Problem solve Get help with specific problems with your technologies, process and projects.

Tales From The Crypto - Part I

Think of this series of tips as a very simplified explanation of current encryption technologies, with some suggestions for specific situations thrown in.

Problem Number 1: Your host application needs to exchange "private" data with another application somewhere out there on the Internet.

Tip: Consider symmetric or private key cryptography where both sender and receiver share a hopefully secret key. The algorithm to encrypt (scramble) and the algorithm to decrypt (unscramble) are both publicly known. The secrecy is strictly in the key and not in the algorithms.

Example: You want to send data "CAT". You and recipient share a secret key

3. A rudimentary form of encryption might be to promote every letter in the data by the key amount (if necessary, letters wrap at "Z" back to "A"). Demoting does decryption. You promote "CAT" by 3 and send "FDW". The recipient decrypts "FDW" by demoting each letter by 3 to get back "CAT". Voila!

Note: This is the actual encryption technique that Julius Caesar used!

Problem Number 2: Your host application needs to exchange data with more and more applications or users on the web. The exchanging of secret keys is getting quite cumbersome and even losing the security it once had.

Tip: Consider a newer form of cryptography, called asymmetric or public key cryptography. It eliminates the need to exchange or share a secret key between every two parties wishing to communicate privately. In public key cryptography every participant has a pair of keys: a public key anyone can know and a private key that should be, err, private There is a complex mathematical relationship between the two keys such that data encrypted using one of the keys can only be decrypted by using the other key. The same publicly known algorithm is used to both encrypt and decrypt. Again the secrecy is solely in the private key and not the algorithm.

Example: You want to send "NOW" to a user who has public key 6 and private key 20. The algorithm is to simply promote each letter by the key amount. You promote the letters in "NOW" by 6 and sends "TUC". Recipient promotes "TUC" by 20 to get "NOW" as you intended.

Note: A hundred users wishing to hold secure two-party conversations need one key pair each for a total of 100 key pairs, or 200 keys. With private key the hundred users need to share a secret key with each of the other ninety-nine for a total of almost 5000 keys. Key management becomes a nightmare, and security can go out the window.

Problem Number 3: How can you or some user on the web be sure of incoming data's integrity? Has it been corrupted or modified in transit?

Tip: Use a checksum or hash of the data. The receiver can calculate the hash of the data using a publicly known hashing algorithm and verify the hashes match. If even a single bit of data or hash has been altered, inserted or deleted the hashes would differ. Here's a simplistic hashing example: Substitute numbers for letters, and add all the letters, then convert back to letters ("ABC" hashes to "F" because 1+2+3 = 6). If hashing goes past "Z" (26) you wrap back to "A".

Example: As before you want to send "NOW" which encrypts to "TUC" using recipient's public key 6. You calculate the hash of "TUC" which is "R" (20+21+3 = 44 = 18) and send both "TUC" and "R". Recipient calculates hash of "TUC" and gets the same hash "R". No corruption. Recipient decrypts "TUC" using recipient's private key 20 and gets "NOW". Everybody's happy.

Problem Number 4: How can recipient be sure the data and corresponding hash didn't come from someone else pretending to be you?

Tip: Digitally sign what you are sending. That means you send data encrypted with the recipient's public key followed by the hash encrypted with your private key.

Example: Your private/public key pair is 8 and 18. As before you want to send "NOW" which encrypts to "TUC". The hash of "TUC" is "R". This time you also encrypt "R" using your private key 8 and get "Z". Send both the encrypted data "TUC" and the encrypted hash "Z". Recipient uses your public key 18 to decrypt the "Z" and gets "R". Recipient calculates hash of "TUC" and gets the same hash "R". Recipient knows data was not corrupted and that you must have sent it since your private key was used. Since you have digitally signed the transmission you cannot later repudiate that fact. Recipient decrypts "TUC" using own private key 20 to get "NOW".

In reality cryptography is far more complex. Symmetric keys are usually 40, 56, 80, 168, or more bits. Public keys are 512, 1024, 2048, or more bits. The mathematical relationship in a key pair is far more difficult to discern than the "they add up to 26" rule above for key pairs 6/20 and 8/18. Hash values are usually at least 4 or 8 bytes. There are brute-force and sophisticated attacks that can defeat secrecy but not in a computationally feasible amount of time. That means it may take legions of supercomputers many, many months or even years to decode a message encrypted with large key sizes. The encrypted data is cryptographically secure.

As complex as cryptography is, there are numerous programming API's, tool boxes, libraries, source code, etc. from IBM and many other Internet sources that make a developer's life much easier. These tools will let you incorporate these security methods into your application programs. For example, IBM has many procedures available under OS/390, such as:

CALL 'ENCRYPT' USING MY-DATA, DATA-LEN, RECIPIENT-PUBLIC-KEY. CALL 'SEND' USING MY-DATA, DATA-LEN. CALL 'HASH' USING MY-DATA, DATA-LEN, HASH-VALUE. CALL 'ENCRYPT' USING HASH-VALUE, HASH-LEN, MY-PRIVATE-KEY. CALL 'SEND' USING HASH-VALUE, HASH-LEN.

Public key cryptography has one disadvantage. It is drastically more computationally intensive than private key cryptography. It's simple to get around this drawback during a transmission between computers over the Internet. Both ends use public key cryptography initially to communicate and agree on a temporary shared key. That key is used with private key cryptography for the rest of the transmission.

Jim Keohane ([email protected]) is president of New York consulting company Multi-Platforms, Inc. His company specializes in commercial software development/consulting with emphasis on cross-platform and performance issues.

Related book

Personal Encryption Clearly Explained
Author : Peter Loshin
Publisher : AP Professional
ISBN/CODE : 0124558372
Cover Type : Soft Cover
Published : Oct. 1998
Summary:
This book is a hands-on guide for effectively using cryptography and encryption. It opens with an introduction to the concepts of modern encryption: secret-key encryption, public key encryption, digital signatures and user authentication mechanisms. The book then moves into why encryption is necessary, how it can be used to protect information at the individual level, and how the new cryptographic technologies are implemented in both software and hardware. Key to the book is how to efficiently set-up a personal encryption system, and how to use it to protect yourself while browsing the Web, sending and receiving e-mail, or using any Internet application.

This was last published in August 2000

SearchCloudSecurity

• Unify on-premises and cloud access control with SDP

One security framework available to organizations struggling with on-premises and cloud access control issues is a ...

• 6 AIOps security use cases to safeguard the cloud

Explore six AIOps security use cases in cloud environments, such as threat intelligence analysis and malware detection, as well ...

SearchNetworking

As workers grow comfortable enough to return to the office, network teams will need to plan in advance to make sure the network ...

• Aruba product integrations advance its SASE strategy

Aruba's latest SASE-related integrations involve the Silver Peak-based SD-WAN, Threat Defense and the ClearPass Policy Manager. ...

• Wi-Fi 6 rollout requires careful review of network devices

Wi-Fi 6 is just one part of the overall enterprise network. Organizations need to evaluate several network components to ensure a...

SearchCIO

• CIO role post-pandemic is 'opportunity of a lifetime'

What is the CIO's role in 2021? Genpact's Sanjay Srivastava, a speaker at this year's MIT Sloan CIO Symposium, says CIOs are ...

• Hybrid care is healthcare's future

Hybrid care is neither digital nor physical, neither in-office nor at home. Instead, it's a little of everything, and one health ...

• Replacing vs. maintaining legacy systems

As CIOs embrace more digital technologies, it's important that they determine the current status of their legacy systems and ...

SearchEnterpriseDesktop

• Apple takes its M1 chip to the iMac, iPad Pro

The proprietary Apple silicon allows for an iPad Pro and an ultra-thin iMac with faster processing and graphics than previous ...

• VMware launches Anywhere Workspace to secure remote workers

Anywhere Workspace is an integrated product bundle that includes Workspace ONE, the VMware secure access service edge ...

• Incorporating zero trust into endpoint security

Zero trust is a complex term, but organizations that take security seriously must know what it is and how it can support existing...

SearchCloudComputing

• Elastic vs. AWS highlights open source monetization dilemma

The fight between AWS and Elastic over the commercial usage of Elasticsearch highlights how open source software vendors need to ...

• How to calculate cloud migration costs before you move

Here's a primer on how to calculate the total cost of a cloud migration and compare your on-premises expenses to what you'll ...

• Evaluate Azure CLI vs. PowerShell for resource management

Compare two popular resource management tools for Azure -- Azure CLI and PowerShell -- to determine if one, or a combination of ...

ComputerWeekly.com

• Vodafone unveils first dedicated Open RAN test and integration lab

UK operator adds momentum to digital transformation programme and its transition to a software-orientated technology company with...

• Security Think Tank: Security culture must underpin vaccine passports

What are the security challenges presented by vaccine passports, and how should they be designed and used with ethics and privacy...

• Australia and India team up on critical technology

The first three projects under a joint research grant programme will focus on developing ethical and regulatory frameworks for ...

Close