Information Security – Ciphers and Cryptography

One of the most accessible aspects of information security for students is the use of cryptography and ciphers. A cipher is a tool for encoding a message, and the history of the use of ciphers extends back thousands of years particularly with regard to military entities.

See the video on “Encryption and Public Keys” at code.org for a great introduction to cryptography.

Some vocabulary

The words cryptography (from the Greek for “hidden” and “writing”) and cryptology (from the Greek for “hidden” and “study”) are often used interchangeably for the study of code systems. The fields of study look at code systems.

  • Before a message has been enciphered, it is known as the plaintext. After it has been enciphered, it is known as the ciphertext.
  • Turning plaintext into ciphertext is known as encryption, and turning ciphertext back into plaintext is known as decryption.
  • The method used for encryption is called the encryption algorithm, and the method used for decryption is called the decryption algorithm.
  • Most encryption/decryption systems rely on a secret key.
  • Cryptanalysis is the study of analyzing encryption systems to look for vulnerabilities to see what it would take to break them.

Security Principles

One major contributor to the field of cryptography was William Kerckhoff. He came up with an important cryptographic idea known today as Kerckhoff’s Principle. He said that the security of an encryption system should only depend on the secrecy of the key and not on the secrecy of the encryption algorithm itself. One reason for this is that good cryptographic systems are difficult to develop, and they need to be thoroughly tested. Making the algorithm public is one way to ensure that it is strong enough to resist common attacks.

It’s important to understand that “strong enough” does not mean “unbreakable.” Only one encryption scheme, the One Time Pad, has been proven to be unbreakable. Unfortunately, it is difficult to use commonly, so most cryptographic systems today settle for being “strong enough”-meaning they are able to resist most types of attacks given the computing power available. For example, a good cryptographic scheme today must be able to resist a brute-force attack, which means an attack that tests all possible keys until it finds the correct one. For example, the alphabetic rotation cipher has 26 possible keys, which is a very small number. A computer could check those keys in a very short amount of time. On the other hand, a simple substitution cipher has 26! possible keys, which is far too many to be tested with today’s computing capabilities. Unfortunately, there are other kinds of attacks that can break a substitution cipher. (For more information about the ciphers mentioned above, see the link below for private-key encryption systems.)

Private-key vs. public-key cryptography

There are two main types of cryptographic systems used today. Private- or symmetric-key encryption is the most intuitive because it allows parties to communicate using a shared secret key. Alice encrypts a message with key K, and Bob decrypts the same message with the same key K. Public- or asymmetric-key encryption is a much newer, much more revolutionary idea because it does not rely on a shared secret key. Instead, each party has a pair of keys–one private, one public. Alice shares her public key with EVERYONE but her private key with NO ONE! See the links below for more discussion of private and public key cryptography, including examples.

Further Discussion and Examples

  • Private-key encryption systems
  • This post contains a discussion of several classic cryptographic systems, such as the Caesar and Vigenere ciphers, as well as a brief discussion of current private-key systems.

  • Public-key encryption systems
  • This post contains a discussion of public-key principles, including the concept of complexity and why it is important in public-key cryptography, as well as two examples of public-key cryptography in use today.