Cryptography:
Securing the Internet
06
The fundamental problem that cryptography is trying to solve is how to get a message to your friend that can't be intercepted by your enemies. Symmetric encryption has a fundamental weakness: the encryption key is itself a message that needs to be send to your friend but not intercepted by your enemy.
This lesson focuses on the modern cryptographic systems that are used to secure the Internet. For all of the ciphers discussed in the Cryptography Basics lesson, the same key was used both for encrypting and decrypting messages. Systems that use the same key for both encryption and decryption are called symmetric ciphers.
Symmetric ciphers have a serious flaw, known as the key exchange problem: How can Alice and Bob securely exchange the shared key needed to encrypt and decrypt their messages. Hopefully, you can see that sending the shared key across the Internet in an email message would not be a very secure system -- Eve could easily intercept the key, without Alice and Bob knowing, and would then be able to read all their messages.
What's needed in order for cryptography to work on the Internet is an asymmetric system, in which the key can be broken into parts so that one key can be used for encrypting and another for decrypting without ever having to share a key. Such systems are examples of public key cryptography and we will look at two important algorithms, the Diffie-Hellman key exchange algorithm and the Rivest-Shamir-Adelman (RSA) public key cryptography algorithm. The discovery of a solution to the key exchange problem was one of the biggest breakthroughs in modern cryptography, and without this discovery it would simply be impossible to have an Internet today that we could use for banking, buying goods on Amazon, and so on.
Public key cryptography is a mathematical technique to avoid the need to communicate a secret key from one person to another. Public key cryptography is a very technical topic, the mathematical details of which go beyond the scope of this course. However, it's important that you understand the basic ideas around how it works and are able to see that current cryptographic systems can be trusted to secure our private transactions on the Internet. Each person has two keys: a private key known only to that person and a public key that everyone in the world is allowed to know. If Bob wants to send Alice a secret message, he encrypts it with Alice's public key. Then no one but Alice can decrypt it. Only her private key can undo the encryption, and no one can figure out the private key from the public key.
This video shows one helpful model for public key encryption, a doubly-locked box, in which Alice and Bob each have their own keys, both of which are used to securely transmit information.
Technical Terminology
symmetric cipher - A symmetric cipher is one in which a single key is used for both encryption and decryption
asymmetric cipher - An asymmetric cipher is one in which separate but related keys are used for encryption and decryption
key exchange problem - The key exchange problem is the problem of sharing a secret cryptographic key between Alice and Bob without Eve being able to intercept it
public key cryptography - A cryptographic system that uses two keys: a public key known to everyone and a private or secret key known only to the recipient of the message. When Bob wants to send a secure message to Alice, he uses Alice's public key to encrypt the message. Alice then uses her private key to decrypt it
diffie-hellman- Diffie Hellman is an algorithm used to establish a shared secret between two parties. It is primarily used to exchange a symmetric cryptographic key among two parties, Alice and Bob, who wish to communicate securely
rsa - Rivest-Shamir-Adleman (RSA) is a cryptosystem for public-key encryption, and is widely used for securing sensitive data, particularly when being sent over an insecure network such as the Internet
intractable - A computational problem is intractable if the only known way to solve the problem depends on an exponential algorithm
https - HTTPS is a protocol for secure (trusted, encrypted) communication over the Internet
ssl - SSL (Secure Socket Layer) is a protocol for establishing an encrypted link between a web server and a browser
certificate authority - In cryptography, a certificate authority (CA) is an entity that issues digital certificates
digital certificate- A digital certificate is a data packet that certifies the holder of a public key
trust model - The use of a trusted third party to verify the trustworthiness of a digital certificate
Videos from the slideshow:
Activity: Diffie-Hellman Exchange Secret Color Demo
This Web app provides an implementation of the color-mixing analogy presented in the Brit Cruise video. You can select a shared public color and then your own private (secret) color. When you click "Show Shared Secret!" the app will display the secret color that it shares with you.
In the RGB system colors are represented by 6-digit hexadecimal numbers, where the first two digits represent the amount of red, the next two represent amount of green, and the last two represent amount blue. Pure-red is FF0000, where FF is the maximum amount of red (equal to 255 in decimal). Pure-green would be 00FF00. If you mix lots of blue and green, 00FFFF, you should get aqua. If you mix lots of red with some green, FF8500, you should get orange.
Give it a try. (Open widget in a separate window)
RSA Public Key Encryption
The Rivest-Shamir-Adleman (RSA) algorithm is the most widely used public key encryption algorithm for securing the Internet. Like Diffie-Hellman, it is an asymmetric cipher, in which the key is broken into two related parts using mathematical techniques. And also, like Diffie-Hellman, it depends on the use of a one-way function: i.e., a mathematical function that is easy to compute in one direction, but intractable to compute in the other.
The following video provides a high-level description of RSA without out going too deeply into the mathematical details.
Securing the Internet
Now that we have some understanding of the algorithms used to encrypt data, we can take a look at how these algorithms work together in the system that secures the Internet. The following video describes the type of communication that takes place behind the scenes when the browser on your phone or tablet or laptop computer makes a secure connection to Amazon or Google or some other Internet service.
Secure HTTP: Secure HTTP connections (those that use https:// instead of http://) use a protocol called Transport Layer Security (TLS) or maybe an older version called Secure Sockets Layer (SSL). Both are based on public key cryptography. With SSL/TLS, the site you are visiting sends its public key, and your browser uses it to encrypt the information you send.
Certificate Authorities: Public key cryptography doesn't solve all the problems, because an eavesdropper (say, Eve) might publish a fake public key pretending to be Alice. Then Bob might accidentally encrypt his message to Alice using Eve's fake key, and then only Eve can read the message meant for Alice. In practice, this is partly fixed by relying on trusted third parties, called Certificate Authorities, to certify public keys. In your browser's security options you can see all of the Certificate Authorities that it trusts.
Still Curious?
Brit Cruise has made an entire series of videos explaining encryption. If you're curious about some of the mathematics involved, see his full videos on Diffie-Hellman and RSA.
The Khan Academy has incorporated the Cruise videos into an excellent interactive course on Cryptography, from the Caesar cipher to public key encryption.
The history of cryptography is very interesting story of the battle between cryptographers, those who create ciphers, and cryptanalysts, those who try to break ciphers. Until the 1990s cryptographic algorithms were the considered armaments by the U.S. government and it was widely believed that the National Security Agency (NSA) could break all existing ciphers. That's no longer believed to be true. Today, strong cryptography is available to us on our smart phones. But we still see the battle playing out between the government and private individuals and corporations over whether the government should have access to the keys that protect the data on our phones. If you're curious about this, see this article on the dispute between Apple and the FBI.