Manage Learn to apply best practices and optimize your operations.

# Cryptography basics for infosecurity managers

## Mike Chapple explains the basics of cryptography.

Let's face it – cryptography is intimidating. The idea that cryptography is full of complicated mathematical algorithms...

causes IT managers to shy away from it and delegate responsibility without truly understanding what's going on behind the scenes. However, this shouldn't be the case. Every IT professional should have a basic understanding of how cryptography works and this comprehension doesn't require an advanced degree in mathematics.

The basic concept of cryptography is simple – you use mathematical algorithms in combination with cryptographic keys to provide users with confidentiality, integrity and/or non-repudiation. We'll take a look at each of these goals, but first we need to take a brief journey through the world of cryptographic algorithms.

Cryptographic algorithms all perform the same basic function: They take two inputs – a message and a key -- and transform them into a single output. There are two ways to perform this function. Encryption, as shown in Figure 1, uses the cryptographic key to transform the original message into an encrypted form. Decryption, as shown in Figure 2, does the reverse; it uses a cryptographic key to transform an encrypted message back into its original (a.k.a. plaintext) form.

There are two basic types of cryptographic algorithms that implement the functionality described above. They differ only in the number of cryptographic keys used in each communication. Private key algorithms (a.k.a. secret key algorithms) use a single key. Each participant in a communication must have access to this key prior to initiating the communication. Public key algorithms, on the other hand, use pairs of keys. Each participant has two keys: a public key (which is made freely available to anyone who wants it) and a private key (which is kept secret). The inner workings of these algorithms are beyond the scope of this article. Suffice it to say that a well-designed public key algorithm guarantees the security of communications as long as you keep your private key private. It doesn't matter if Osama bin Laden himself has access to your public key.

That's enough about algorithms. Let's move on to the nitty-gritty – how you can use these algorithms to achieve confidentiality, integrity and non-repudiation.

When most people think of cryptography, they think of confidentiality. Indeed, it's the most common use of cryptographic algorithms – protecting data from prying eyes while in transit over an insecure communications channel like the Internet. Confidentiality may be achieved through the use of either private or public key algorithms. When using a private key algorithm, the sender encrypts the message using the secret key (refer back to Figure 1) and then transmits the encrypted version to the recipient. When the recipient receives the encrypted message, he simply decrypts it using the same secret key (as in Figure 2) and may then read the original message. If someone intercepts the message along the way, he has no way of reading it without access to the secret key.

Public key cryptosystems may also be used to achieve confidentiality. The process works the same way it does for private key cryptosystems, but different keys are used. The sender encrypts the message using the recipient's public key. The recipient then decrypts the message with his own private key. Once the sender has encrypted the message with the recipient's public key no one (not even the sender) can decrypt it without access to the recipient's private key.

The second goal of cryptography is to ensure the integrity of messages transmitted between two parties. Integrity provides communicating parties with the assurance that a message was not modified while in transit. Even if you've already taken steps to ensure confidentiality, it's possible that a third party could interfere with your communications by altering the encrypted version of the message while in transit. Most likely, this would result in a bunch of gobbledygook when you attempt to decrypt the message, but it's not a chance that's worth taking.

To ensure integrity, the sender of a message uses a hash function, a mathematical algorithm that creates a unique summary of a message known as a message digest and transmits it along with the message. When the recipient decrypts the message, he uses the same hash function (the details of hash functions are generally not secret) to create his own version of the message digest and then compares it to the digest transmitted with the message. If the two digests match, the recipient knows that the integrity of the message is preserved. If the digests differ, something altered the message along the way. (This alteration could be the result of intentional mischief or happenstance, such as electrical interference, faulty networking equipment or similar failures.)

The final goal of cryptography is to provide the recipient of a message with guarantees of non-repudiation. That is, the recipient should be able to prove that a message actually originated with the purported sender and is not a forgery. With private key algorithms, this is not possible. Remember, all parties in a communication share the same secret key. Therefore, it's possible that any given encrypted message was generated by anyone with access to the key. There's simply no way to prove who created the original message.

Public key cryptography, on the other hand, does provide a mechanism (known as digital signatures) to enforce non-repudiation. When the sender creates a message, he also uses a hash function to generate a message digest (which provides integrity). There's one additional step required to ensure non-repudiation – the sender must encrypt the digital signature using the sender's private key. When the recipient receives the message, he decrypts the digital signature using the sender's public key and then compares it to a self-generated message digest. If the two match, the recipient has irrefutable proof that the sender (or someone with access to the sender's private key) originated the message. There's no way that anyone could have created the correct digital signature for any given message without access to that key.

And that's it! You should now have a basic understanding of how cryptography works to ensure the confidentiality, integrity and non-repudiation of messages transmitted between two parties. Stay tuned to this space for future articles on specific applications of cryptography!

Mike Chapple, CISSP, currently serves as Chief Information Officer of the Brand Institute, a Miami-based marketing consultancy. He previously worked as an information security researcher for the U.S. National Security Agency. His publishing credits include the TICSA Training Guide from Que Publishing, the CISSP Study Guide from Sybex and the upcoming SANS GSEC Prep Guide from John Wiley. He's also the About.com Guide to Databases.

This was last published in November 2003

## Content

Find more PRO+ content and other member only offers, here.

#### Start the conversation

Send me notifications when other members comment.

## SearchCloudSecurity

• ### Cloudflare Access takes on VPNs with reverse proxy approach

Cloudflare takes inspiration from Google's BeyondCorp with a new service called Cloudflare Access, which aims to replace ...

• ### TLS 1.3: What it means for enterprise cloud use

The latest draft version of TLS 1.3 is out, and it will likely affect enterprises that use cloud services. Expert Ed Moyle ...

• ### The biggest cloud security threats, according to the CSA

The Cloud Security Alliance reported what it found to be the biggest cloud security threats. Expert Rob Shapland looks at how ...

## SearchNetworking

• ### ThousandEyes-Juniper pact focuses on hybrid WANs

ThousandEyes and Juniper boost visibility for hybrid WANs; IDC records sharp rise in cloud spending; and a vendor group issues ...

• ### ExtremeLocation latest addition to Extreme wireless portfolio

Extreme Networks is targeting retailers with a new set of services, called ExtremeLocation. The latest technology adds ...

• ### Take network configuration management tools to the next level

Script management systems and intent-based networking are driving the future of network configuration management tools, shifting ...

## SearchCIO

• ### Wayfair's chief architect talks AI-driven innovation, impactful IT

Wayfair sells home furnishings, but under the covers, it's a tech juggernaut. Chief Architect Ben Clark explains how AI-driven ...

• ### Synthetic data could ease the burden of training data for AI models

Sometimes it's better to manufacture training data for machine learning models than it is to collect it.

• ### CES 2018 for CIOs: Rise of the AI voice assistant class

What happens in Vegas doesn't stay there -- not at CES 2018, where AI voice assistants and sentient objects were ubiquitous and ...

## SearchEnterpriseDesktop

• ### Ten Windows 10 Fall Creators Update features to know

Microsoft introduced some significant changes to Windows 10 in the Fall Creators Update. The My People app, for example, lets ...

• ### Guard the line with Windows Defender features

The Windows 10 Fall Creators Update took Windows 10 security up a notch by adding advanced features to Windows Defender, ...

• ### Ready to master virtualization-based security in Windows 10?

Put your knowledge of virtualization-based security in Windows 10 on the line with this quiz covering the ins and outs of ...

## SearchCloudComputing

• ### Google Cloud Dedicated Interconnect offers VPN alternative

Google's Dedicated Interconnect enables an enterprise to privately connect its data center to the public cloud. Here's a ...

• ### Chip bugs hit cloud computing usage less than first feared

IT shops expected their cloud usage to flag due to recent chip bugs, but most environments survived the patches unscathed.

• ### Providers continue to push hybrid cloud technologies in 2018

The hybrid cloud market changes rapidly, as major cloud providers release new services to bridge private and public platforms, ...

## ComputerWeekly.com

• ### UK and France to collaborate on digital tech

The UK and French governments have joined forces to increase technology and innovation cooperation between the two nations

• ### Create security culture to boost cyber defences, says Troy Hunt

Security suffers when there is tension between software developers and security professionals, but it is common in many ...

• ### Nordic IT executive interview: Daniel Kjellén, CEO, Tink

Sweden could have a head start in the race to open up banking through the European Union’s PSD2 regulation

Close