Page125
Cornerstone Cryptographic Concepts
Cryptography is secret writing: secure communication that may be understood by the intended recipient only. While the fact that data is being transmitted may be known, the content of that data should remain unknown to third parties. Data in motion (moving on a network) and at rest (stored on a device such as a disk) may be encrypted.
The use of cryptography dates back thousands of years, but is very much a part of our modern world. Mathematics and computers play a critical role in modern cryptography. Fundamental cryptographic concepts are embodied by strong encryption, and must be understood before learning about specific implementations.
Key Terms
Cryptology is the science of secure communications. Cryptography creates messages whose meaning is hidden; cryptanalysis is the science of breaking encrypted messages (recovering their meaning). Many use the term cryptography in place of cryptology: it is important to remember that cryptology encompasses both cryptography and cryptanalysis.
A cipher is a cryptographic algorithm. A plaintext is an unencrypted message. Encryption converts a plaintext to a ciphertext. Decryption turns a ciphertext back into a plaintext.
Confidentiality, Integrity, Authentication, and Non-repudiation
Cryptography can provide confidentiality (secrets remain secret) and integrity (data is not altered in an unauthorized manner): it is important to note that it does not directly provide availability. Cryptography can also provide authentication (proving an identity claim).
Additionally, cryptography can provide non-repudiation, which is an assurance that a specific user performed a specific transaction and that the transaction did not change. The two must be tied together. Proving that you signed a contract to buy a car is not useful if the car dealer can increase the cost after you signed the contract. Non-repudiation means the individual who performed a transaction, such as authenticating to a system and viewing personally identifiable information (PII), cannot repudiate (or deny) having done so afterward.
Confusion, Diffusion, Substitution, and Permutation
Diffusion means the order of the plaintext should be “diffused” (or dispersed) in the ciphertext. Confusion means that the relationship between the plaintext and ciphertext should be as confused (or random) as possible. Claude Shannon, the father of information security, in his paper Communication Theory of Secrecy Systems, first defined these terms in 1949 [32].
Cryptographic substitution replaces one character for another; this provides confusion. Permutation (also called transposition) provides diffusion by rearranging the characters of the plaintext, anagram-style. “ATTACKATDAWN” can be rearranged to “CAAKDTANTATW,” for example. Substitution and permutation are often combined. While these techniques were used historically (the Caesar Cipher is a substitution cipher), they are still used in combination in modern ciphers such as the Advanced Encryption Standard (AES).
Strong encryption destroys patterns. If a single bit of plaintext changes, the odds of every bit of resulting ciphertext changing should be 50/50. Any signs of non-randomness may be used as clues to a cryptanalyst, hinting at the underlying order of the original plaintext or key.
Note:
The dates and names (such as Claude Shannon) associated with cryptographic breakthroughs are generally not testable, unless the inventor’s name appears in the name of the device or cipher. This information is given to flesh out the cryptographic concepts (which are very testable).
Cryptographic Strength
Good encryption is strong: for key-based encryption, it should be very difficult (and ideally impossible) to convert a ciphertext back to a plaintext without the key. The work factor describes how long it will take to break a cryptosystem (decrypt a ciphertext without the key).
Secrecy of the cryptographic algorithm does not provide strength: secret algorithms are often proven quite weak. Strong crypto relies on math, not secrecy, to provide strength. Ciphers that have stood the test of time are public algorithms, such as the Triple Data Encryption Standard (TDES) and the Advanced Encryption Standard (AES).