Cryptography is the art of changing a message from a readable format, referred to as “plaintext”, into an unreadable one, or “ciphertext”. This process is referred to as “encrypting” the message. In most cases, there needs to be a way to change it back to a readable format, or “decrypting” it, but not always. There are three main types of cryptography in use today.
Hashing is changing a message into an unreadable string not for the purpose of hiding the message, but more for verifying the contents of the message. This is most commonly used in the transmission of software or large files where the publisher offers the program and it’s hash for download. A user downloads the software, runs the downloaded file through the same hashing algorithm and compares the resulting hash to the one provided by the publisher. If they match then the download is complete and uncorrupted.
In essence it proves that the file received by the user is an exact copy of the file provided by the publisher. Even the smallest change to the downloaded file, by either corruption or intentional intervention, will change the resulting hash drastically. Two common hashing algorithms are MD5 and SHA.
Symmetric cryptography uses a single key to encrypt a message and also to then decrypt it after it has been delivered. The trick here is to find a secure way of delivering your crypto key to the recipient for decrypting your message to them. Of course, if you already have a secure way to deliver the key, why not use it for the message as well? Because encryption and decryption with a symmetric key is quicker then with asymmetric key pairs.
It is more commonly used to encrypt hard drives using a single key and a password created by the user. The same key and password combination are then used to decrypt data on the hard drive when needed.
Asymmetric cryptography uses two seperate keys. The public key is used to encrypt messages and a private key is used to then decrypt them. The magic part is that the public key cannot be used to decrypt an encrypted message. Only the private key can be used for that. Neat, huh?
This is most commonly used in transmitting information via email using SSL, TLS or PGP, remotely connecting to a server using RSA or SSH and even for digitally signing PDF file. Whenever you see an URL that starts with “https://”, you are looking at an example of asymmetric cryptography in action.
An extreme example of how all three can be used goes something like this: your company’s accounting officer needs to get a budget approval from the CEO. She uses her symmetric private key to encrypt the message to the CEO. She then runs a hash on the encrypted message and includes the hash result in the second layer of the overall message along with the symmetric key. She then encrypts the second layer (made up of the encrypted message, the hash result and the symmetric key) using the CEO’s asymmetric public key. She then sends the message to the CEO. Upon receipt, the CEO’s asymmetric private key is used to decrypt the outer most layer of the message. He then runs the encrypted message through the same hashing process to get a hash result. That result is compared to the now decrypted hash result in the message. If they match, showing that the message has not been altered, then the symmetric key can be used to decrypt the original message.
Of course, that would all happen automatically, behind the scenes, by the email programs and the email server. Neither party would actually see any of this sort of thing happening on their computer screen.
Obviously, there is a lot of math involved in converting a message, like an email, into an encrypted signal that can be sent over the internet. To fully understand cryptography requires quite a bit of research. Below are some of the most often referenced websites, books and papers on the subject of cryptography. Some of these resources have been in active use for close to 20 years and they are still relevant.
Newsgroups are community-generated feeds hosted on Usenet. To view them, you’ll need a newsreader app. Read more about how to get set up with Usenet here and see our roundup of the best Usenet providers here.
- sci.crypt – Possibly the first newsgroup dedicated to cryptography. Please take with a grain of salt as anything that has been around as long as sci.crypt has been is bound to attract nuts, hoaxes and trolls.
- sci.crypt.research – This newsgroup is moderated and not as prone to hoaxes as some others
- sci.crypt.random-numbers – This newsgroup was created to discuss the generation of cryptographically secure random numbers
- talk.politics.crypto – This newsgroup was created to get all the political discussions off of sci.crypt
- alt.security.pgp – And this newsgroup was created to discuss PGP way back in 1992
And a bonus Google group:
- Google Groups sci.crypt – A Google group trying to emulate the original sci.crypt newsgroup
Websites and organizations
- A good explanation of how RSA works
- PGP – A site dedicated to Pretty Good Privacy
- Cryptography World has their “Cryptography made easier” site available
- International Association of Cryptologic Research
- The CrypTool Portal
People of Note
- Bruce Schneier – schneierblog on Twitter
- John Gilmore
- Matt Blaze – @mattblaze on Twitter & flickr/mattblaze
- David Chaum
- Ronald L. Rivest
- Arnold G. Reinhold
- Marcus Ranum
- “Snake Oil Warning Signs: Encryption Software to Avoid” – Matt Curtin, April 10, 1998
- sci.crypt FAQ in 10 parts, last modified on June 27, 1999
- EFF’s cryptography FAQ – The Crypt Cabal, February 18, 1994
- RSA Laboratories’ Frequently Asked Questions About Today’s Cryptography, Version 4.1
- Other sci.crypt newsgroup FAQs dealing with several areas of cryptography and it’s uses
- Crypto-Gram by Bruce Schneier
- Cryptobytes – The full archive of RSA Labs newsletter on cryptography – last published in Winter 2007 – Vol 8 No. 1
- Applied Cryptography: Protocols,Algorithms and Source Code in C – Bruce Schneier, 20th Anniversary Edition
- Handbook of Applied Cryptography is now available as a downloadable PDF file
- Building in Big Brother: The Cryptographic Policy Debate is available through several university libraries
- Cryptography Engineering: Desigh Principles and Practical Applications – Niels Ferguson, Bruce Scheier, Tadayoshi Kohno
- Practical Cryptography – Niels Ferguson, Bruce Schneier
- Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World – Bruce Schneier
- Chaffing and Winnowing: Confidentiality without Encryption by Ron Rivest – CryptoBytes (RSA Laboratories), volume 4, number 1 (summer 1998), 12–17. (1998)
- Computer Generated Random Numbers by David W. Deley
- The Crypto Anarchist Manifesto by Tim C. May
- Diceware for Passphrase Generation and Other Cryptographic Applications by Arnold G. Reinhold
- The Dining Cryptographers Problem: Unconditional Sender and Recipient Untraceability by David Chaum, J. Cryptology (1988)
- The Magic Words are Squeamish Ossifrage by D. Atkins, M. Graff, A. Lenstra, and P. Leyland
- The Mathematical Guts of RSA Encryption by Francis Litterio
- One-Time Pad FAQ by Marcus Ranum
- P=?NP Doesn’t Affect Cryptography by Arnold G. Reinhold
- Survey on PGP Passphrase Usage by Arnold G. Reinhold
- TEMPEST in a Teapot by Grady Ward (1993)
- Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms by David Chaum, Communications of the ACM
- Why Are One-Time Pads Perfectly Secure? by Fran Litterio
- Why Cryptography is Harder Than It Looks by Bruce Schneier
“Binary Business” by mikecogh — Licensed under CC-SA 2.0