What makes cryptography assure you and me security? – The 3 pillars. Privacy. Data Integrity. Authentication.
Privacy and Confidentiality
Let’s admit it. It is privacy that keeps most of us sane in this world - The fact that we have time to ourselves, our very own little world and the power to share it with whom we choose to. Would you be willing to compromise on that?
Confidentiality ensures that there shall be no information disclosure whatsoever. This is incorporated by encryption. If you use a simple cipher mechanism to encrypt your information, it doesn’t matter who intercepts it – Jane or Joe or Jack. They won’t be able to make any sense out of it!
There are intruders everywhere. If Alice sends a message to Bob, imagine if Eve intercepts the message and changes it to her advantage. DANGER.
Data integrity helps ensure that the information is not tampered with. Regular encryption techniques don’t guard against tampering. For example, suppose Alice sent a message “Hello” which is encrypted using a regular substitution encryption technique with key=1, the message becomes “Ifmmp”. If Eve intercepts it now, she maynot be able to make sense of it, but she can alter it! What if she makes it “tffzb”, when Bob receives it, the message will be decrypted as “seeya”, which changes the whole meaning of the message!
Data integrity can be ensured using public key/asymmetric key encryption algorithms. It involves the usage of two keys – public key and private key. The public key is distributed, whereas the private key is kept confidential. A message is encrypted using a public key, and only be decrypted with the private key. So it doesn’t matter if anyone gets a hand on the public key as long as the private key is kept secret.
Read more about public key cryptography
Alice takes her message makes a summary (shorter version) of it called a message digest usually using hashing (one way transformation). She encrypts her message regularly via public key cryptography, and also encrypts the message digest using her private key. This encrypted message digest is called a digital signature. Both the encrypted message as well as the message digest is sent over to Bob. He decrypts the message digest using Alice’s public key. He also decrypts the message sent over and feeds it to the same hash generator as the one Alice did, and compares the newly generated message digest and the old message digest. If they are EXACTLY the same, the message has not been tampered with.
Read more about hashing
When Bob receives a message, how can he be sure that Alice was the one who sent it? And what if Alice, having sent the message, denies having sent it later? Poor Bob, how can he verify the truth? Well cryptography provides the solution.
The above example does to some extent confirm the Alice’s identity because you need to use the Alice’s public key for decryption. But hmm, how do you know that you are using the authentic sender’s key? Maybe it’s an imposter claiming to be the Alice and distributing her public key! This can be solved using a digital certificate. A digital certificate is one that certifies that the public key belongs to the particular sender.
Read more about digital certificates
If you are trying to send a message to someone, how does the other person know you are genuine and not some impostor? You could probably use a pre-decided user-id or password or fingerprint recognition or even a secret handshake! But none of these techniques are foolproof. A person can still impersonate you and get away with it.
To make things more secure, Alice can have a device which can perform certain computations. If she tries logging on to the system and identifying herself, the system will generate a random challenge and send it to her. She has to now enter the challenge with her keyboard… and then the device generates a response using secret information allocated to her. This response obtained is now sent back to the system and it performs the verification. This actually authenticates Alice’s device rather than her. So if she wants herself to be authenticated, she should be able to authenticate herself to her device using some secret information. This way, if an impostor steals her device, it is practically worthless to him!
Cryptography helps guard against many evils. But no matter how foolproof the security system, it can be broken in a fraction of second by even one slip up by the people behind it.
Read more about the human element
- Public Key Cryptography & PGP - Jay D. Dyson, Computer Systems Specialist
- Introduction to Cryptography, Mark Vandenwauver
- What is a secure communication?