Cryptography can be defined as the process of concealing the contents of a message from all except those who know the key. Although protecting information has always been important, the electronic communication and the Internet has made this more so, as systems are needed to protect email, corporate data, personal information, and electronic transactions. Cryptography can be used for many purposes; however, this Chapter focuses primarily on encryption. Encryption is the process used in cryptography to convert plaintext into cipher text to prevent any person or entity except the intended recipient from reading that data. Symmetric and asymmetric are the two primary types of encryptions. Symmetric uses a single key, whereas asymmetric uses two keys.
What else is required to have a good understanding of cryptography? It is important to start with an understanding of how cryptography relates to the basic foundations of security that were first introduced in Chapter 1, "The Business Aspects of Penetration Testing": authentication, integrity, confidentiality, and non-repudiation.
Authentication has several roles. First, authentication can also be associated with message encryption. Authentication is something you use to prove your identity such as something you have, you know, or you are.
It is part of the identification and authentication process. The most common form of authentication is username and password. Most passwords are encrypted; they do not have to be, but without encryption, the authentication process would be weak. FTP and Telnet are two examples of this, as usernames and passwords are passed in cleartext and anyone with access to the wire can intercept and capture these passwords. Virtual private networks (VPNs) also use authentication, but instead of a cleartext username and password, they use digital certificates and digital signatures to more accurately identify the user and protect the authentication process from spoofing.
Integrity is another important piece of the cryptographic puzzle. Integrity is a means to ensure that information has remained unaltered from the point it was produced, while it was in transmission, and during storage. If you're selling widgets on the Internet for $10.00 each, you will likely go broke if a hacker can change the price to $1.00 at checkout. Integrity is important for many individuals, including those who exchange information, perform e-commerce, are in charge of trade secrets, and are depending on accurate military communications.
Confidentiality simply means that what is private should stay private. Cryptography can provide confidentiality through the use of encryption. Encryption can protect the confidentiality of information in storage or in transit. Just think about the CEO's laptop. If it is lost or stolen, what is really worth more, the laptop or information about next year's hot new product line? Informational assets can be worth much more than the equipment that contains them. Encryption offers an easy way to protect that information should the equipment be lost, stolen, or accessed by unauthorized individuals.
Non-repudiation is used to ensure that a sender of data is provided with proof of delivery and the recipient is assured of the sender's identity. Neither party should be able to deny having sent or received the data at a later date. In the days of face-to-face transactions, non-repudiation was not as hard to prove. Today, the Internet makes many transactions faceless. You might never see the people you deal with; therefore, non-repudiation became even more critical. Non-repudiation is achieved through digital signatures, digital certificates, and message authentication codes (MACs).
History of Cryptography