
# Tales From The Crypto - Part I

Think of this series of tips as a very simplified explanation of current encryption technologies, with some suggestions for specific situations thrown in.

Problem Number 1: Your host application needs to exchange "private" data with another application somewhere out there on the Internet.

Tip: Consider symmetric or private key cryptography where both sender and receiver share a hopefully secret key. The algorithm to encrypt (scramble) and the algorithm to decrypt (unscramble) are both publicly known. The secrecy is strictly in the key and not in the algorithms.

Example: You want to send data "CAT". You and recipient share a secret key 3. A rudimentary form of encryption might be to promote every letter in the data by the key amount (if necessary, letters wrap at "Z" back to "A"). Demoting does decryption. You promote "CAT" by 3 and send "FDW". The recipient decrypts "FDW" by demoting each letter by 3 to get back "CAT". Voila!

Note: This is the actual encryption technique that Julius Caesar used!

Problem Number 2: Your host application needs to exchange data with more and more applications or users on the web. The exchanging of secret keys is getting quite cumbersome and even losing the security it once had.

Tip: Consider a newer form of cryptography, called asymmetric or public key cryptography. It eliminates the need to exchange or share a secret key between every two parties wishing to communicate privately. In public key cryptography every participant has a pair of keys: a public key anyone can know and a private key that should be, err, private. There is a complex mathematical relationship between the two keys such that data encrypted using one of the keys can only be decrypted by using the other key. The same publicly known algorithm is used to both encrypt and decrypt. Again the secrecy is solely in the private key and not the algorithm.

Example: You want to send "NOW" to a user who has public key 6 and private key 20. The algorithm is to simply promote each letter by the key amount. You promote the letters in "NOW" by 6 and send "TUC". Recipient promotes "TUC" by 20 to get "NOW" as you intended.

Note: A hundred users wishing to hold secure two-party conversations need one key pair each for a total of 100 key pairs, or 200 keys. With private key the hundred users need to share a secret key with each of the other ninety-nine for a total of almost 5000 keys. Key management becomes a nightmare, and security can go out the window.

Problem Number 3: How can you or some user on the web be sure of incoming data's integrity? Has it been corrupted or modified in transit?

Tip: Use a checksum or hash of the data. The receiver can calculate the hash of the data using a publicly known hashing algorithm and verify the hashes match. If even a single bit of data or hash has been altered, inserted or deleted the hashes would differ. Here's a simplistic hashing example: Substitute numbers for letters, and add all the letters, then convert back to letters ("ABC" hashes to "F" because 1+2+3 = 6). If hashing goes past "Z" (26) you wrap back to "A".

Example: As before you want to send "NOW" which encrypts to "TUC" using recipient's public key 6. You calculate the hash of "TUC" which is "R" (20+21+3 = 44, which wraps past 26 to 18) and send both "TUC" and "R". Recipient calculates hash of "TUC" and gets the same hash "R". No corruption. Recipient decrypts "TUC" using recipient's private key 20 and gets "NOW". Everybody's happy.

Problem Number 4: How can recipient be sure the data and corresponding hash didn't come from someone else pretending to be you?

Tip: Digitally sign what you are sending. That means you send data encrypted with the recipient's public key followed by the hash encrypted with your private key.

Example: Your private/public key pair is 8 and 18. As before you want to send "NOW" which encrypts to "TUC". The hash of "TUC" is "R". This time you also encrypt "R" using your private key 8 and get "Z". Send both the encrypted data "TUC" and the encrypted hash "Z". Recipient uses your public key 18 to decrypt the "Z" and gets "R". Recipient calculates hash of "TUC" and gets the same hash "R". Recipient knows data was not corrupted and that you must have sent it since your private key was used. Since you have digitally signed the transmission you cannot later repudiate that fact. Recipient decrypts "TUC" using own private key 20 to get "NOW".

In reality cryptography is far more complex. Symmetric keys are usually 40, 56, 80, 168, or more bits. Public keys are 512, 1024, 2048, or more bits. The mathematical relationship in a key pair is far more difficult to discern than the "they add up to 26" rule above for key pairs 6/20 and 8/18. Hash values are usually at least 4 or 8 bytes. There are brute-force and sophisticated attacks that can defeat secrecy but not in a computationally feasible amount of time. That means it may take legions of supercomputers many, many months or even years to decode a message encrypted with large key sizes. The encrypted data is cryptographically secure.
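The toy scheme from Problems 1 through 4, carried end to end as an added example (not code from the original article). The function names `shift`, `toy_hash`, `send`, `receive` and `derive_private` are made up for this illustration; the keys and messages are the article's own. It also shows two reasons the toy is not secure: the additive hash ignores letter order, and the private key follows directly from the public one.

```python
# Toy scheme from the article: letters A..Z map to 1..26 and wrap past Z.
# Added illustration only; none of this is real cryptography.

def shift(text, key):
    """Promote each letter by `key` places, wrapping from Z back to A."""
    return "".join(chr((ord(c) - 65 + key) % 26 + 65) for c in text)

def toy_hash(text):
    """Add the letter values (A=1 .. Z=26) and wrap the sum back into A..Z."""
    total = sum(ord(c) - 64 for c in text)
    return chr((total - 1) % 26 + 65)

def send(plaintext, recipient_public, sender_private):
    """Encrypt for the recipient, then sign the hash of the ciphertext."""
    ciphertext = shift(plaintext, recipient_public)
    signature = shift(toy_hash(ciphertext), sender_private)
    return ciphertext, signature

def receive(ciphertext, signature, sender_public, recipient_private):
    """Check the signature first; decrypt only if it verifies."""
    if shift(signature, sender_public) != toy_hash(ciphertext):
        raise ValueError("hash mismatch: data altered or wrong sender")
    return shift(ciphertext, recipient_private)

def derive_private(public_key):
    """The toy key pair's weakness: the private key is just 26 - public."""
    return (26 - public_key) % 26

if __name__ == "__main__":
    # Key pairs from the article: sender 8/18, recipient 20/6 (private/public).
    ct, sig = send("NOW", recipient_public=6, sender_private=8)
    print(ct, sig)
    print(receive(ct, sig, sender_public=18, recipient_private=20))
    # A changed letter is caught ...
    try:
        receive("TUD", sig, sender_public=18, recipient_private=20)
    except ValueError as err:
        print("rejected:", err)
    # ... but the additive hash ignores letter order, so a reordering passes.
    print(receive("CUT", sig, sender_public=18, recipient_private=20))
    # Anyone holding the public key can compute the private one.
    print(derive_private(6))
```

Real hash functions and key pairs are designed so that neither shortcut exists: reordered input gives a different digest, and the private key cannot feasibly be computed from the public key.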

As complex as cryptography is, there are numerous programming APIs, toolboxes, libraries, source code, etc. from IBM and many other Internet sources that make a developer's life much easier. These tools will let you incorporate these security methods into your application programs. For example, IBM has many procedures available under OS/390, such as:

```
CALL 'ENCRYPT' USING MY-DATA, DATA-LEN, RECIPIENT-PUBLIC-KEY.
CALL 'SEND' USING MY-DATA, DATA-LEN.
CALL 'HASH' USING MY-DATA, DATA-LEN, HASH-VALUE.
CALL 'ENCRYPT' USING HASH-VALUE, HASH-LEN, MY-PRIVATE-KEY.
CALL 'SEND' USING HASH-VALUE, HASH-LEN.
```

Public key cryptography has one disadvantage. It is drastically more computationally intensive than private key cryptography. It's simple to get around this drawback during a transmission between computers over the Internet. Both ends use public key cryptography initially to communicate and agree on a temporary shared key. That key is used with private key cryptography for the rest of the transmission.

Jim Keohane (jimkeo@multi-platforms.com) is president of New York consulting company Multi-Platforms, Inc. His company specializes in commercial software development/consulting with emphasis on cross-platform and performance issues.

Related book

Personal Encryption Clearly Explained
Author : Peter Loshin
Publisher : AP Professional
ISBN/CODE : 0124558372
Cover Type : Soft Cover
Published : Oct. 1998
Summary:
This book is a hands-on guide for effectively using cryptography and encryption. It opens with an introduction to the concepts of modern encryption: secret-key encryption, public key encryption, digital signatures and user authentication mechanisms. The book then moves into why encryption is necessary, how it can be used to protect information at the individual level, and how the new cryptographic technologies are implemented in both software and hardware. Key to the book is how to efficiently set-up a personal encryption system, and how to use it to protect yourself while browsing the Web, sending and receiving e-mail, or using any Internet application.

This was last published in August 2000
