It should come as no surprise that in this modern era of digital data we need encryption. But what exactly is it? How do you know what kind of encryption you need? If you were to ask someone what kind of encryption they use, they may respond with a specific encryption-based product, like full-disk encryption. Or they may mention an encryption-based protocol, like HTTPS (HyperText Transport Protocol over SSL). But encryption is much more complicated than that. In fact, when I teach security classes, encryption tends to be the toughest topic to understand even to experienced technicians. My goal is to help unlock the secrets of “Secret Writing” or Cryptography.
The sticking point for many of us is when we get into understanding mathematical ciphers. Now, I’m not going to pretend to be some brilliant mathematician. I’ll be the first one to admit that the core algorithms remain a mystery to me, but, thankfully, I can still take full advantage of this amazing process without swimming through the mire of advanced mathematics, and so can you. All you need is to understand the general function of three categories of mathematical ciphers: Symmetric, Asymmetric and Hashing. And it makes it easier to keep it all straight if you can grasp how and why we use each of these categories.
Symmetric ciphers are used to keep data secret. I know that sounds simplistic, but this will be clearer after you learn about the other two types of ciphers. Let me be more specific. Symmetric ciphers are used to store and share secret data with the intent of reading it later. This means we need to be able to decrypt it with a key. What makes it symmetric is that the same key is used to encrypt as is used to decrypt.
Think of it like a lockbox. I have a secret message for you, so I put it in a box and lock it with a key. I then hand you the box, so you can open it. But you need the key, too. In fact, this is one of the biggest issues with symmetric ciphers. How do you create a lockbox and its key and then share the key with others without someone stealing the key in the process? More on that in a moment.
Symmetric ciphers are strong and can encrypt pretty much any size message with the least amount of effort, which is why we use it to encrypt things like hard drives, files and e-mails. We also use it for wireless encryption and encrypted data across the internet. Like I said, key distribution is an issue with symmetric ciphers, but so is key storage. Where do I keep my key so no one steals it and accesses my secret data? We’ll address distribution today, but we’ll save the storage discussion for another time.
The answer to the distribution question is the second category of encryption: asymmetric encryption. If symmetric is the same key for locking and unlocking, asymmetric should be obvious. If the key was used to lock it, a different key will be needed to unlock it. We call this pair of keys private/public key pairs. The private keys should be kept, well, private at all times whereas the public key can be shared freely with anyone who wants it. Either key can lock but once locked, the other must be used to unlock. Now, asymmetric ciphers can only encrypt small pieces of data, so we can’t use them to encrypt actual secret messages. Our application of asymmetric ciphers is normally limited to two basic purposes.
The first is key distribution. I have a secret message encrypted with a symmetric cipher. I need to share that message with you, but you don’t have the key. If I get your public key, I can lock the symmetric key (aka session key), and only your private key can unlock it. Even though everyone else in the world has access to the public key, it can only lock in this scenario, not unlock. Once you unlock the session key, you would then be able to unlock my secret message. All of this, up to this point, supports the security concept called confidentiality.
But how do you know it’s really me sending you this information? We can also use this private/public key pair for digitally signing my message, too. Since you’ve got a copy of my public key, I can send you a little bit of data attached to my message and then encrypt it with my private key. Since my private key was used to lock it, only my public key can unlock it. Now, this little packet of data is not a secret-the whole world can read it using my public key. But the purpose was not to keep it a secret. It was to prove that I sent it. And since no one else has my private key, no one else could have sent this signed packet of data. This is what we call authentication.
Now what is that small packet of data? It’s our third type of encryption called hashing. Hashing is a little different. The point is not to encrypt and then decrypt. In fact, hashing algorithms are irreversible. Instead, we take our plaintext of any length and run it through the hashing algorithm. The result is a fixed-length set of 0s and 1s called a digest. It doesn’t matter how large or small the original message was and could range in size from a single character to an entire set of encyclopedias. The digest will be the same size. Furthermore, the resulting digest is predictable. If I put the same plaintext through the algorithm over and over, the resulting digest will always be the same.
So let’s go back to this small packet of data that I sign with my digital signature. Where did it come from? If I take my original message, in plaintext, I can run it through a hashing algorithm and create a digest. Most digests range from 160 bits to 384 bits long. I then attach this digest as my small packet of data. Once you get through all of the other encryption to my original plaintext, you can run the same hashing algorithm to generate the hash again. If your version of the hash matches my version of the hash, you can rest assured that this is my original message, and no one tampered with it. In security, this is called message integrity.
Putting It All Together
So now that I’ve described all of the pieces of the puzzle, let me put it all together for you. Encryption gives us confidentiality, integrity and authentication. Here is the process using all three types of encryption.
- I create a plaintext message and generate a digest of the data using a hashing algorithm.
- I ask you for your public key and give you my public key (asymmetric cipher).
- Using a symmetric cipher, I generate the session key and encrypt the plaintext message.
- I use your public key to encrypt the session key.
- I use my private key to encrypt the digest.
- I send the encrypted message, with the encrypted session key and the encrypted digest to you.
- You decrypt the digest with my public key, confirming my identity.
- You decrypt the session key with your private key.
- You use the session key to decrypt my message.
- You run my decrypted plaintext through the hashing algorithm, generating another digest.
- You compare your digest with my digest verifying the integrity of my message.
- You read my message.
Now that we have established a secure communication path with that session key, we can now exchange data freely and securely. However, nothing is perfect. There are many ways that our encryption can be compromised. And clearly, this explanation is only a start. There are so many more things to learn about cryptography and the specific uses of encryption.
Becoming a certified security professional will help you down your path to understanding encryption better. Certifications like Security+, CASP and CISSP demand a deeper understanding of cryptography. Global Knowledge can help get you there.