Cryptography originated about 4000 years ago, and the world of cryptography has evolved a lot since then. Today ‘Cryptography’ is omnipresent in our lives without most of us realizing it. The fundamental aspect of ‘Cryptography’ has remained the same through time which is to hide information in transit and make it available only for the intended recipients. We will see the basic types of cryptography followed by the application and use of cryptography in real life.
Cryptography involves the use of terms like plain text, cipher text, algorithm, key, encryption, and decryption. ‘Plain text’ is the text or message that needs to be transmitted to the intended recipients and which needs to be hidden. ‘Cipher text’ on the other hand, is the text that has been transformed by algorithms and which is gibberish.
The process of converting the information from ‘plain text’ to ‘cipher text’ is known as ‘encryption.’ On similar lines, the process of converting ‘cipher text’ to ‘plain text’ is decryption.
The complex mathematical formula that is used to convert ‘plain text’ to ‘cipher text’ is known as ‘algorithm.’ Further, both the sender and the receiver have similar or different “keys” to encrypt and decrypt the message. A “key” is a “value that comprises a large sequence of random bits” (Harris 2008). The larger the key size, the more difficult will it be to crack the algorithm. The “algorithm” and the “key” are the two important components of a cryptosystem.
Auguste Kerckhoff in 1883 stated that encryption algorithms should be made public and the “keys” be kept secret. While the academic sector is in favor of the idea, the other sectors are not in perfect synchronization with this idea. The encryption algorithms in the academic sector are made public to enable one to find new vulnerabilities and improve their algorithm. The government sector prefers to keep encryption algorithms private as an additional step to security.
There are two types of encryption – symmetric encryption and asymmetric encryption.
In symmetric encryption, the sender and receiver use a separate instance of the same “key” to encrypt and decrypt messages. Symmetric encryption heavily relies on the fact that the keys “must” be kept secret. Distributing the key in a secure way is one of the primary challenges of symmetric encryption. This is also known as the “key distribution problem.” Further, as per Kerckhoff’s principle, since the algorithm in symmetric encryption is public, anyone can have access to it. It is the “key” that is the vital link in symmetric cryptography and which must be kept secret. It cannot be lost or misplaced. If the individual keys are misplaced, the message can be decrypted by scrupulous elements. Further, symmetric cryptography upholds only the ‘confidentiality’ tenet of the CIA triad. Confidentiality is making sure that the information that is sent is received only by the intended recipients.
One of the main advantages of symmetric cryptography is that it is much faster than asymmetric cryptography. Two important disadvantages of symmetric encryption include key distribution problem and. “key management problem.” When the number of keys needed grows in number with growth in users, it becomes the “Key management problem.” This happens because each set of users needs a pair of instance keys.
Some examples of symmetric encryption are DES (Data encryption standard), Triple DES (3DES) and Blowfish.
Asymmetric encryption is when the sender and the receiver use different “keys” to encrypt and decrypt messages. Here a public key is used to encrypt the message, and a private key is used to decrypt the message. In asymmetric cryptography, the public keys are widely known – whereas the private key is kept protected. The two keys are mathematically related. In spite of being mathematically related, one will not be able to calculate the private key even if the public key is known.
Asymmetric cryptography upholds the security tenets of authenticity and non-repudiation. When one encrypts a message with a private key and sends it, authenticity (proof of identity) is established. Similarly, non-repudiation (cannot deny sending it) is established when a message is encrypted with a private key. It should be noted that any key (public or private) can be used to encrypt and any key (public or private) can be used to be decrypt as well.
One of the main disadvantages of asymmetric encryption is that it is slow when compared with symmetric encryption. The main advantage of asymmetric encryption is the lack of “key distribution problem” and “key management problem.”
Some examples of asymmetric encryption algorithms are, RSA (Rivest, Shamir, Adleman), AES (Advanced Encryption Standard) and El Gamal.
Having seen the two basic types of encryption, let us next see the practical applications of cryptography. We will see cryptography being implemented in mobile messaging tool, “Whatsapp,” “Digital signatures” and HTTP (HTTP over SSL or ‘Secure Sockets Layer’)
Encryption in Whatsapp:
‘Whatsapp’ is currently one of the most popular mobile messaging software. It is available for different platforms such as Android, Windows Phone, and iPhone. ‘Whatsapp’ also enables users to make free calls with other users. In the latest version of ‘Whatsapp,’ the conversations and calls are “end-to-end” encrypted.
What does end-to-end encryption mean?
In end-to-end encryption, only the data is encrypted. The headers, trailers, and routing information are not encrypted. End-to-to end encryption in Whatsapp has been developed in collaboration with ‘Open Whisper Systems.’
End-to-end encryption makes sure that a message that is sent is received only by the intended recipient and none other. Whatsapp has ensured, that even “it” cannot read the messages bolstering a very strong messaging platform. It also means that outsiders or third party individuals cannot snoop on conversations between intended recipients as well.
How is end-to-end encryption in Whatsapp implemented?
Whatsapp end-to-end encryption is implemented using asymmetric cryptography or public key systems. Recall, that in asymmetric encryption, when one key is used to encrypt (here, the public key), the other key is used to decrypt (here, the private key) the message.
Once ‘Whatsapp’ is installed on a user’s smartphone, the public keys of ‘Whatsapp’ clients are registered with the Whatsapp server. It is important to note here that the private key is not stored on Whatsapp servers.
Encrypted session between Whatsapp clients:
Once the client is registered, an encrypted session is created between two clients willing to take part in a conversation. A session needs to be re-created only when the device is changed or when the Whatsapp software is re-installed.
If for example, client1 wants to send a message to client 2, the public keys of the client2 are retrieved from the Whatsapp server, and this used to encrypt the message and send it to the client2. Client2 then decrypts the message with his own private key. “Once a session has been established, clients exchange messages that are protected with a Message Key using AES256 in CBC mode for encryption and HMAC-SHA256 for authentication” (WhatsApp Encryption Overview 2016)
Having seen how encryption is implemented in Whatsapp, let us see the next practical application of cryptography – Digital signatures. Digital signatures are signatures applied digitally. They enforce the concepts of authentication, non-repudiation, and confidentiality. Wikipedia defines digital signatures the following way: “A digital signature is a mathematical scheme for demonstrating the authenticity of a digital message or documents.” (Digital Signature 2016)
With the world being more technically tuned now, business transactions occurring all around the world are fairly common. Manually signing a document and transferring it to different locations is time-consuming. This time lag might not bode well for either the customer or the client. By digitally signing the documents, the business transaction will be completed on time.
Consider another case when two parties are required to sign documents relating to a business transaction. The two parties might never have met each other and might not trust each other. Digital signatures thus ensure timeliness and authenticity of business transactions.
Ethical Hacking Training – Resources (InfoSec)
Implementing Digital signatures:
A digital signature uses public key encryption. A digital signature is technically a “string of bits.” (Digital Signature Standard (DSS) 2013) Let us assume that ‘A’ would like to send a “digitally signed” message to ‘B.’ Since a digital signature uses public key encryption, ‘A’ and ‘B’ will both have a public-private key pair. To create a digital signature and use it along with a message between two clients, the following steps are followed:
- The message that has to be digitally signed is “hashed, ” and a few lines are generated which is known as “message digest.” “Hashing” is the process that is used to enforce data integrity. Hashing functions take the message and add a string value and convert it to another value (message digest). Hashing functions are one-way which means that the message digest cannot be re-converted back to the message.
- The message digest is then encrypted by ‘A’s private key. This is “digital signature.”
- The “digital signature” is now attached to the message and sent to ‘B.’
- ‘B’ verifies the digital signature by decrypting the signature with his public key. This decryption results in a message digest.
- ‘B’ also hashes the message which results in the message digest again. If both the message digests are the same, then ‘B’ can be sure that ‘A’ signed the message and had the message indeed.
The encryption algorithm employed in digital signatures ensures confidentiality. The hashing algorithm ensures data integrity in digital signatures. Digitally signing the documents makes sure that the message or document is authenticated. It also enforces non-repudiation (they cannot deny sending it)
Having seen two practical applications of cryptography, let us move onto the next application of cryptography, ‘HTTP Secure.’
HTTP is ‘Hypertext transfer protocol’ is a protocol responsible for communicating on the Internet. It is the fundamental block of the World Wide Web. HTTP is a stateless protocol since the server forgets the client once the transaction is over.
HTTPS, on the other hand, is HTTP running on top of SSL (Secure Sockets Layer) Most of our day to day transactions like shopping or bill payments are done online. This results in critical and vital data like credit card numbers and bank account numbers being sent online. This crucial data cannot fall into the wrong hands which might be used for malicious purposes.
This creates an absolute necessity that the communication between the server and client be secure. SSL ensures this secure channel of communication using cryptography. Most users are assured of the SSL guarantee by seeing the “padlock” on the left part of the address bar along with the “https” instead of “http.”
How is SSL implemented?
SSL is one practical application of cryptography that makes use of both symmetric and asymmetric encryption. SSL makes use of asymmetric public-private key pair and ‘symmetric session keys.’ A ‘session key’ is a one- time use symmetric key which is used for encryption and decryption. They are randomly chosen and are used only for any particular session.
- For the server and client to engage in a secure conversation, an ‘SSL certificate’ needs to be created and verified by the Certificate Authority (CA). This SSL certificate is installed on the server. (What Is SSL (Secure Sockets Layer) and What Are SSL Certificates? 2016)
- The browser next indicates that it would like to start a conversation with a secure server.
- The server sends its SSL certificate along with the server’s asymmetric public key.
- If the browser trusts the certificate, it encrypts the just created ‘symmetric session key’ with the server’s asymmetric public key and sends it back to the server.
- The server decrypts the symmetric session key with its own asymmetric private key.
- This decrypted session key is then used for creating a secure means of communication between the server and client. (Behind the Scenes of SSL Cryptography 2016)
It should be noted that both the client and server must enable SSL to secure communication between them. SSL works only by encrypting the communication and does not secure data once it has been delivered.
We have seen the two different types of cryptography namely symmetric encryption or asymmetric encryption. We also have seen that cryptography plays a crucial role in encrypting modern day applications such as Whatsapp, Digital signatures, and HTTPS. Cryptography will continue to play a very vital and crucial role in securing all aspects of our technical world.
Behind the Scenes of SSL Cryptography. 2016. https://www.digicert.com/ssl-cryptography.htm (accessed September 22, 2016).
Digital Signature. September 15, 2016. https://en.wikipedia.org/wiki/Digital_signature (accessed Sept 21, 2016).
Digital Signature Standard (DSS). July 2013. http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf.
Harris, Shon. “All in one CISSP.” By Shon Harris. 2008.
What Is SSL (Secure Sockets Layer) and What Are SSL Certificates? 2016. https://www.digicert.com/ssl.htm (accessed September 22, 2016).
WhatsApp Encryption Overview. April 4, 2016. https://www.whatsapp.com/security/WhatsApp-Security-Whitepaper.pdf.