A Beginner's Guide To Cryptography
Even though you might not be aware of it, you encounter cryptography multiple times a day. Heck, whether you realize it or not, you may have even used cryptography yourself to send “secret” notes to your friends in grade school.
Whether you’re pumping gas at the gas pump, ordering something from Amazon, paying for your groceries with a credit card or watching a movie you’ve rented from iTunes, cryptography protects your information every step of the way.
But if you think that the subject of cryptography is better left to developers, hackers and the battles between Apple and the FBI, you’re wrong.
You need to understand what cryptography (encryption) is, how it’s used to protect your data both on the net and on your devices, and how you can take advantage of it to keep your valuable information safe from prying eyes.
If you don’t, you’re leaving yourself open to the bad guys.
In this article, I’ll go over how cryptography has been used (even in the days before computers), how it works, why it matters and the types of cryptography used today.
I will also explain how cryptography is used in today’s world, how you can use it to protect yourself online and offline, and why cryptography isn’t a perfect solution to your data protection needs.
The History of Cryptography
The history of cryptography goes back to way beyond the advent of the computer - or any machine, for that matter.
Clay tablets from Mesopotamia, from around 1500 BC, show signs of encryption being used to protect information. The tablets record a craftsman’s formula for pottery glaze. It is believed the tablets were encrypted to protect the potter’s formula from being stolen for commercial reasons.
Hebrew scholars are also known to have made use of a simple alphabetical substitution cipher around 500 to 600 BC. An alphabetical substitution cipher is a simple code where a letter in the alphabet is replaced by a different letter. For example: A = Y, B = W, C = G, etc. More about this later.
Wartime Use of Cryptography
Cryptography came into its own in times of war. During the American Revolutionary War, which took place in the late 1700s, British forces used various forms of cryptography to communicate between generals.
Using ciphers, the British army could encode messages to be delivered to generals on the battlefield with no fear that the plans might fall into enemy hands or that a messenger might read it and leak the information to the other side.
The cipher used to encode the messages was shared with only the most trusted members of the British military, keeping the information safe from being stolen by the opposing army.
While the British successfully used a particular cipher for an extended period of time, American forces were eventually able to crack the cipher being used, allowing them to learn of British attack plans.
By the time of the Second World War, mechanical and electromechanical cipher machines were being used widely by all of the major participants in the conflict.
Perhaps the best-known cipher machine used during World War II was one used by the Germans in various versions: an electro-mechanical rotor cipher machine known as the Enigma machine.
The country used the device to encode their battle plans and other sensitive communications for much of the war.
English mathematician/cryptanalyst Alan Turing worked during the Second World War to create techniques to break several of the German ciphers. Turing played a crucial role in cracking the coded messages that allowed the Allies to defeat the Nazis in many critical battles.
Many believe Turing’s work shortened the war in Europe by over two years, saving more than 14 million lives.
Modern Uses of Cryptography
Stepping forward to more modern times, cryptography is used by banks, credit unions and other financial institutions to encrypt data sent between banks, credit card companies, their customers and other businesses.
Cryptography protects the data both during transmission and when it is saved in large databases.
When you swipe your credit card at a grocery store to pay for your food purchase, the information stored on the card’s magnetic strip or embedded chip is encrypted.
The encrypted information is transferred to the payment processor, who checks to make sure your credit card limit hasn’t been reached (with another encrypted transmission), and then replies with an encrypted approval code.
Without the use of encryption, data breaches would be so common that they would likely happen on a daily or even hourly basis, instead of the monthly occurrences they seem to be in recent times.
The data breaches that do hit the news on a regular basis can usually be attributed to a lack of proper encryption or to the use a particularly weak form of cryptography to protect the data.
How Does Cryptography Work?
In this section, I’ll be taking a look at how cryptography works. I’ll demonstrate how a plaintext message is encrypted and stored as ciphertext data. I’ll then explain how ciphertext is decrypted back into plaintext when that step is required.
Before we begin, let me go over key vocabulary, so that we’re all on the same page.
Encryption is the process of making a plaintext (readable) message into a ciphertext (unreadable) message, which is a message that is unintelligible to outsiders who don’t possess the secret “key” to “unscramble” the message.
Decryption is the process of using a secret key to “unscramble” ciphertext and turn the information into readable plaintext once more.
A cipher is the algorithm used to encrypt and decrypt a message.
To demonstrate how everything works, I’ll use a simple encoding method many of us may have used in our younger days to send and receive “secret” messages from our friends.
The encryption method I’ll demonstrate is a simple letter shift cipher, where each letter of the alphabet is replaced by another letter.
A letter shift cipher is known as “Caesar’s cipher,” named for Julius Caesar, who was the first recorded person to use it.
My example will remind older readers of the code card they received when they joined the “Supermen of America” club from the back of Superman and Action Comics magazines.
A Caesar’s cipher is a substitution cipher that replaces each letter in the original message with a letter corresponding to a certain number of letters up or down in the alphabet. In this case, I’ll keep things simple, and only shift up one letter from the original letter.
Get the idea?
By applying the cipher, we could turn a plaintext message like “The Bat flies at midnight” into an “encrypted” message of “Uif Cbu gmjft bu njeojhiu.” Did you just get a chill down your spine? I know I did.
True, this is a very simple cipher and could be decoded by your average 8-year-old in just a few minutes. However, it is an excellent example of how cryptography works.
If you wanted to throw that nosy 8-year-old off your scent, you could apply another layer of encryption to the message, which is called “polymorphism.”
While the subject goes much deeper than I’ll dig in this section, it’s important to understand in order to understand modern cryptographic methods. Simply put, polymorphism is a cipher that changes itself every time it is used.
So, if we took our coded message and ran it through our encryption algorithm again, shifting by one letter once again, then the word “bat” in our plaintext message, which was encoded to “cbu” in our encrypted message, would be changed to “dcv” the second time around.
Only a user with the knowledge that the message had a polymorphic cipher applied to it would be able to decrypt the message back to its original form. Now we’re talking about at least the brain power of a 9-year-old to be able to successfully decrypt the message.
Okay, I was a bit simplistic in that explanation, but I wanted to explain how cryptography worked in the simplest way possible.
In the next sections of this article, we’ll see that the actual encryption ciphers used to protect your data in today’s hacker-heavy world are much more complicated and tougher to decode.
Why Is Cryptography Important?
Cryptography is arguably the best method available today for protecting security-sensitive data.
The unique “code/key/calculations” combination required to encrypt and decrypt data makes the technique an efficient method for keeping information protected from prying eyes.
The heavy usage of the internet for business and personal communications makes encryption a must for any sensitive data.
Without cryptography, any message you send on the internet could be intercepted and read. Everything from a private message to your spouse to the information about your bank account would be open to public examination.
What Types of Cryptography Are Used Today?
There are 4 types of cryptography in use to protect data in today’s always-online world.
All 4 cryptography methods have advantages and disadvantages. In this area, I’ll take a look at all 4 methods, explain how they work and disclose their pros and cons.
Hashing is a function designed to take a message string of any length and produce a fixed-length hash value. The reason to use hashing is not to hide the information included in the string, but to instead verify the string’s contents.
Hashing is most commonly used to protect the transmission of and verify software downloads. A vendor will calculate a hash for a downloadable file and publish the hashed checksum string.
When a user downloads the file, they can run it through the same hashing algorithm. If the hashed checksum strings both match, then the download is complete and the file is authentic.
If there is a variation between the two checksums, it indicates that either the download did not complete properly, or it was intentionally modified by an outside party.
Hashing is a particularly good way to verify downloads of operating system software, such as Windows .ISO files or Mac .DMG files used to install apps.
A demonstration of how it works is shown in the screenshot below. If a user wanted to verify that the movie quote below was the exact one sent by their movie-loving friend, they would run the quote through the SHA-256 Hash Calculator to verify it.
If the message has been modified during transmission - even by only one character! - it will show a vastly different hash, as seen below, indicating that the message has been changed.
In the past, the most common hashing algorithms in use were MD5 and SHA-1. However, both algorithms have been discovered to have multiple security flaws, so many users are now using SHA-256 in their place.
Hashing is a great way to ensure the integrity of a message or a downloaded file. If the hashed value for a file matches on both ends of a transmission, the user can feel secure that the file has been completely downloaded and has not been tampered with.
Hashing doesn’t actually encrypt a file. This is better left to the types of cryptography I’ll be discussing in the following sections.
Symmetric cryptography is one of the simplest types of encryption, as it involves the use of only one secret key to both encrypt and decrypt data. This is one of the oldest and best-known methods of encryption available today.
Symmetric cryptography uses a secret key, which can be a number, word or a string of random letters. The key must be known to both the sender and the recipient in order to complete the process.
The example I used earlier, relating to how cryptography was used during the Revolutionary War for sending messages to generals on the battlefield, is an example of symmetric cryptography.
This method of cryptography is easy to use due to the simplicity of all parties using a single key.
There is also a slight advantage in speed, as a single key is used for encryption/decryption, reducing the mathematical complexity of the process.
Symmetric cryptography isn’t generally used for sending messages over the internet, as the key needs to be sent separately. If a third party were to somehow obtain the key, they would be able to view the encrypted data.
It’s a Catch-22: If you want to send encrypted messages in order to keep the contents hidden from prying eyes, you have to first send an unencrypted message that is completely visible to those same prying eyes. That makes this method extremely insecure.
That’s why symmetric cryptography is usually used to encrypt local databases, such as those found on a server’s hard drive or the data in your iPhone.
Asymmetric cryptography uses two separate keys: one for encryption and the other for decryption.
Asymmetric cryptography uses both a private and a public key.
The public key is used to encrypt the message or other data, while the private key is used to decrypt the information. A message encrypted using a public key can only be decrypted by using the private key.
The public key can be made freely available to anyone who wants to send you a message, while the private key is a secret that only you know. While this is a bit more complicated, it provides an added level of security over symmetric encryption.
Just a few popular uses of asymmetric encryption include sending emails and attachments, connecting to remote servers and accessing secure websites. (The URL for a secure website begins with “https://” - more about that later.)
Asymmetric cryptography is more secure than symmetric cryptography due to its use of a public and private key for the cryptography process.
It eliminates the need to share a single key, making it more secure than symmetric cryptography.
Asymmetric cryptography is a more mathematically complex form of cryptography than symmetric, with more overhead, meaning the encryption and decryption processes take longer, slowing data transmission by a bit.
This is why, when you use a VPN to protect your internet connection, the asymmetrically-encrypted connection speed is slower than your normal, ISP-only speeds.
Also, if you were to lose your private key, it would be impossible to decrypt any ciphertext you might receive, leaving the information permanently unreadable.
Key Exchange Algorithms
Cryptography using key exchange algorithms aren’t used much by individuals outside of the cyber-security industry. However, I’m going to give you a brief overview of this method, so you’ll gain an understanding of this public key cryptography.
Key exchange algorithms allow for the safe exchange of encryption keys with an unknown party. Users don’t share information during the key exchange. The end goal is to create a custom encryption key that can be used by both parties at a later date.
Perhaps the best known key exchange algorithm is Diffie-Hellman.
Diffie-Hellman establishes a shared secret between two users that can then be used to exchange secret information over a public network.
The Diffie-Hellman wiki page, linked above, provides a simplified conceptual diagram, as well as a mathematical explanation, complete with technical jargon. For the sake of simplicity, I’ll be going over the simplified diagram, which uses colors instead of numbers.
To begin the process, two parties - let’s call them Alice and Bob - agree on a color that, while it doesn’t need to be kept secret, should be different every time. In the diagram below, that color is yellow.
Now, each party selects a secret color that they keep to themselves. In the diagram, Alice has selected orange, and Bob has reached into his color palette and selected blue-green.
Alice and Bob now mix their secret color with the mutually selected color - yellow - which results in Alice having an orange-tan paint mixture, while Bob comes up with a light blue mixture. The two now publicly exchange the two mixed colors.
In the final step, each of the two mix the color they received from the other party with their own, private color. The result is that both wind up with a rather putrid, yellow-brown mixture that is identical to their partner’s color.
If a third party attempted to eavesdrop on the color exchanges, it would be difficult to detect the secret color of each user, making it impossible to come up with the same final paint mixture.
In real life, the above process would use large numbers instead of colors, as computers could easily do the required computations in a short period of time.
In real life applications, key exchange algorithms would use large numbers raised to specific powers to create keys. This alone makes the process of breaking the code mathematically overwhelming.
Communications using these algorithms are vulnerable to “Man-in-the-Middle” attacks. Ideally, this method should be used in conjunction with other authentication methods, such as a digital signature.
How Is Cryptography Used in Security?
(AKA “Cryptographic Functions”)
Okay then, all of this cryptography stuff is pretty cool, but how is it used in today’s modern world?
I’m glad you asked.
There are 4 main ways that cryptography is used to ensure data security. These are called “cryptographic functions.”
Authentication, simply put, is a process put in place to ensure that the parties on both ends of the connection are actually who they claim to be.
You encounter at least one type of authentication used on the web whenever you use a secure website, such as your company’s intranet site or even Amazon.
Secure websites use what is called an SSL certificate, which provides proof that the owner of the website owns a public cryptography key and shows that a user is connected to the correct server.
Depending on the browser they use, an online user will see a closed padlock or a green URL (or both) to indicate that the website they are connected to is the one it claims to be.
This is particularly valuable when you’re shopping online, or you’re doing your banking or bill-paying online. This helps ensure that you’re not handing your banking or credit card info over to a hacker.
Another example of cryptography being used for authentication purposes is Pretty Good Privacy, which is a freeware software package that is used to provide encryption and authentication for messaging, digital signatures and data compression, as well as emails and their attachments.
In the early days of online financial and e-commerce dealings, some users would approve an online transaction, then later claim they had never approved the transaction.
Cryptographic non-repudiation tools were created to ensure that a specific user had indeed made a transaction, which could not be disclaimed later on for the purposes of a refund.
This prevents online banking users from authorizing a funds transfer to an outside account, then coming back a few days later claiming they had not made the transaction and demanding the money be refunded to their account.
A bank can prevent the above attempt to steal funds by putting the correct non-repudiation measures in place, which can consist of hashed data, digital certificates and more.
Confidentiality, or keeping your private data private, is one of the most important security applications for any user.
Today’s constant data breaches, which are usually due to a lack of proper cryptography for the task at hand, make the appropriate use of cryptography a must for any secure process.
Cryptography can ensure that no one can change or view data while it’s in transit or in storage.
Cryptography can ensure that a rival company, or any other party hoping to profit from data tampering, cannot screw around with a company’s sensitive data and internal correspondence.
How Can Cryptography Be Used by Average Users?
As I mentioned at the beginning of this article, you make use of cryptography every day. Buying groceries with a credit card or Apple Pay, streaming a movie on Netflix or simply connecting to your home or office Wi-Fi requires the use of cryptography.
While it’s true that your daily life is already protected to some extent by cryptography, there are ways to use it to add another layer of security to your everyday activities.
Virtual Private Networks (VPNs)
A Virtual Private Network (VPN), such as ExpressVPN, encrypts your internet connection, preventing any outsiders from monitoring your online activities or stealing any of your valuable personal or business-related information.
A VPN encases your internet connection in a tunnel of encryption, which acts like a subway tunnel does for a subway train. What I mean is that, while you may know that there are subway trains in the tunnel, you don’t know where they are, how many cars are on the train or where the train is headed.
A VPN provides similar protection, as your Internet Service Provider, government, law enforcement agencies and the shifty-looking guy at Starbucks can’t tell which websites you’re visiting or which files you’re downloading.
Recently, VPNs have become a favorite tool for online users who want to protect their online antics from being observed by outsiders.
For more information about VPNs and the many ways they can protect and enhance your online activities, visit the VPN section of my website.
Let’s try something “fun.” How about you log into your bank’s website, then go get the next-door neighbor you’ve never even talked to, and allow them to sit down at your computer and begin browsing through your checking account info.
That would be weird (and a bit reckless), right? However, you’re doing something similar if you’re conducting business on websites that aren’t protected via an encrypted HTTPS connection.
HTTPS (the “S” stands for “secure”) offers a layer of encryption, protecting any data you receive or send to the website from outside monitoring. This includes your login information, your account numbers and any other type of info you wouldn’t normally share with your next-door neighbor.
When you’re connected to a secure website, you’ll see a little green padlock in the address field, and the URL will begin with “https://”, as shown below.
While a modern, well-designed website should provide HTTPS protection on every page, many don’t, which can leave your private information up for grabs.
Luckily, Chrome, Firefox and Opera users can use a free, open-source browser extension called “HTTPS Everywhere,” which enables a full-time HTTPS connection for websites that support HTTPS.
Using the extension ensures that you’ll be protected by HTTPS during your entire journey through a website, even if the page isn’t normally secured.
Safari and Internet Explorer are left out when it comes to HTTPS Everywhere. Sorry, folks.
Encrypt Your Computer or Mobile Device
While your Windows or Mac computer might be protected with a login password, did you know that data can still be retrieved from its hard drive if you haven’t encrypted it?
Luckily, there are applications available on both platforms that use AES encryption to encrypt your drive, keeping them safe from anyone who doesn’t know the decryption password.
Be sure to use a password you can remember, or put the password in a safe place, such as a password manager app on your mobile device, because if you forget the password, you are royally screwed.
Mac users can make use of the built-in encryption package, included with macOS, called FileVault 2. FileVault is available in Mac OS X Lion or later.
Windows users can use BitLocker, which is Windows 10’s built-in drive encryption feature.
Most Android device users can turn encryption on for their device by making a few changes in the Settings menu. Encryption is not turned on by default, so make sure to follow the steps found here to protect your device.
iOS users are protected by in-device encryption by default ever since the release of iOS 8. If you lock your iOS device using a passcode or fingerprint, encryption is enabled.
Is Cryptography Foolproof? Can It Be Cracked?
Hopefully, by now, you have a good understanding of how cryptology works, and how it protects you and your precious data. However, I don’t want you to be lulled into a false sense of security.
Although cryptography increases your security level, nothing can provide a total level of security, as recent attacks on the Department of Justice, Ashley Madison and Target department stores should prove.
It should be noted that many of the “hacks” in cases like these were successful due to a lack of proper cryptography usage on the target’s end of things.
Don’t lay awake at night wondering if a hacker is working at that moment to steal the $187.46 you have in your savings account. But also don’t simply give up, not taking the proper precautions to protect your information. You should continue to use encryption whenever it is available.
In this article, we’ve taken a look at the history of cryptography, how it works, what types of cryptography are available, and how they protect you in your daily life.
While there are a number of ways to enable cryptography to protect your information, perhaps the best way to ensure a secure layer of encryption to all of your online activities is to use a quality VPN provider.
Stay safe out there, my friends!