A part of the Tech Premier Series
- Plaintext – Normal text anyone can read
- Cyphertext – Encrypted text no one can read
- Cypher – A pair of mathematical algorithms allowing encryption and decryption of information
- Key – Specifies how an algorithm transforms plaintext into cyphertext (e.g. a password)
- AES – Advanced Encryption Standard
Encryption is a method used to secure data by transforming ‘plaintext’ information into ‘cyphertext’. Encryption works by combining a ‘cypher’ with one or more keys. Most encryption breaches are due to poor technical implementation and password hygiene rather than a brute force attack. Performing a brute force attack – without exploiting social engineering or algorithmic defects – on the 256-bit key (A 256 long string of 1s and 0s; or 1.1 x 1077 possible combinations) used to secure your bank’s web session would take many billions of years.
The goal of an encryption scheme is to make it easy to encrypt a message, but difficult as possible to decrypt.
Alphabet shift cyphers are an early and simple example of a cryptographic algorithm. If we shift the word ‘itro’ by four letters, it becomes ‘mxvs.’ In this example, the cypher dictates that you must shift the characters in one direction to encrypt, and to shift in the opposite to decrypt. The ‘key’ is four, as it specifies the number of letters by which to shift.
In an alphabet shift cypher, it becomes relatively easy to decrypt messages once you know the algorithm. Cryptographic experts develop modern cyphers in such a way that anyone with knowledge of the algorithm in use cannot easily decrypt messages. Knowledge of how AES functions is freely available for implementation by anyone and underpin much of the modern internet.
In short, the goal of modern encryption schemes is that an unauthorised third party can possess both the algorithm and cyphertext, without the ability to revert said cyphertext without the key.
The two most popular cryptographic schemes today are symmetric-key and asymmetric-key systems:
- Symmetric-key systems utilise an algorithm with a single key to encrypt and decrypt data. The alphabet shift cypher detailed above is an example of such a system – You use the number 4 to both encrypt and decrypt messages.
- The disadvantage of a symmetric-key system is that you must find a way to communicate the key so the recipient can successfully decrypt the message. In modern encrypted communications, endpoints generate and exchange symmetrical keys via an asymmetric-key scheme.
- Asymmetric-key – or public-key cryptography – utilises a pair of keys; a public key used to encrypt, and a related private key used to decrypt. Although the two keys are related, a properly implemented asymmetric-key is computationally expensive to compromise.
- For example; James runs a blog, and would like readers to email him sensitive information securely. He generates a public and private key pair. He keeps his private key secret but puts his public key on his website. A reader can take his public key, encrypt a message and send it to James, at which point he can decrypt the message by combining his secret private key with the public key on his blog.
- When you connect to a secure website, your computer and the server initially communicate using an asymmetric-key system called the Diffie-Hellman key exchange. The devices will then negotiate the use of a symmetric-key algorithm and a pseudo-random key to continue communications.
Encryption relies on secure keys; if an attacker finds a way to compromise the secret key, they can decrypt any communications using said key. Security researchers, government agencies, and unethical hackers are extremely resourceful and can develop clever exploits, such as:
- Diffie-Hellman relies on large prime numbers to provide secure communications. Due to the expense of discovering new prime numbers, most implementations recycle a handful of primes. Security researchers strongly suspect that the NSA invested time and money cracking a handful of 1024-bit prime numbers (Each taking a year or two) allowing them to eavesdrop on much of the internet.
- Security researchers developed a reliable method to reconstruct private keys by recording and analysing sounds generated by a computer when it displays encrypted messages.
- Computers usually utilise pseudo-random numbers when generating keys. The reason that the numbers are pseudo-random is that computers are bad at generating random numbers. Psuedo-random algorithms can be cryptographically secure, but it requires an ‘unpredictable input.’ If you use an insufficiently secure pseudo-random algorithm, an attacker can use the numbers it spits out to infer what other numbers it has already generated.
- So, to get around this problem, Cloudflare uses a camera pointed at a wall of lava lamps to generate unpredictable input.
- When US government agents apprehended Ross Ulbricht (Behind the notorious Silk Road website), plainclothes FBI agents staged an argument, distracted Ross, and snatched his unlocked laptop.
A more common weakness is utilising an insecure password for your encrypted data. The key for your bank accounts or mailbox is the password you type, so it’s important to ensure you use strong credentials.
Cryptography is an incredibly powerful tool utilising a mathematical process to convert plaintext into unreadable ciphertext. However, you should not use encryption in isolation; it must be part of a wider security implementation which limits physical access and educates users on its shortfalls.