The word “cryptography” may evoke dramatic images of Russell Crowe in A Beautiful Mind, trying to find Russian spies lurking in the classified ads, or perhaps you think of little Ralphie Parker in A Christmas Story who diligently decrypted Little Orphan Annie’s impassioned plea to “drink more Ovaltine”.
In today’s information systems, cryptography plays a role in keeping your data secure and private, and you probably use it every day without thinking much about it.
Most encryption used today uses a ‘public key architecture’ which is a pretentious way of saying that there is a public key and a private key in use.
The public key is only able to encrypt or encode information, and the private key is required in order to decrypt or decode information.
So if Jane wants to send Spot a message, and she doesn’t want Dick to read it, she can encrypt the message with Spot’s public key and then only Spot’s private key will be able to make sense of it. In fact, Jane could ask Dick to deliver the message to Spot, and Dick would not be able to read it because only Spot’s private key will be able to decode messages encrypted with his public key.
I can post my public key in a public forum, like an internet message board, and then if anyone wants to tell me a secret, they can use that public key to encrypt data that only my private key will be able to decode.
The internet is a public network. Data travels across routers, gateways, switches, and servers that are not necessarily secure, so if you want to maintain privacy, you will want to use encryption so that your data can’t be read in transit – so that anyone can have your data, but only the intended recipient can read it.
If you connect wirelessly to your network, you will want to encrypt that connection. If you are shopping online, you will want to encrypt your credit card information. Even if you are sending a password, you usually want to encrypt that too – anything sent without encryption can be intercepted. In fact, anything sent with encryption can be intercepted, it just can’t be read without the private key. Encrypted data looks like gibberish.
Encryption was in the news a while back when Google alleged that agents of the Chinese government were spying on the gmail accounts of human rights workers. As part of their response, they made encryption enabled by default for users of Google Apps and Gmail. Many websites now turn on encryption by default, or at least make it available.
There’s another problem though. Encryption makes sure your data can’t be read in transit, but how do you know that you’re actually communicating with who you intend to? What if Dick puts on a furry dog costume and pretends that he’s Spot? This is what information security professionals call a “man in the middle” attack, which you might also hear about from time to time. In this scenario, someone nefarious pretends to be the intended recipient, usually to get passwords or other sensitive information. This is often used in conjunction with a Phishing scam.
The way information security professionals addressed this is by requiring that the encryption is “signed” by a certifying authority. You can self-sign, but then visitors to your site will see a message like the one on the right. The CA’s job is to make sure that the entity you are exchanging keys with is actually what it says it is.
So in practice, when browsing the web, when your connection is encrypted, you will see the address preceded by https:// instead of http:// and if you click on the site icon or lock icon, it will give you information about the type of encryption in use as well as the CA or Certifying Authority. CA’s like Thawte and Verisign work in the niche market of making sure that the encryption key actually belongs to who it says it does. It’s the CA’s job to make sure that the secured connection is with who you think it is. Only well known CA’s will be accepted by your browser without question.
In other words, Dr. Evil could make a certificate and tell you it’s from Wells Fargo Bank, but he wouldn’t be able to get it verified by a reputable CA, and if you browsed to a page that was certified by his bogus certificate, your browser would warn you that you might not want to continue.
The use of certificates along with Public Key Architecture gives the end user a reasonable expectation that they are securely exchanging information with who they think they are, and that their data will not be read in transit, which is important if you intend to bank or file taxes online.
So when you go to https://www.mybank.com to check your statement, your browser automatically trades public keys with the server at mybank.com, and then it automatically downloads a certificate. It checks that the certificate is signed by a reputable CA, that the date is valid, and that the name on the security certificate matches the one on the site you are connecting to. If everything looks good, the page is presented to you as “secure”. If it doesn’t, you get a warning.
There are lots of other uses for encryption. You might choose to encrypt sensitive files on your computer, sensitive email messages, or even your entire connection to the internet. In the United States and most western nations, you may encrypt anything you like. In other places, Iran, for example, you need a license from the government to encrypt data, and you must provide their Supreme Council for Cultural Revolution with your public and private keys. Iran treats encryption basically the same way America treats guns, which should give you some idea how powerful it is. For information about your country’s laws, you might want to check out the Crypto Law Survey.
Don’t forget to encrypt your sensitive data, and remember to drink more Ovaltine.