Cryptography is as old as the desire of humans to communicate secretly. A famous example is that of the so-called Caesar cypher, named after Julius Caesar. He used to encrypt his correspondence by shifting the letters of the alphabet to the right or left an agreed-upon number of spaces.
Image Credit: Cypher disc By Hubert Berberich (HubiB) – Own work, Public Domain, https://commons.wikimedia.org/w/index.php?curid=25964875
Another example is the Enigma machine used during World War II by the germans for secret military communications. The device used an electromechanical rotor system to scramble the letters of the alphabet.
Image credit: Enygma Machine By Alessandro Nassiri – Museo della Scienza e della Tecnologia “Leonardo da Vinci”, CC BY-SA 4.0, https://commons.wikimedia.org/w/index.php?curid=47910919
Cryptography is a vast domain of study, and this blogpost will only contain some definitions and basic understanding of the field, mainly in the context of CompTIA Security + certification.
Definitions
The computer can read-only binary, meaning a long list of 0s and 1s. The context that we give to the computer helps to give meaning to the 0s and 1s, like numbers, text, photo, video or computer code, all referred to as data.
Plaintext represents the data that computers and humans can read. Cyphertext is any data that is made unreadable. The process of transforming data from plaintext to ciphertext is called encryption. The reverse process is decryption.
An algorithm or cypher is a mathematical formula used to encrypt and decrypt data using a variable known as a key. If we take the Caesar cypher as an example, the algorithm is the character substitution, and the key is the actual number of spaces the alphabet is shifted by.
The cypher might process a single bit of data at a time, a technique called a stream cypher or a block of data, a block cypher.
Keys and how to use them
Keys are fundamental for algorithm implementations. The longer and more complex the key, the more secure the algorithm is, i.e. a key based on a password. Even if malicious users know the algorithm used, they cannot decrypt any information without the cryptographic key.
If the same key is used to encrypt and decrypt the data, the system uses a symmetric, secret key, private key or shared secret cryptography. For example, imagine a safe deposit box: if someone is trying to leave some secure information for you, she needs the key to the box. Likewise, as the receiver, you will need the same key to get access to the information.
Symmetric cryptography By Munkhzaya Ganbold – Own work, CC BY-SA 4.0, https://commons.wikimedia.org/w/index.php?curid=63789996
If different keys, usually public key for encryption and private for decryption, are used, the system uses asymmetric or public-key cryptography. Let’s take a postbox as an example here: anyone with your postbox (public key) location can leave secure mail in the box, but only the receiver who has the key to the postbox (private key) has access to the mail.
Image Credit: Asymmetric cryptography By Bananenfalter – Own work, CC0, https://commons.wikimedia.org/w/index.php?curid=14688673
How does this all work?
To better understand the cryptographic process, we need to define a few more terms:
Confidentiality refers to the assurance that other parties have not read the message. This is usually achieved by encryption.
Integrity refers to the assurance that the message has not been changed during transport. The sender creates a “digital fingerprint” of the message or a hash that verifies the message has not been modified. The hashing process is irreversible and one-way, meaning the initial message cannot be recreated from the resulting hash. The receiver gets the message and the hash and processes the message through the same hashing algorithm, and compares the two hashes. If they are the same, integrity is assured.
Authentication is the process of proving the identity of a user to get access to confidential data. It usually involves a password (something a user knows) but might involve some extra factors like ID cards, security tokens (something a user has), or biometric identifiers (something a user is) in a process called multifactor authentication.
Asymmetric cryptography is used for digital signatures, which implies that for the receiver to be sure the document comes from the named sender, the sender will sign the document with his private key. The receiver can check the signature with the sender’s public key. With this proof, the sender cannot deny she sent the message, and the receiver cannot deny she received the data (nonrepudiation).
Image Credit: Digital signature https://i.stack.imgur.com/Q0a0u.png
The implementations of asymmetric cryptography tend to be quite computationally intensive, and, in the case of symmetric cryptography, the problem is the key exchange, or how do you get the secret key to the intended receiver without interception by bad actors.
So modern systems need to balance usability and privacy and use a combination of symmetric and asymmetric cryptography topped up by hashing and digital certificates.
This blog post is just an introduction to the introduction into the cryptography field, a very complex and mathematically intensive area of cybersecurity. This blog post attempted to make some of the definitions of cryptography easier to grasp and help out while preparing for CompTIA Security + certification.
References
- Weiss, M. (2021). CompTIA Security+ SY0-601 exam cram. Hoboken, Nj: Pearson.
- Mike Meyers’ CompTIA Security+ Certification Guide, Third Edition (Exam SY0-601), 3rd Edition. (n.d.). Mcgraw-Hill.
- Wm Arthur Conklin, White, G., Cothren Cothren, L Roger Davis and Williams, D. (2021). CompTIA Security+ All-in-One Exam Guide, Sixth Edition (Exam SY0-601) /. New York, N.Y.: Mcgraw-Hill Education.
- https://en.wikipedia.org/wiki/Enigma_machine
- Image by Yuri Samoilov/Flickr