Cryptography And Its Uses

Cryptography. You've heard about it; you've read the stories; most of you have probably even used it if you've ever bought anything online with a credit card, though you may not have realized it. Many would like to paint the art & science of obscuring communications as something that only criminals and terrorists use to hide their information from the rightful authorities. The fact is, crypto is used every day to protect innumerable legitimate transactions that fly back & forth across the Internet.

Of course, most people don't know the first thing about crypto, because the powers that be have taken great pains to make it transparent; hey, who doesn't want to make it easy for consumers to give them money? As a result, unfortunately, people don't end up learning what crypto is, or how to use it for their own purposes rather than for the benefit of the people they do business with.

In addition, crypto, like most information security issues, isn't exactly easy to understand. There have been numerous attempts to make the use of cryptography easy enough for the masses to understand and use regularly, which have met with varying degrees of success.

The purpose of this article is two-fold: first, a brief introduction to how modern crypto works, in order to develop in the layman reader the understanding necessary to use it securely and properly. Next will be an introduction to the front runners in the easiest and most accessible implementations of personal cryptography technologies available on the web today, which you can check out and start using immediately.

Part I: Theory

Encryption is a process by which a meaningful string of information is turned into what looks like meaningless noise, in such a way that the process can be reversed only by select persons. To accomplish this, a different string, called a key, is used. The decrypted message is referred to as the plaintext, whereas the obfuscated data is called the ciphertext.

The most basic type of cryptographic algorithm is a symmetric one, so called because the key, distributed only to persons authorized to view the messages, works in both directions; it can be used to turn plaintext into ciphertext, and vice versa. This method is pretty problematic to implement and manage, because in order to ensure secure communications, you have to trade different keys with each party you want to talk to. Being the simplest method, this is what most people think of when they think about crypto.

Fortunately, some more sophisticated methods evolved, invented/discovered in the 1970s. Asymmetric cryptography works not with a single key, but with a pair of keys which are generated together, and only once for each user. One key, known as the public key, can only be used to encrypt messages meant for that user, while another, the private key, is only usable to decrypt them. Public keys can't decrypt messages, and private ones can't encrypt them.

What you do then, is publish your public key far and wide for all to see, so that anyone who wants to can encrypt messages to you, knowing that your private key, which you keep to yourself, is the only way for those messages to be decrypted. To send secure messages back, you acquire their public key to encrypt the messages, which only they can decrypt with their private key.

The keys used in asymmetric methods are quite long, and, unlike simpler symmetric keys, can't be arbitrarily chosen by users like passwords. It is not practical to memorize your key pair, which would likely take up more than a third of this page if printed. Instead, you have to record it in a file somewhere, which makes it vulnerable to theft. As a result, most private keys are additionally protected by an extra, symmetric encryption algorithm before being recorded to disk. The key for this algorithm is called a passphrase, and, being a symmetric algorithm, the key can be arbitrarily selected by the user. Any time you need to use the private key to decrypt messages, the software prompts for your symmetric passphrase, decrypts the private key, and then can use it to decrypt the message. This way, if your private key file does get stolen, the passphrase - which only you know - will still be required to use the key.
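The passphrase protection described above can be sketched in a few lines. This is an added example, not code from any PGP tool: the function names, the iteration count and the hash-based keystream (a standard-library stand-in for the AES-style cipher real software uses) are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumption: work factor picked for this example


def derive_keys(passphrase: str, salt: bytes):
    """Stretch the passphrase into an encryption key and a MAC key."""
    raw = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt,
                              ITERATIONS, dklen=64)
    return raw[:32], raw[32:]


def keystream(key: bytes, length: int) -> bytes:
    """Hash-based keystream; a stand-in for a real symmetric cipher."""
    blocks = (hmac.new(key, i.to_bytes(8, "big"), "sha256").digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]


def lock_private_key(private_key: bytes, passphrase: str) -> bytes:
    """Return the bytes that get written to the key file on disk."""
    salt = os.urandom(16)  # fresh salt, so the keystream is never reused
    enc_key, mac_key = derive_keys(passphrase, salt)
    stream = keystream(enc_key, len(private_key))
    body = bytes(a ^ b for a, b in zip(private_key, stream))
    tag = hmac.new(mac_key, salt + body, "sha256").digest()
    return salt + tag + body


def unlock_private_key(blob: bytes, passphrase: str) -> bytes:
    """Recover the private key, or raise if the passphrase is wrong."""
    salt, tag, body = blob[:16], blob[16:48], blob[48:]
    enc_key, mac_key = derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, salt + body, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong passphrase or corrupted key file")
    return bytes(a ^ b for a, b in zip(body, keystream(enc_key, len(body))))
```

A stolen key file holds only the salt, the tag and the scrambled body, so every guess at the passphrase costs the thief a full run of the slow key derivation.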

Asymmetric crypto also introduces a new application that isn't possible with symmetric crypto: digital signatures. Using the converse application of the method used to ensure that a message only gets to its intended recipient, it's also possible to ensure that messages only come FROM certain people.

When a person creates a message, they can use their private key to encapsulate the message in a signature, which is a generated string appended to the end of the message. The signature string is a kind of foreshortened ciphertext fingerprint of the message, which can only be decrypted by your public key - the opposite principle of the encryption/decryption process. Using your public key, recipients can decrypt the fingerprint signature into certain portions of the message. If they all match, they can be sure you sent it, because only your private key is mathematically capable of generating the signature string for that message.

Encryption and signatures can be used together or separately. You can sign plaintext messages and leave them unencrypted, with the signature "hanging out" at the bottom of your messages. Your message can be read by all, of course, but this is often useful to introduce people to the use of cryptography: "What's this PGP signature gibberish at the bottom of your emails?". Once signed, a message can be encrypted as well. Once the recipient decrypts the message, they can then verify the signature as well.

So much for theory. Let's get some hands dirty.
By Roto