What is Cryptography, and how does it work?

What if I told you that there is something you use almost every day without even being aware of it? You use it every time you make a purchase with your credit or debit card, send a text message, use the ATM, check your emails, use a fingerprint scanner, or log in to your favorite social media account. It allows you and only you to access your accounts from these services securely. This security is made possible through the use of cryptography.

 

Think of cryptography as a kind of secret code that protects the information that you send over the Internet or when you save it on your computer. It’s like locking up your messages in a suitcase before sending them, and only the one with the correct key can open the suitcase and access the information.

 

Passwords and credit card numbers are some examples of personal information that cryptography helps keep private and safe from prying eyes and hackers. It works like communicating with your pals in a secret language, except it’s done using sophisticated mathematical algorithms.

 

In this article, I’ll present a simple overview of cryptography, what it is, and how it protects our data and information. Let’s get to it.

 

Cryptography is used in two different scenarios: protecting communications and protecting stored data. In cryptography, we generally concentrate a bit more on the communication of data over various channels than on the storing of data. Although cryptography is important for data that is stored in a particular medium, securing communication channels is the core focus of cryptography, which aims to maintain the confidentiality, integrity, and authenticity of data communicated between parties.

 

So let me explain in the simplest way how cryptography is used to secure a message from a sender to a receiver over a communication channel. Let’s say you have a message that you (the sender) want to deliver to a friend (the receiver). To keep the message (also known as the plaintext) secured, it must first be enciphered or encrypted.

 

Encryption is a means of scrambling the message and is done using an encryption algorithm and an encryption key to produce a cryptograph. The cryptograph (scrambled message or ciphertext) is then sent to the receiver. When the receiver gets the cryptograph, the process is reversed: the cryptograph is deciphered or decrypted with a decryption algorithm and a decryption key, which unscrambles the cryptograph to reveal the original message.

 

This, in a nutshell, is what cryptography is all about: scrambling a message so that, if it's obtained by an interceptor, it is unintelligible to anyone who doesn't know the decryption algorithm and decryption key.

Diagram showing enciphering and deciphering in cryptography.




What is a Cryptographic Algorithm?

I’ve mentioned the use of an encryption and decryption algorithm for encrypting and decrypting a message. But what exactly is a cryptographic algorithm? Well, it’s nothing more than a set of rules. I won’t get too detailed regarding algorithms; suffice it to say that these rules consist of many complicated mathematical functions.

 

For a very simplistic view, think of encryption and decryption algorithms as a bit of magic. You don’t necessarily need to understand everything about the magic. All you need to know is that the magic can be done, but to undo it, you need to know the decryption key. So the decryption key unlocks the magic, and it’s this key that attackers want to get a hold of.



Uses of Cryptography

Cryptography has various important uses, and the uses can be classified into four main categories.


1. Secrecy

Keeping sensitive information hidden from those not allowed to access it is one of the main objectives of cryptography. Through the process of encryption and decryption, cryptography transforms a message or data into an unintelligible form, allowing it to be kept secret from anyone who does not possess the deciphering algorithm and the decryption key. The ability to maintain this confidentiality relies heavily on keeping the decryption key confidential. If someone gains access to the decryption key they would be able to access the data.


2. Data integrity

Maintaining data integrity is essentially protecting data from being accessed, modified, or deleted by unauthorized parties. Cryptography offers integrity protection by detecting any alteration, insertion, deletion, or replay of data throughout the complete data stream. This ensures that the integrity of any user data that is transferred across a communication channel is protected.
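The sender-to-receiver flow described earlier, together with the secrecy and integrity uses above, as an added example in Node.js that is not part of the original article. It assumes AES-256-GCM as the algorithm and a key both parties already share; the function names and the sample message are made up for the illustration.

```javascript
// Added example (not from the article): symmetric encryption with AES-256-GCM
// using only Node.js's built-in crypto module.
const { randomBytes, createCipheriv, createDecipheriv } = require("node:crypto");

// Sender: scramble the plaintext with the shared secret key.
function encrypt(key, plaintext) {
  const nonce = randomBytes(12); // must never repeat for the same key
  const cipher = createCipheriv("aes-256-gcm", key, nonce);
  const ciphertext = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  return { nonce, ciphertext, tag: cipher.getAuthTag() };
}

// Receiver: unscramble. Returns null when the key is wrong or the message
// was altered in transit (the authentication tag no longer verifies).
function decrypt(key, { nonce, ciphertext, tag }) {
  try {
    const decipher = createDecipheriv("aes-256-gcm", key, nonce);
    decipher.setAuthTag(tag);
    return Buffer.concat([decipher.update(ciphertext), decipher.final()]).toString("utf8");
  } catch {
    return null;
  }
}

function demo() {
  const sharedKey = randomBytes(32);  // 256-bit key held by sender and receiver
  const message = "Meet me at noon";  // constructed sample plaintext
  const sent = encrypt(sharedKey, message);

  // Simulate an alteration on the channel: flip one bit of the ciphertext.
  const altered = { ...sent, ciphertext: Buffer.from(sent.ciphertext) };
  altered.ciphertext[0] ^= 0x01;

  return {
    received: decrypt(sharedKey, sent),          // original message
    wrongKey: decrypt(randomBytes(32), sent),    // null: secrecy holds
    altered: decrypt(sharedKey, altered),        // null: integrity check fails
    plaintextVisible: sent.ciphertext.toString("latin1").includes(message),
  };
}

console.log(demo());
```
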



3. Data verification

Cryptography provides techniques to guarantee data verification. The two main methods used are:

 

Cryptographic hash functions — I won’t delve too deep into hash functions, because they can get quite complicated. A hash function is simply a function that maps an input of any size to a fixed-size output. Let’s say you are downloading a file: a hash function can be used to generate a hash value for the downloaded file. This hash value can be compared to the one provided by the distributor to ensure the file hasn’t been tampered with during download.

 

Digital Signatures — A digital signature is a technique for establishing the origin of a particular message to settle later disputes (non-repudiation) about a message (if any) that was sent. The purpose of a digital signature is for a sender or receiver to link its identity to a message. Asymmetric cipher systems are used to generate digital signatures, which provide a method for the authentication of data and protection against unauthorized changes. 

 

Digital signatures involve two entities: a signer, which is the entity that creates a digital signature, and a verifier, who receives a signed message and attempts to check whether the digital signature is “correct or not”.
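Both verification methods above, as an added example in Node.js that is not part of the original article. It assumes SHA-256 for the hash and Ed25519 for the signature; the function names, file contents and messages are constructed for the illustration.

```javascript
// Added example (not from the article): hash check and signer/verifier roles
// using only Node.js's built-in crypto module.
const { createHash, timingSafeEqual, generateKeyPairSync, sign, verify } =
  require("node:crypto");

// Hash check: recompute the SHA-256 digest of the downloaded bytes and compare
// it with the hex digest published by the distributor.
function matchesPublishedDigest(fileBytes, publishedHex) {
  const actual = createHash("sha256").update(fileBytes).digest();
  const expected = Buffer.from(publishedHex, "hex");
  return expected.length === actual.length && timingSafeEqual(actual, expected);
}

// Signer: holds the private key and creates the signature.
function signMessage(privateKey, message) {
  return sign(null, Buffer.from(message, "utf8"), privateKey); // Ed25519 hashes internally
}

// Verifier: needs only the signer's public key.
function verifyMessage(publicKey, message, signature) {
  return verify(null, Buffer.from(message, "utf8"), publicKey, signature);
}

function demo() {
  const release = Buffer.from("installer v1.0 contents");   // constructed file bytes
  const published = createHash("sha256").update(release).digest("hex");
  const modified = Buffer.from("installer v1.0 c0ntents");  // one byte changed

  const signer = generateKeyPairSync("ed25519");
  const stranger = generateKeyPairSync("ed25519");
  const message = "Pay Bob 100";                            // constructed message
  const signature = signMessage(signer.privateKey, message);

  return {
    digestLength: published.length,                              // 64 hex chars for any input size
    intactFile: matchesPublishedDigest(release, published),      // true
    modifiedFile: matchesPublishedDigest(modified, published),   // false
    genuine: verifyMessage(signer.publicKey, message, signature),          // true
    alteredMessage: verifyMessage(signer.publicKey, "Pay Bob 900", signature), // false
    wrongSigner: verifyMessage(stranger.publicKey, message, signature),    // false
  };
}

console.log(demo());
```

A published digest only detects tampering if it is obtained over a channel the attacker cannot also modify. The signature check does not have that limitation, provided the verifier's copy of the public key is authentic.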



4. Non-repudiation

This is a fundamental concept of cryptography, and it is where someone is not able to deny that they had indeed sent or received a message. It ensures that both parties cannot deny their participation in a particular transaction.

 

Digital signatures, described above, provide evidence to demonstrate the origin of a particular message. When any party digitally signs a document or message using their private keys, it then becomes cryptographically linked to them. In this way, it will now be impossible for them to deny involvement in the future. Non-repudiation techniques are widely used in legal and financial transactions where integrity and authenticity are vital.



Types of Cryptographic Systems

Cryptography is divided into two categories:

Symmetric or Conventional Cipher Systems

This kind of cipher system, often called secret key cryptography, uses a single key for both encryption and decryption. The decryption key is easily obtained from the encryption key, and these keys must be kept secret since it’s the decryption key that attackers want. The same key must be held by both the sender and the recipient, who must keep it confidential. Think of symmetric cipher systems like a mortice lock, where the same key is used to lock and unlock it.

 

AES (Advanced Encryption Standard), DES (Data Encryption Standard), and 3DES (Triple DES) are a few examples of symmetric key algorithms. Generally speaking, symmetric key cryptography is quicker and more effective than its counterpart, asymmetric systems, which I’ll discuss next.

 

Symmetric systems do have one drawback: they suffer from the ‘key distribution problem’, which necessitates a secure key exchange mechanism. This means a secure method has to be found to get the key from the sender to the receiver. This is a major disadvantage of symmetric systems; however, asymmetric systems came along to address this issue.

Diagram of symmetric cipher system in cryptography.



Asymmetric or Public Cipher Systems

Unlike symmetric cipher systems that use one key, asymmetric cipher systems use two separate keys, a public key and a private key. As its name suggests, the public key is publicly available and is used for encryption of the message. It has all the data needed by the sender to encrypt the message, but it doesn’t have any data that would make it possible for someone to decipher the message from the ciphertext. RSA and ElGamal are examples of Public Cipher System algorithms.

 

Anyone may have access to the receiver’s public key and use it to transmit encrypted messages. Think of asymmetric cipher systems like a bevelled sprung lock, where anyone can lock it, but only the keyholder can unlock it.

 

The private key should be known only to the receiver and should be kept secret and used for decryption. The private key contains all the information necessary to decrypt the message. Asymmetric cipher systems tend to be rather mathematically complicated and are generally slower than symmetric cipher systems. They do however solve the key distribution problem. The diagram below demonstrates the main difference between symmetric and asymmetric cipher systems.

 

Diagram of asymmetric cipher system in cryptography.
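How a public/private key pair addresses the key distribution problem, as an added example in Node.js that is not part of the original article. It goes one step beyond the text by using the receiver's public key to deliver a symmetric key, and it assumes RSA-2048 with OAEP padding; the function names are made up for the illustration.

```javascript
// Added example (not from the article): delivering a symmetric key with the
// receiver's RSA public key, using only Node.js's built-in crypto module.
const { generateKeyPairSync, publicEncrypt, privateDecrypt, randomBytes, constants } =
  require("node:crypto");

// OAEP padding with SHA-256 (an assumption of this example).
const OAEP = { padding: constants.RSA_PKCS1_OAEP_PADDING, oaepHash: "sha256" };

// Receiver: generates the pair, publishes publicKey, keeps privateKey secret.
function newKeyPair() {
  return generateKeyPairSync("rsa", { modulusLength: 2048 });
}

// Sender: needs nothing secret, only the receiver's public key.
function wrapKey(receiverPublicKey, symmetricKey) {
  return publicEncrypt({ key: receiverPublicKey, ...OAEP }, symmetricKey);
}

// Receiver: only the matching private key recovers the symmetric key.
// Returns null when the private key does not match.
function unwrapKey(privateKey, wrapped) {
  try {
    return privateDecrypt({ key: privateKey, ...OAEP }, wrapped);
  } catch {
    return null;
  }
}

function demo() {
  const receiver = newKeyPair();
  const interceptor = newKeyPair();   // someone holding a different private key
  const sessionKey = randomBytes(32); // symmetric key the sender wants to share

  const wrapped = wrapKey(receiver.publicKey, sessionKey); // safe to send openly
  const recovered = unwrapKey(receiver.privateKey, wrapped);

  return {
    wrappedLength: wrapped.length,                                   // 256 bytes for RSA-2048
    receiverRecoversKey: recovered !== null && recovered.equals(sessionKey),
    interceptorResult: unwrapKey(interceptor.privateKey, wrapped),   // null
  };
}

console.log(demo());
```
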



Weaknesses of Cryptography

Although cryptography is an extremely robust tool for securing our information, it’s not invulnerable. Below are some weaknesses of cryptography.

Exhaustive Key Search or Brute-Force attack

Think for a moment about your debit card, we all have one, at least most of us. Your bank card is protected with a 4-digit personal identification number (PIN). For you to use the card, you must first enter your 4-digit PIN. Only you know the PIN, however, nothing is preventing someone from guessing your PIN. There are approximately 10,000 possible key combinations that can be generated from 4 digits.

 

That would certainly take someone a long time to hit your PIN, but what about a computer? Certainly, a computer can run through all possible combinations much faster than a human and stumble upon your PIN. This is what is called an exhaustive key search or brute force attack because the attacker tries all possible combinations until the key is found.

 

There is no defense against guessing a key or trying to guess all the possible key combinations. To counteract this, most modern cryptographic algorithms have an extremely large number of keys; this is known as having a large key space. The larger the key space, the more difficult it is to perform a brute-force attack.



Key Management Weaknesses

Proper management of keys is extremely important, and is about protecting and defining the use of cryptographic keys throughout their lifetimes. Weaknesses in key generation, storage, and distribution (the key distribution problem is a major issue with symmetric cipher systems) can compromise the security of cryptographic algorithms and can spell disaster. Proper key management is necessary to mitigate this weakness. 


Weaknesses in Algorithms

Although most cryptographic algorithms are designed well, if for some reason an algorithm was not designed properly, attackers can potentially take advantage of its security flaws. The security of cryptographic systems can be compromised by more than just weaknesses in algorithm design. Improper implementation or new developments in cryptanalysis can be just as damaging to the security of the cryptographic algorithm. To address security flaws, cryptographic algorithms need to be reviewed often and updated.


Quantum Computing

I did my master’s thesis entitled “Quantum Cryptography and its application to secure satellite communications”. Here is an excerpt from the work I did showing the power of a quantum computer and the devastating effects it could have on existing cipher systems.

 

Ordinary computers operate at a relatively macroscopic level to change and interpret the encoding of binary bits into a useful computational result. A bit is a binary digit taking the value of either a zero (0) or a one (1) and is the basic unit of information storage. Each bit represents either a zero or a one, and a string of data that is stored as n bytes on a computer's hard disk is therefore represented by a string of 8n zeros and ones. In traditional computers, every computation is an amalgamation of ones and zeros (bits), and at any particular moment, the bit can be either a one or a zero.

 

In a quantum computer, the bits can be in a state of quantum superposition, which essentially means that a bit can be a zero, a one, or a zero and a one at the same time. Since a quantum computer deals with bits in a state of quantum superposition, the bits are called quantum bits or qubits. Qubits are composed of controlled particles and the means to control the particles by switching them from one state to another.

 

The awesome power of a quantum computer could spell disaster for existing ciphers. Triple DES (3DES), in its double-length form, has a key size of 112 bits (i.e. 2^112 keys), and it is considered computationally infeasible to conduct an exhaustive search on such a large key space using existing computing power.

 

Assuming a conventional computer is capable of checking a billion billion (10^18) keys per second, the amount of time required to search a 112-bit keyspace would be approximately 10^12 years, which is longer than the age of the universe. If we attempt to break the Advanced Encryption Standard (AES) 256-bit keyspace using the same computing power of searching 10^18 keys a second, it would take approximately 10^50 years to complete. A quantum computer, however, can theoretically find the key in minutes.

 

There is of course quantum cryptography which can serve as a defense against the awesome speed of a quantum computer to crack any existing cipher. I’ll have another article about quantum cryptography in the near future.


Even though the weaknesses described above do present legitimate dangers, cryptography is nevertheless crucial for protecting data and communications in the digital realm. 



Conclusion

As I mentioned at the start of this post, many of the things we do digitally would not be possible without cryptography. It is an essential component of contemporary digital security measures, guaranteeing the privacy, authenticity, and integrity of data transmitted online. The strength of cryptography lies in its use of complex mathematical methods and algorithms. This allows people, organizations, and governments to protect private information through encrypted lines of communication.


Cryptography does indeed have its challenges, but with continued research, advancements in technology, and adherence to best practices, it will continue to provide an effective defense against information security threats. So the next time you send a text message, log in to Instagram, or check your email, remember there’s a little magic keeping everything secure.
