If you’re vaguely aware of cryptography, you may know that it has something to do with secret messages. While this is true, the field of cryptography has a wider focus, which can be summed up by the question:
- How can we keep our information and communications secure from attackers?
A big part of cryptography involves finding ways to keep our messages secret from adversaries that may be eavesdropping on us. This means finding mechanisms that can grant us confidentiality. Much of this is accomplished through encryption, which encodes information with algorithms so that attackers are unable to read it.
But cryptography is about more than just encryption for keeping our data confidential. If we return to our initial question, we want to keep our information and communications secure from attackers. This can’t be accomplished by encryption alone. Consider the following scenario:
You have a top-secret message you need to send to your friend. You spend months reading up on encryption and all of the state-of-the-art practices so that you can build your own encrypted channel between you and your friend. You’ve checked and double-checked it, and everything is perfect, so you send your friend the top-secret message. Unfortunately, it’s not actually your friend on the other end. Instead, an attacker received your top-secret message, and all of your plans are ruined.
Would you consider the above situation secure? Of course not. Despite using all of the correct encryption protocols, your data ended up right in the hands of an adversary. Sure, your encryption did a good job of keeping other parties out of the channel, but it forgot something incredibly important—to authenticate that the party on the other side of the channel is really who they say they are.
Authentication plays a major role in keeping our communications secure. It doesn’t matter how good your encryption is at keeping third parties from eavesdropping if you don’t authenticate your communications partner properly. Without authentication, you could be sending data straight to an enemy, just like in our example. In cryptography, authentication is accomplished through certificate systems and mechanisms like digital signatures and public-key encryption.
Other critical aspects of security can include integrity and non-repudiation. Integrity processes allow recipients to verify whether information has been tampered with since it was sent, while non-repudiation removes the sender’s ability to deny that they were responsible for sending something.
The mathematical concepts, protocols and other mechanisms that can grant us confidentiality, authenticity, integrity and non-repudiation are all aspects of cryptography. Some of the most common elements of cryptography include:
Hashing turns a message into an unreadable string, not to hide the message but to verify its contents. This is most commonly used in the transmission of software or large files, where the publisher offers the program and its hash for download. A user downloads the software, runs the downloaded file through the same hashing algorithm and compares the resulting hash to the one provided by the publisher. If they match, the download is complete and uncorrupted.
In essence, it proves that the file received by the user is an exact copy of the file provided by the publisher. Even the smallest change to the downloaded file, by either corruption or intentional intervention, will change the resulting hash drastically. Two common hashing algorithms are MD5 and SHA.
Symmetric cryptography uses a single key to encrypt a message and then to decrypt it after it has been delivered. The trick here is to find a secure way of delivering your crypto key to the recipient so they can decrypt your message. Of course, if you already have a secure way to deliver the key, why not use it for the message as well? Because encryption and decryption with a symmetric key are quicker than with asymmetric key pairs.
Symmetric cryptography is more commonly used to encrypt hard drives, with a single key and a password created by the user. The same key and password combination is then used to decrypt data on the hard drive when needed.
Asymmetric cryptography uses two separate keys. The public key is used to encrypt messages and a private key is used to then decrypt them. The magic part is that the public key cannot be used to decrypt an encrypted message. Only the private key can be used for that. Neat, huh?
This is most commonly used in transmitting information via email using SSL, TLS or PGP, remotely connecting to a server using RSA or SSH, and even for digitally signing PDF files. Whenever you see a URL that starts with “https://”, you are looking at an example of asymmetric cryptography in action.
An extreme example of how all three can be used goes something like this: your company’s accounting officer needs to get budget approval from the CEO. She uses her symmetric key to encrypt the message to the CEO. She then runs a hash on the encrypted message and includes the hash result in the second layer of the overall message along with the symmetric key. She then encrypts the second layer (made up of the encrypted message, the hash result and the symmetric key) using the CEO’s asymmetric public key. She then sends the message to the CEO. Upon receipt, the CEO’s asymmetric private key is used to decrypt the outermost layer of the message. He then runs the encrypted message through the same hashing process to get a hash result. That result is compared to the now-decrypted hash result in the message. If they match, showing that the message has not been altered, then the symmetric key can be used to decrypt the original message.
Of course, that would all happen automatically, behind the scenes, by the email programs and the email server. Neither party would actually see any of this sort of thing happening on their computer screen.
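The accountant-and-CEO scenario above combines the three building blocks from the hashing, symmetric and asymmetric sections, so here it is carried through in working Go as an added example (not code from the original article). It assumes the CEO holds a 2048-bit RSA key pair, uses AES-256-GCM as the symmetric cipher, SHA-256 as the hash and RSA-OAEP to wrap the inner layer; the function names Seal and Open are chosen for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
)

// newGCM wraps a 32-byte key (length checked by callers) as AES-256-GCM.
func newGCM(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key) // cannot fail for a 32-byte key
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}

// Seal is the accounting officer's side. It returns the symmetric ciphertext (nonce
// prepended) and the inner layer SHA-256(ciphertext) || key, encrypted to the CEO's public key.
func Seal(ceoPub *rsa.PublicKey, msg []byte) ([]byte, []byte, error) {
	kn := make([]byte, 32+12) // fresh symmetric key followed by a fresh GCM nonce
	if _, err := rand.Read(kn); err != nil {
		return nil, nil, err
	}
	ct := newGCM(kn[:32]).Seal(kn[32:], kn[32:], msg, nil)
	h := sha256.Sum256(ct) // SHA-256 rather than MD5, which is no longer collision-resistant
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, ceoPub, append(h[:], kn[:32]...), nil)
	return ct, wrapped, err
}

// Open is the CEO's side: unwrap the inner layer with the private key, compare the hash
// against the received ciphertext in constant time, and only then decrypt with the key.
func Open(ceoPriv *rsa.PrivateKey, ct, wrapped []byte) ([]byte, error) {
	inner, err := rsa.DecryptOAEP(sha256.New(), nil, ceoPriv, wrapped, nil)
	if err != nil || len(inner) != 64 {
		return nil, errors.New("cannot unwrap inner layer")
	}
	h := sha256.Sum256(ct)
	if len(ct) < 12 || subtle.ConstantTimeCompare(h[:], inner[:32]) != 1 {
		return nil, errors.New("hash mismatch: encrypted message was altered or truncated")
	}
	return newGCM(inner[32:]).Open(nil, ct[:12], ct[12:], nil)
}
```

Because anyone holding the CEO's public key can build a valid envelope, this scheme gives confidentiality and integrity but not the sender authentication discussed earlier; that would need a digital signature made with the accountant's own private key.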
Obviously, there is a lot of math involved in converting a message, like an email, into an encrypted signal that can be sent over the internet. To fully understand cryptography requires quite a bit of research. Below are some of the most often referenced websites, books and papers on the subject of cryptography. Some of these resources have been in active use for close to 20 years and they are still relevant.
If you are new to cryptography, one of the best ways you can learn is by taking Dan Boneh’s free Cryptography I class on Coursera. Dan Boneh is a professor at the Computer Science Department of Stanford University. His research specializes in the applications of cryptography to computer security.
Cryptography I delves into cryptographic systems and how they can be used in the real world. It shows you how cryptography can solve various problems, such as how two parties can establish a secure communication channel, even if they are being monitored by attackers. The course covers numerous protocols, as well as more advanced concepts like zero-knowledge proofs. It’s a great introduction for those with limited prior knowledge.
Another good resource is David Wong’s videos, which often explain more technical concepts in detail. While his work can be a useful resource, it is not comprehensive or the best place to build up a foundation.
Newsgroups are community-generated feeds hosted on Usenet. To view them, you’ll need a newsreader app. Read more about how to get set up with Usenet here and see our roundup of the best Usenet providers here.
- sci.crypt – Possibly the first newsgroup dedicated to cryptography. Please take with a grain of salt as anything that has been around as long as sci.crypt has been is bound to attract nuts, hoaxes and trolls.
- sci.crypt.research – This newsgroup is moderated and not as prone to hoaxes as some others
- sci.crypt.random-numbers – This newsgroup was created to discuss the generation of cryptographically secure random numbers
- talk.politics.crypto – This newsgroup was created to get all the political discussions off of sci.crypt
- alt.security.pgp – And this newsgroup was created to discuss PGP way back in 1992
And a bonus Google group:
- Google Groups sci.crypt – A Google group trying to emulate the original sci.crypt newsgroup
Websites and organizations
- A good explanation of how RSA works
- PGP – A site dedicated to Pretty Good Privacy
- Cryptography World has their “Cryptography made easier” site available
- International Association of Cryptologic Research
- The CrypTool Portal
People of Note
- Bruce Schneier – schneierblog on Twitter
- John Gilmore
- Matt Blaze – @mattblaze on Twitter & flickr/mattblaze
- David Chaum
- Ronald L. Rivest
- Arnold G. Reinhold
- Marcus Ranum
- “Snake Oil Warning Signs: Encryption Software to Avoid” – Matt Curtin, April 10, 1998
- sci.crypt FAQ in 10 parts, last modified on June 27, 1999
- EFF’s cryptography FAQ – The Crypt Cabal, February 18, 1994
- RSA Laboratories’ Frequently Asked Questions About Today’s Cryptography, Version 4.1
- Other sci.crypt newsgroup FAQs dealing with several areas of cryptography and its uses
- Crypto-Gram by Bruce Schneier
- Cryptobytes – The full archive of RSA Labs newsletter on cryptography – last published in Winter 2007 – Vol 8 No. 1
- Applied Cryptography: Protocols, Algorithms and Source Code in C – Bruce Schneier, 20th Anniversary Edition
- Handbook of Applied Cryptography is now available as a downloadable PDF file
- Building in Big Brother: The Cryptographic Policy Debate is available through several university libraries
- Cryptography Engineering: Design Principles and Practical Applications – Niels Ferguson, Bruce Schneier, Tadayoshi Kohno
- Practical Cryptography – Niels Ferguson, Bruce Schneier
- Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World – Bruce Schneier
- Chaffing and Winnowing: Confidentiality without Encryption by Ron Rivest – CryptoBytes (RSA Laboratories), volume 4, number 1 (summer 1998), 12–17. (1998)
- Computer Generated Random Numbers by David W. Deley
- The Crypto Anarchist Manifesto by Tim C. May
- Diceware for Passphrase Generation and Other Cryptographic Applications by Arnold G. Reinhold
- The Dining Cryptographers Problem: Unconditional Sender and Recipient Untraceability by David Chaum, J. Cryptology (1988)
- The Magic Words are Squeamish Ossifrage by D. Atkins, M. Graff, A. Lenstra, and P. Leyland
- The Mathematical Guts of RSA Encryption by Francis Litterio
- One-Time Pad FAQ by Marcus Ranum
- P=?NP Doesn’t Affect Cryptography by Arnold G. Reinhold
- Survey on PGP Passphrase Usage by Arnold G. Reinhold
- TEMPEST in a Teapot by Grady Ward (1993)
- Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms by David Chaum, Communications of the ACM
- Why Are One-Time Pads Perfectly Secure? by Fran Litterio
- Why Cryptography is Harder Than It Looks by Bruce Schneier