What Is Encryption?

WHAT IS ENCRYPTION?

Mark Swearingen
mark@ephesus.com

Created Monday 2000 January 24

Definition of Encryption

The term "encryption" refers broadly to a set of complex mathematical operations by which a text message can be rendered unreadable to all but the intended recipient, or by which the authenticity of a message may be confirmed.

Simple encoding schemes have existed for thousands of years, but often a simple code or cipher can easily be "cracked" by someone who intercepts such a message. Until recently, more secure methods of protecting information were available only to military or commercial interests able to invest large sums of money in developing or obtaining the necessary technology. However, faster computer hardware and software, as well as better encryption algorithms, have now made advanced encryption technology readily available to the general public.

Here is an example of a short message encrypted with the widely-used encryption program PGP:



-----BEGIN PGP MESSAGE-----

Version: PGPfreeware 5.5.5 for non-commercial use <http://www.nai.com>



pLSJ1P0mYpiTbF3b3BYTbLAKe0l3nW3K4VOIAymdfZxCjXI/cMAWnoOQxNkSVVQz

O5v64Xf0d0oTgDtZAxPEaHuoQabxKiEeunDhI1uju/MWHrw2AjTHxcATXf3llDb1

Ml2jLZurotqgjPbhiUEz2MdI7FqU/oi7OwvcB4ZFPSKDBweHCyPKUtz8uklnAYF1

3/BAoOoOkqx0tItCDCqtsHmGVGGp/0FQgDkqHDZP+/37JqjklkQ=

=ITF1

-----END PGP MESSAGE-----

Two Types of Encryption

There are two general types of encryption: symmetric key encryption and public key encryption.

Conceptually, symmetric key encryption is easier to understand, but it is also less secure.

With symmetric key encryption, the same "key" is used to encrypt and decrypt a message. An encryption "key" is simply a string of letters, digits or symbols which are used to encode or decode a message.

Imagine a very simple encryption algorithm, in which you change each letter of your message by substituting the letter that is two positions later in the English alphabet. Using this algorithm, the word "hello" would become "jgnnq." To decrypt the message, simply subtract two from each letter to get the original word, "hello." If the original word contains the letters 'y' or 'z', then you would "rotate" back around the alphabet to 'a' or 'b,' respectively. So, for example, the word "zebra" would become "bgdtc." This is called a "rotation" algorithm.

In this example, we could say that the encryption algorithm is to rotate each letter in the message according to its position in the alphabet, and the encryption key in our example was the number 2, since we added 2 in order to encode the message, and we subtracted 2 in order to decode it. Note, however, that we could use the same algorithm (rotating positions in the alphabet) using a different key, such as 1, 3, or -5.

As you can see, the security of your message does not depend on keeping the method (rotation) secure so much as it does on keeping the numeric key (how many positions) a secret -- except, of course, that this method is so simple that the key itself could be guessed quite easily for any given message, simply by trying all 25 possible "keys" until you found one that produced a sensible message when decoded.

With symmetric key encryption you and your correspondent must agree in advance on the key that you will use to encode and decode your messages. This is a major disadvantage of symmetric key encryption, because it introduces a point of potential vulnerability into the communication system, particularly as it relates to e-mail. Imagine, for example, that you sent your correspondent a plain-text e-mail message stating that from now on you would be rotating all the letters in your e-mail messages by 4. If someone intercepted that original message, then he could easily decode all the subsequent messages you sent using that "key."

This vulnerability can be overcome by using public key encryption.

With public key encryption, one key is used to encrypt the message, and a different key is used to decrypt the message. This is really quite remarkable when you think about it, and it depends upon complex mathematical operations (such as the factoring of very large integers) which are beyond the scope of this short essay to explain.

To use public key encryption, you must first generate a key pair, which are two very large numbers that are mathematically related to each other. (This is done for you by your encryption program, so that you need not understand the complex mathematics involved. These large numbers are often represented on your computer by long strings of characters.)

One of these keys is your private key and one is your public key. When someone wants to send you a secret message, they use your public key to encrypt it. You are then able to use your private key to decrypt it.

As you can see, it is important that you keep your private key secure and give it to no one else, since anyone who has your private key can read any encrypted messages that are sent to you.

By contrast, your public key can and should be freely distributed to anyone who might wish to send you an encrypted message.

Because it is more mathematically complex, public key encryption is also slower than the more simple symmetric key encryption. Therefore, many applications with encryption capability (such as PGP and Netscape) make use of a combination of public key and symmetric key encryption, in order to gain the security of public key encryption along with the speed of symmetric key encryption.

Misconceptions Regarding Encryption

Many people now regularly use encryption to protect their e-mail messages from being intercepted and read as they are transmitted over the Internet. For example, as of the time of this writing (2000 Jan 24), I have 19 personal correspondents with whom I am able to exchange encrypted e-mail, and I would advise everyone to consider using encryption to protect their e-mail and other sensitive computer files. In order to encourage you in that direction, let me now address certain misconceptions that some people may have about encryption:

Myth #1: It's illegal for me as an ordinary citizen to use encryption. That's top-secret stuff that only the government is allowed to use. I'll get in trouble if I use it.

Wrong! If you are a U.S. citizen living in the United States, there are no restrictions on your use of encryption software. You may encrypt your messages with any encryption program you like and send such messages to anyone you like. There are no laws regulating this activity.

The only legal restriction is that you may not export a computer program with "strong encryption" capability (such as PGP) to someone outside the U.S. or Canada. This restriction applies only to the computer software used to encrypt your messages, not to the message itself! It is perfectly legal for you to send an encrypted message to someone overseas, as long as you do not send them the program required to decrypt it. (They can legally obtain the program from another source.)

Myth #2: Encryption can't really be secure. Somebody will eventually figure out the program, and then they'll be able to read everyone's secret messages.

Wrong! The security of your encrypted message does not depend on keeping the encryption program or the encryption method secret! Rather, it depends only on your keeping your private key secret, as explained in the section above. In fact, your encrypted messages are probably more secure if the encryption algorithm is widely known, so that people who are knowledgeable about cryptography and complex mathematics can inspect the algorithms and attempt to defeat them. If a well-known encryption algorithm has been widely used for a period of time and no one has figured out how to "crack" it, then you can have a reasonably high level of confidence in the security of your messages.

For this reason, the source code for PGP has been published, and the encryption algorithms which it uses are widely known. All you have to do to protect your encrypted messages is to keep your private key secure by choosing a good passphrase to protect it.

Myth #3: Encryption is really complicated, and I could never figure out how to use it.

Wrong! Although public key encryption does indeed rely upon complex mathematical operations, all of these are performed "behind the scenes" by your encryption program, and it is not essential for you to understand the math in order to use encryption. If you understand the concept of private keys and public keys, as explained above, you can easily use encryption to protect your e-mail or other sensitive files.

PGP (Pretty Good Privacy) is a widely-used encryption program which includes "plug-ins" for most major e-mail software, such as Eudora and Outlook. These plug-ins allow PGP to integrate seamlessly with your existing e-mail program so that sending and receiving encrypted e-mail messages is easy and intuitive.

Myth #4: I'm a law-abiding citizen, not a tax cheat, drug dealer or terrorist, so I don't need encryption.

Privacy of communication is not something that is desired only by criminals. PGP has often been described as "an envelope for your e-mail." Just as you wouldn't write all of your personal letters on postcards for everyone to read, so PGP -- like a paper envelope -- enables you to protect your e-mail from prying eyes.

Here are two good reasons to consider using encryption to protect your e-mail:

(1) When your e-mail travels across the Internet, it goes through several intermediate "mail servers," and then it sits on the mail server at your Internet service provider until the next time you check it. An unscrupulous system administrator at your ISP -- or at any of those intermediate mail servers -- has the ability to read your e-mail if he wants to.

(2) There is a worldwide satellite spy network which intercepts most of the world's electronic communications -- phone, fax and e-mail -- and scans them for "keywords" that are of interest to their governments. For more information, read about Echelon.

Myth #5: It's gonna cost me something.

Wrong! You can download a freeware version of PGP (Pretty Good Privacy), whether you live in the U.S. or overseas. It costs nothing for you to use it for your personal e-mail. If you wish to use PGP for commercial purposes, or if you want certain additional features, you can pay for a registered version.

Common terms

Encrypt: To scramble a message so that it can be read only by the intended recipient. This is done with a public key.

Decrypt: To translate an encrypted message back to its original, plain-text version. This is done with a private key.

Public key: Used to encrypt a message. You may distribute your public key freely, and anyone who has your public key can send you an encrypted message. However, you are the only person who can decrypt the message. Someone else who has your public key will not be able to decrypt the message -- not even the person who wrote it! (Assuming, of course, you have kept your private key secure.)

Private key: Used to decrypt a message. It is important to keep your private key secret so that no one else can decrypt messages that are sent to you, and so that no one else can forge your digital signature.

Digital signature: A unique string of characters appended to the end of a message which is based upon the text of the message, the date/time when the message is signed, and your private key. The digital signature can be used to authenticate or verify the authorship of a message. If a message is altered in any way -- even by one letter -- then the signature cannot be verified, thus revealing that the message was tampered with. A digital signature on an electronic communication can be legally binding. Just as you would not sign the bottom of a blank sheet of paper or a blank check, so likewise you should never permit anyone else to have access to your private key or your passphrase lest they forge a legally binding message which claims to be from you.

Signature verification: Proving mathematically that a message was created by someone who has access to the signing key and was not altered thereafter. This verification or authentication can be performed by anyone with the corresponding public key.