# Cryptography basics for infosecurity managers

## Mike Chapple explains the basics of cryptography.

Let's face it – cryptography is intimidating. The idea that cryptography is full of complicated mathematical algorithms causes IT managers to shy away from it and delegate responsibility without truly understanding what's going on behind the scenes. However, this shouldn't be the case. Every IT professional should have a basic understanding of how cryptography works, and this comprehension doesn't require an advanced degree in mathematics.

The basic concept of cryptography is simple – you use mathematical algorithms in combination with cryptographic keys to provide users with confidentiality, integrity and/or non-repudiation. We'll take a look at each of these goals, but first we need to take a brief journey through the world of cryptographic algorithms.

Cryptographic algorithms all perform the same basic function: They take two inputs – a message and a key -- and transform them into a single output. There are two ways to perform this function. Encryption, as shown in Figure 1, uses the cryptographic key to transform the original message into an encrypted form. Decryption, as shown in Figure 2, does the reverse; it uses a cryptographic key to transform an encrypted message back into its original (a.k.a. plaintext) form.

There are two basic types of cryptographic algorithms that implement the functionality described above. They differ in the number of cryptographic keys used in each communication. Private key algorithms (a.k.a. secret key or symmetric algorithms) use a single key. Each participant in a communication must have access to this key prior to initiating the communication. Public key algorithms (a.k.a. asymmetric algorithms), on the other hand, use pairs of keys. Each participant has two keys: a public key (which is made freely available to anyone who wants it) and a private key (which is kept secret). The two keys are mathematically related, but a well-designed public key algorithm makes it computationally infeasible to derive the private key from the public one. The inner workings of these algorithms are beyond the scope of this article. Suffice it to say that the security of a public key system rests on keeping your private key private; it doesn't matter who has a copy of your public key, because handing it out is exactly what it's for.

That's enough about algorithms. Let's move on to the nitty-gritty – how you can use these algorithms to achieve confidentiality, integrity and non-repudiation.

When most people think of cryptography, they think of confidentiality. Indeed, it's the most common use of cryptographic algorithms – protecting data from prying eyes while in transit over an insecure communications channel like the Internet. Confidentiality may be achieved through the use of either private or public key algorithms. When using a private key algorithm, the sender encrypts the message using the secret key (refer back to Figure 1) and then transmits the encrypted version to the recipient. When the recipient receives the encrypted message, he simply decrypts it using the same secret key (as in Figure 2) and may then read the original message. If someone intercepts the message along the way, he has no way of reading it without access to the secret key. The hard part is getting that secret key to both parties securely in the first place; this key distribution problem is the main reason public key algorithms exist.

Public key cryptosystems may also be used to achieve confidentiality. The process works the same way it does for private key cryptosystems, but different keys are used. The sender encrypts the message using the recipient's public key. The recipient then decrypts the message with his own private key. Once the sender has encrypted the message with the recipient's public key, no one (not even the sender) can decrypt it without access to the recipient's private key. In practice, public key encryption is far slower than secret key encryption and can only handle short inputs, so real systems use it to encrypt a freshly generated secret key, which then encrypts the bulk of the data with a private key algorithm. The two approaches are complementary rather than competing.
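The two confidentiality scenarios above, worked through in code. This is an added example using only the Go standard library, not code from the article; the message, the key sizes (AES-256-GCM for the shared-key case, 2048-bit RSA with OAEP for the public-key case) and the participant names are constructed for illustration. GCM also authenticates the data, which the article treats separately under integrity; that is why decryption with the wrong key or a tampered message returns an error rather than garbage.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// NewKey returns n random bytes from the OS CSPRNG (here used as an AES-256 key).
func NewKey(n int) ([]byte, error) {
	k := make([]byte, n)
	if _, err := io.ReadFull(rand.Reader, k); err != nil {
		return nil, err
	}
	return k, nil
}

// --- Private (secret) key confidentiality: AES-256-GCM ---
// Both parties must already share key. Each message gets a fresh random nonce
// that is transmitted in the clear; the nonce need not be secret, only unique.

func SymmetricEncrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Output layout: nonce || ciphertext || authentication tag.
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

func SymmetricDecrypt(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	// Open returns an error with the wrong key or if the data was modified.
	return aead.Open(nil, nonce, ct, nil)
}

// --- Public key confidentiality: RSA-OAEP ---
// The sender encrypts with the recipient's public key; only the holder of the
// matching private key can decrypt.

func PublicKeyEncrypt(recipientPub *rsa.PublicKey, plaintext []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, plaintext, nil)
}

func PublicKeyDecrypt(recipientPriv *rsa.PrivateKey, ciphertext []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, recipientPriv, ciphertext, nil)
}

func main() {
	msg := []byte("Meet at the usual place at 0900.") // constructed sample message

	// Private key scenario: sender and recipient both hold sharedKey.
	sharedKey, _ := NewKey(32)
	sealed, _ := SymmetricEncrypt(sharedKey, msg)
	recovered, err := SymmetricDecrypt(sharedKey, sealed)
	fmt.Printf("symmetric: %q err=%v\n", recovered, err)

	// An eavesdropper holding a different key gets an error, not the plaintext.
	otherKey, _ := NewKey(32)
	_, err = SymmetricDecrypt(otherKey, sealed)
	fmt.Println("symmetric, wrong key:", err)

	// Public key scenario: the recipient publishes PublicKey, keeps the private half.
	recipient, _ := rsa.GenerateKey(rand.Reader, 2048)
	ct, _ := PublicKeyEncrypt(&recipient.PublicKey, msg)
	pt, err := PublicKeyDecrypt(recipient, ct)
	fmt.Printf("public key: %q err=%v\n", pt, err)

	// Anyone else, including the sender, holds only the public key and cannot reverse it.
	someoneElse, _ := rsa.GenerateKey(rand.Reader, 2048)
	_, err = PublicKeyDecrypt(someoneElse, ct)
	fmt.Println("public key, wrong private key:", err)
}
```

Note the asymmetry in cost: the RSA key generation and the OAEP operations dominate the run time, while AES-GCM handles the message in microseconds. That cost difference is why the RSA half is normally used only to deliver a symmetric key like sharedKey.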

The second goal of cryptography is to ensure the integrity of messages transmitted between two parties. Integrity provides communicating parties with the assurance that a message was not modified while in transit. Even if you've already taken steps to ensure confidentiality, it's possible that a third party could interfere with your communications by altering the encrypted version of the message while in transit. You might expect that to produce a bunch of gobbledygook when you decrypt the message, but that is not something to rely on: with many common modes of operation (stream ciphers and counter mode, for example) flipping a bit in the ciphertext flips exactly the same bit in the decrypted plaintext, so an attacker who knows the layout of the message can make controlled changes without ever learning the key. Confidentiality and integrity are separate goals and need separate mechanisms.

To detect modification, the sender of a message uses a hash function, a mathematical algorithm that produces a short, fixed-length summary of the message known as a message digest, and transmits the digest along with the message. When the recipient receives the message, he uses the same hash function (the details of hash functions are not secret) to compute his own version of the message digest and then compares it to the digest transmitted with the message. If the two digests match, the recipient knows that the message arrived as it was sent. If the digests differ, something altered the message along the way. There is a catch, though: because the hash function is public, anyone who deliberately modifies the message can simply recompute the digest to match. A bare digest therefore only protects against accidental corruption (electrical interference, faulty networking equipment or similar failures). To protect against intentional mischief, the digest itself must be protected, either by computing it with a secret key shared by both parties (a message authentication code, or MAC, such as an HMAC) or by signing it with the sender's private key, as described in the next section.
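Both points in the two paragraphs above, worked through in code: first that tampering with ciphertext need not produce gobbledygook, then that a bare digest is recomputable by the attacker while a keyed HMAC is not. This is an added example using only the Go standard library, not code from the article. The message text, the fixed demonstration key and IV (a real system uses random keys and a fresh IV per message) and the attacker's knowledge of where the payee sits in the message are all constructed assumptions; the digest forgery assumes the attacker can see the message in the clear, as with data that is integrity-protected but not encrypted.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

// Fixed key and IV so the demonstration is repeatable. These are constructed
// sample values; real code uses random keys and never reuses an IV with a key.
var (
	demoKey = []byte("0123456789abcdef0123456789abcdef") // 32 bytes -> AES-256
	demoIV  = []byte("fixed-iv-16bytes")                 // 16 bytes, one AES block
	macKey  = []byte("separate-mac-key-shared-by-both-parties")
)

// CTRXor encrypts or decrypts (the operation is its own inverse) with AES-256-CTR.
// CTR mode is a stream cipher: ciphertext = plaintext XOR keystream, so it
// provides confidentiality only, not integrity.
func CTRXor(key, iv, in []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // fixed demo key is always a valid length
	}
	out := make([]byte, len(in))
	cipher.NewCTR(block, iv).XORKeyStream(out, in)
	return out
}

// TamperCTR is the attacker's bit-flipping step: XORing the ciphertext with
// (from XOR to) at an offset changes exactly those plaintext bytes on decryption.
// The attacker never needs the key.
func TamperCTR(ciphertext []byte, offset int, from, to []byte) []byte {
	out := append([]byte(nil), ciphertext...)
	for i := range from {
		out[offset+i] ^= from[i] ^ to[i]
	}
	return out
}

// Digest is an unkeyed SHA-256 message digest. It detects accidental
// corruption, but anyone can recompute it after changing the message.
func Digest(msg []byte) []byte {
	sum := sha256.Sum256(msg)
	return sum[:]
}

func DigestMatches(msg, digest []byte) bool {
	return hmac.Equal(Digest(msg), digest)
}

// Tag is HMAC-SHA256 under a key shared by sender and recipient; without
// macKey an attacker cannot produce a valid tag for a modified message.
func Tag(key, msg []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	return m.Sum(nil)
}

// TagMatches compares in constant time so timing does not leak the tag.
func TagMatches(key, msg, tag []byte) bool {
	return hmac.Equal(Tag(key, msg), tag)
}

func main() {
	plaintext := []byte("PAY $100 TO BOB") // constructed sample message; "BOB" at offset 12
	ct := CTRXor(demoKey, demoIV, plaintext)

	// Attacker rewrites the payee in the ciphertext without knowing the key.
	ct2 := TamperCTR(ct, 12, []byte("BOB"), []byte("EVE"))
	fmt.Printf("tampered ciphertext decrypts to %q, not garbage\n", CTRXor(demoKey, demoIV, ct2))

	// Unkeyed digest: the attacker changes the message and recomputes the digest.
	forged := []byte("PAY $100 TO EVE")
	fmt.Println("plain digest check passes on forgery:", DigestMatches(forged, Digest(forged)))

	// Keyed MAC: the sender's tag covers the original; the forgery fails verification.
	tag := Tag(macKey, plaintext)
	fmt.Println("HMAC check on original:", TagMatches(macKey, plaintext, tag))
	fmt.Println("HMAC check on forgery :", TagMatches(macKey, forged, tag))
}
```

The MAC key must be distinct from the encryption key and shared over a secure channel like any other secret key; the usual modern shortcut is an authenticated encryption mode (such as AES-GCM) that bundles the confidentiality and integrity checks into one operation.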

The final goal of cryptography is to provide the recipient of a message with guarantees of non-repudiation. That is, the recipient should be able to prove to a third party that a message actually originated with the purported sender and is not a forgery. With private key algorithms, this is not possible. Remember, all parties in a communication share the same secret key. Therefore, any given encrypted or authenticated message could have been generated by anyone with access to the key, including the recipient himself. There's simply no way to prove who created the original message.

Public key cryptography, on the other hand, does provide a mechanism (known as digital signatures) to enforce non-repudiation. When the sender creates a message, he first uses a hash function to generate a message digest (which provides integrity). The additional step that provides non-repudiation is that the sender then encrypts that digest using his own private key; the result is the digital signature, which is sent along with the message. When the recipient receives the message, he decrypts the digital signature using the sender's public key, which yields the sender's digest, and compares it to a digest he computes himself from the received message. If the two match, the recipient has strong evidence that the sender (or someone with access to the sender's private key) originated the message, since no one could have created the correct signature for that message without the key. (The "encrypt the digest with the private key" picture is an RSA-specific simplification; other signature algorithms use different mathematics, but the hash-then-sign flow and the roles of the two keys are the same.) Two caveats apply in practice: the recipient must have reliable assurance that the public key really belongs to the claimed sender, which is the job of digital certificates and a public key infrastructure, and the hash function must be one for which nobody can find two different messages with the same digest, or a signature on one could be passed off as a signature on the other.
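The hash-then-sign flow above, worked through in code. This is an added example using only the Go standard library (SHA-256 digest, RSA-PSS signature over that digest), not code from the article; the message text, the 2048-bit key size and the participant names are constructed for illustration. It shows the three cases a verifier cares about: the genuine message under the sender's public key passes, an altered message fails, and a signature produced with someone else's private key fails.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Sign hashes the message and then applies the sender's private key to the
// digest (RSA-PSS with SHA-256). The result is the digital signature that
// travels alongside the message.
func Sign(senderPriv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, senderPriv, crypto.SHA256, digest[:], nil)
}

// Verify recomputes the digest from the received message and checks the
// signature against it with the sender's public key. It returns true only if
// both the message and the signing key match.
func Verify(senderPub *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPSS(senderPub, crypto.SHA256, digest[:], sig, nil) == nil
}

func main() {
	// Alice is the genuine sender; Mallory is an impostor with her own key pair.
	alice, _ := rsa.GenerateKey(rand.Reader, 2048)
	mallory, _ := rsa.GenerateKey(rand.Reader, 2048)
	msg := []byte("Transfer $100 to Bob. -- Alice") // constructed sample message

	sig, _ := Sign(alice, msg)
	fmt.Println("genuine message, Alice's key:", Verify(&alice.PublicKey, msg, sig))

	// Altering even one character changes the digest, so the signature no longer fits.
	altered := []byte("Transfer $900 to Bob. -- Alice")
	fmt.Println("altered message:             ", Verify(&alice.PublicKey, altered, sig))

	// Mallory signs Alice's text with her own key; it fails under Alice's public key.
	forged, _ := Sign(mallory, msg)
	fmt.Println("forged with Mallory's key:   ", Verify(&alice.PublicKey, msg, forged))
}
```

What the code cannot show is the trust step: Verify takes Alice's public key as a trusted input, and in a real deployment the recipient obtains that key through a certificate chain or another out-of-band channel rather than from the message itself.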

And that's it! You should now have a basic understanding of how cryptography works to ensure the confidentiality, integrity and non-repudiation of messages transmitted between two parties. Stay tuned to this space for future articles on specific applications of cryptography!

Mike Chapple, CISSP, currently serves as Chief Information Officer of the Brand Institute, a Miami-based marketing consultancy. He previously worked as an information security researcher for the U.S. National Security Agency. His publishing credits include the TICSA Training Guide from Que Publishing, the CISSP Study Guide from Sybex and the upcoming SANS GSEC Prep Guide from John Wiley. He's also the About.com Guide to Databases.

This was last published in November 2003
