
# Cryptography basics for infosecurity managers

## Mike Chapple explains the basics of cryptography.

Let's face it – cryptography is intimidating. The idea that cryptography is full of complicated mathematical algorithms causes IT managers to shy away from it and delegate responsibility without truly understanding what's going on behind the scenes. However, this shouldn't be the case. Every IT professional should have a basic understanding of how cryptography works and this comprehension doesn't require an advanced degree in mathematics.

The basic concept of cryptography is simple – you use mathematical algorithms in combination with cryptographic keys to provide users with confidentiality, integrity and/or non-repudiation. We'll take a look at each of these goals, but first we need to take a brief journey through the world of cryptographic algorithms.

Cryptographic algorithms all perform the same basic function: They take two inputs – a message and a key – and transform them into a single output. There are two ways to perform this function. Encryption, as shown in Figure 1, uses the cryptographic key to transform the original message into an encrypted form. Decryption, as shown in Figure 2, does the reverse; it uses a cryptographic key to transform an encrypted message back into its original (a.k.a. plaintext) form.

There are two basic types of cryptographic algorithms that implement the functionality described above. They differ only in the number of cryptographic keys used in each communication. Private key algorithms (a.k.a. secret key algorithms) use a single key. Each participant in a communication must have access to this key prior to initiating the communication. Public key algorithms, on the other hand, use pairs of keys. Each participant has two keys: a public key (which is made freely available to anyone who wants it) and a private key (which is kept secret). The inner workings of these algorithms are beyond the scope of this article. Suffice it to say that a well-designed public key algorithm guarantees the security of communications as long as you keep your private key private. It doesn't matter if Osama bin Laden himself has access to your public key.

That's enough about algorithms. Let's move on to the nitty-gritty – how you can use these algorithms to achieve confidentiality, integrity and non-repudiation.

When most people think of cryptography, they think of confidentiality. Indeed, it's the most common use of cryptographic algorithms – protecting data from prying eyes while in transit over an insecure communications channel like the Internet. Confidentiality may be achieved through the use of either private or public key algorithms. When using a private key algorithm, the sender encrypts the message using the secret key (refer back to Figure 1) and then transmits the encrypted version to the recipient. When the recipient receives the encrypted message, he simply decrypts it using the same secret key (as in Figure 2) and may then read the original message. If someone intercepts the message along the way, he has no way of reading it without access to the secret key.

Public key cryptosystems may also be used to achieve confidentiality. The process works the same way it does for private key cryptosystems, but different keys are used. The sender encrypts the message using the recipient's public key. The recipient then decrypts the message with his own private key. Once the sender has encrypted the message with the recipient's public key, no one (not even the sender) can decrypt it without access to the recipient's private key.

The second goal of cryptography is to ensure the integrity of messages transmitted between two parties. Integrity provides communicating parties with the assurance that a message was not modified while in transit. Even if you've already taken steps to ensure confidentiality, it's possible that a third party could interfere with your communications by altering the encrypted version of the message while in transit. Most likely, this would result in a bunch of gobbledygook when you attempt to decrypt the message, but it's not a chance that's worth taking.

To ensure integrity, the sender of a message uses a hash function, a mathematical algorithm that creates a unique summary of a message known as a message digest and transmits it along with the message. When the recipient decrypts the message, he uses the same hash function (the details of hash functions are generally not secret) to create his own version of the message digest and then compares it to the digest transmitted with the message. If the two digests match, the recipient knows that the integrity of the message is preserved. If the digests differ, something altered the message along the way. (This alteration could be the result of intentional mischief or happenstance, such as electrical interference, faulty networking equipment or similar failures.)

The final goal of cryptography is to provide the recipient of a message with guarantees of non-repudiation. That is, the recipient should be able to prove that a message actually originated with the purported sender and is not a forgery. With private key algorithms, this is not possible. Remember, all parties in a communication share the same secret key. Therefore, it's possible that any given encrypted message was generated by anyone with access to the key. There's simply no way to prove who created the original message.

Public key cryptography, on the other hand, does provide a mechanism (known as digital signatures) to enforce non-repudiation. When the sender creates a message, he also uses a hash function to generate a message digest (which provides integrity). There's one additional step required to ensure non-repudiation – the sender must encrypt the message digest using the sender's private key, and the result is the digital signature. When the recipient receives the message, he decrypts the digital signature using the sender's public key and then compares it to a self-generated message digest. If the two match, the recipient has irrefutable proof that the sender (or someone with access to the sender's private key) originated the message. There's no way that anyone could have created the correct digital signature for any given message without access to that key.
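The digest comparison used for integrity and the contrast between a shared secret key and a digital signature, as an added example that is not part of the original article. It assumes a toy RSA key pair built from two small known primes and uses HMAC to stand in for the shared-secret case; the function names, sample messages and key values are constructed for illustration.

```python
import hashlib
import hmac

# Toy RSA key pair for the sender (constructed for illustration: ~92-bit modulus,
# no padding). Real systems use a vetted library and keys of 2048 bits or more.
P, Q = 2**31 - 1, 2**61 - 1          # two known (Mersenne) primes
N, E = P * Q, 65537                  # public key, freely published
D = pow(E, -1, (P - 1) * (Q - 1))    # private key, known only to the sender

def message_digest(message: bytes) -> bytes:
    """Integrity: SHA-256 digest that anyone can recompute."""
    return hashlib.sha256(message).digest()

def digest_as_int(message: bytes) -> int:
    # Reduced modulo N only because the toy modulus is smaller than the digest.
    return int.from_bytes(message_digest(message), "big") % N

def shared_key_tag(key: bytes, message: bytes) -> bytes:
    """Shared-secret case: keyed digest (HMAC) that every key holder can produce."""
    return hmac.new(key, message, hashlib.sha256).digest()

def tag_is_valid(key: bytes, message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(shared_key_tag(key, message), tag)

def sign(message: bytes) -> int:
    """Sender: transform the digest with the private key D to get the signature."""
    return pow(digest_as_int(message), D, N)

def verify(message: bytes, signature: int) -> bool:
    """Recipient: reverse the transform with the public key E, compare digests."""
    return pow(signature, E, N) == digest_as_int(message)

def demo() -> dict:
    original = b"Pay vendor 1,000 USD"   # constructed sample message
    altered = b"Pay vendor 9,000 USD"    # the same message changed in transit
    shared = b"constructed-shared-key"   # secret held by BOTH parties
    signature = sign(original)
    # The recipient also holds `shared`, so it can tag text the sender never wrote.
    recipient_tag = shared_key_tag(shared, altered)
    return {
        "digest_detects_change": message_digest(original) != message_digest(altered),
        "recipient_can_make_valid_tag": tag_is_valid(shared, altered, recipient_tag),
        "signature_valid": verify(original, signature),
        "altered_message_rejected": not verify(altered, signature),
        # Holding only the public key (N, E) is not enough to produce a signature.
        "public_key_cannot_sign": not verify(altered, pow(digest_as_int(altered), E, N)),
    }
```

Every entry returned by `demo()` is `True`: the shared-key tag validates no matter which key holder produced it, while the signature validates only for the message the private-key holder actually signed.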

And that's it! You should now have a basic understanding of how cryptography works to ensure the confidentiality, integrity and non-repudiation of messages transmitted between two parties. Stay tuned to this space for future articles on specific applications of cryptography!

Mike Chapple, CISSP, currently serves as Chief Information Officer of the Brand Institute, a Miami-based marketing consultancy. He previously worked as an information security researcher for the U.S. National Security Agency. His publishing credits include the TICSA Training Guide from Que Publishing, the CISSP Study Guide from Sybex and the upcoming SANS GSEC Prep Guide from John Wiley. He's also the About.com Guide to Databases.

This was last published in November 2003
