Cryptography

Cryptography or cryptology; from Greek κρυπτός kryptós, "hidden, secret"; and γράφειν graphein, "writing", or -λογία -logia, "study", respectively is the practice and study of techniques for secure communication in the presence of third parties called adversaries. More generally, cryptography is about constructing and analyzing protocols that prevent third parties or the public from reading private messages; various aspects in information security such as data confidentiality, data integrity, authentication, and non-repudiation are central to modern cryptography.

We control what
you think with
Language
Said and done
Jargon, buzzwords, slogans
v - t - e

Cryptography prior to the modern age was effectively synonymous with encryption, the conversion of information from a readable state to apparent nonsense. Since World War I and the advent of the computer, the methods used to carry out cryptology have become increasingly complex and its application more widespread.

Modern cryptography is heavily based on mathematical theory and computer science practice; cryptographic algorithms are designed around computational hardness assumptions, making such algorithms hard to break in practice by any adversary. It is theoretically possible to break such a system, but it is infeasible to do so by any known practical means.

The growth of cryptographic technology has raised a number of legal issues in the information age. Cryptography's potential for use as a tool for espionage and sedition has led many governments to classify it as a weapon and to limit or even prohibit its use and export. In some jurisdictions where the use of cryptography is legal, laws permit investigators to compel the disclosure of encryption keys for documents relevant to an investigation.

Terminology
  • Code: When one word is substituted for another.
  • Code Name: A code where the name is a stand in for another entity or event.
  • Cipher: The text of the original message when reduced to a scrambled version, using either numbers, letters, or symbols, often rearranged, altered, or substituted for other.
  • Encryption - The process of using a cipher to disguise a message, also called "encipherment".
  • Decryption - Reversal of the encryption process, also known as "decipherment".

Historical overview

Cryptography dates all the way to the earliest forms of writing, with some of the earliest codes being used to conceal messages from those ignorant in certain language due to the slow spread of literacy. Steganography was also developed around this time, which refers to the practice of hiding a message in plain sight, such as the story related by Herodotus of a slave having a message tattooed on his head and hidden with regrown hair.

Some of the earliest ciphers were substitution ciphers, where letters were switched for other letters to disguise the contents of the original.

Ciphers usually employ a standard "key", which helps to encrypt and decrypt the message, though such devices are not necessarily needed to decipher the message by unintended recipients with the sister study of cryptanalysis, or the use of the disciplines of languages and mathematics to determine the key used to construct the enciphered text. Some ciphers can be strengthened by using more than one cipher method to further disguise the contents or by a changing key for added security.

Modern ciphers make use of computer technology, which often provides for more complex ciphering and deciphering methods than is possible with human help.

Encryption

Encryption is a method of protecting data or messages in transit. In the event that the storage for that information is copied or stolen, it is generally expected that the content itself isn't likely to be retrieved within a reasonable amount of time. For example, personal medical records might not be relevant if the person has been dead for many years already or information about an upcoming terrorist attack might not be relevant months or years after it has already happened.

Types

Generally encryption algorithms can be divided into three types:

  1. Symmetrical: The same key is used to encrypt and decrypt data (examples: RC4, Blowfish, 3DES)
  2. Asymmetrical: A key pair is created (public and private keys), and data encrypted with one key can only be decrypted with the corresponding key in the key pair (examples: RSA, Diffie–Hellman, elliptic curve)
  3. Hashing (One-way encryption): Means that the stored information cannot be decrypted but only bruteforced, mostly used for stored passwords in a database. (examples: NTLM, MD5, SHA-1)

While symmetrical algorithms tend to be faster, they require a preshared key and therefore are unsuitable for encryption in situations where keys cannot be exchanged securely (such as the internet). In TLS/SSL the data is encrypted with a symmetrical key, which itself is encrypted using the webserver's public key. The ciphertext and encrypted key are then sent to the server, where the server then decrypts the key using its private key, and then uses the decrypted key to decrypt the ciphertext, and the same key is used to encrypt the server's response.

Weaknesses

Depending on the method chosen, encryption has shortcomings[1] as an infallible security system:

  • Plaintext analysis, which uses known plaintext patterns to help decode the message (e.g. substitution ciphers are subject to frequency analysis)
  • Exhaustive key search or "brute force", which goes through every combination of keys possible to decode a message[2]. Most modern algorithms tend to avoid using too weak of a key. Where the password used is user-generated, key searches usually start with a dictionary attack (using a large list of common passwords or phrases), followed by a hybrid attack (using the same dictionary but adding numbers, changing letter cases, or substituting letters for numbers, e.g. rationalwiki => r4t10n4lw1k1), and then a brute force attack.
  • Mathematical analysis, designed to find efficient methods to crack the encryption.
  • Duress, which involves using a rubber hose on a person's feet. Despite protection provided by encryption, the key can be extracted from someone who is willing to cooperate to avoid torture (or for cookies). Some encryption systems use plausible deniability methods (such as an encrypted partition within an encrypted partition) to hide the real data when forced to reveal the key under duress[3]
  • Theft, either by malware/key-logger, phishing, or by just plain real-life robbery or social engineering. This is usually the most reliable option to break a secure system, and the one that anyone looking to decrypt a system, whether it be a hacker in Russia or the FBI, uses most often.
  • Bad implementation of secure algorithms, exemplified by the Wired Equivalent Privacy (WEP) algorithm used to secure WiFi networks. It uses the same RC4 stream cypher as the more secure WPA-TKIP algorithm but its bad implementation resulted in a vulnerability to statistical analysis of the traffic which allowed to derive the encryption key in one or two minutes with freely available software.[4]

Responses to cryptography

Governments have differing responses to cryptography.

  • The USA treats some encryption systems (such as those supporting key sizes above 128 bits) to be equivalent of "weapon-grade" cryptography (it is quite literally regulated by the Arms Control Export Act), and restricts their export. However, every U.S. citizen is permitted to utilize and possess cryptographic methods/implementation of any key size (provided they do not pass the technology to foreigners).
  • Some governments allow cryptography, and sometimes mandate that it be used to protect sensitive customer and research information. They may also make it illegal to use it for criminal purposes.
  • The United Kingdom passed the Regulation of Investigatory Powers Act 2000, which allows the government to demand keys from individuals, and refusal to do so can lead to a custodial sentence[5]. Other governments demand a key escrow.

Common misconceptions

Password-protecting a computer does not automatically mean that the data it contains has been encrypted. Usually, basic password-protection is only at the operating system-level and does not change how the data is stored on the disk. It is usually intended to prevent casual attackers who have physical access to the machine from impersonating an existing user. It also prevents other users on the same computer from accessing files owned by other users unless they have administrator/root/super user access rights to override ownership restrictions. This is trivially defeated by simply accessing the data through another operating system or another machine.


Not everything should be encrypted the same way, there needs to be a differentiation between:

  • Data at rest (file)
  • Data in transit (web page)
  • Stored passwords (database)
  • Passwords in transit (authentication)


Counter-intuitively, storing password in an encrypted format is not a secure practice. Traditional encryption means by definition that the information could be decrypted. Verifying authentication through passwords in that way would imply that the stored password has to be decrypted each time it needs to be verified so the encryption key would need to be known and stored in some way by the verifying entity. If the password database was compromised, the encryption key could be retrieved and used to access all the stored passwords it contains. The solution to this problem is storing passwords in hashed format, which constitutes one-way encryption.[6] However, hashes are still vulnerable to lookup tables, which an attacker can use to find a password with a given hash. An attacker can also gather a list of users with the same password simply by looking for all users with matching hashes. These attacks can be thwarted using salts; since the salts are randomly generated, the attacker will not be able to use a precomputed lookup table, and since no two users' passwords should be hashed using the same salt, it is impossible to find other users with a known password. The attacker's only way of cracking a salted hash is by brute force; hashing functions designed for passwords are deliberately designed to be slow so that attempting to iterate through every possible password would take an impractical amount of time.[7]

Cryptography woo

Cryptography is an intellectual art, requiring studies of the disciplines of mathematics and language for skilled practice, and since those disciplines have become the subject of woo related conspiracy and misinformation in other areas, cryptography is no exception.

Some of the earliest woo comes from the earliest days of literacy, where written languages were only understood by very few, and thus encrypted writing was subject to superstition and fear on the part of those ignorant of its meaning. With the increase in literacy, the woo evolved as cryptography was often assumed to play a role in deciphering messages allegedly hidden in religious texts (like the Bible code), suspected as having a sinister purpose (since fraternal orders like the Freemasons used their own ciphers to keep their affairs private), and no end of conspiracy theories by those who assume messages are encrypted in everyday media that can only be understood by the non sheeple.

See Also
  • Alphabet: Some systems of encryption often form these via substitution of the original message text.
  • Black chamber: An organization for reading mail surreptitiously, often a part of discovering encrypted messages and codes.
  • Linguistics: An understanding of this is needed for cryptography.
  • Literature: Certain codes can be based off terms and phrases from various books.
  • Mathematics: An understanding of this is needed for cryptography.
  • Pseudonym - A type of code name.
gollark: Rust = Good
gollark: Python < Rust
gollark: C [approximately equal] C++
gollark: ```c#define C "BAD"#define C++ "BAD AND COMPLEX"```
gollark: 🇭 🇴 🇼 🇩 🇦 🇷 🇪 🇾 🇴 🇺 ?

References
  1. Elvidence - Encryption: Protecting the Information
  2. TechTarget - Brute force cracking
  3. TrueCrypt - Plausible Deniability
  4. Original paper by Fluhrer, Mantin and Shamir
  5. BBC News - Man jailed over computer password refusal
  6. Encryption vs Hashing
  7. Serious Security: How to store your users’ passwords safely
This article is issued from Rationalwiki. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.