Based in Denver, CO, Agile Ideation collects the thoughts and experiences of Ed Schaefer. His posts explore agile and devops related topics as he works to maximize team effectiveness and minimize waste through continuous learning, coaching and empowering teams.

Cryptology

 

 

For thousands of years there has been a necessity for protecting sensitive data, especially when this information needed to be shared with others. This has proved challenging as the information must be obscured so if someone were to intercept the information they could not read it, but must still be accessible by the desired recipient. From this need came the process of encryption or converting a message from its original form to something that is unreadable by any unauthorized individuals. Only those individuals with the tools would be able to decrypt, or return the encrypted information to its plaintext form. The science of encryption, cryptology, was born. From the Greek words for "hidden," kryptos, and "to write," graphein, cryptography is the process of creating and utilizing codes to secure information transmission. On the opposing front is Cryptanalysis, the process of decrypting ciphertext to plaintext without knowing the keys or algorithm used for the encryption process.

Before evaluating the various types of encryption, it is important to know there are two main methods used for encryption. First is bit stream encryption which means each bit (or character) is encrypted one at a time, essentially translating a message directly. The second method is known as block cipher and involves breaking the message into blocks and these blocks are then encrypted. The importance of differentiating these two methods will soon be clear. One of the earliest forms of encryption was symmetric encryption. This methodology uses the same key for the processes of both encrypting and decrypting a message. Originally bit stream encryption was the most widely used, and when combined with symmetric encryption the resulting security method is a symmetric stream cipher. The simplest concept of a symmetric stream cipher is the decoder ring or wheel with inner and outer rings. The outer ring is fixed and displays 28 characters - all 26 letters of the alphabet, plus period and space. The inner ring may show the same series of characters or numbers. By rotating the inner ring, a starting position is chosen and by moving through the original message and replacing the original letter with the new character, one by one, the resulting output is an encrypted version of the original message (“#31”, Gibson & LaPorte, 2006). This type of encryption is trivial to bypass, however, as with only 28 possible choices it would be easy to guess the starting position and decrypt the rest of the message (“#31”, Gibson & LaPorte, 2006). A solution to this flaw was to create a one-time pad. Under this method numbers or letters are randomly selected to replace existing characters - a character could be represented by various characters throughout the document (“#31”, Gibson & LaPorte, 2006). Since frequency could no longer be used as a method of decryption, the only way to read the original message would be to have the one time pad. This is one of the most secure methods of cryptology, but potentially one of the riskiest (“#31”, Gibson & LaPorte, 2006). Difficulties in decrypting the message arise - the one-time pad must be secure, so transmission is not really an option. Additionally if a one-time pad is used more than once and the messages are intercepted, the two messages can be compared and a frequency pattern now exists meaning the message could be cracked (“#31”, Gibson & LaPorte, 2006).

To reduce some of these risks, the block cipher method was created. By this method the message is broken into chunks, or blocks, and each block is then encrypted. This method makes decryption much more complicated. If a single character within a block is changed, the entire encrypted output will be substantially different than it would have been without the change (“#33”, Gibson & LaPorte, 2006). This method also involves padding the message if there is an incomplete block. If, for example, block length is eight characters and the final block only contains four, an additional four random characters will be added to the block before encrypting (“#33”, Gibson & LaPorte, 2006). Not only does this make it more difficult to determine the underlying characters, but it also means the resulting message will bear no resemblance in length to the original (“#33”, Gibson & LaPorte, 2006). Symmetric block ciphers are generally considered to provide very strong security; they were even utilized by the United States government to create the Data Encryption Standard or DES. When DES was first introduced it was a very strong block cipher and provided strong security, but over time has become easy to crack due to a short key length of 56 bits (“#33”, Gibson & LaPorte, 2006). An enhancement was made to DES called Triple DES or 3DES to eliminate this vulnerability. Under 3DES two different 56-bit keys are used, effectively creating a 112-bit key, and three DES operations are performed. While DES has been considered insecure since 1999, with all the enhancements 3DES is still considered fairly secure (“#33”, Gibson & LaPorte, 2006). There are dozens of modern, popular block ciphers that are considered secure in use today. From AES (aka Rijndael) to Blowfish, Serpent to 2fish, it is really a matter of personal preference as all symmetric modern block ciphers are considered highly secure (“#33”, Gibson & LaPorte, 2006).

While symmetric encryption seems to have solved the problem of obscuring and securing information, there are still issues around transmission and sharing of the key to verify the sender and guarantee only the desired recipient will gain access. As was previously examined a one-time pad is certainly the most secure, but plagued with issues since the pad can only be used once. Something once used for physical security provides a solution. If needing to guarantee the security of a crate one could attach a lock, send it to the recipient who attaches their own lock and sends it back. The sender (who just received the package) removes the original lock sending it back to its final destination. The original recipient removes their padlock and opens the box. Unfortunately this cannot be performed in this way with cryptography as decryption steps must be performed in the opposite direction as the encryption (“#34”, Gibson, & LaPorte, 2006). The first public-key invented, Diffie-Hellman, was created in 1976 and uses a very simple mathematic principal (Schneier, 1996). Using exponentiation Diffie-Hellman allows two people to create a key, but does not provide any method to encrypt or decrypt messages (Schneier, 1996). First the involved parties, Alice and Bob, must designate a large prime (Schneier, 1996). This prime must be n and g where g is primitive mod n (Schneier, 1996). Selecting the agreed upon figure does not need to be done securely and can be transmitted over a public channel (Schneier, 1996). Next Alice and Bob each select a unique large integer (x and y, respectively) (Schneier, 1996). Alice uses x such that X=gx mod n, sending the result to Bob, and Bob uses y such that Y = gy mod n (Schneier, 1996). Alice is able to compute k = Yx mod n and Bob is able to compute k’ = Xy mod n, due to the law of exponents (Schneier, 1996).

This leads to more modern asymmetric ciphers. With an asymmetric cipher there is one key to encrypt and one key to decrypt (“#34”, Gibson, & LaPorte, 2006). More importantly it does not matter which key you use, so anything encrypted with key 1 can be decrypted with key 2 and vice versa (“#34”, Gibson, & LaPorte, 2006). This can be used as a method of authentication by publishing one key on a website or other public database and signing all legitimate documents with the opposite key (“#34”, Gibson, & LaPorte, 2006). More interestingly, this provides an excellent method to ensure that no one but the intended recipient can access the encrypted file (“#34”, Gibson, & LaPorte, 2006). If anyone wanted to send something and ensure only the intended recipient could read it, encrypt it using the recipients public key, and only this person will be able to decrypt using the private key (“#34”, Gibson, & LaPorte, 2006). Now the question arises, how does one authenticate it was sent by the anticipated sender? This can be done by using double encryption. First the sender encrypts with her private key (thus the recipient will need to decrypt using her public key) then encrypts it again with the recipients public key (thus the recipient will need to unlock using his private key) (“#34”, Gibson, & LaPorte, 2006). This method provides both authentication and verification of sender and recipient (“#34”, Gibson, & LaPorte, 2006).

Public key encryption is one of the most substantial additions to cryptography in the last 30 plus years. Now used at almost every level, including simple things such as email, this method of cryptography creates a very high level of security with a very low level of computing power requirements. This makes it trivial to securely transmit the key to encrypted information allowing the process of encryption and decryption to be much simpler than encrypting and decrypting all of the data, and therefore more feasible for everyday use.

Cryptology Tools and Solutions

 

Digital Signature: Validates a message originated from the expected sender and verifies it has not been altered. Digital signatures became necessary as verifying information transmitted across electronic channels became more important (Whitman, & Mattord, 2012). This is one of the most common uses of asymmetric encryption.

Digital Certificate: Links and provides verification a specific public key belongs to a certain identity. A document or container file, digital certificates are digitally signed to certify origin and integrity (Whitman, & Mattord, 2012). While digital signatures authenticate the origin of a message, the digital certificate provides authentication for the public key contained in the certificate (Whitman, & Mattord, 2012). These certificates are often issued and certified by a third party, as is the case if issued by a Certificate Authority (CA) (Whitman, & Mattord, 2012). Certificates are also frequently self-signed by the user or other individuals in the form of endorsements as an alternative method of verification.

Public-Key Infrastructure (PKI): Provides a framework for managing digital certificates for all involved parties (Ciampa, 2009). The PKI integrated solution of encryption methodologies, agreements, protocols, software and other services to provide users with secure communications (Whitman, & Mattord, 2012). PKIs provide a number of benefits including authentication of involved parties, confirmation content maintains integrity, ensures information is not intercepted and kept private, authorization rules and nonrepudiation (Whitman, & Mattord, 2012)

Hybrid Cryptography Systems: Combines features of public-key and symmetric-key cryptography. A symmetric key is created and used to encrypt a message. The symmetric key is then encrypted using the recipient’s public key. Both the encrypted message and the encrypted key are sent to the recipient. The recipient decrypts the new symmetric key using her private key, and then uses the now accessible symmetric key to decrypt the original message. Diffie-Hellman is often considered a form of hybrid cryptography. 

Steganography: Hiding information where it can only be retrieved if you know where to look. The ultimate form of security through obscurity, only the sender and the intended recipient know the information is there. Today this is commonly used for marketing and alternate reality games. A message is hidden within a file such as an audio clip or image. In the case of an audio file it may exist where the human ear cannot register it, or information may be laid over a primary audio element within a song so it can only be found when analyzed. This can be done with pictures by altering every insubstantial color bit so when the main image is removed, only the hidden image remains.

Conclusion

Cryptology was important long before the invention of the microprocessor, but as technology becomes more and more prominent the importance of keeping data secure will only continue to rise. There are many ways one can cryptographically secure information, but it depends how important the information is as well as the true purpose of the encryption. Cryptography can be used to protect, identify, secure, validate and authenticate. By understanding how various types of cryptography perform these tasks, it becomes easier to evaluate what is necessary, what is insufficient and what is overkill. It is also important to recognize that a strong cryptographic algorithm is only as strong as the key securing it, and how it is implemented. As the number of websites under attack continues to rise, and the amount of potentially damaging data that could be released increases, it will be important for more stern security practices to be instituted by organizations and individuals and cryptography will be one of the most significant tools to master.

 

Physical Security

Access Controls