Cryptography: A Primer for the Non-Technical
if you’re a regular reader of this blog you know that I generally write about privacy to those in the IT industry and prattle on about the importance of paying attention to the rapid changes in privacy norms. This time I’m going to reverse that. In my first ever two part post, I’m going to write to the privacy professional about a computer science topic. For the same reasons I think it’s important that infosec professionals have a basic understanding of privacy laws, regulations and best practices, I believe the privacy professional can benefit from some knowledge of information security as well.
Today, and continuing next week, I’m going to cover the basics of cryptography. An understanding of this science will help the privacy pro understand the options, opportunities and complexities of the science of keeping information secret. Cryptography is not one thing–well it is one thing, but it is applied in so many different ways and is so fundamental to the way we do business a primer is in order.
This is a very wide and deep topic so a rudimentary understanding is all l’m going to aim for, and actually a rudimentary understanding is all that is necessary for the privacy pro. Having a basic frame of reference at those times when the information security professional discusses or proposes cryptographic solutions is useful to both parties.
I want to reiterate that this primer is just a superficial overview of cryptography. It takes someone with experience and an education in the specifics of the science to be able to apply it correctly. Bruce Schneier wrote in his book Secret and Lies, “Anyone who creates his or her own cryptographic primitive is either a genius or a fool. Given the genius/fool ration for our species, the odds aren’t very good.”
The context of that quote is a rather lengthy explanation on the difficulties of getting encryption right and reasoning of why only experts should create cryptographic algorithms. I would take it further to say that anyone who tries to apply cryptography without either experience or clear guidance is just as big a fool.
Cryptography secures messages in transit (including messages passed over internet connections). It’s also used to authenticate the origin of a message, the integrity of a message and protect data in storage. Without it nothing on the internet would be secret and it’s a foundational technology to the way businesses operate today. However, at the most basic level cryptography is really simple.
Note: In this post when I refer to “messages” and “characters” I’m reducing a broader concept for simplicity and to ease the burden of the uninitiated to learn an entire vocabulary of technical terms. With regards to cryptography what I’m calling “messages” and “characters” are not just blocks of alphanumeric characters, this term also includes all forms of communications which could be a text email message, or a stream of bits representing a transaction between computers.
Substitution and Transposition
No matter how sophisticated or how complex the implementation, cryptography is simply the application of character substitutions and transpositions.
A substitution is the act of swapping one character for another. For example, in the sentence “See spot run” we could shift all of the letters by one character so that “a” becomes “b” and “b” becomes “c” and so on. Applying that substitution our sentence becomes “Tff tqpu svm.” That is a basic application of substitution but a substitution doesn’t just need to be letter-for-letter. It can also substitute characters with numbers or symbols. Cryptographic solutions can get pretty sophisticated about applying substitutions but no matter how complicated you want to make it, it is simply swapping the original for something else.
A transposition changes the order of the characters of a message. With this method the characters maintain their original text but they move positions. A simple transposition would be to reverse the order of the sentence. Applying that transposition to our previous example, the sentence would become “nur tops eeS” (“See spot run” written backwards).
Now if we were to apply both our substitution and transposition examples, our sentence becomes “mvs upqt ffT.” At first glance that is starting to appear secret right? Of course, neither example could be considered secure, but it does illustrate what happens in even the most sophisticated cryptography techniques. Where cryptography becomes effective is in many applications of layers of substitutions and transpositions.
The structured application of layers of substitutions and transpositions is known as the algorithm. An algorithm is a mathematical formula which is used to apply substitution and transposition to a message in an orderly manner (orderly so it can be reversed or repeated).
The algorithms we use today are complicated and involve high levels of math. Surprisingly for the uninitiated, the mathematical formulas that comprise most often used algorithms are publicly known. That’s right, everyone knows exactly how the most common algorithms scramble and unscramble messages. Making the details of the algorithm public is an important part of vetting it’s security by the scientific community. I won’t get into why that’s the case as that is beyond the intent of this post, but it is important to understand that anyone who wants to know precisely what substitutions and transpositions were used to encrypt a given message can just look it up. It’s not a secret.
If the method of encrypting a message isn’t secret then what stops someone from reversing the encryption algorithm? That would be the secret key. The key is a long (ridiculously long) random number. That random number is fed into the algorithm along with the message to perform the encryption. The key tells the algorithm when to use substitution and when to use transposition as well as provide the instructions on how to apply them.
At a base level that is all encryption is. You have an algorithm that is fed a message and a key. The algorithm uses that information to swap and substitute bits in the message. The output from them process is unreadable without the key (hopefully).
If you’ve read this far you should now have a basic understanding of what encryption is and you’re in good shape for my next post. Next week I’ll get to the the different types of algorithms and specific applications for these. This post was just background, next week you’ll see how understanding this foundational information will help you understand the opportunities and difficulties in the application of cryptographic algorithms.
One other note: You can now sign up for my BrightTalk presentation on May 22nd, and I hope to see you at my presentation on March 28th at SecureWorld.