8.6 Overview of Encryption

8.6 Overview of Encryption

Encryption is a process by which a readable digital object (plaintext) is converted into an unreadable digital object (ciphertext) using a mathematical function. Strong encryption schemes use the equivalent of a password, called a key. However, there are simple, keyless encoding systems. For instance, ROT13 is a simple code that substitutes each letter in the plaintext message with the letter that is 13 letters further along in the alphabet (A is followed by Z). So, a becomes n, b becomes o, and so on.

ROT13 is sometimes used in public discussion forums on the Internet to obfuscate potentially objectionable messages, allowing the reader to decide whether to decrypt the message. The following Usenet message demonstrates this application of ROT13.

    From: AndrewB (andrewbee@my_deja.com)    Subject: Sexual differences [view thread]    Newsgroups: soc.religion.christian    Date: 2000-10-02 20:58:37 PST    [This posting asks advice on a sexually explicit topic. My first reaction is that it's    a troll, but perhaps I'm just narrow-minded. To avoid offending people, the    body of the posting has been translated using rot13.]    Uv,    Sbetvir zr sbe orvat irel senax urer. Zl jvsr naq V unir n ceboyrz. V nz cerggl    "bhg gurer" jura vg pbzrf gb zl frkhny cersreraprf. Zl jvsr, ubjrire, vf n irel    pbafreingvir fznyy-gbja tvey jura vg pbzrf gb gung. Fcrpvsvpnyyl, V nz irel    ghearq ba zl fcnaxvat, jurernf zl jvsr frrf ab cynpr sbe vg ng nyy va gur orqebbz.    V xabj gung gurer ner thlf nebhaq jub tvir cevingr fcnaxvatf. Ab frkhny    pbagnpg; whfg gur tengvsvpngvba vaurerag gurerva. Vs V pbhyq qb guvf,    vg jbhyq zrrg zl arrq, naq rnfr zl sehfgengvba. Bayl ceboyrzf ner: zl jvsr rdhngrf    vg gb purngvat, ba gur tebhaqf gung vg vaibyirf obqvyl pbagnpg sbe frkhny    tengvsvpngvba, naq V unir qbhogf nobhg jurgure vg'f ernyyl BX sbe n    Tbq-srnevat Puevfgvna gb qb gung. V jnag gb yvir va chevgl orsber Tbq,    ohg V nyfb unir guvf fgebat hetr naq qrfver. Nalbar unq nal fvzvyne    rkcrevraprf be pna bssre nal uryc?    Gunaxf    N.O.    Frag ivn Qrwn.pbz uggc://jjj.qrwn.pbz/    Orsber Ibh ohl. 

Many newsreaders have the ability to decrypt ROT13, saving individuals from the tedious, manual process. Windows 2000/XP use similar encoding schemes to obfuscate values in some Registry keys as discussed in Chapter 10.

8.6.1 Private Key Encryption

Private key encryption (a.k.a. symmetric key encryption) is conceptually straightforward - the key that is used to encrypt a message is also used to decrypt it. This encryption method is analogous to a lock in the physical world but, in actuality, the lock is a mathematical function. Since it is not safe to rely on the secrecy of the mathematical function used to encrypt the data, most popular encryption schemes utilize mathematical functions that are difficult to reverse. In this way, even if the mathematical function is known, it is difficult to decrypt data without knowing the key. Some commonly used symmetric key encryption algorithms are DES, IDEA, and Blowfish. For example, taking the text "This is a secret message" and encrypting it using the key "eoghan" and the DES algorithm gives the following ciphertext.

     ---ENCRYPTED---     BFADQGxwAwYABz2FQEz0E3C3QF3zB11BAz43VGBFE4Gxl8GADBoub8EWE0YF     +Wk9OpfbGxVgix+Hr6rnXKz5HRX54jDvtvQWNQ6VBv9JD/dMZqsYAHnHPa4XJ     pC4jnAF8VWgfSIPJnyGBIUVpuVWiUlmjO1Qfu3O+FE753JZxXFhXd5ivslVY     RsxEJFY/Nx1FRu/2r1+dYFrknA0m8ihJJHs+ARss+GjzjDtagw9emTyedOKb     mMwo1BQyKKsiiqzvoD4rNs2bSZsfQ6mJMxonlJnST9ruH/25XmK1uXpr2rK8     hJ1DT8UEKW1z4ylKkAWS3$$f5/v96t6sSOhDP+2mkAxdELL7PNb46g16Aeth     f3j/3GkYCz5jT793t3sO+aa+MQhlEPRA2/2QYpfO7boVViXJp3pRS6w1bdwL     o3sbeUvlQcEZnx5bgCK7CTI+aAS4x62jMliMQ6CXEfAAwjzE5XaibgK/NcP4     3cdsst/kvSzmVjsah671.     ------END------ 

Since the key is known, it is possible to decrypt this ciphertext using a program that implements the DES algorithm.

8.6.2 Public Key Encryption

One of the main difficulties with symmetric key encryption arises when people want to encrypt their communications. Both people must have the key that encodes and decodes the data. For instance, if two people want to exchange encrypted e-mail, how do they exchange the key to decrypt the message? Should they send the key in one message and then the encrypted data separately? If the concern is that the e-mail will be intercepted, then the key could just as easily be intercepted. Should they send the key on a disk by regular mail? This is slow and not very secure since a determined adversary could intercept the disk.

The answer to this apparent riddle is public key encryption. Continuing the lock analogy, imagine that an individual could make thousands of identical padlocks and distribute them to anyone who wanted to send him/her a private message. In the 1970s, clever mathematicians finally developed a mechanism to implement this idea, allowing an individual to disseminate a piece of information called a public key that anyone could use to encrypt a message and only the intended recipient who possessed the corresponding private key could decrypt the message. Two commonly used public key algorithms are RSA and DSA. For an excellent account of the history of cryptography and simplified descriptions of these algorithms see Singh (2000). More technical coverage of cryptography can be found in Schneier (1996).

8.6.3 Pretty Good Privacy

One program that uses both private and public key cryptography is Pretty Good Privacy (PGP).^[7] Although it is possible to just use a public key algorithm like RSA to encrypt messages, this would be slow when dealing with large messages. Private key encryption is significantly more efficient. Therefore, PGP took the best of both methods and combined them. PGP encrypts a message using a private key algorithm like DES using a randomly generated private key and encrypts that private key using a public key algorithm like RSA (this last step requires the intended recipient's public key). PGP then sends both the encrypted text and the encrypted private key to the recipient. Thus, when the recipient receives the encrypted message, he/she uses his/her personal private key to decrypt the randomly generated private key and uses the randomly generated private key to decrypt the message.

Criminals have not overlooked the power of encryption and are using it to protect data stored on their computer and conceal their activities on the Internet. For instance, in 2001, when the Earth Liberation Front (ELF^[8]) was placed at the top of the FBI's list of North American terrorist threats, their Web site instructed ELF members to maintain a high level of secrecy and security using PGP.

^[7]http://www.pgpi.com

^[8]http://www.earthliberationfront.com