LESSON ID=>0019

Don’t worry, this first encryption lesson will be short and easy. We’re mostly just going to learn the lingo today. We need this to talk about the next lesson, Secure Browsers, and there will be a deeper encryption discussion in a later lesson.

Why is this important? Remember from the Privacy and Anonymity lesson that we need both Privacy and Anonymity. Privacy is driven by encryption. You will learn to secure your browser sessions, encrypt your email, and ensure your chats are secure. It is critical you understand the fundamentals.

**Key Terms:** Symmetric, Asymmetric, Certificate Authorities, PKI.

Remember, there is nothing magical about the concepts of encryption. It happens all the time when soldiers use One Time Pads. The only difference is that in the digital world, we can leverage complex mathematics (ciphers) to create the encrypted text.

We will discuss two types of encryption – **Symmetric** and **Asymmetric**. A minimum encryption system requires plain text, a key, and a process.

#### Symmetric Encryption

Check out the diagram below. Plain text is what you start with, your message. Encryption is the process of applying a scrambling process (a math formula) to the plain text, and creating encrypted text (also called cipher text). The Key is a code you have that you combine with the message as you send it through the encryption process.

Think Old School for a minute. Your One Time Pad is basically a key. You apply the OTP to your message to create a scrambled, or encrypted message. Someone on the other end, with the same OTP, can use their key to decrypt your message.

What you see above is called Symmetric Encryption. The key to Encrypt and Decrypt is the same, or symmetric. It is what happens with One Time Pads and it is how you secure your browser sessions. We sometimes refer to this as a Shared Secret.

Symmetric Encryption is fast and strong. The big weakness is that you both need to have the same key. That can become a huge problem if you are trying to communicate with someone you’ve never met. There is no universally easy way to ensure you both have the right key.

#### Asymmetric Encryption

In Asymmetric Encryption, there are 2 different keys, a public key and a private key. They are one-way functions. The public key is used to encrypt but cannot be used to decrypt. The private key is used to decrypt and must be kept safe.

Since the public key can’t be used to decrypt your message (only encrypt) it doesn’t need to be kept secret. In fact, you want to give your Public Key to anyone you need to communicate with. It will allow them to encrypt a message that only you can decrypt with your Private Key. People (and organizations) publish their Public Keys in many places like public key servers and Certificate Authorities.

You can, on your own, generate public and private keys. If you know someone, you can trade public keys and begin encrypted communication. This is the basis for PGP or GPG encrypted email.

Asymmetric encryption is slower than symmetric encryption, but has the huge advantage of being able to distribute public one-way encryption keys with no risk of someone else being able to decrypt your message unless they have your private key.

#### Certificate Authorities – the Trust Factor

When you want to connect to your bank, how do you get their key? Or how do you know that a rogue group isn’t impersonating your bank? Without going into a lot of detail right now, there are organizations we trust to provide us with the proper public keys for parties with whom we want to communicate. These organizations are the Certificate Authorities, or CAs. Some examples are Comodo, GoDaddy, Thawte, and Verisign.

CAs act as a trusted intermediary, and serve up the public keys of other companies to us as “signed” documents. These are called Certificates. When we go to the next lesson on HTTPS, these are called SSL Certificates, but they are the same thing.

They contain the public key we need (plus some other info), and are electronically signed by the CA (signed with the CA’s key, think “wax seal”) indicating the key we asked for is legitimate. Clearly it is bad if we encrypt our private data with a key that doesn’t really belong to our bank, but to Russian hackers impersonating a bank.

Certificate Authorities must operate in such a way that we can trust them. They are responsible for ensuring the public keys they send to us are legitimate keys for other organizations, so they are effectively vouching for the keys we need.

This entire system of Asymmetric encryption (public and private keys) along with CAs, is called the Public Key Infrastructure, or PKI.

#### Final Details

The strength of encryption is governed by 2 things:

- the length of the key (bigger key is stronger encryption)
- the mathematical algorithm used for a particular encryption method.

Key lengths are expressed in bits. Bigger is better. Symmetric Encryption has key sizes of 40 – 256 bits, Asymmetric key lengths range from 512 – 4096 bits.

Ideally we want Symmetric keys of at least 128 bits, and Asymmetric keys of at least 2048 bits.

Symmetric algorithm examples are: 3DES, AES, IDEA, RC4, RC5, and Blowfish.

Asymmetric algorithm examples are: RSA, Diffie-Helman, ElGamal, ECC.

That’s it for now. You should understand Encryption, Decryption, symmetric encryption (shared keys, just like One Time Pads) and asymmetric encryption (public / private keys, CA’s and PKI).

This is LESSON ID=> 0019

You are using the term “one time pad” improperly here. A one time pad is a series of random characters the same length as the plaintext to be encrypted, and is applied to the plaintext using a very simple “math formula”, typically XOR each character of the plain text with the corresponding character, in sequence, of the one time pad. Decryption (if XOR character by character was used) is merely doing the same, running the encrypted text against the one time pad. This is, provided that the one time pad is truly random and kept secure (ideally, it is destroyed after being used only once, hence “one time”) in principle unbreakable. However, managing the one time pad material is difficult, since there must be enough of it to cover the length of all the plaintext to be encrypted, and its random nature precludes memorization. A symmetric code key is much shorter than the plaintext, and can be something much easier to remember than a string of random characters, but unless the “scrambling process” is very robust (proving this is distinctly non-trivial, complexity by itself is not sufficent) the encrypted text is vulnerable to cryptanalysis.

Also, while asymmetric encryption schemes are slower than symmetric, in practical public/private key systems, the asymmetric encryption is used only to transfer what is called a ‘session key’ between the communicating parties – this is a symmetric code key which is used for further data transfer with a symmetric code, but since the session key can be, and is, long, random, and discarded after being used for one ‘session’, the security of any given symmetric code scheme is much greater than if ‘human readable’ symmetric code keys are used.

trying2be-amused, Thanks for reading and commenting. Of course you are correct on OTP, it is a one for one substitution, while symmetric encryption is a fixed key. At the risk of taking a little liberty here, we’re trying to keep the concepts simple, short and resembling something people already know. We want to orient it such that non-IT types and non-crypto types can get enough of a basic understanding to effectively employ privacy and anonymity. As an analogy to OTP, both use a shared secret, and is something that many can relate to. It illustrates the concept that there is clear text, a shared secret, and a “process”. The process is different for OTP, but by the same token it is different between different encryption algorithms as well.

Your point is well taken, and we struggle with this balance. We decided to design lessons with less technical content so that folks can easily increase their security posture, rather than deep technical content that would leave many folks choosing to not follow the lessons. As the lessons progress, we’ll clear up and refine the concepts that are needed and hopefully not stray to far from the path as we publish lessons.

You’ll see in the next lesson on HTTPS we do indeed discuss the PKI exchange of symmetric session keys as you pointed out. Now we just need more service providers to start implementing ephemeral keys / Perfect Forward Secrecy for significantly more secure sessions. https://www.eff.org/encrypt-the-web-report.

Thanks again for reading and providing deeper technical insights on what is behind a seemingly simple idea.

~ffio

It looks like you’ve edited the material to just use “one time pad” as a way to illustrate the idea of a “shared secret”, which is perfectly valid, so anyone else reading this should disregard the objection in my prior comment.

I appreciate what you’re doing here, and I’m glad I was able to help improve it. I also especially like your ‘tagline’ – sound procedures with adequate technology will trump careless use of even the best technology every time, and this is by far the most important lesson to be learned in infosec.

This will go up as a banner line soon – “Sound procedures with adequate technology will trump careless use of even the best technology every time, and this is by far the most important lesson to be learned in infosec”.

If you haven’t seen this before, you might find this guy’s site technically and historically interesting – http://users.telenet.be/d.rijmenants/en/onetimepad.htm