Cryptography is derived
from the Greek word
"kryptos," which means
hidden or secret.
And when we think
about cryptography,
that is one of the first
things we think about--
is keeping things secret.
Cryptography allows us to
have confidentiality of data,
but cryptography also allows
some other capabilities,
such as authentication
and access control.
We can really
determine if somebody
is who they say they are.
Another nice security feature
that cryptography provides
is non-repudiation,
which means not only
were we able to authenticate
that it came from you,
we were able to verify that
everything that we're reading
was really written by you.
And cryptography allows us to
check the integrity of data.
We can verify that the
information we've received
is exactly the
information that was sent.
There are a number of terms
that are used when you're
working with cryptography.
One of these is the plaintext.
This is the original message
before it undergoes any type
of cryptographic changes.
Some people think of this
as the unencrypted message
or the message that's
provided in the clear.
When we refer to the
ciphertext, we're
referring to the
information once it has gone
through an encryption process.
So this would be the
encrypted message
that you would send
to someone else.
To be able to get from the
plaintext to the ciphertext
and back again,
you need a cipher.
This is the algorithm that is
used to encrypt the plaintext,
and it's the
algorithm that is used
to decrypt from the ciphertext.
There are many different
methods for encrypting data,
and the art of cracking
this encryption
is called cryptanalysis.
There are researchers
that are constantly
working on finding
shortcomings and problems
with the way that we are
encrypting and protecting
our data so that we can
make sure that our data is
as safe as possible.
To encrypt data, you
commonly need the plaintext
that you're going to
start with, the cipher
that you're going to use,
and then you need a key.
This cryptographic key
is added to the cipher
to be able to encrypt
the plaintext.
Larger keys are
generally more secure,
because brute
force is often used
to find the key that's used
during an encryption process.
We tend to make
these keys larger
to provide more security.
Some encryption methods
only use a single key
to encrypt the data.
Other encryption ciphers will
use the key in multiple ways
or will use multiple keys.
The methodology that's
used will depend
on the cipher that's in use.
The key that's on this
page is my PGP public key
that's available
for anyone to see,
and this is the key
that's associated
with my email address, which
is james@professormesser.com.
Two of the most
important characteristics
that encryption relies on
is confusion and diffusion.
Confusion means that the
data that we have encrypted
looks drastically different
than the plaintext
that we began with.
There shouldn't be any
patterns, and there
should be no way to recognize
any part of the plaintext
by simply looking
at the ciphertext.
Here's a good
example of confusion.
We'll take a bit of plaintext.
My plaintext simply
says, "hello, world."
And I'm going to encrypt
that with my PGP key.
And you can see that the
message that's created
is very different than
the original plaintext.
In fact, there's really
no way to discern
that that original plaintext
is any part of the ciphertext,
and that's a very good example
of implementing confusion
in your encryption method.
The characteristic
of diffusion means
that if we change one character
of this plain text input,
the ciphertext will
be very different.
Let's take an example of
this by using that same bit
of plaintext, "hello, world."
This one has a period at
the end of that sentence.
And when I encrypt it,
I get this PGP message.
Now let's take this
same plaintext,
but instead of having a period
at the end of the sentence,
let's use an exclamation mark.
And let's see what the
results are of encrypting
that bit of plaintext.
You can see that these
two bits of ciphertext
are very, very different.
There's really nothing
that's the same between them
except this little bit
of text at the beginning.
In this particular case,
this is encrypted with PGP,
and PGP puts a PGP
header at the beginning
of the encrypted
information, which
contains format
information, encryption
algorithms, the recipient's
key ID, and other information.
The best kind of security
exists when the attacker
would know everything about the
way the system works but still
would not be able to gain
access to any of the data.
If you're trying to keep the
design of a security system
secret as its only
method of security,
we call that security
through obscurity.
A good example of
security through obscurity
is the substitution cipher.
This is the Caesar cipher,
where you substitute
one letter with another one.
We often refer to
this as ROT13--
"rot" 13-- where you can take
a particular set of letters,
like "hello," and convert all of
them to a number that is simply
rotated 13 characters different.
So "H-E-L-L-O" turns
into "U-R-Y-Y-B."
Since we know how the security
was designed for a substitution
cipher, it makes it very easy
to circumvent the security,
meaning that this is
security through obscurity.
Some modern versions of
security through obscurity
might be something like
a wireless network that
has SSID broadcast
suppression or MAC filtering.
Since these so-called
security features are easily
circumvented if you know
how they're implemented,
this is a good example of
security through obscurity.
We use random numbers
extensively in cryptography.
For example, we
use randomisation
when we are generating keys,
and we use random numbers when
we're creating salt for hashes.
One of the challenges
with creating
random numbers with a machine is
that they're not truly random.
They're machine generated.
Sometimes we'll include
some type of natural input
to help provide
more randomization.
For example, the PGP
key generation process
asks you to move your mouse
around for a few seconds,
and it uses that randomization
as part of the key generation
process.
Our computers do
a pretty good job
of approximating
what might be random,
but these are really
pseudo-random numbers that
are created by our computers.
They are all based on
a starting seed number.
For example, if you use
the same starting seed
number that was used
in a previous process,
you should be able to duplicate
that pseudo-random number
generation.
Fortunately,
application developers
don't have to become
experts in cryptography
to be able to use cryptography
in their applications.
They simply use an application
programming interface
to a cryptography module.
They will send their plaintext
into the cryptography module,
and it simply provides the
ciphertext as an output.
This means that there's
no extra programming that
has to be done, and the
programmers themselves
don't have to worry
what the implementation
of the cryptography.
They only have to worry about
the mechanics of providing it
to the API and getting the
answer back from the API.
Microsoft has a library
for cryptography
called the Cryptographic
Service Provider, or the CSP.
The application
developers only need
to write to Microsoft's
cryptography API,
and that becomes the middleman
between the application
and the CSP.
