Don’t worry, this first encryption lesson will be short and easy. We’re mostly just going to learn the lingo today. We need this to talk about the next lesson, Secure Browsers, and there will be a deeper encryption discussion in a later lesson.
Why is this important? Remember from the Privacy and Anonymity lesson that we need both Privacy and Anonymity. Privacy is driven by encryption. You will learn to secure your browser sessions, encrypt your email, and ensure your chats are secure. It is critical you understand the fundamentals.
Key Terms: Symmetric, Asymmetric, Certificate Authorities, PKI.
Remember, there is nothing magical about the concepts of encryption. It happens all the time when soldiers use One Time Pads. The only difference is that in the digital world, we can leverage complex mathematics (ciphers) to create the encrypted text.
We will discuss two types of encryption – Symmetric and Asymmetric. A minimum encryption system requires plain text, a key, and a process.
Check out the diagram below. Plain text is what you start with, your message. Encryption is the process of applying a scrambling process (a math formula) to the plain text, and creating encrypted text (also called cipher text). The Key is a code you have that you combine with the message as you send it through the encryption process.
Think Old School for a minute. Your One Time Pad is basically a key. You apply the OTP to your message to create a scrambled, or encrypted message. Someone on the other end, with the same OTP, can use their key to decrypt your message.
What you see above is called Symmetric Encryption. The key to Encrypt and Decrypt is the same, or symmetric. It is what happens with One Time Pads and it is how you secure your browser sessions. We sometimes refer to this as a Shared Secret.
Symmetric Encryption is fast and strong. The big weakness is that you both need to have the same key. That can become a huge problem if you are trying to communicate with someone you’ve never met. There is no universally easy way to ensure you both have the right key.
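Here is the shared-secret idea as a small runnable sketch. This is an added example, not part of the original lesson; `PadBook` and `demo` are names made up for it, and the pad and message are constructed sample data. Both sides hold the same pad, the same operation encrypts and decrypts, and each pad byte is used only once.

```python
import secrets


class PadBook:
    """One copy of a one-time pad. Sender and receiver hold identical bytes."""

    def __init__(self, pad: bytes):
        self._pad = pad
        self._used = 0  # how many pad bytes have been consumed; never rewound

    def _take(self, n: int) -> bytes:
        # Refuse to reuse pad material: once the pad runs out, a new one
        # has to be shared, which is the distribution problem described above.
        if self._used + n > len(self._pad):
            raise ValueError("pad exhausted: a new shared pad is needed")
        chunk = self._pad[self._used:self._used + n]
        self._used += n
        return chunk

    def encrypt(self, plain_text: bytes) -> bytes:
        key = self._take(len(plain_text))
        return bytes(p ^ k for p, k in zip(plain_text, key))

    # XOR undoes itself, so decrypting is the same operation with the same key.
    decrypt = encrypt


def demo():
    shared_pad = secrets.token_bytes(64)            # constructed sample pad
    sender, receiver = PadBook(shared_pad), PadBook(shared_pad)
    outsider = PadBook(secrets.token_bytes(64))     # someone with a different pad
    message = b"MEET AT THE BRIDGE AT NOON"         # constructed sample message
    cipher_text = sender.encrypt(message)
    return (message, cipher_text,
            receiver.decrypt(cipher_text),          # same key: original message
            outsider.decrypt(cipher_text))          # wrong key: random-looking bytes


if __name__ == "__main__":
    message, cipher_text, good, bad = demo()
    print("cipher text :", cipher_text.hex())
    print("right key   :", good)
    print("wrong key   :", bad)
```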
In Asymmetric Encryption, there are 2 different keys, a public key and a private key. Each key works in one direction only. The public key is used to encrypt but cannot be used to decrypt. The private key is used to decrypt and must be kept safe.
Since the public key can’t be used to decrypt your message (only encrypt) it doesn’t need to be kept secret. In fact, you want to give your Public Key to anyone you need to communicate with. It will allow them to encrypt a message that only you can decrypt with your Private Key. People (and organizations) publish their Public Keys in many places like public key servers and Certificate Authorities.
You can, on your own, generate public and private keys. If you know someone, you can trade public keys and begin encrypted communication. This is the basis for PGP or GPG encrypted email.
Asymmetric encryption is slower than symmetric encryption, but has the huge advantage of being able to distribute public one-way encryption keys with no risk of someone else being able to decrypt your message unless they have your private key.
Certificate Authorities – the Trust Factor
When you want to connect to your bank, how do you get their key? Or how do you know that a rogue group isn’t impersonating your bank? Without going into a lot of detail right now, there are organizations we trust to provide us with the proper public keys for parties with whom we want to communicate. These organizations are the Certificate Authorities, or CAs. Some examples are Comodo, GoDaddy, Thawte, and Verisign.
CAs act as a trusted intermediary, and serve up the public keys of other companies to us as “signed” documents. These are called Certificates. When we go to the next lesson on HTTPS, these are called SSL Certificates, but they are the same thing.
They contain the public key we need (plus some other info), and are electronically signed by the CA (signed with the CA’s key, think “wax seal”) indicating the key we asked for is legitimate. Clearly it is bad if we encrypt our private data with a key that doesn’t really belong to our bank, but to Russian hackers impersonating a bank.
Certificate Authorities must operate in such a way that we can trust them. They are responsible for ensuring the public keys they send to us are legitimate keys for other organizations, so they are effectively vouching for the keys we need.
This entire system of Asymmetric encryption (public and private keys) along with CAs, is called the Public Key Infrastructure, or PKI.
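The sketch below ties the public/private key section and the CA section together. It is an added example, not part of the original lesson. It uses textbook RSA with no padding and small, publicly known primes, so it is for learning only; all function names, the subject name `bank.example` and the message are assumptions made up for it. It shows a public key encrypting, only the private key decrypting, and a CA's "wax seal" failing when someone swaps their own key into the bank's certificate.

```python
import hashlib

def make_keypair(p: int, q: int, e: int = 65537):
    """Toy RSA from two primes; returns (public, private) as (exponent, modulus)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), (pow(e, -1, phi), n)

def apply_key(key, number: int) -> int:
    exponent, modulus = key
    return pow(number, exponent, modulus)

def digest(data: bytes, modulus: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % modulus

def issue_certificate(ca_private, subject: str, subject_public) -> dict:
    # The CA signs the subject name together with the subject's public key.
    body = f"{subject}|{subject_public[0]}|{subject_public[1]}".encode()
    return {"subject": subject, "public_key": subject_public,
            "signature": apply_key(ca_private, digest(body, ca_private[1]))}

def verify_certificate(ca_public, cert: dict) -> bool:
    # Anyone holding the CA's public key can check the seal.
    e, n = cert["public_key"]
    body = f"{cert['subject']}|{e}|{n}".encode()
    return apply_key(ca_public, cert["signature"]) == digest(body, ca_public[1])

def demo():
    # Constructed keys built from well-known Mersenne primes (not secret, not secure).
    ca_public, ca_private = make_keypair(2**89 - 1, 2**107 - 1)
    bank_public, bank_private = make_keypair(2**31 - 1, 2**61 - 1)
    rogue_public, _ = make_keypair(2**61 - 1, 2**127 - 1)

    cert = issue_certificate(ca_private, "bank.example", bank_public)
    forged = dict(cert, public_key=rogue_public)   # same name and seal, swapped key

    message = int.from_bytes(b"pay $100", "big")   # constructed sample message
    cipher = apply_key(cert["public_key"], message)
    return {
        "genuine_ok": verify_certificate(ca_public, cert),
        "forged_ok": verify_certificate(ca_public, forged),
        "private_decrypts": apply_key(bank_private, cipher) == message,
        "public_decrypts": apply_key(bank_public, cipher) == message,
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:17} {value}")
```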
The strength of encryption is governed by 2 things:
- the length of the key (bigger key is stronger encryption)
- the mathematical algorithm used for a particular encryption method.
Key lengths are expressed in bits. Bigger is better. Symmetric Encryption has key sizes of 40 – 256 bits; Asymmetric key lengths range from 512 – 4096 bits.
Ideally we want Symmetric keys of at least 128 bits, and Asymmetric keys of at least 2048 bits.
Symmetric algorithm examples are: 3DES, AES, IDEA, RC4, RC5, and Blowfish.
Asymmetric algorithm examples are: RSA, Diffie-Hellman, ElGamal, ECC.
That’s it for now. You should understand Encryption, Decryption, symmetric encryption (shared keys, just like One Time Pads) and asymmetric encryption (public / private keys, CAs and PKI).
This is LESSON ID=> 0019