Sidenote: How encryption works

If you really want to dive into the VERY technical mathematics behind cryptography and ciphers, check out this very entertaining but detailed website. The website contains many links, but the main presentation is attached at the bottom of this page in a PDF. This page contains a summary of how AES (AKA Rijndael) works as well as an article published from How Stuff Works, describing how encryption works in a simplistic way. URL links have been left in place to enable lead-off enquiries.

A Summary of AES (Advanced Encryption Standard)

How does the encryption algorithm Rijndael (also called AES) work?

It can be dangerous to try and transport highly confidential information to a secure place without unauthorized persons having access to it. For centuries people have always tried to create cryptographic languages that couldn't be decoded easily. From the ancient Rome to the Second World War and until today, heads of state and other powerful persons sent orders and important information encoded to mislead enemies or to keep information safe from unauthorized persons.

Unfortunately most of the time these encryption methods could be decoded easily. For example, cryptographic languages created by moving letters (e.g. today is a nice day = tod ayi sani ced ay) could be decoded easily. The problem with all, even the most elaborate cryptographic languages, is that, once the cipher has been found out, every text can be ’translated’. At the latest with the use of computers it became impossible to keep a cipher based on moving letters secret.

Nowadays other encryption methods are required to hide confidential information. These methods also use some sort of key which is only known to the sender and the recipient. So-called encryption algorithms are used for encrypting and decrypting. An encryption algorithm is a mathematical procedure which indicates how the data is converted.

Rijndael

The U.S. National Bureau of Standards created a complicated encryption standard called DES (Data Encryption Standard) which offered unlimited ways to encrypt data. This encryption standard was replaced by Rijndael encryption. The name Rijndael is composed of the names John Daemon and Vincent Rijmen, two Belgian cryptology experts and authors of this method. Rijndael uses a key for encryption that has a size of 128, 192 or 256 bits, which provides high protection against brute force attacks. In additon, this encryption method also works three times faster in software than DES. This method can be used for securely exchanging keys as well as transferring data with a size of 128 or 256 bits.

AES-256 is certified in the USA for government documents that are marked as top secret.

This is how the encryption algorithm Rijndael works

The Rijndael encryption method is based on replacing, changing and performing xor operations on bytes.

The method looks like this:

From the 128-bit key, Rijndael generates 10 keys of 128 bits each.
These keys are placed into 4x4 arrays.
The plain text is also divided into 4x4 arrays (128 bits each).
Each of the 128-bit plain-text items is processed in 10 rounds (10 rounds for 128-bit-keys, 12 for 192, 14 for 256).
After the 10th round the code is generated.
Each single byte is substituted in an S box and replaced by the reciprocal on GF (2 8).
Then a bit-wise modulo-2 matrix is applied, followed by an XOR operation with 63.
The lines of the matrices are sorted cyclically.
The columns of the matrix multiplication are interchanged on GF (2 8).
The subkeys of each round are subjected to an XOR operation.
The security level of this encryption method increases if Rijndael is performed several times with different subkeys.

The official specifications can be found on the following page: http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf

Brute Force Attack

Brute Force Attacks are very dangerous, as all possible keys are used to attack an encryption method. The attacker can spread a virus over the Internet that tries out keys in the background undetected and exchanges its results through a server. With this kind of attacks it is nowadays possible to crack DES within a short amount of time. Modern methods like BlowFish and Rijndael are protected against Brute Force Attacks, as their key sizes can be higher than 128 bit.

And one thing is certain: As the key size for Rijndael can be varied randomly, these modern security algorithms are considered to remain uncrackable for a very long time!

How Stuff Works Article

E-commerce relies on the ability to send information securely -- encryption tries to make that possible.

An encrypted document is surrounded by an array of commercially available encryption products at the FBI office in Washington, D.C.

Scott J. Ferrell/Congressional Quarterly/Getty Images

Computer encryption is based on the science of cryptography, which has been used as long as humans have wanted to keep information secret. Before the digital age, the biggest users of cryptography were governments, particularly for military purposes.

The Greek historian Plutarch wrote, for example, about Spartan generals who sent and received sensitive messages using a scytale, a thin cylinder made out of wood. The general would wrap a piece of parchment around the scytale and write his message along its length. When someone removed the paper from the cylinder, the writing appeared to be a jumble of nonsense. But if the other general receiving the parchment had a scytale of similar size, he could wrap the paper around it and easily read the intended message.

The Greeks were also the first to use ciphers, specific codes that involve substitutions or transpositions of letters and numbers.

As long as both generals had the correct cipher, they could decode any message the other sent. To make the message more difficult to decipher, they could arrange the letters inside the grid in any combination.

Most forms of cryptography in use these days rely on computers, simply because a human-based code is too easy for a computer to crack. Ciphers are also better known today as algorithms, which are the guides for encryption -- they provide a way in which to craft a message and give a certain range of possible combinations. A key, on the other hand, helps a person or computer figure out the one possibility on a given occasion.

Computer encryption systems generally belong in one of two categories:

- Symmetric-key encryption
- Public-key encryption

In the following sections, you'll learn about each of these systems.

Symmetric Key

Just like two Spartan generals sending messages to each other, computers using symmetric-key encryption to send information between each other must have the same key.

In symmetric-key encryption, each computer has a secret key (code) that it can use to encrypt a packet of information before it is sent over the network to another computer. Symmetric-key requires that you know which computers will be talking to each other so you can install the key on each one. Symmetric-key encryption is essentially the same as a secret code that each of the two computers must know in order to decode the information. The code provides the key to decoding the message.

Think of it like this: You create a coded message to send to a friend in which each letter is substituted with the letter that is two down from it in the alphabet. So "A" becomes "C," and "B" becomes "D". You have already told a trusted friend that the code is "Shift by 2". Your friend gets the message and decodes it. Anyone else who sees the message will see only nonsense.

The same goes for computers, but, of course, the keys are usually much longer. The first major symmetric algorithm developed for computers in the United States was the Data Encryption Standard (DES), approved for use in the 1970s. The DES uses a 56-bit key.

Because computers have become increasingly faster since the '70s, security experts no longer consider DES secure -- although a 56-bit key offers more than 70 quadrillion possible combinations (70,000,000,000,000,000), an attack of brute force (simply trying every possible combination in order to find the right key) could easily decipher encrypted data in a short while. DES has since been replaced by the Advanced Encryption Standard (AES), which uses 128-, 192- or 256-bit keys. Most people believe that AES will be a sufficient encryption standard for a long time coming: A 128-bit key, for instance, can have more than 300,000,000,000,000,000,000,000,000,000,000,000 key combinations [source: CES Communications].

Caesar's Cipher

Julius Caesar also used a similar substitution technique, shifting three letters up. If he wanted to say "CROSSING THE RUBICON," for instance, he'd write down "FURVV LQJWK HUXEL FRQ" instead. As you can see, the text is also broken up into even groups in order to make the size of each word less obvious.

Public Key Encryption

One of the weaknesses some point out about symmetric key encryption is that two users attempting to communicate with each other need a secure way to do so; otherwise, an attacker can easily pluck the necessary data from the stream. In November 1976, a paper published in the journal IEEE Transactions on Information Theory, titled "New Directions in Cryptography," addressed this problem and offered up a solution: public-key encryption.

Also known as asymmetric-key encryption, public-key encryption uses two different keys at once -- a combination of a private key and a public key. The private key is known only to your computer, while the public key is given by your computer to any computer that wants to communicate securely with it. To decode an encrypted message, a computer must use the public key, provided by the originating computer, and its own private key. Although a message sent from one computer to another won't be secure since the public key used for encryption is published and available to anyone, anyone who picks it up can't read it without the private key. The key pair is based on prime numbers (numbers that only have divisors of itself and one, such as 2, 3, 5, 7, 11 and so on) of long length. This makes the system extremely secure, because there is essentially an infinite number of prime numbers available, meaning there are nearly infinite possibilities for keys. One very popular public-key encryption program is Pretty Good Privacy (PGP), which allows you to encrypt almost anything.

The sending computer encrypts the document with a symmetric key, then encrypts the symmetric key with the public key of the receiving computer. The receiving computer uses its private key to decode the symmetric key. It then uses the symmetric key to decode the document.

To implement public-key encryption on a large scale, such as a secure Web server might need, requires a different approach. This is where digital certificates come in. A digital certificate is basically a unique piece of code or a large number that says that the Web server is trusted by an independent source known as a certificate authority. The certificate authority acts as a middleman that both computers trust. It confirms that each computer is in fact who it says it is, and then provides the public keys of each computer to the other.

SSL and TLS

A popular implementation of public-key encryption is the Secure Sockets Layer (SSL). Originally developed by Netscape, SSL is an Internet security protocol used by Internet browsers and Web servers to transmit sensitive information. SSL has become part of an overall security protocol known as Transport Layer Security (TLS).

In your browser, you can tell when you are using a secure protocol, such as TLS, in a couple of different ways. You will notice that the "http" in the address line is replaced with "https," and you should see a small padlock in the status bar at the bottom of the browser window. When you're accessing sensitive information, such as an online bank account or a payment transfer service like PayPal or Google Checkout, chances are you'll see this type of format change and know your information will most likely pass along securely.

TLS and its predecessor SSL make significant use of certificate authorities. Once your browser requests a secure page and adds the "s" onto "http," the browser sends out the public key and the certificate, checking three things: 1) that the certificate comes from a trusted party; 2) that the certificate is currently valid; and 3) that the certificate has a relationship with the site from which it's coming.

The browser then uses the public key to encrypt a randomly selected symmetric key. Public-key encryption takes a lot of computing, so most systems use a combination of public-key and symmetric key encryption. When two computers initiate a secure session, one computer creates a symmetric key and sends it to the other computer using public-key encryption. The two computers can then communicate using symmetric-key encryption. Once the session is finished, each computer discards the symmetric key used for that session. Any additional sessions require that a new symmetric key be created, and the process is repeated.

Hashing Algorithm

The key in public-key encryption is based on a hash value. This is a value that is computed from a base input number using a hashing algorithm. Essentially, the hash value is a summary of the original value. The important thing about a hash value is that it is nearly impossible to derive the original input number without knowing the data used to create the hash value. Here's a simple example:

Input Number

10,667

Hashing Algorithm

Input# x 143

Hash Value

1,525,381

You can see how hard it would be to determine that the value 1,525,381 came from the multiplication of 10,667 and 143. But if you knew that the multiplier was 143, then it would be very easy to calculate the value 10,667. Public-key encryption is actually much more complex than this example, but that's the basic idea.

Public keys generally use complex algorithms and very large hash values for encrypting, including 40-bit or even 128-bit numbers. A 128-bit number has a possible 2¹²⁸, or 3,402,823,669,209,384,634,633,746,074,300,000,000,000,000,000,000,000,000,000,000,000,000 different combinations -- this would be like trying to find one particular grain of sand in the Sahara Desert.

Authentication

As stated earlier, encryption is the process of taking all of the data that one computer is sending to another and encoding it into a form that only the other computer will be able to decode. Another process, authentication, is used to verify that the information comes from a trusted source. Basically, if information is "authentic," you know who created it and you know that it has not been altered in any way since that person created it. These two processes, encryption and authentication, work hand-in-hand to create a secure environment.

There are several ways to authenticate a person or information on a computer:

How CAPTCHA Works
How Internet Cookies Work
How Digital Fingerprinting Works
- Password - The use of a user name and password provides the most common form of authentication. You enter your name and password when prompted by the computer. It checks the pair against a secure file to confirm. If either the name or the password does not match, then you are not allowed further access.
- Pass cards - These cards can range from a simple card with a magnetic strip, similar to a credit card, to sophisticated smart cards that have an embedded computer chip.
- Digital signatures - A digital signature is basically a way to ensure that an electronic document (e-mail, spreadsheet, text file) is authentic. The Digital Signature Standard (DSS) is based on a type of public-key encryption method that uses the Digital Signature Algorithm (DSA). DSS is the format for digital signatures that has been endorsed by the U.S. government. The DSA algorithm consists of a private key, known only by the originator of the document (the signer), and a public key. The public key has four parts, which you can learn more about at this page. If anything at all is changed in the document after the digital signature is attached to it, it changes the value that the digital signature compares to, rendering the signature invalid.

Recently, more sophisticated forms of authentication have begun to show up on home and office computer systems. Most of these new systems use some form of biometrics for authentication. Biometrics uses biological information to verify identity. Biometric authentication methods include:

Fingerprint scan
- Retina scan
Face scan
- Voice identification

Checksum and CRC

Another secure-computing need is to ensure that the data has not been corrupted during transmission or encryption. There are a couple of popular ways to do this:

Checksum - Probably one of the oldest methods of ensuring that data is correct, checksums also provide a form of authentication because an invalid checksum suggests that the data has been compromised in some fashion. A checksum is determined in one of two ways. Let's say the checksum of a packet is 1 byte long. A byte is made up of 8 bits, and each bit can be in one of two states, leading to a total of 256 (2⁸ ) possible combinations. Since the first combination equals zero, a byte can have a maximum value of 255.

How CAPTCHA Works
How Internet Cookies Work
How Digital Fingerprinting Works
- If the sum of the other bytes in the packet is 255 or less, then the checksum contains that exact value.
- If the sum of the other bytes is more than 255, then the checksum is the remainder of the total value after it has been divided by 256.

Let's look at a checksum example:

Bytes total 1,151
1,151 / 256 = 4.496 (round to 4)
4 x 256 = 1,024
1,151 - 1,024 = 127 checksum

Cyclic Redundancy Check (CRC) - CRCs are similar in concept to checksums, but they use polynomial division to determine the value of the CRC, which is usually 16 or 32 bits in length. The good thing about CRC is that it is very accurate. If a single bit is incorrect, the CRC value will not match up. Both checksum and CRC are good for preventing random errors in transmission but provide little protection from an intentional attack on your data. Symmetric- and public-key encryption techniques are much more secure.

All of these various processes combine to provide you with the tools you need to ensure that the information you send or receive over the Internet is secure. In fact, sending information over a computer network is often much more secure than sending it any other way. Phones, especially cordless phones, are susceptible to eavesdropping, particularly by unscrupulous people with radio scanners. Traditional mail and other physical mediums often pass through numerous hands on the way to their destination, increasing the possibility of corruption. Understanding encryption, and simply making sure that any sensitive information you send over the Internet is secure (remember the "https" and padlock symbol), can provide you with greater peace of mind.