Cryptography for Practitioners

Cryptography Explained

Cryptography is the art and science of secret writing. It is the foundation of online identity, privacy, and security. Only careful and well-executed application of cryptography will allow keeping private information hidden from prying eyes and ears. The origins of the term 'cryptography' itself stem from two words of the Greek language - κρυπτός (kryptós) meaning secret or hidden, and γράφειν (graphein) meaning writing.

Our modern world relies on electronic means for creating, storing, and transferring information. The security of this digital life owes much to cryptography. Cryptography intersects our daily lives in more ways people commonly realize.

Practical Everyday Applications

Our mobile phones, computers, online services, and nearly all personal online communications rely on different cryptographic algorithms and methods for the protection of the privacy and integrity of the identities and data involved.

Over the course of an ordinary day, we use many, sometimes rather advanced, cryptographic devices - there are smartcards in our wallets, laptops on our desks, mobile phones in our pockets, vehicle information systems in our cars, electronic locks on our doors, and so on.

Algorithms - Transforming Data

Cryptographic algorithms are the basic tools of this trade. An algorithm is a method or a technique that is applied to data. When an algorithm is used to encrypt (hide) the data, the readable information (often referred to as plaintext) is transformed to an unreadable (encrypted) form. When an encrypted data (or ciphertext) is returned to its readable form the process is called decryption.

Some algorithms are bi-directional (or symmetric) which means that the same algorithm (and key) are used for both encryption and decryption. In contrast, a one-directional algorithm works in only one way (ie. the operation cannot be reversed). An example of a one-directional cryptographic algorithm is a hash algorithm that produces a hash - a digital fingerprint of the processed data. The hash reliably identifies the origina data and no two data sets produce the same hash, yet this digital fingerprint cannot be turned back into the original data.

There are three main categories of these algorithms: - Public key cryptography algorithms - Data integrity protection algorithms - Symmetric cipher algorithms.

Roughly these three categories of algorithms cater for three different basic needs: - Reliable authentication (of users and other entities) - Data integrity protection - Protection of data privacy.

This division is somewhat of a simplification, but will serve for this article. For a more thorough analysis, see an authoritative source such as Applied Cryptography by Mr Bruce Schneier.

Authentication with Public Keys

While public key cryptography allows data encryption for privacy protection (and is used for that in some cases such as the PGP email protection scheme), it is cumbersome and computationally expensive to be used for bulk data protection. Instead, it is most commonly used to implement strong online authentication.

Strong authentication is the most prominent use case of public key cryptography, and in this role we (often unknowingly) use it daily.

Important concepts in public key cryptosystems are:

Integrity Protection

Our daily lives break down into amazing volumes of data every day - our health records, financial information, employment records, service subscriptions, and other parts of our everyday life, are recorded in, and transmitted between various online systems. The fabric of our lives is dependent on the integrity of that staggering mass of data - every bit of this information must stay exactly as it is. The integrity of data keeps us alive - in some cases quite literally.

Cryptography offers methods for protecting and inspecting the integrity of digital data in the form of hashing and message digest algorithms. These one-way functions can take an given piece of data of arbitrary size and calculate a unique, small fingerprint of that data. This fingerprint, the hash, is unique to that particular piece of data, and even a tiny change in the data results in an entirely different hash. These hashes allow the detection of modifications in data and are an essential component of any cryptosystem that requires protection of data integrity.

SHA-1 and SHA-2 are common hash algorithms.

Data Privacy Protection

The most common and probably easiest understood use of cryptography are the symmetric ciphers. A symmetric encryption algorithm is a method that renders data hidden when applied in one direction and returns the data readable when used in the other direction. The symmetric (secret) key functions like the password for the protected data. These algorithms are typically rather fast to execute, and they are used extensively to guarantee the privacy of data in network communications, databases/hard drives, and other applications where relatively large volumes of data need to be cryptographically processed in real time (or close to real time).

Since the key that is used for data encryption and decryption needs to be shared with each endpoint of the encrypted connection, or with every recipient of the encrypted data, the key generation and exchange are a critical feature of cryptosystems that use symmetric ciphers. A common key exchange mechanism in security protocols is the Diffie-Hellman key exchange.

Common symmetric ciphers are for example:

Cryptographic Keys and Key Management

A cryptosystem is a multiple of its parts - an essential security concern on any system is the way the encryption keys are managed. Even the strongest encryption algorithm offers no security if the attacker can get access to the encryption keys.

Enterprise networks in general have been designed with careful considerations for identity and access management. The guiding principles of providing access to resources based on the role of an individual (be it a user or a process) or of segregation of duties provide a starting point for a well designed access control implementation. These principles need to be applied to practice in all aspects of enterprise access. So far the user level access control has been in the spotlight of IAM, but in recent times the focus has been shifting towards the so far unaddressed issues of trusted access.