What is Cryptography?
Cryptography is the art of keeping information safe by changing it so that people who aren't supposed to see it can't figure it out. In cryptography, a message that can be read by humans, called plain text, is changed by an algorithm, which is a set of mathematical operations, into something that looks like gibberish to someone who doesn't know what's going on. This gibberish is called cipher text.
In order for the person who is supposed to get the encrypted message to be able to use it, cryptographic systems need a way to turn the cipher text back into plain text.
Cryptography vs. cryptology vs. encryption
Before we get to the main part of this article, let's define a few cryptography-related terms. You may think of tombs when you hear the word "crypt," but it comes from a Greek word that means "hidden" or "secret." Cryptography means "secret writing" in Latin. Cryptology, on the other hand, means something like "knowledge of secrecy." If cryptography is the practice of writing secret messages, then cryptology is the theory, though the two words are often used interchangeably. Encryption, which means "making secret," is the process of changing plain text into cipher text. Encryption is a key part of cryptography, but it doesn't cover the whole field. Decryption is the opposite.
The fact that an algorithm and a key are almost always needed to encrypt something is a very important part of the process. A key is just another piece of information, usually a number, that tells the algorithm how to apply itself to the plain text in order to encrypt it. Even if you know how a message is encrypted, it should be hard or impossible to decrypt it without the key in a safe cryptographic system. Keep in mind that algorithms and keys will be important as we go along.
History of cryptography
This is all very abstract, and a good way to understand what we're talking about is to look at one of the earliest known forms of cryptography. It is called the Caesar cipher because Julius Caesar used it to send secret letters. His biographer Suetonius wrote, "If he wanted to say something privately, he wrote it in cipher, which means he switched the order of the letters of the alphabet. If you want to figure out what they mean, you have to switch the fourth letter of the alphabet, D, for the first letter, A, and so on."
Suetonius's description can be broken down into the algorithm and the key, which we've already talked about. Here, the algorithm is easy: each letter is changed to a letter from further down the alphabet. The key is how many letters further you need to go in the alphabet to make your cipher text. Suetonius talks about a version of the cipher with a key of three, but other versions are possible. For example, with a key of four, A would become E.
This case should make a few things clear. With this kind of encryption, it's pretty easy to send any message in secret. Unlike a system of code words, where, for example, "Let's order pizza" means "I'm going to invade Gaul," this is not a secret language. People on both ends of the communication chain would need a book of code phrases to figure out what was being said, and there would be no way to code new phrases that you hadn't thought of ahead of time. You can encrypt any message you can think of with the Caesar cipher. The tricky part is that everyone who wants to communicate needs to know the algorithm and the key ahead of time. However, it's much easier to safely pass on and keep this information than it would be with a complicated codebook.
The Caesar cipher is a substitution cipher because each letter is changed to something else. Other versions of this would change letter blocks or whole words. For most of history, cryptography meant using different substitution ciphers to keep government and military communications safe. Arab mathematicians in the Middle Ages helped advance science, especially the art of decryption. For example, once researchers realized that some letters in a given language are more common than others, it was easier to spot patterns. But by today's standards, most encryption from the past is very simple. This is because, before computers, it was hard to do mathematical transformations quickly enough to make encryption or decryption worthwhile.
In fact, the growth of computers and progress in cryptography happened at the same time. Charles Babbage was interested in both computers and cryptography. He came up with the idea for the Difference Engine, which was the first computer. During World War II, the Germans used the electromechanical Enigma machine to encrypt messages. Alan Turing famously led a team in Britain that made a similar machine to break the code, laying some of the groundwork for the first modern computers. As computers became more common, cryptography got a lot harder, but for several more decades, only spies and generals used it.
Principles of cryptography
Before we talk about modern cryptography, let's take a moment to talk about two important ideas that make it work. The first is called Kerckhoffs's principle, after the Dutch cryptographer Auguste Kerckhoffs, who worked in the 1800s. Don't forget, as we've already said, that every cryptographic system has both an algorithm and a key. Kerckhoffs thought that a cryptographic system should be safe even if everyone knew everything about it except the key.
Now, back in those days, cryptography was almost always used by the military. The idea here is that it would be nice to keep your cryptographic system a secret, but your opponent will almost certainly figure it out eventually. "The enemy knows the system," said Claude Shannon, a cryptographer during World War II who went on to be a leader in the field of information theory. Kerckhoffs and Shannon are talking about how you want to make an algorithm that can hide information without needing to be a secret.
But in the world we live in now, the fact that cryptographic algorithms are public is seen as a good thing, not as something that can't be helped. Standard cryptographic algorithms have been studied and stressed tested a lot, and trying to come up with your own private algorithms is doomed to fail, as security through obscurity usually is.
Your cryptographic key is what you need to keep a secret. We'll talk about how that works mathematically in a moment. For now, let's talk about another cryptographic principle that makes that math possible: the use of one-way functions, which are mathematical operations that are very hard to reverse. Multiplying two very large prime numbers together is a classic example of a one-way function. Even though that calculation is easy to do, if you only had the answer, it would be very hard, if not impossible, to figure out the two prime numbers that went into it. Mathematicians argue about whether or not any function can be truly one-way, but in practice, many functions are irreversible at the limits of our computing power, so we'll set that question aside and move on.
Cryptography in network security
When the first computer networks were set up, people started to think about how important cryptography is. Computers could talk to each other over the open network, not just through direct connections. This kind of networking was very useful in many ways, but it also made it very easy to look at data moving across the network. Since financial services were one of the first things to use computers for, it was important to find a way to keep information private.
In the late 1960s, IBM was the first to use a method of encryption called "Lucifer." This method was later written down by the US National Bureau of Standards as the first Data Encryption Standard (DES). As the internet became more important, it needed more and better encryption. Today, a lot of the data flying around the world is encrypted using different methods that we'll talk about in more detail in a moment.
What is cryptography used for?
We've already talked about some of the specific ways that cryptography can be used, like keeping military secrets secret and sending financial data over the internet safely. Gary Kessler, a cybersecurity consultant, says that, in the big picture, we use cryptography to help us reach some broad cybersecurity goals. With the help of cryptography, security experts can:
Some of these ideas may remind you of different versions of the CIA triad. The first use is pretty clear: you can keep information secret by encrypting it. The other ones need a little more explanation, which we'll do as we talk about the different kinds of cryptography.
Types of cryptography
There are many different kinds of cryptographic algorithms, but they can mostly be put into three groups: symmetric cryptography, asymmetric cryptography, and hash functions. Each one has its own place in the world of cryptography.
The Caesar cipher is a great example of symmetric cryptography, which is what we talked about above. In the example we used, if Caesar and one of his centurions were sending each other encrypted messages, both of them would need to know the key. In this case, the key is how many letters forward or backward you need to move in the alphabet to change plaintext to cipher text or vice versa. It's symmetrical because of this. But the key has to stay a secret between them, which is why this is sometimes also called "secret-key cryptography". In symmetric cryptography, the sender and receiver of a message share a single common key. For example, you couldn't send the key along with the message, because if both fell into the hands of the enemy, the message would be easy to decipher, which would defeat the whole point of encrypting it. Caesar and his centurion would probably have to talk about the key when they saw each other in person. However, when wars are fought over long distances, this is not the best solution.
Many people use symmetric cryptography to keep information secret. It can be very helpful for keeping a local hard drive private, for example. Since the same user usually encrypts and decrypts the protected data, sharing the secret key is not a problem. Symmetric cryptography can also be used to keep the privacy of messages sent over the internet. However, to do this successfully, you need to use the next type of cryptography as well.
Caesar may have been able to talk to his centurions in person, but you don't want to go to your bank and talk to the teller just to find out what the private key is for encrypting your electronic communication with the bank. That would defeat the purpose of online banking. In general, for the internet to work securely, it needs a way for people to set up a secure communication channel even though they are talking over a network that is not inherently secure. Asymmetric cryptography, which is also called "public key cryptography," is what makes this work.
Each person in asymmetric cryptography has two keys. One is open to everyone and is sent to anyone the party wants to talk to. That is the key that is used to make messages secure. But the other key is private and no one else has it, and it is needed to read the encrypted messages. To use a metaphor, the public key is like opening a mailbox slot just wide enough for a letter to fit. You give that key to anyone you think might send you a letter so they can open the slot and get the letter. With the private key, you can open the mailbox and take out the letters.
The idea of one-way functions that we talked about earlier comes into play when figuring out how to use one key to encrypt a message and another key to decrypt it. The two keys should be mathematically related in a way that makes it easy to get the public key from the private key but not the other way around. For example, the private key could be those two very large prime numbers, and the public key would be the product of those two numbers.
Asymmetric cryptography requires much more complicated and resource-intensive calculations than symmetric infrastructure. You don't have to use it to protect every message you send online, which is good news. Instead, symmetric cryptography is usually used by one party to encrypt a message that contains another cryptographic key. After this key has been sent safely across the insecure internet, it will become the private key that is used to encrypt a much longer communication session using symmetric encryption.