Cryptographic Protections in an Online world

In our technology-driven world, keeping personal information safe from prying eyes is becoming increasingly important. Thankfully, for the everyday user, cryptography is widely implemented, and we can be confident that only intended recipients can view sensitive information. Anyone who has ever sent an e-mail, used online banking, purchased something with Bitcoin, or entered a password into their computer has undoubtedly used cryptography to safeguard their information. The tiny padlock next to the URL in web browsers serves as verification that you are interacting with a website that has a valid SSL/TLS certificate that has been digitally signed by a trusted certificate authority. In other words, any communication with that website is encrypted.

crypto1.png

Cryptography is often described as the science and art of secret codes. Historically, this was true; however, as increasingly complex codes were broken, mathematicians and computer scientists sought to add formality and rigor to the field. The textbook Introduction to Modern Cryptography defines cryptography as “the study of mathematical techniques for securing digital information, systems, and distributed computations against adversarial attacks.”

This definition helps to capture the breadth of what the field aims to do. Nowadays, modern cryptography is not just used for encrypting messages; it has a number of purposes, including:

  • Authentication: Verifying the identity of a user, process, or device.
  • Non-repudiation: Assurance that the sender of information is provided with proof of delivery and the recipient is provided with proof of the sender’s identity, so neither can later deny having processed the information. 
  • Privacy: Freedom from unauthorized intrusion or disclosure of information.
  • Integrity: Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity.

Cryptography can be broadly broken down into two categories: private (symmetric) key cryptography and public (asymmetric) key cryptography. Now, let’s suppose Alice and Bob want to communicate.

  • In private key encryption, Alice and Bob have a copy of the same key that they must keep as a secret between themselves. Alice encrypts a message using the private (secret) key along with the encryption algorithm to produce a ciphertext, which she then sends to Bob. Bob takes his copy of the private key along with the decryption algorithm and deciphers the ciphertext to obtain Alice’s original message. This type of security is based on the idea that only the intended senders/recipients have the private key and are able to correctly encrypt and decrypt messages. 
crypto2.png
  • In public key encryption, Alice has one public key that she can release publicly and one private key that she keeps a secret. The public and private key pair are usually related to each other in a specific, mathematical way. Bob can encrypt messages using Alice's public key along with an encryption algorithm to produce a ciphertext, which he passes to Alice. Since Alice is the only one who has access to her private key, she is the only one who is able to correctly decrypt the ciphertext. One example of a public key encryption scheme is the eponymous RSA (Rivest–Shamir–Adleman) cryptosystem widely used today.
crypto3.png

One interesting practice that is widely accepted is Kerckhoffs's principle, which states that cryptographic algorithms should be secure even if everything – barring the secret key – is made public. This seems counter-intuitive at first glance, but a deeper look will help clarify this concept. Remember that little green padlock that is displayed beside the URL in your web browser? If you click on the padlock and select view certificate, the digital certificate details can be viewed, including the type of algorithm used and your public key.

crypto4.png

Making the details of the algorithm freely available allows for public scrutiny and peer review. If researchers and industry professionals have not been able to break a cryptosystem over the course of several decades, then we can be reasonably confident in its security. Current public key cryptography is based on the assumption that certain problems are computationally hard. For example, we do not yet have an efficient algorithm for factoring a number into its prime factors using classical computers. Prime numbers are numbers that are indivisible, meaning they can only be divided by 1 and themselves.

Ex. 2, 3, 5, 7, etc.

Factoring a number into two prime components is relatively easy when the numbers are small.

Ex. 15 = 3 * 5, 161 = 7*23

However, as the numbers grow larger, finding prime factors becomes increasingly difficult and may take several lifetimes to solve. Other problems similarly used for their computational hardness include the RSA Problem, Decisional Diffie-Hellman, and the Discrete Logarithm Problem. As such, we can take comfort in the fact that, even if the cryptosystem’s algorithm is public knowledge, our sensitive data is safe!

Taking Precautions:

Computer scientists who study cryptography are often concerned with developing new cryptosystems and mathematically proving that they are secure. Just because a cryptographic scheme is provably secure in theory, correctly implementing it in practice is extremely important. For example, Cipher Block Chaining (CBC) mode is a way of encrypting variable length messages. The scheme for CBC requires that we use a random starting value known as an initialization vector (IV). However, if one were to use CBC-MAC, a similar-in-concept scheme for authenticating messages, then it is important to not use a random IV. In fact, using a random IV for CBC-MAC is not secure. Sometimes, seemingly innocuous changes can render an otherwise secure system unsecure. This small case study demonstrates the importance of using best practices when implementing cryptography at home or on the job. Never take “short-cuts” or change any aspect of the cryptographic algorithm without first ensuring the integrity of the system. 

Additional Resources:

  • Journey into Cryptography by Kahn Academy. Kahn Academy is a great online resource for learning science and math concepts. Free videos on a wide range of topics can be found on their website and on their Youtube account.
  • A Graduate Course in Applied Cryptography by Professor Dan Boneh (Stanford) and Professor Victor Shoup (NYU). The book provides an in-depth, rigorous introduction to the field and is freely available online.