Blog

What is Cryptography?

Apr 02, 2020

By Javvad Malik, CISSP

Can You Explain Encryption to Me?

From: Thomas, Kevin
Sent: 24 August 2019 10:43
To: Malik, Javvad
Subject: Encryption

Jav

I’m updating the presentation pack for this months management meeting. Can you send me a short description of encryption so the SLT can better understand the solution.

Kev

From: Malik, Javvad
Sent: 24 August 2019 11:03
To: Thomas, Kevin
Subject: Encryption

Hi Kevin,

Encryption is the process of transforming information using an algorithm to make it unreadable to anyone except those possessing special knowledge, usually referred to as a key. The result of the process is encrypted information. In many contexts, the word encryption also implicitly refers to the reverse process, decryption to make the encrypted information readable again.

Thanks,

Javvad

From: Thomas, Kevin
Sent: 24 August 2019 11:09
To: Malik, Javvad
Subject: Encryption

If I wanted the Wikipedia description I would have copied and pasted it myself. I need a more business-speak definition.
 
From: Malik, Javvad
Sent: 24 August 2019 12:52
To: Thomas, Kevin
Subject: Encryption

Sorry Kevin, I assumed that senior technology managers would have half a clue about technology. I have thought long and hard about this and think the easiest way to explain this would be to replace the word encryption with witchcraft. It too is misunderstood by the masses at large, but conveys a clearer message.

Witchcraft is the process of transforming information using an algorithm to make it unreadable to anyone except those possessing special knowledge, usually referred to as a key. The result of the process is witchcraft-ed information. In many contexts, the word witchcraft also implicitly refers to the reverse process, de-witchcrafting to make the witchcraft-ed information readable again.

Regards,
Javvad

From: Thomas, Kevin
Sent: 24 August 2019 13:24
To: Malik, Javvad
Subject: Encryption

stop messing around!!! I need this urgently to finalise the presentation.
 
From: Malik, Javvad
Sent: 24 August 2019 14:20
To: Thomas, Kevin
Subject: Encryption

Hi Kevin,
You’re right, it was naïve of me to think simply replacing one word would make it simple and easy to understand. I’ve now also amended the other words accordingly.

Witchcraft is the process of transforming a prince into a frog using special knowledge, usually referred to as a spell. The result of the process is witchcraft-ed prince who looks like a frog. In many contexts, the word witchcraft also implicitly refers to the reverse process, de-witchcrafting to make the witchcraft-ed frog a Prince again.

I’m sure you’ll find those senior managers who have daughters will particularly like this analogy and be able to understand it in its correct context now.

Regards,
Javvad
 
From: Thomas, Kevin
Sent: 24 August 2019 14:43
To: Malik, Javvad
Subject: Encryption

Has anyone told you that you can be a right idiot! Sort it out NOW!
 
From: Malik, Javvad
Sent: 24 August 2019 15:21
To: Thomas, Kevin
Subject: Encryption

Hi Kevin,
Not, to my face to be honest. But thanks for the feedback. I assume that you are alluding to the fact I should include a pictorial description as senior managers love charts. I have corrected this for you below.
Hope this helpsEncryption

Javvad
 
From: Thomas, Kevin
Sent: 24 August 2019 15:37
To: Malik, Javvad
Subject: Encryption

I don’t want your stupid diagram!!!! THIS IS URGENT. Get it done NOW! I have to send this off today.
 
From: Malik, Javvad
Sent: 24 August 2019 16:00
To: Thomas, Kevin
Subject: Encryption

Hi Kevin,
Encryption is the process of transforming information using an algorithm to make it unreadable to anyone except those possessing special knowledge, usually referred to as a key. The result of the process is encrypted information. In many contexts, the word encryption also implicitly refers to the reverse process, decryption to make the encrypted information readable again.

Thanks,
Javvad
 
From: Thomas, Kevin
Sent: 24 August 2019 16:02
To: Malik, Javvad
Subject: Encryption

Was that so hard? Why couldn’t you have sent this the first time I asked instead of wasting my time. 
 
From: Malik, Javvad
Sent: 24 August 2019 16:43
To: Thomas, Kevin
Subject: Encryption

I did…

What is Cryptography?

Cryptography, the dark art of information security. The deus-ex-machina, the silver bullet, the be all and end all of all security measures. Widely misunderstood, often poorly implemented.

My first introduction to cryptography was when I was told of this man called Phillip Zimmerman who’d created a piece of software called Pretty Good Privacy or PGP. A bit of sorcery that could protect emails so well, that even the prying eyes of Big Brother could not get at it easily. It was so profound, that the U.S. government initiated an investigation against Zimmerman. This was on the premise that strong cryptography was classed as munitions, so it was in the same classification as real life weapons.

How amazing could that be? This software called cryptography, according to the U.S. government could be as potent as an AK47? I had to find out more.

Cryptography is a relatively simple concept to understand. It’s the ‘how’ that can get slightly complex.

In essence, it’s taking some information and scrambling it up so no one else knows what it is; then, having a way to unscramble it back to the original information again.

And really that’s all there is to it. Just as if when you were a child, you were told that’s all there is to a Rubik’s cube and wasted many frustrated hours failing to get it right before resorting to peeling off the stickers and sticking them on wherever.

Everything else surrounding cryptography is about finding ways to make sure the scrambling of information is done in a quick and efficient manner that nobody else in the entire universe can unscramble unless they possess the McGuffin.

Think of it like a witch who can cast a spell on a prince and turn him into a frog. If she waves her wand and says “hocus pocus” the prince turns into the frog and becomes completely unrecognisable. No one would ever know that the frog was actually a prince unless they had the witch’s wand and waved it over the frog saying, “hocus pocus”.

Symmetric Key Cryptography

Symmetric key is something that is conceptually familiar, as it is a simple flow. One key is used to transform the information from plaintext to ciphertext. Ciphertext is just the fancy way of saying that the plain or clear text has been converted into a format that makes no sense or doesn’t resemble the original text.

The same key is then used to reverse the process and convert the ciphertext into plaintext.

If we revisit the example of the witch turning the prince into the frog, the prince is plaintext and the frog is ciphertext. The key that the witch uses to convert the prince into the frog and from a frog back into the prince is the same; in other words, wave a wand and say, “hocus pocus”.

Because the process is the same for both sides, one could say it’s symmetric. Hence the highly original definition of symmetric key cryptography. 

Encryption-frog Asymmetric (Public) Key Cryptography

Asymmetric or public key cryptography isn’t as difficult in concept to understand as most books make it out to be.

In asymmetric key cryptography, you use a key (like in symmetric key) to encrypt some plaintext into ciphertext.

Again, very much like symmetric encryption, you use a key to decrypt the cipher text back into plaintext.

The important difference is that one key encrypts the data and a different key decrypts the data.

This sometimes confuses people and I think this is because we’re so used to physical keys it’s difficult to rationalise how one key can only lock a door and not unlock it and vice versa. So, I’ll use a different analogy.

Remember I mentioned the witch who waves her wand and says “hocus pocus” for the prince to turn into a frog.

Now imagine, she didn’t have the ability to turn the frog back into the prince. The wand only casts spells, but can’t break the spells.

No, in order to break the spell, a certain princess (only one of them) has to kiss the frog and it turns back into a prince.

One key (the wand) was used to turn the prince into the frog and another key (the kiss) was used to turn the frog back into the prince.

This is how a key pair work in asymmetric encryption. One key encrypts and one key decrypts. Both the keys have a weird relationship to each other. It’s like they’re unidentical twins. They share the same parents, but are totally different, yet connected to one another. That’s about as far as the mathematics of the key pair go. By all means, if you have an interest in understanding the mathematical way the key pairs are created, there are plenty of books that will explain it in great detail until your brain melts.

Now expanding on this example, let’s say the princess is the one who created the magic wand and she went and put it in the market square. Anyone who wanted to send her a prince could take the wand, say “hocus pocus” at a prince and it would turn the frog, get delivered to the princess and she could kiss the frog and turn it back into the prince.

Bear with me… this is important.

Firstly, why would a prince need to be changed to a frog to get to the princess? Let’s assume that the guards didn’t let anyone into the palace, so a frog could easily get inside.

Secondly, because the wand was created by the princess, only HER kiss would be able to change the frog back into the prince, so no other princess would be able to claim the prince as her own.

We’ve established that there are two keys. One is the wand, which is placed in the marketplace (public key) where anyone can pick it up and use it to turn a prince (plaintext) into the frog (ciphertext).

This frog (ciphertext) can then waltz into the palace and to the princess undetected by the guards (unreadable by anyone else). If anyone does try to kiss the frog, it will remain a frog.

Only the princess, using her own kiss (private key) can turn the frog (cipher text) back into a prince (plaintext).

Next-key At a simple level then, we have described how asymmetric key encryption works. You have a key pair, one part is public and one part is private. if someone wants to send a secret message, they will use the recipient’s public key to encrypt the data and send it to them. That way, they are assured that only the true recipient will be able to decrypt the data because only they have the private key needed to do so.

So if someone encrypts data using the public key, they can be sure that only the owner of the private key can decrypt it.

On the reverse side, if someone encrypts data with their private key and sends it out, then anyone can decrypt it using the sender’s public key. However, what it does guarantee is that the message indeed originated from the person owning that private key.

Hash Functions

An important function within many aspects of cryptography is the hash function. The hash function is one-way process. Data is passed through it and it produces a much smaller output called a hash value, or hash sum, or checksums.

Think of the hash value as your fingerprint. If your fingerprints are on a glass, then it leaves little doubt that you were holding that particular glass. Your fingerprint is unique to you and only you. If someone only had your fingerprint, they would not be able to draw any other conclusions. For example, they can’t tell if you’re male or female, your age or hair colour, etc. It only works one way.

In other words, your finger can produce the unique fingerprint. But the fingerprint can’t produce your finger.

Now that you’re an expert in understanding what hash functions are, we can look at what role they play in cryptography.

Continuing with the fingerprint analogy, let’s say a criminal is transferred from one prison to another. Before the prisoner is transferred, his fingerprints are taken and those are sent to the receiving prison. When the prisoner reaches the destination, the receiving prison can take his fingerprint and match it to those which were sent to them separately by the sending prison. If they match, then they can be sure that this is the right prisoner and there hasn’t been an elaborate switch conducted en-route.

However, if the fingerprints don’t match, then there is a bit of a problem.

This is one of the primary functions of a hash, it’s quick to reproduce a hash and compare its value to ensure the integrity of the item it is validating. Which is why when you go to a website and download a package, they sometimes have the hash displayed. The purpose of that is so that when you download the file, you can check the hash of the downloaded file and compare it against what it should be. If the values match, you’re ok, otherwise it could be you’ve downloaded an altered file which could contain some malware.

For the smart ones out there, you’ve probably noticed one flaw with using hashes to validate the integrity of a sent file. If I were a bad guy and could intercept the file and change or replace it before it got to you, then I could just as easily change or replace the hash so that everything looked ok. Which is why before the hash is sent, it is encrypted with the private key of the sender. That way, the receiver can decrypt it using the sender’s public key and be assured that it was indeed sent by the right person. A hash encrypted with a private key is usually referred to as a digital signature.

So, to break it down we have three core components:

  • A public key
  • A private key
  • A digital signature

If you send an email to me using my public key, then that protects the confidentiality of the message because only I will be able to open it.

If you send an email to me using your private key, then I can be sure it came from you and only you. But anyone who can access your public key (everyone) will be able to read it.

A digital signature provides assurance that the message has not been altered in any way from the time it left you till I received it; in other words, it assures integrity.