Reinhold
- Marcus Ranum
FAQs about cryptography
How does cryptography work?
Cryptography is a method of secret communication that uses ciphers and decryption to encode and decode information. It is used to encrypt and decrypt data using mathematical equations. It’s employed in various applications, including email, file sharing, and secure communications.
What are the benefits of cryptography?
Cryptography has several advantages, including data security and authentication. Data security is one of the key advantages of cryptography. It secures information against unlawful access while also allowing only authorized users to access it. Authentication is another advantage of cryptography. For example, it may be used to verify a sender’s or receiver’s identity. A final benefit of using its algorithms is non-repudiation. This implies that a message’s transmitter cannot deny sending it, and its recipient cannot deny receiving it.
What are the challenges of cryptography?
Cryptography can be vulnerable to attacks, its algorithms can be broken, and keys can be stolen. Cryptography is also computationally intensive, making it difficult to use in some applications. Additionally, it can be subject to government regulations.
Books
- Applied Cryptography: Protocols,Algorithms and Source Code in C – Bruce Schneier, 20th Anniversary Edition
- Handbook of Applied Cryptography: free chapters are available
- Building in Big Brother: The Cryptographic Policy Debate is available through several university libraries
- Cryptography Engineering: Design Principles and Practical Applications – Niels Ferguson, Bruce Scheier, Tadayoshi Kohno
- Practical Cryptography – Niels Ferguson, Bruce Schneier
- Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World – Bruce Schneier
Papers
- Chaffing and Winnowing: Confidentiality without Encryption by Ron Rivest – CryptoBytes (RSA Laboratories), volume 4, number 1 (summer 1998), 12–17. (1998)
- How Computers Generate Random Numbers by David W. Deley
- The Crypto Anarchist Manifesto by Tim C. May
- Diceware for Passphrase Generation and Other Cryptographic Applications by Arnold G. Reinhold
- The Dining Cryptographers Problem: Unconditional Sender and Recipient Untraceability by David Chaum, J. Cryptology (1988)
- The Magic Words are Squeamish Ossifrage by D. Atkins, M. Graff, A. Lenstra, and P. Leyland
- The Mathematical Guts of RSA Encryption by Francis Litterio
- One-Time Pad FAQ by Marcus Ranum
- P=?NP Doesn’t Affect Cryptography by Arnold G. Reinhold
- Survey on PGP Passphrase Usage by Arnold G. Reinhold
- Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms by David Chaum, Communications of the ACM
- Why Are One-Time Pads Perfectly Secure? by Fran Litterio
- Why Cryptography is Harder Than It Looks by Bruce Schneier