Cryptography

From RationalWiki
(Redirected from Encryption)
Jump to navigation Jump to search
We control what
you think with

Language
Icon language.svg
Said and done
Jargon, buzzwords, slogans

Cryptography or cryptology; from Greek κρυπτός kryptós, "hidden, secret"; and γράφειν graphein, "writing", or -λογία -logia, "study", respectively is the practice and study of techniques for secure communication in the presence of third parties called adversaries. More generally, cryptography is about constructing and analyzing protocols that prevent third parties or the public from reading private messages; various aspects in information security such as data confidentiality, data integrity, authentication, and non-repudiation are central to modern cryptography.

Cryptography prior to the modern age was effectively synonymous with encryption, the conversion of information from a readable state to apparent nonsense. Since World War I and the advent of the computer, the methods used to carry out cryptology have become increasingly complex and its application more widespread.

Modern cryptography is heavily based on mathematical theory and computer science practice; cryptographic algorithms are designed around computational hardness assumptions, making such algorithms hard to break in practice by any adversary. It is theoretically possible to break such a system, but it is infeasible to do so by any known practical means.

The growth of cryptographic technology has raised a number of legal issues in the information age. Cryptography's potential for use as a tool for espionage and sedition has led many governments to classify it as a weapon and to limit or even prohibit its use and export. In some jurisdictions where the use of cryptography is legal, laws permit investigators to compel the disclosure of encryption keys for documents relevant to an investigation.

Terminology[edit]

  • Code: When one word is substituted for another.
  • Code Name: A code where the name is a stand in for another entity or event.
  • Plaintext: A message to be encrypted.
  • Ciphertext: An encrypted message.
  • Cipher: An algorithm that scrambles the original plaintext into the ciphertext with the help of a random key. A cipher typically uses techniques such as substitution, transposition such as shifts and rotation, as well as bitwise operations such as XOR.
  • Encryption - The process of using a cipher to disguise a message, also called "encipherment".
  • Decryption - Reversal of the encryption process, also known as "decipherment".

Historical overview[edit]

Cryptography dates all the way to the earliest forms of writing, with some of the earliest codes being used to conceal messages from those ignorant in certain language due to the slow spread of literacy. Steganography was also developed around this time, which refers to the practice of hiding a message in plain sight, such as the story related by Herodotus of a slave having a message tattooed on his head and hidden with regrown hair.

Some of the earliest ciphers were substitution ciphers, where letters were switched for other letters to disguise the contents of the original.

The cipher is "customized" by the random key, which causes the plaintext to scramble into an unpredictable ciphertext. The science and art of decrypting the message without the key is called cryptanalysis, and it typically involves mathematical ingenuity to reduce the cipher's strength, and supercomputers to break the reduced problem.

Modern ciphers make use of computer technology, which often provides for more complex ciphering and deciphering methods than is possible with human help.

Encryption[edit]

An example of TLS certificate and encryption in Mozilla Firefox

Encryption is a method of protecting data or messages in transit. In the event that the storage for that information is copied or stolen, it is generally expected that the content itself isn't likely to be retrieved within a reasonable amount of time. For example, personal medical records might not be relevant if the person has been dead for many years already or information about an upcoming terrorist attack might not be relevant months or years after it has already happened.

Types[edit]

Cryptographic algorithms can be divided into types depending on their use:

  1. Symmetric-key cryptography: The same key is used to encrypt and decrypt large amounts of data (examples: AES, ChaCha20).
  2. Asymmetric-key cryptography: A key pair is created (public and private keys). (examples: RSA, Diffie-Hellman)
  3. Hash functions: A cryptographically secure checksum of some input (examples: SHA256, BLAKE2)
  4. Password hashing functions: A purposefully slow version of a hash function, used to convert password into cryptographic keys (examples: Argon2, scrypt)

Symmetrical algorithms are faster and can encrypt large plaintexts, but they require a pre-shared key, and therefore are alone unsuitable for encryption in situations where keys cannot be exchanged securely (such as the internet).

The RSA algorithm is used for two purposes. If the key that encrypts is public, it allows sending short encrypted messages, such as symmetric encryption keys to the recipient. The recipient can then decrypt the key with their private RSA key. If the key that encrypts is private, it can be used for digital signatures, where a cryptographic hash of some message is encrypted by the user. The recipient can then decrypt the signature to reveal the hash, and by comparing that hash with the hash of the purported message, they can verify the authorship of the message.

Diffie-Hellman and its elliptic curve variant do not encrypt data, but are used to establish a shared key to use in a symmetric cipher.

In cryptographic protocols such as TLS, the data is encrypted with a symmetrical cipher, but either RSA or Diffie-Hellman is used to agree on the symmetric key.

Hash functions are used for integrity and authorship verification. They have specific properties, the most important of which are

  • Collision resistance (hard to find two inputs that produce the same hash)
  • Pre-image resistance (hard to find input from given hash), and
  • Second pre-image resistance (given one pair of input and hash, it's hard to find another input that produces the same hash).


Weaknesses[edit]

All used ciphers are subjected to a constant barrage of cryptanalysis, which slowly erodes their security. However, modern ciphers have enough computational headroom to not be broken by even the most advanced supercomputers and methods. Cryptographic protocols are only as strong as their weakest link, and there are several attack vectors:

  • Using random number generators that are not designed for cryptographic purposes, and that leak their internal state and thus become predictable to a sophisticated attacker.
  • Using weak passwords as a source of entropy for cryptographic keys, which the attacker can exhaust with a brute force[1] or a dictionary attack (using a large list of common passwords or phrases, and their slightly modified, e.g. 1337-speak versions).
  • Duress, which involves using a rubber hose on a person's feet. Despite the protection provided by encryption, the key can be extracted from someone who is willing to cooperate to avoid prosecution or torture (or for cookiesWikipedia or ideological reasons). Some encryption systems use plausible deniability methods (such as an encrypted partition within an encrypted partition) to hide the real data when forced to reveal the key under duress.[2]
  • Key-theft, either by malware/key-logger, phishing, or by just plain real-life robbery or social engineering. This is usually the most reliable option to break a secure system, and the one that anyone looking to decrypt a system, whether it be a hacker in Russia or the FBI, uses most often.
  • Bad implementation of secure algorithms, exemplified by the Wired Equivalent Privacy (WEP) algorithm used to secure WiFi networks. It uses the same RC4 stream cipher as the more secure WPA-TKIP algorithm, but its bad implementation resulted in a vulnerability to statistical analysis of the traffic which allowed to derive the encryption key in one or two minutes with freely available software.[3] Critical parts of ciphers need to be implemented usually in low-level assembly code to avoid side channel attacks, such as cache timing attacks. Secure crypto-processors running cryptographic algorithms must also be resistant to advanced power analysis attacks.

Responses to cryptography[edit]

Governments have differing responses to cryptography.

  • The USA treats some encryption systems (such as those supporting key sizes above 128 bits) to be equivalent of "weapon-grade" cryptography (it is quite literally regulated by the Arms Control Export Act), and restricts their export. However, every U.S. citizen is permitted to utilize and possess cryptographic methods/implementation of any key size (provided they do not pass the technology to foreigners).
  • Some governments allow cryptography, and sometimes mandate that it be used to protect sensitive customer and research information. They may also make it illegal to use it for criminal purposes.
  • The United Kingdom passed the Regulation of Investigatory Powers Act 2000, which allows the government to demand keys from individuals, and refusal to do so can lead to a custodial sentence[4]. Other governments demand a key escrow.

Common misconceptions[edit]

Password-protecting a computer does not automatically mean that the data it contains has been encrypted. Usually, basic password-protection is only at the operating system-level and does not change how the data is stored on the disk. It is usually intended to prevent casual attackers who have physical access to the machine from impersonating an existing user. It also prevents other users on the same computer from accessing files owned by other users unless they have administrator/root/super user access rights to override ownership restrictions. This is trivially defeated by simply accessing the data through another operating system or another machine.

Not everything should be encrypted the same way, there needs to be a differentiation between:

  • Data at rest (file)
  • Data in transit (web page)
  • Stored passwords (database)
  • Passwords in transit (authentication)

Counter-intuitively, storing password in an encrypted format is not a secure practice. Traditional encryption means by definition that the information could be decrypted. Verifying authentication through passwords in that way would imply that the stored password has to be decrypted each time it needs to be verified so the encryption key would need to be known and stored in some way by the verifying entity. If the password database was compromised, the encryption key could be retrieved and used to access all the stored passwords it contains. The solution to this problem is storing passwords in hashed format.[5] However, hashes are still vulnerable to lookup tables, which an attacker can use to find a password with a given hash. An attacker can also gather a list of users with the same password simply by looking for all users with matching hashes. These attacks can be thwarted using salts; since the salts are randomly generated, the attacker will not be able to use a precomputed lookup table, and since no two users' passwords should be hashed using the same salt, it is impossible to find other users with a known password. The attacker's only way of cracking a salted hash is by brute force; hashing functions designed for passwords are deliberately designed to be slow so that attempting to iterate through every possible password would take an impractical amount of time.[6] With the growth of parallel computing power such as high speed ASICs and modern graphics cards, additional security is needed. These threads have been mitigated with with memory hard, slow hash functions such as Argon2. The slow nature means, it can take several seconds to test one password, and the memory-hard means converting the password into a key requires storing large amount of data into the RAM of the computer. With 1GB memory requirement, a RTX4090 GPU with 16,384 CUDA cores, can only use a fraction of those for parallel computing, as the device only has 24GB of RAM, and can only try 24 passwords simultaneously.

Cryptography woo[edit]

Cryptography is an intellectual art, requiring studies of the disciplines of mathematics and language for skilled practice, and since those disciplines have become the subject of woo-related conspiracy and misinformation in other areas, cryptography is no exception.

Some of the earliest woo comes from the earliest days of literacy, where written languages were only understood by very few, and thus encrypted writing was subject to superstition and fear on the part of those ignorant of its meaning. With the increase in literacy, the woo evolved as cryptography was often assumed to play a role in deciphering messages allegedly hidden in religious texts (like the Bible code), suspected as having a sinister purpose (since fraternal orders like the Freemasons used their own ciphers to keep their affairs private), and no end of conspiracy theories by those who assume messages are encrypted in everyday media that can only be understood by the non-sheeple.

See also[edit]

  • Alphabet: Some systems of encryption often form these via substitution of the original message text.
  • Black chamber: An organization for reading mail surreptitiously, often a part of discovering encrypted messages and codes.
  • Linguistics: An understanding of this is needed for cryptography.
  • Literature: Certain codes can be based off terms and phrases from various books.
  • Mathematics: An understanding of this is needed for cryptography.
  • Pseudonym: A type of code name.

External Links[edit]

References[edit]