From: Thomas, Kevin Sent: 24 August 2011 10:43To: Malik, Javvad Subject: Encryption
Jav
I’m updating the presentation pack for this month’s management meeting. Can you send me a short description of encryption so the SLT can better understand the solution?
Kev
From: Malik, Javvad Sent: 24 August 2011 11:03To: Thomas, Kevin Subject: Encryption
Hi Kevin,
Encryption is the process of transforming information using an algorithm to make it unreadable to anyone except those possessing special knowledge, usually referred to as a key. The result of the process is encrypted information. In many contexts, the word encryption also implicitly refers to the reverse process, decryption to make the encrypted information readable again.
Thanks,
Javvad
From: Thomas, Kevin Sent: 24 August 2011 11:09To: Malik, Javvad Subject: Encryption
If I wanted the Wikipedia description I would have copied and pasted it myself. I need a more business-speak definition.
From: Malik, Javvad Sent: 24 August 2011 12:52To: Thomas, Kevin Subject: Encryption
Sorry Kevin, I assumed that senior technology managers would have half a clue about technology. I have thought long and hard about this and think the easiest way to explain this would be to replace the word encryption with witchcraft. It too is misunderstood by the masses at large, but conveys a clearer message.
Witchcraft is the process of transforming information using an algorithm to make it unreadable to anyone except those possessing special knowledge, usually referred to as a key. The result of the process is witchcraft-ed information. In many contexts, the word witchcraft also implicitly refers to the reverse process, de-witchcrafting to make the witchcraft-ed information readable again.
Regards,
Javvad
From: Thomas, Kevin Sent: 24 August 2011 13:24 To: Malik, Javvad Subject: Encryption
stop messing around!!! I need this urgently to finalise the presentation.
From: Malik, JavvadSent: 24 August 2011 14:20To: Thomas, Kevin Subject: Encryption
Hi Kevin,
You’re right, it was naïve of me to think simply replacing one word would make it simple and easy to understand. I’ve now also amended the other words accordingly.
Witchcraft is the process of transforming a prince using a spell into a frog using special knowledge, usually referred to as a spell. The result of the process is witchcraft-ed prince who looks like a frog. In many contexts, the word witchcraft also implicitly refers to the reverse process, de-witchcrafting to make the witchcraft-ed frog a Prince again.
I’m sure you’ll find those senior managers who have daughters will particularly like this analogy and be able to understand it in its correct context now.
Regards,
Javvad
From: Thomas, Kevin Sent: 24 August 2011 14:43To: Malik, Javvad Subject: Encryption
Has anyone told you that you can be a right idiot! Sort it out NOW!
From: Malik, JavvadSent: 24 August 2011 15:21To: Thomas, Kevin Subject: Encryption
Hi Kevin,
Not, to my face to be honest. But thanks for the feedback. I assume that you are alluding to the fact I should include a pictorial description as senior managers love charts. I have corrected this for you below.
Hope this helps
Javvad
From: Thomas, Kevin Sent: 24 August 2011 15:37To: Malik, Javvad Subject: Encryption
I don’t want your stupid diagram!!!! THIS IS URGENT. Get it done NOW! I have to send this off today.
From: Malik, JavvadSent: 24 August 2011 16:00To: Thomas, Kevin Subject: Encryption
Hi Kevin,
Encryption is the process of transforming information using an algorithm to make it unreadable to anyone except those possessing special knowledge, usually referred to as a key. The result of the process is encrypted information. In many contexts, the word encryption also implicitly refers to the reverse process, decryption to make the encrypted information readable again.
Thanks,
Javvad
From: Thomas, Kevin Sent: 24 August 2011 16:02To: Malik, Javvad Subject: Encryption
Was that so hard? Why couldn’t you have sent this the first time I asked instead of wasting my time.
From: Malik, JavvadSent: 24 August 2011 16:43To: Thomas, Kevin Subject: Encryption
I did…
What is cryptography?
Cryptography, the dark art of information security. The deus-ex-machina, the silver bullet, the be all and end all of all security measures. Widely misunderstood, often poorly implemented.
My first introduction to cryptography was when I was told of this man called Phillip Zimmerman who’d created a piece of software called Pretty Good Privacy or PGP. A bit of sorcery that could protect emails so well, that even the prying eyes of Big Brother could not get at it easily. It was so profound, that the U.S. Government initiated an investigation against Zimmerman. This was on the premise that strong cryptography was classed as munitions so it was in the same classification as real life weapons.
How amazing could that be? This software called cryptography, according to the U.S. Government could be as potent as an AK47? I had to find out more.
Cryptography is a relatively simple concept to understand. It’s the ‘how’ that can get slightly complex.
In essence, it’s taking some information and scrambling it up so no-one else knows what it is. Then having a way to unscramble it back to the original information again.
And really that’s all there is to it. Just like how when you were a child you were told that’s all there is to a Rubik cube and wasted many frustrated hours failing to get it right before resorting to peeling off the stickers and sticking them on wherever you felt.
Everything else surrounding cryptography is about finding ways to make sure the scrambling of information is done in a quick and efficient manner that nobody else in the entire universe can unscramble unless they possess the McGuffin.
Think of it like a Witch who can cast a spell on a Prince and turn him into a frog. If she waves her wand and says “hocus pocus” the Prince turns into the frog and becomes completely unrecognisable. No-one would ever know that the frog was actually a Prince unless they had the Witch's wand and waved it over the frog saying “hocus pocus”.
Symmetric key cryptography
Symmetric key is something that is conceptually familiar as it is a simple flow. One key is used to transform the information from plaintext to ciphertext. Ciphertext is just the fancy way of saying that the plain or clear text has been converted into a format that makes no sense or doesn’t resemble the original text.
The same key is then used to reverse the process and convert the ciphertext into plaintext.
If we revisit the example of the Witch turning the Prince into the frog, the Prince is plaintext and the frog is ciphertext. The key that the Witch uses to convert the Prince into the frog and from a frog back into the Prince is the same, i.e. wave a wand and say ‘hocus pocus’.
Because the process is the same for both sides, one could say it’s symmetric. Hence the highly original definition of symmetric key cryptography.
Asymmetric (public) key cryptography
Asymmetric or public key cryptography isn’t as difficult in concept to understand as most books make it out to be.
In asymmetric key cryptography, you use a key (like in symmetric key) to encrypt some plaintext into ciphertext.
And again very much like symmetric encryption, you use a key to decrypt the cipher text back into plaintext.
The importance difference is that one key encrypts the data and a different key decrypts the data.
This sometimes confused people and I think this is because we’re so used to physical keys it’s difficult to rationalise how one key can only lock a door and not unlock it and vice versa. So, I’ll use a different analogy.
Remember I mentioned the Witch who waves her wand and says hocus pocus for the Prince to turn into a frog.
Now imagine, she didn’t have the ability to turn the frog back into the Prince. The wand only casts spells but can’t break the spells.
No, in order to break the spell, a certain Princess (only one of them) has to kiss the frog and it turns back into a Prince.
One key (the wand) was used to turn the Prince into the frog and another key (the kiss) was used to turn the frog back into the Prince.
This is how a key pair work in asymmetric encryption. One key encrypts and one key decrypts. Both the keys have a weird relationship to each other. It’s like they’re unidentical twins. They share the same parents but are totally different, yet connected to one another. That’s about as far as the mathematics of the key pair go. By all means, if you have an interest in understanding the mathematical way the key pairs are created, there are plenty of books that will explain it in great detail till your brain melts.
Now expanding on this example let’s say the princess is the one who created the magic wand and she went and put it in the market square. Anyone who wanted to send her a Prince could take the wand, say hocus pocus at a Prince and it would turn the frog, get delivered to the Princess and she could kiss the frog and turn it back into the Prince.
Bear with me… this is important.
Firstly, why would a Prince need to be changed to a frog to get to the Princess? Let’s assume that the guards didn’t let anyone into the palace, so a frog could easily get inside.
Secondly, because the wand was created by the Princess, only HER kiss would be able to change the frog back into the Prince so no other Princess would be able to claim the Prince as her own.
We’ve established that there are two keys. One is the Wand which is placed in the market place (public key) where anyone can pick it up and use it to turn a Prince (plaintext) into the frog (ciphertext).
This frog (ciphertext) can then waltz into the palace and to the Princess undetected by the guards (unreadable by anyone else). If anyone does try to kiss the frog, it will remain a frog.
Only the Princess, using her own kiss (private key) can turn the frog (cipher text) back into a prince (plaintext).
At a simple level then we have described how asymmetric key encryption works. You have a key pair, one part is public and one part is private. if someone wants to send a secret message, they will use the recipient's public key to encrypt the data and send it to them. That way they are assured that only the true recipient will be able to decrypt the data because only they have the private key needed to do so.
So if someone encrypts data using the public key, they can be sure that only the owner of the private key can decrypt it.
On the reverse side, if someone encrypts data with their private key and sends it out, then anyone can decrypt it using the senders public key. However, what it does guarantee is that the message indeed originated from the person owning that private key.
Hash functions
An important function within many aspects of cryptography is the hash function. The has function is one-way process. Data is passed through it and it produces a much smaller output called a hash value, or hash sum, or checksums.
Think of the hash value as your fingerprint. If your fingerprints are on a glass, then it leaves little doubt that you were holding that particular glass. Your fingerprint is unique to you and only you. If someone only had your fingerprint, they would not be able to draw any other conclusions, e.g. they can’t tell if you’re male or female, your age or hair colour etc. It only works one way.
In other words, your finger can produce the unique fingerprint. But the fingerprint can’t produce your finger.
Now that you’re an expert in understanding what hash functions are, we can look at what role they play in cryptography.
Continuing with the fingerprint analogy, let’s say a criminal is transferred from one prison to another. Before the prisoner is transferred, his fingerprints are taken and those are sent to the receiving prison. When the prisoner reaches the destination, the receiving prison can take his fingerprint and match it to those which were sent to them separately by the sending prison. If they match, then they can be sure that this is the right prisoner and there hasn’t been an elaborate switch conducted en-route.
However, if the fingerprints don’t match then, there is a bit of a problem.
This is one of the primary functions of a hash, it’s quick to reproduce a hash and compare its value to ensure the integrity of the item it is validating. Which is why when you go to a website and download a package, they sometimes have the hash displayed. The purpose of that is so that when you download the file you can check the hash of the downloaded file and compare it against what it should be. If the values match you’re ok, otherwise it could be you’ve downloaded an altered file which could contain some malware.
For the smart ones out there, you’ve probably noticed one flaw with using hashes to validate the integrity of a sent file. If I were a bad guy and could intercept the file and change or replace it before it got to you. Then I could just as easily change or replace the hash so that everything looked ok.
Which is why before the hash is sent, it is encrypted with the private key of the sender. That way the receiver can decrypt it using the sender’s public key and be assured that it was indeed sent by the right person. A hash encrypted with a private key is usually referred to as a digital signature.
So to break it down we have 3 core components,
- A public key
- A private key
- A digital signature
If you send an email to me using my public key, then that protects the confidentiality of the message because only I will be able to open it.
If you send an email to me using your private key, then I can be sure it came from you and only you. But anyone who can access your public key (everyone) will be able to read it.
A digital signature provides assurance that the message has not been altered in any way from the time it left you till I received it, i.e. it assures integrity
