The basics of cryptography are valuable fundamentals for building a secure network. In this video, you’ll learn about cryptographic terms, the value of the key, the concepts of confusion and diffusion, and more.
<< Previous Video: Data Roles and Retention Next: Symmetric and Asymmetric Encryption >>
Cryptography is derived from the Greek word “kryptos,” which means hidden or secret. And when we think about cryptography, that is one of the first things we think about– is keeping things secret. Cryptography allows us to have confidentiality of data, but cryptography also allows some other capabilities, such as authentication and access control. We can really determine if somebody is who they say they are.
Another nice security feature that cryptography provides is non-repudiation, which means not only were we able to authenticate that it came from you, we were able to verify that everything that we’re reading was really written by you. And cryptography allows us to check the integrity of data. We can verify that the information we’ve received is exactly the information that was sent.
There are a number of terms that are used when you’re working with cryptography. One of these is the plaintext. This is the original message before it undergoes any type of cryptographic changes. Some people think of this as the unencrypted message or the message that’s provided in the clear.
When we refer to the ciphertext, we’re referring to the information once it has gone through an encryption process. So this would be the encrypted message that you would send to someone else. To be able to get from the plaintext to the ciphertext and back again, you need a cipher. This is the algorithm that is used to encrypt the plaintext, and it’s the algorithm that is used to decrypt from the ciphertext.
There are many different methods for encrypting data, and the art of cracking this encryption is called cryptanalysis. There are researchers that are constantly working on finding shortcomings and problems with the way that we are encrypting and protecting our data so that we can make sure that our data is as safe as possible.
To encrypt data, you commonly need the plaintext that you’re going to start with, the cipher that you’re going to use, and then you need a key. This cryptographic key is added to the cipher to be able to encrypt the plaintext. Larger keys are generally more secure, because brute force is often used to find the key that’s used during an encryption process. We tend to make these keys larger to provide more security.
Some encryption methods only use a single key to encrypt the data. Other encryption ciphers will use the key in multiple ways or will use multiple keys. The methodology that’s used will depend on the cipher that’s in use. The key that’s on this page is my PGP public key that’s available for anyone to see, and this is the key that’s associated with my email address, which is james@professormesser.com.
Two of the most important characteristics that encryption relies on is confusion and diffusion. Confusion means that the data that we have encrypted looks drastically different than the plaintext that we began with. There shouldn’t be any patterns, and there should be no way to recognize any part of the plaintext by simply looking at the ciphertext.
Here’s a good example of confusion. We’ll take a bit of plaintext. My plaintext simply says, “hello, world.” And I’m going to encrypt that with my PGP key. And you can see that the message that’s created is very different than the original plaintext. In fact, there’s really no way to discern that that original plaintext is any part of the ciphertext, and that’s a very good example of implementing confusion in your encryption method.
The characteristic of diffusion means that if we change one character of this plain text input, the ciphertext will be very different. Let’s take an example of this by using that same bit of plaintext, “hello, world.” This one has a period at the end of that sentence. And when I encrypt it, I get this PGP message.
Now let’s take this same plaintext, but instead of having a period at the end of the sentence, let’s use an exclamation mark. And let’s see what the results are of encrypting that bit of plaintext. You can see that these two bits of ciphertext are very, very different. There’s really nothing that’s the same between them except this little bit of text at the beginning. In this particular case, this is encrypted with PGP, and PGP puts a PGP header at the beginning of the encrypted information, which contains format information, encryption algorithms, the recipient’s key ID, and other information.
The best kind of security exists when the attacker would know everything about the way the system works but still would not be able to gain access to any of the data. If you’re trying to keep the design of a security system secret as its only method of security, we call that security through obscurity. A good example of security through obscurity is the substitution cipher. This is the Caesar cipher, where you substitute one letter with another one.
We often refer to this as ROT13– “rot” 13– where you can take a particular set of letters, like “hello,” and convert all of them to a number that is simply rotated 13 characters different. So “H-E-L-L-O” turns into “U-R-Y-Y-B.” Since we know how the security was designed for a substitution cipher, it makes it very easy to circumvent the security, meaning that this is security through obscurity. Some modern versions of security through obscurity might be something like a wireless network that has SSID broadcast suppression or MAC filtering. Since these so-called security features are easily circumvented if you know how they’re implemented, this is a good example of security through obscurity.
We use random numbers extensively in cryptography. For example, we use randomisation when we are generating keys, and we use random numbers when we’re creating salt for hashes. One of the challenges with creating random numbers with a machine is that they’re not truly random. They’re machine generated. Sometimes we’ll include some type of natural input to help provide more randomization. For example, the PGP key generation process asks you to move your mouse around for a few seconds, and it uses that randomization as part of the key generation process.
Our computers do a pretty good job of approximating what might be random, but these are really pseudo-random numbers that are created by our computers. They are all based on a starting seed number. For example, if you use the same starting seed number that was used in a previous process, you should be able to duplicate that pseudo-random number generation.
Fortunately, application developers don’t have to become experts in cryptography to be able to use cryptography in their applications. They simply use an application programming interface to a cryptography module. They will send their plaintext into the cryptography module, and it simply provides the ciphertext as an output. This means that there’s no extra programming that has to be done, and the programmers themselves don’t have to worry what the implementation of the cryptography. They only have to worry about the mechanics of providing it to the API and getting the answer back from the API.
Microsoft has a library for cryptography called the Cryptographic Service Provider, or the CSP. The application developers only need to write to Microsoft’s cryptography API, and that becomes the middleman between the application and the CSP.