Thursday, November 27, 2014

Information Security Basics Part 3: Cryptography

image source:

In a nutshell, this cartoon depict what cryptography is - hidden writing.

Cryptography has 2 distinct operations:
  • Encryption
  • Decryption
When we hide a message, we need a way to return it to it original form.  A cipher is an algorithm to perform the encryption and decryption.

Cryptography History
Wikipedia has a very comprehensive wiki on the history of cryptography. Way back to the ancient Egyptian Kingdom in 1900 B.C. cryptography is a very simple is being used.  Julius Caesar in 100 B.C has the Caesar Cipher to encrypt secret message to his generals. His cipher is a simple substitution method of shifting the character by 3.

As time progress, more and more complicated cipher is used.  In the 16 century, Vigenere introduced a primitive form of encryption keys.  At the beginning of the 19 century, machines was used as a cipher in the field of Cryptography.

Of course the most famous cryptography machine is the Engima machine used by the German. The movie U-571 is still one of my favorite war movies.

image source:

As a side note not the U.S. Army is very smart in using the Navajo Indian to use their native language to communicate with each other at the Pacific theater.  In essence,  the Navajo Indian is the cipher machine.  U.S. Marine is assigned to protect this asset and sadly, if necessary the marine has to "destroy" this unique cipher machine and not to let it fall into the hand of the enemy - the Japanese.

Modern Cryptography is based on complex mathematical algorithms.

Cryptography Goal
What we have discussed so far is that Cryptography is the way to encrypt and decrypt messages.  In fact there are all together 4 goals in Cryptography:
  • Confidentiality
  • Authentication
  • Integrity of Data
  • Non-repudiation
I think for confidentiality, authentication and data integrity, it is self explanatory.  As for non-repudiation, it means the sender cannot deny sending the message.  For example, my 4 year old son is playing with my laptop and he managed to send you an Email saying I will pay you $1,000 and signed the Email with my private key.  In the eye of the court, I am obligated to pay you the $1,000 because the Email is signed by my private key which no one should have.

Cryptography Types
There are 3 general types of Cryptographic algorithms:
  • Secret Key
  • Public Key
  • Hashing
Secret Key
It is also called Symmetric key cryptography because the message is encrypted and decrypted with the same key. The advantage is speed for encrypting and decrypting.  It is vulnerable for brute force attack for the key to be cracked by hackers.  Key creation and distribution to the various party is also vulnerable for the key being compromised.

The longer the key the more difficult or needs longer time to crack by hackers.  Commonly used symmetric encryption algorithms are AES (Advanced Encryption Standard), DES (Data Encryption Standare) or Triple DES.  Sometimes in the movies or TV show we can see that 1024-bit or 2048-bit encryption is used and how the hacker is able to gain access to a certain computer system or network.

Note: Double DES is not used because it is found that doing the encryption only twice does not increase the efficiency of the key size.

Public Key
It is also called Asymmetric Key cryptography because there are 2 keys one for encrypting the message and the other is used to decrypting the message.  One key is called the private key which should be kept in secret and the other is public.  When I send a message to you, I encrypted it with my private key and you will use my public key to decrypt it.  When you reply, you will use my public key to encrypt the message and then I will use my private key to decrypt it.  The draw back for this method is that it is slow due to the complex mathematics algorithm.

As mentioned in the previous section on non-repudiation, when a message is encrypted by a private key, one cannot dispute that the message is NOT send by that person holding the private key.

Example of an asymmetric-key system is the Diffie-Hellman Key Exchange.

One of the application of this method is to use the Asymmetric key to exchange a symmetric key between 2 parties and after that all the communication between these 2 parties will be encrypted with a symmetric key which is much faster.

Hashing is different then the symmetric and asymmetric key cryptography.  It is a one-way encryption.  Plain text go through a hashing function and become a cipher text.  This cipher text, however, cannot be convert back to it original form.

If it is not possible to convert the cipher text back to the original plain text, what is the use of this method.  This method is good for data integrity.  On top of keeping the message confidential, the use of hashing function can show that the message has not been altered either intentionally by another party or unintentionally due to hardware or communication error.

Example of hashing functions are MD5, SHA256/SHA-384/SHA-512

Cryptography Use Cases
The most commonly used case for cryptography is the Secure Socket Layer (SSL).  Everyone uses the web and some website choose to use https instead of http for the communication between the web browser and the web server and https is to have http run on top of SSL.

In OpenStack, as I have blogged about the messaging and queuing system as part of my OpenStack series, SSL is being used to secure RabbitMQ or Qpid.

In an Microsoft infrastructure, Kerberos is used to allow user to log on to the infrastructure and gain access the various compute resources in the infrastructure without having to perform authentication and authorization repeatedly.

Related Post:
Information Security Basics Part 1: Security Models
Information Security Basics Part 2: Defense in Depth
Information Security Basics Part 4: Public Key Infrastructure (PKI)


  1. Very helpful article ! I was always curious about all these complex algorithms that are being used in these ssl encryptions.