When I discussed Password Policies, I talked about the one-way encryption used to store passwords, but more generally you want to encrypt something to make it private and later decrypt it to use it. Here I’ll try to give a basic idea of how that works. Again, the real math is hard but a useful understanding is not.
Substitution
A very simple example of protecting a message is a substitution cipher where each letter of a message is replaced by a different letter using a plan agreed upon by the sender and receiver of the message. You’ll find substitution in the secret decoder rings of yore and the rot13 (rotate 13) algorithm. In rot13, every letter is replaced by the one 13 letters later in the alphabet (wrapping around to A from the second half of the alphabet). A becomes N, B becomes O, and P becomes C.
A message enciphered with rot13 can be decoded either by applying rot13 again or by reversing it.
Encode: BLOCK + 13 = OYBPX
Reverse: OYBPX – 13 = BLOCK
Encode: OYBPX + 13 = BLOCK
Such simple encoding is easy to understand and implement and the message doesn’t change size when it is encoded, but substitution ciphers are easily broken based on the well-known frequency of letters in English text. Given a message of any significant size, we can look for the most frequent letter and be fairly sure that it is a substitute for E. T is the next most common letter. Then if we see “TXE” we can guess that X represents H. Clearly we need something stronger to keep your online banking safe and private.
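The frequency attack described above can be run in a few lines. This is an added example, not code from the original post; the sample message is constructed, and the guess relies on E being the most common letter in it, which is why it needs a message of reasonable size.

```python
from collections import Counter
import string

ALPHABET = string.ascii_uppercase


def shift(text, key):
    """Replace each letter with the one `key` places later, wrapping at Z."""
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + key) % 26])
        else:
            out.append(ch)  # spaces and punctuation pass through unchanged
    return "".join(out)


def guess_key(ciphertext):
    """Assume the most frequent ciphertext letter is a substitute for E."""
    counts = Counter(ch for ch in ciphertext if ch in ALPHABET)
    top_letter = counts.most_common(1)[0][0]
    return (ALPHABET.index(top_letter) - ALPHABET.index("E")) % 26


# Constructed sample message (E appears far more often than any other letter).
PLAINTEXT = "MEET ME BEFORE THE EVENING STREET MEETING NEAR THE GREEN TREE"


def demo():
    """Encode with rot13, then recover the key and message without being told 13."""
    secret = shift(PLAINTEXT, 13)
    key = guess_key(secret)
    return key, shift(secret, -key)


if __name__ == "__main__":
    print(shift("BLOCK", 13))
    print(demo())
```

The same `guess_key` works for any shift, not just 13, because every E in the message moves to the same ciphertext letter.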
How Keys Work
If you think of a key as something that gives you access, a computer password is a sort of key. Unfortunately, passwords are the skeleton keys of computer security. It is possible to make passwords long and complex, but then they are hard to remember or type. However, computers often excel at things people don’t do well and remembering long, meaningless strings of characters is one of those tasks. The state of the art in encryption is called Public Key Infrastructure and it takes advantage of this strength of computers.
The software that secures your session with your bank’s website manipulates very long keys to encrypt and decrypt the data flowing between your computer and the bank. The keys look something like:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCZ2R9o2S7n86yV4X23yG3gD/xWzZ0FdCNHPmhogm
Lh+/batLhfkXBZxR7bUrjVe0Lwr+JrdT0czQp6DGZLhjiGsAihKFTbvvyowFoLLcH34/KisTTj6k1m
BFNU/oAUyHd74SZdmnaU3qnZ6QmYylxavN67TWjcPuzepiGwvmv3dpXrPr76qKRG/+huac9fZ04Ld5
tZRUkoILOPWh5+WJ4Ak7mx5652QVWT2MloGxW+qHr3RCoUEAklXdUSkC8HsOv0np8Q4NK7UFC+l+yh
t37+AL8IOe7j9HiPovoY+OVB99F472QywjrOiDzHR27dgs8YrYJ5QqGckd8v2McS2i83 chris@chris-XPS-99-1234
Keys used in this way are generated as a pair, one which is kept private and one which can be freely shared. In the rot13 example above, the same “key” (13) was used to encode and decode. But what if you used 12 to encode and told your friend to use 14 to decode? C + 12 = O and O + 14 (wrapped around at Z) = C.
Public/private key pairs are useful because the math involved in creating and using them makes them only work going forward.
- With a rot13-like encoding, there are two keys that may be used to decode a message (you can subtract the encoding key or add the decoding key). Public/private key pairs don’t work like that; a message encoded with the private key can only be decoded with the public key. Knowing the private key does not allow you to reverse the encryption.
- With rot13-like encoding, you know that the two keys must add up to 26, so if I tell you to decode with 14, you know I encoded with 12. There is no such simple relationship between the keys in a public/private pair.
A few examples may help. I’ll illustrate encryption as if it were addition, but the “+” is meant to represent a sort of vague “combines with.”
Start with some data (a stock report or a love letter or whatever) and a public/private key pair. Combine the data with the private key and you get what appears to be gibberish:
Data
+ Private Key
= Gibberish
You can’t use the private key to get the data back from the gibberish; instead, you combine the public key with the gibberish to get back the data:
Gibberish
+ Public Key
= Data
So, if I want to send you a message securely, I can give you my public key, encrypt the message with my private key, and send it to you. Not only is the message in transit gibberish, but you will know that the message came from me because my public key can only decrypt a message encrypted with my private key.
Of course, if my public key is public, anyone might have it and be able to intercept the gibberish and decrypt it on their computer. There is one more property of the key pair that helps us: data encrypted with one can be decrypted with the other. Knowing that, I can do:
Data
+ My Private Key
= My Gibberish
+ Your Public Key
= My Gibberish for You
And when you get it you can do:
My Gibberish for You
+ Your Private Key
= My Gibberish
+ My Public Key
= Data
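The two-layer exchange above, carried through with real arithmetic. This is an added example, not code from the original post: it uses textbook RSA with tiny constructed primes and no padding, so it shows the key-pair property only and is not secure; real software uses vetted libraries and far larger keys.

```python
# Toy textbook RSA with tiny constructed primes: illustration only, not secure.

def make_keypair(p, q, e):
    """Return (public, private) keys built from two primes and a public exponent."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # private exponent (Python 3.8+ modular inverse)
    return (e, n), (d, n)


def apply_key(key, values):
    """The post's '+': combine each number with a key."""
    exponent, n = key
    return [pow(v, exponent, n) for v in values]


# Constructed key pairs. "Your" modulus is larger than "mine" so that
# my gibberish always fits inside your key's range.
my_pub, my_priv = make_keypair(61, 53, 17)
your_pub, your_priv = make_keypair(89, 97, 5)


def send(text):
    data = [ord(c) for c in text]
    my_gibberish = apply_key(my_priv, data)        # Data + My Private Key
    return apply_key(your_pub, my_gibberish)       # + Your Public Key


def receive(gibberish_for_you):
    my_gibberish = apply_key(your_priv, gibberish_for_you)  # + Your Private Key
    data = apply_key(my_pub, my_gibberish)                  # + My Public Key
    return "".join(chr(v) for v in data)


def private_key_reverses(text):
    """Check the claim that the private key cannot undo its own encryption."""
    data = [ord(c) for c in text]
    return apply_key(my_priv, apply_key(my_priv, data)) == data


if __name__ == "__main__":
    wire = send("BLOCK")
    print(wire)                      # what an eavesdropper sees
    print(receive(wire))             # BLOCK
    print(private_key_reverses("BLOCK"))  # False
```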
Certificate Authorities
Individuals and organizations can and do create their own keys, but most people don’t want to be bothered. It’s a truism of computer security that if the system is hard, it won’t be used.
It’s more complicated than this, but essentially the technology industry has agreed to trust a few organizations called Certificate Authorities (or CAs) to generate keys. Anyone who wants to secure their communication goes to a CA, proves their identity, and asks for a pair of keys. The CA generates the keys, sends the private key to the requestor and prepares a digital certificate that says, “This public key belongs to this organization.”
Software makers who want to provide secure communication build into their software a list of CAs. When a browser starts a session with a new website, the site sends a certificate and tells the browser which CA signed it. The browser then uses the CA’s public key to verify the signature. If it all checks out, you’re connected.
But it may not all check out. Keys expire, partly because CAs charge for them and want recurring revenue, but also because expiry provides some additional level of security. And keys can be stolen or leaked. When it’s a signing certificate used by a CA, all the certificates issued by that CA are compromised and a lot of people work fast to fix the security hole.
Learning More
In this post, and when talking about passwords, I’ve taken some liberties while giving you a way to think about a complicated topic in a simple way. If you are curious about the real details, I recommend Cryptography Engineering. It is deeper and more accurate, yet still mostly avoids complex mathematics.