Simply put, Cryptography provides a method for secure communication. It stops unauthorized parties, commonly referred to as adversaries or hackers, from gaining access to the secret messages communicated between authorized parties. The method that cryptography provides is called encryption.
Encryption transforms a key and input, the plaintext, into an encrypted output, the ciphertext. Encryption algorithms are only considered secure if attackers cannot determine any properties of the plaintext or the key when presented with only the ciphertext. An attacker should not be able to find out anything about a key, even if they have many plaintext/ciphertext combinations that use that key.
A real-world example would be credit card information that you use for purchases on Amazon or other e-commerce sites. The code in your web browser encrypts the plaintext, your card number, into ciphertext, which to someone without the keys would look like illegible, random text. However, once your card number reaches its intended recipient, the online store, their software would decrypt it back into plaintext so they can charge you for your purchase.
The core principles of modern-day cryptography include:
Let’s go over each one by one.
Data Confidentiality ensures that the data is limited to those who are authorized to view it. The data should only be visible to those who possess some critical information, like the decryption key, for example.
Data integrity refers to the accuracy, legitimacy, and consistency of information in a system. When a message is sent, particularly using an untrusted medium like the internet, data integrity ensures us that a message wasn’t tampered with or accidentally altered.
Let’s use the example of military orders. We’re at war and an army general needs to send an order of retreat to his troops across the sea. Without a guarantee of data integrity, a hacker could intercept the message, change the order, and send it on its way. The army might receive an order to advance and walk right into a trap the general knew about.
Non-Repudiation assures that no one can deny the validity of the data in question, and is actually a legal term used in cyber security. Non-Repudiation is typically accomplished by the use of a service that provides proof of the origin and integrity of the information. It makes it nearly impossible to successfully deny who or where a message came from.
Non-repudiation is similar to data integrity, but it has more to do with knowing who sent the information, and less with whether or not it was changed along the way. In the military example from above, even if we could guarantee that the retreat order was never tampered with, non-repudiation would be a way to ensure it was the general who gave the order in the first place, and not some enemy spy.
There are two kinds of authentication typically used in cryptography.
Never try to design your own cryptosystem. The best cryptographers in the world routinely design cryptosystems with serious security flaws. As it turns out, it’s really hard to build a secure system. There are just too many attack vectors to consider.
For a cryptosystem to be considered “secure enough” it needs to go through intense scrutiny by the security community. “Security through obscurity”, or the fact that attackers may not have knowledge of your system, is something that should never be relied on. In fact, good systems do expose to attackers how they work. Only the private keys should be kept secret.
The enemy knows the system. One ought to design systems under the assumption that the enemy will immediately gain full familiarity with them.
According to Kerckhoffs’s principle
Always take reasonable steps to protect any keys that your software systems use.
Never store encryption keys in plain text with the data they protect. That’s the virtual equivalent of locking your front door and leaving the key on the frame. It’s the first place an attacker will look.
Let’s take a look at a few rules of thumb for securely storing keys.
Lastly, ensure you only use key strengths and operating modes that comply with the latest industry best practices. For example, AES-256 should typically be used over AES-128, if for no other reason than its larger key size provides more entropy when going up against a quantum algorithm.
For more information, read our post on whether open-source cryptography really is secure
A secure system provides the four principles of cryptography to systems in the real world. Confidentiality, integrity, authentication, and non-repudiation are necessary properties in modern software, and they wouldn’t be possible without cryptography.
Software systems, especially those that exist on the web, often have many endpoints, clients, dependencies, networks, and servers. All the physical machines that are required to make your crossword app work need to communicate over networks that can not be trusted. Internet communication takes place over open, public networks that can be trivially compromised by external attackers.
There are two main types of attacks that exist on open networks:
The confidentiality and integrity protection provided by cryptographic protocols such as SSL/TLS can protect communications from malicious eavesdropping and tampering. Authentication protection ensures that the data you receive really came from who you thought it came from. For example, are you sending your social security number to your bank, or to a Nigerian prince?
Cryptography isn’t only useful for data in transit, it can also be used to protect data at rest. Data that is simply stored on a disk in a database can be encrypted to prevent future accesses from reading it. This kind of encryption happens when you lock your phone or computer and keeps your information safe if your devices are stolen.
There are three main types of cryptography:
Symmetric encryption uses the same key for encryption and decryption. The sender and receiver of the message use a single shared key to encrypt and decrypt messages. Symmetric key systems are faster and simpler, but sharing keys is difficult. If you need to communicate over an insecure medium, how would you get the key to the recipient in the first place?
The answer is that for communication to another party, you’ll probably want to use asymmetric encryption, which we’ll cover shortly. Symmetric encryption excels when you’re encrypting information at rest. For example, your password manager encrypts your passwords, but they aren’t being sent to anyone. You only need one key, because you’re the only one using it.
Asymmetric encryption uses different keys for encryption and decryption. A pair of keys that are cryptographically related are used to encrypt and decrypt information. A public key is used for encryption while its private key is used for decryption.
If I want to receive a message from my wife, I would send her my public key. The public key is just that, public. If someone intercepts the key, it’s not a problem, they won’t be able to use it to decrypt anything.
My wife would then use my public key to encrypt a message for me. Now, since I’m the only one that owns the corresponding private key, I’ll be able to decrypt that message once I receive it.
The third most common type of cryptography involves hash functions. No key is used in this algorithm. A fixed-length value is calculated from the plaintext, which makes it impossible for the contents of the plaintext to be recovered.
However, because the same plaintext will always hash to the same output, it can be used to, for example, compare passwords without ever storing them.
Cryptology is the science of secret messages. Anything that has to do with making or breaking codes falls into cryptology’s domain. Cryptology can also be thought of as the study of encryption and decryption. In a nutshell, cryptography and cryptanalysis are the two branches under the umbrella of cryptology.
Cryptology is extremely heavy on mathematics, such as number theory and the application of formulas and algorithms. An interesting anecdote is that cryptology was the main field of study of the first computer scientists, including Alan Turing himself.
People often lazily use “cryptography” in place of the word “cryptology”, but in reality, cryptography focuses only on building cryptosystems.
For example, the design of AES-256, the system that allows us to encrypt the personal information on our phones and laptops, would have been primarily cryptography work.
Cryptanalysis is the inverse of cryptography. It’s the study of how to break secret codes, not make them. Having a solid understanding of cryptanalysis is fundamental in cryptography, however, as one must know their enemy.
Imagine that the FBI gets ahold of your personal mobile phone, and they want to snoop around to see what you’ve been up to. The methods they would employ to “crack” the code and decrypt the contents of your phone would be cryptanalysis techniques.
For more information, we have a full post on cryptology vs cryptography
Where a classical bit holds a single binary value such as
1, a qubit can hold both values simultaneously. This means a single qubit can hold much more information than a classical bit, and all this is made possible by the phenomenon of superposition. This unique property allows them to process information in potentially logarithmic time, or in other words, exponentially faster than classical computers.
Many asymmetric encryption algorithms have been mathematically proven to be broken by quantum computers using Shor’s algorithm. Because algorithms like RSA rely heavily on the fact that normal computers can’t find prime factors quickly, they have remained secure for years. With quantum computers breaking that assumption, then it may be time to find new standards.
On the other hand, symmetric encryption, or more specifically AES-256, is believed to be quantum-resistant. That means that quantum computers are not expected to be able to reduce the attack time enough to be effective if the key sizes are large enough.
For more information, read our post on whether AES-256 is quantum resistant.
Bitcoin and other cryptocurrencies rely on cryptographic algorithms to function, hence the “crypto” in the name. Bitcoin uses two primary cryptographic methods. The first is asymmetric encryption. A bitcoin wallet is, at its core, a collection of private keys that can be used to sign transactions on the network. Bitcoin and other blockchain technologies utilize cryptographic signatures, which are a form of asymmetric encryption, to guarantee that when you send a Bitcoin to your friend, it was actually you that sent it.
The second is hashing. Bitcoin mining makes use of the SHA-256 algorithm to act as a proof-of-work on the network. Because the output of hash functions can’t be easily guessed, the network can trust that an actor in the network has expended a good deal of energy computing the result of a calculation.
The reason we care that it took someone a lot of work to add a new block to the blockchain is to make it more secure. Every miner has to solve a difficult “hashing lottery” to add a new block, but if it were too easy, anyone could add new blocks quickly to rewrite the blockchain to their advantage. Proof-of-work consensus is what makes Bitcoin the most secure public network ever created in human history.
If you’re interested in reading more in-depth about how Bitcoin works, you can do so on bitcoin.org.
Cryptology is a very young science. Although humans have had rudimentary forms of cryptography for thousands of years, the systematic study of cryptology as a science only began about a hundred years ago. The advent of computers made cryptography many orders of magnitude more complex than it had been previously.
For experienced coders: We recommend our Practical Cryptography course which covers everything from the basics of encryption and brute force attacks to stream ciphers, block ciphers, and hash functions.
Originally published here.