Encryption technologies form the cornerstone of many information security technologies. Unfortunately, many security practitioners don't understand encryption well due to the technology's ill-deserved reputation as the unapproachable domain of mathematicians and cryptographers.
In this tip, I hope to provide you with a simple breakdown of how encryption works and the general categories of encryption algorithms. This basic level of knowledge is critical to your successful deployment of secure websites, encrypted electronic mail, laptop data theft protection, virtual private networks and many other security technologies.
What is encryption?
Quite simply, encryption is the process of taking information and transforming it using a mathematical algorithm and an encryption key to make it unreadable to anyone who might come across it inadvertently or illegitimately. When an authorized user of the information encounters it, he or she decrypts the information using a similar mathematical algorithm and a key to take the encrypted ciphertext and transform it back into the original plaintext.
In all modern cryptosystems, the secret resides in the keys used to encrypt and decrypt messages. Commonly accepted practice dictates that you use an algorithm that has been publicly disclosed and has withstood the scrutiny of cryptographers and mathematicians. The algorithm should also rely upon the use of a secret key to transform plaintext to ciphertext and vice-versa. It may help to think of encryption keys as the "passwords" to the encrypted information.
Let's consider a very simple example: the Caesar shift cipher. This algorithm, which was actually used by Julius Caesar, involves taking each letter of the message and shifting it by a certain number of places (where the number is the encryption key). For example, if one used the Caesar cipher with a key of three, all of the As in the plaintext would be replaced by Ds in the ciphertext while the Bs would become Es, the Cs would become Fs and so on. Using this approach, you could encrypt the message:
When the intended recipient receives the message, he or she must know that it was encrypted using the Caesar cipher with a key of three. Then the recipient simply reverses the process to decrypt the message, converting Ds to As and so on.
This, of course, is a very simplistic example of an encryption algorithm, and it could be broken very easily by the use of cryptanalytic techniques. Modern cryptographic algorithms are much more sophisticated and depend upon advanced mathematics to ensure their security. Fortunately, you don't need to understand how these algorithms work; you merely need to understand the concepts of encryption and decryption and select an algorithm that has been generally accepted by the cryptographic community to protect your information.
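The Caesar cipher described above, written out as an added example (it is not code from the original tip). It also shows why the cipher is so easy to break: there are only 25 usable keys, so every one can be tried. The sample message and the function names are constructed for illustration.

```python
import string

ALPHABET = string.ascii_uppercase

def caesar_encrypt(plaintext, key):
    """Shift each letter forward by `key` places; leave other characters alone."""
    out = []
    for ch in plaintext.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + key) % 26])
        else:
            out.append(ch)
    return "".join(out)

def caesar_decrypt(ciphertext, key):
    """Decryption is the same shift applied in the opposite direction."""
    return caesar_encrypt(ciphertext, -key)

def recover_key(ciphertext, known_words):
    """Try all 25 non-trivial keys; keep candidates that contain a known word."""
    hits = []
    for key in range(1, 26):
        candidate = caesar_decrypt(ciphertext, key)
        if set(known_words) & set(candidate.split()):
            hits.append((key, candidate))
    return hits

if __name__ == "__main__":
    message = "MEET AT THE NORTH GATE"  # constructed sample, not from the article
    ciphertext = caesar_encrypt(message, 3)
    print(ciphertext)                      # As become Ds, Bs become Es, ...
    print(caesar_decrypt(ciphertext, 3))   # recipient who knows the key
    print(recover_key(ciphertext, {"THE"}))  # no key needed: 25 guesses suffice
```

The whole key space is searched in one short loop, which is the practical difference between this cipher and a modern algorithm whose key space is far too large to enumerate.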
Symmetric vs. Asymmetric Cryptography
There are two types of cryptosystems in use today: symmetric and asymmetric cryptography. They differ in the way they use keys to encrypt and decrypt messages. Basically, in a symmetric cryptosystem, the sender and receiver use the same key to encrypt and decrypt the message. The Caesar cipher described above is a good example of this: both the sender and receiver use the key of three when encrypting and decrypting the message. This is easily understood and is a great way to transfer information among very small groups of people. The problem is that it is not scalable if you wish to keep secrets within the group. For example, consider Caesar's situation. If he wanted to send encrypted messages to all of his generals so that they could all receive and decrypt the same message, this system works fine. However, if he wanted to send one general a message that he didn't want other generals to read, the system breaks down: he would have to have separate encryption keys for each general in his army. The table below illustrates how this can quickly become a scalability problem.
|Number of Participants||Number of Symmetric Keys|
Asymmetric algorithms solve this problem by providing each user with a pair of keys: one public and one private. Any message encrypted with one key from the pair can only be decrypted with the other key from the pair. For example, consider two users of a cryptosystem: Alice and Bob. Each has a pair of public and private keys and distributes their public keys freely to other users. If Alice wants to send a message to Bob, she encrypts it with Bob's public key (which everyone knows). When he receives the message, he uses his own private key (known only to him) to decrypt it. This solves our scalability issue by requiring only two keys per user. Consider the same table below, updated to include the number of asymmetric keys required for each scenario:
|Number of Participants||Number of Symmetric Keys||Number of Asymmetric Keys|
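The Alice and Bob exchange and the key counts discussed above, as an added example that is not part of the original tip. It uses textbook RSA with tiny constructed primes purely to show the key-pair idea; the function names and the participant counts are assumptions made for illustration.

```python
from math import gcd

# Toy textbook RSA: tiny primes, no padding, one byte at a time.
# Illustrates the key-pair idea only; never use it to protect data.

def make_toy_keypair(p, q, e=17):
    """Return (public_key, private_key) built from two small primes."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)  # modular inverse, Python 3.8+
    return (e, n), (d, n)

def apply_key(key, values):
    """Transform each integer with one key of the pair."""
    exponent, modulus = key
    return [pow(v, exponent, modulus) for v in values]

def alice_to_bob(message):
    """Alice encrypts with Bob's public key; Bob decrypts with his private key."""
    bob_public, bob_private = make_toy_keypair(61, 53)  # constructed primes
    ciphertext = apply_key(bob_public, message.encode("ascii"))
    recovered = bytes(apply_key(bob_private, ciphertext)).decode("ascii")
    # Applying the public key a second time does not undo the encryption.
    public_only = apply_key(bob_public, ciphertext)
    return ciphertext, recovered, public_only

def symmetric_keys_needed(users):
    """One shared secret key for every distinct pair of users."""
    return users * (users - 1) // 2

def asymmetric_keys_needed(users):
    """One public and one private key per user."""
    return 2 * users

if __name__ == "__main__":
    ciphertext, recovered, public_only = alice_to_bob("HELLO BOB")
    print("ciphertext:", ciphertext)
    print("Bob recovers:", recovered)
    print("public key alone yields:", public_only)
    for users in (2, 5, 10, 100, 1000):  # constructed participant counts
        print(users, symmetric_keys_needed(users), asymmetric_keys_needed(users))
```

The symmetric count grows with the square of the group size, while the asymmetric count grows by two for each user added.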
Those are the basics of encryption. While the underlying mathematics are certainly sophisticated, there's no reason you should feel intimidated by the fundamentals of how symmetric and asymmetric encryption work. In future tips, we'll explore some of the hands-on applications of encryption technology in the mid-sized organization, including file security, e-mail security and secure web transactions.
About the author:
Mike Chapple, CISA, CISSP, is an IT security professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity.com, a technical editor for Information Security magazine and the author of several information security titles, including the CISSP Prep Guide and Information Security Illuminated.