What Is Encryption?

Encryption is the process of performing some function on a set of data that attempts to render it in a format that makes it unreadable or unusable by anyone but the intended recipient. A key is required to read something that has been encrypted. This might be a secret key, as is the case with single-key encryption, or it might be a key that can be known by many different people, as is the case with public-key encryption. Some cryptographic methods use the same key for encrypting and decrypting information, whereas others use a separate key for these functions.

Digital signatures and certificates are part of another interesting concept that has become increasingly important in networks today. You'll learn more about that later. First, take a quick look at basic encryption techniques.

Single-Key Encryption ”Symmetric Encryption

As its name implies, single-key encryption uses the same key to encrypt and decrypt information. The Data Encryption Standard (DES) is a technology developed by IBM in the 1970s and adopted as a federal government standard in the United States in 1976. DES was thought for many years to be extremely secure. It is still in use in many networks and businesses today. You'll find it in various forms, typically using more than one pass at encryption to secure the data. For example, a technique called triple-DES uses three different keys successively to encrypt and then re-encrypt the data. A 56-bit key is used, which results in a little over 72 quadrillion possible key values. You would think with such a large number of possible keys, and using multiple passes , that the data secured by DES would truly be secure.

That might have been true a few years ago. However, when you consider that the typical desktop PC today is a lot more powerful than the computers available back in the 1970s when DES was first developed, it's obvious that even this strong form of encryption is vulnerable to being broken, if only by a brute-force method in which every possible key value is tried. The National Institute of Standards and Technology (NIST) has decided not to recertify DES as a standard.

The main advantage that single-key encryption has over public-key encryption is that it's computationally fast to implement. The major disadvantage is that you need to protect the secret key.

The New Standard: AES

AES is the name given to the encryption algorithm that was selected by NIST as the new standard for encryption. NIST set the requirements necessary for this new standard, and many candidates submitted algorithms hoping to qualify. The selection that was made is called Rijndael, a block cipher developed by Joan Daemen and Vincent Rijmen from Belgium. This encryption algorithm makes use of variable-length blocks of data and key lengths to encrypt the data. Currently, key lengths of 128, 192, and 256 bits can be used to encrypt blocks of data, also of variable lengths, of 128, 192, or 256 bits. However, the algorithm is extensible, allowing for larger key sizes in multiples of 32 bits. How long this new AES standard will be considered " unbreakable " remains to be seen. However, the longer the key length, the more computational time it will take to break the code because each additional bit adds tremendously to the possible permutations of numbers that can be created using the key.

In December 2001, AES was adopted by the U.S. government as the encryption standard to be used for unclassified documents. The U.S. military uses other, secret encryption technologies for classified documents and communications.

If you want to learn more about Rijndael, you can visit the Web site for these cryptographers at www.esat.kuleuven.ac.be/~rijmen/rijndael/, which includes code examples and documentation. It's freely available to anyone who cares to use it. You can also visit the Web site http://csrc.nist.gov/CryptoToolkit/aes/ for more information about AES.

The Problem with Single-Key Encryption

No matter how strong the encryption algorithm used with a single-key encryption method, one thorny problem remains. You still have to find a way to transfer the single known key to the recipient of the message, or establish some method for using an alternating set of seemingly random key selections. If someone trying to intercept your data can determine the single key, it's a simple matter to decrypt the data. However, because most people don't expect their communications to be intercepted and decrypted, sometimes perfection isn't necessary. It's enough to use the best available method and hope that you don't have a hacker (or the government) trying to look into your affairs.

The problem with key transfer, however, exists with AES, DES, or any single-key encryption algorithm. For a large corporation, the exchange of a secret key might involve sending a courier from one location to another to deliver the key. This can be expensive. Of course, if your company is a large financial institution, the cost is miniscule when compared to the value of the data that is encrypted using the secret key. For smaller entities, and for individual users on the Internet, exchanging secret keys in this manner is not a consideration.

To overcome this limitation, another solution was developed, called public-key encryption. Public-key encryption is subject to the same brute-force attack method of trying every possible key that a single-key encryption method is; however, it makes distributing keys much simpler. The difference between single-key encryption, also called symmetric encryption, and public-key encryption is very subtle.

Public-Key Encryption

Whitfield Diffie and Martin Hellman invented public-key cryptography in 1975. Public-key cryptography uses two keys, called a key pair , that are mathematically related . One key is used to encrypt the data, and the other to decrypt the data. At first glance, this might seem rather innocuous . In fact, instead of protecting the encryption key and keeping it a secret, the opposite is true. The key used to encrypt the data is the public key that can be shared with many people. You can post your public key on certain places on the Internet so that it's available to anyone who wants to send you a message in encrypted format. It also is common now for users to attach a copy of their public key to emails they send out so that the recipient of the message can use it to encrypt a response to the email. The term key ring is used to describe a file that you use to store a set of public keys for others with whom you communicate. Products such as Pretty Good Privacy (PGP) use key rings for just this purpose.

This form of encryption usually is referred to as asymmetric encryption, because more than one key is used. To put it simply, if you want someone to send you a message in encrypted format, you just give her (or anyone else) your public key. Anyone who wants to send you a message encrypts the message using this public key. The difference between symmetric encryption and asymmetric encryption is that the public key that encrypts the data cannot be used to perform the reverse process of decrypting the data that it was used to encode. Instead, a pair of keys is used: the public key that you can distribute freely and a secret key that only you possess. Both keys are mathematically related so that only the secret key can be used to decrypt the message that was encrypted using your public key.

This solves the problem of having to distribute a secret key, because you don't have to. Instead, you can freely publish your public key so that anyone in the world (or on the Internet) can use it. Because this key can be used only to encrypt a message, and can't be used to unlock the message, you don't have to worry about keeping the public key a secret. Instead, you only need to keep secret the other half of this key pair, and because it is under your control, that should be much easier to do.

Yet, this brings up another question. How can you be sure that the person who has sent you a message is the person he or she claims to be? Because anyone can potentially gain access to your public key ”remember, there are places on the Internet where you can publish your public key ”how can you be sure, when you receive an encrypted message, that it comes from the person whom the message claims it is from?

Enter, stage left, the digital signature . The person who sends you the message can use her own secret key to digitally sign the message. You then can use her public key to verify that the message most likely did originate from that person. Unless the sender's secret key has become compromised, you can be fairly sure that you've received a message from the person the message claims to be from in encrypted format that can be decrypted only by your own secret key. Throughout this entire process, it's never necessary to exchange either party's secret key. The public keys can be known by anyone; as long as the secret keys remain a secret, it's possible to be reasonably sure that you've received an encrypted message from the person you think it's from.

One drawback to public-key encryption is that, due to the mathematical relationship between the key pair, the size of the keys is a lot larger than one traditionally used in secret key, or symmetric, encryption. However, the flexibility that public-key encryption provides, and the uses to which it has been put (such as digital signatures), more than makes up for the larger key size. Does it really matter if it takes a few seconds longer to decrypt a message using public-key cryptography when you consider the problems associated with trying to distribute a secret key, and keep it a secret?

Because public-key encryption techniques eliminate the need to share a secret key, a public-key encryption system also could be combined with a secret-key encryption system. That is, a public key could be used to encrypt a secret key for transmission across a network, where it is recovered using the private key at the end of the communication path . From then on, the secret key itself could be used for further encrypted communications. Because secret-key encryption typically uses shorter key lengths than public keys, it's much faster to encrypt or decrypt text using a secret key. Thus, public-key encryption can be used both as a method of encrypted communication and as a method for exchanging secret keys for even faster encrypted communications. To make things even more secure, it's common to change the secret key frequently during the transmission of data, making it even more difficult for anyone who intercepts the data to discover any of the keys. As a general rule, the more data that the interceptor has to work with, the easier it is to use a computer to look for patterns and try to decrypt the data. If the secret key changes frequently (transmitted using public-key technology), the interceptor has less data encrypted with the same key to work with, and the job becomes much more difficult.

RSA Public Key Cryptography

Several algorithms are used today for public-key asymmetric encryption. The most widely known is called the RSA algorithm, named after its inventors, Ronald Rivest, Adi Shamir, and Len Adleman. This method is based on multiplying two prime numbers to come up with the key pair. Further mathematical functions are performed after the multiplication to create the actual key pair, but that is beyond the scope of this book. It's a simple matter to use a computer to come up with a rather large prime number, but it's a difficult computation task to take the result of this multiplication and the subsequent operations performed and determine which two prime numbers were used to generate it.

If you want to learn more about RSA, visit the Web site for the company founded to market this technology: www.rsasecurity.com. The RSA Security Web site is an excellent resource for encryption techniques overall, but also has a lot of information pertaining to the RSA algorithm, which has been licensed to a large number of software and hardware security providers.

Because of the difficulty in cracking RSA-encrypted data, it has been adopted by a large number of vendors , including Sun, Microsoft, and Novell, and is the most widely used cryptosystem today.