
Cryptography for Dummies (Part 4: Cryptosystems and Uses of Cryptography)


In Part one, I covered some terminology and the different categories of ciphers. In Part two, I covered hashes (used in a large part of the modern Web, including blockchain technology and cryptocurrencies). In Part three, I covered the various ways that people attempt to crack encryption, a process known as cryptanalysis.

This part covers cryptographic systems (not just algorithms and keys, but also a consistent, safe plan for using them), cryptography in everyday usage and the importance of cryptography in getting back to a free and open Internet. It is a long read, since there is a lot of information presented here.

This is also the last post I'll be making prior to putting these posts (and further content) on BMC and Patreon. It would be a shame to keep it from a large number of clearly interested people simply because they're too miserly to pay a mere $7 a month for a content subscription, but I'm not going to be earning ~$11.00 USD a day past December and have to find additional income somehow, before my savings run out. Alternately, I can make the Markdown source files available for download from a for-pay link using Nanowall (XNO), if people prefer. (Hopefully, the freely-available posts I've published on this topic provide enough of a taste of what's to come to incentivise such a small investment.)

Cryptosystems

A cryptosystem consists of three things:

1. The encryption engine: algorithm(s) used for encryption and decryption
2. The keying information: Any keys that are generated and stored/managed
3. The operational procedures: A policy for how to use the first two components consistently and safely

Since an application/program can contain logic/routines for all of the above components, it can be a cryptosystem by itself. Some programs (such as VeraCrypt, which allows creating pre-allocated encrypted partitions) offer you a choice of algorithms to use.

Encryption/decryption algorithms can be categorised as one of two types:

1. Symmetric: A single key is used for both encryption and decryption. Anyone who has the key can both encrypt and decrypt the data. Ideally, no more than two people should know any one key. In reality, keys are often shared within an organisation, since having a unique key for everyone is inconvenient. This poses a security risk, should the key fall into the wrong hands.

2. Asymmetric: One key in a pair (usually the public key) is used to encrypt data, while the other (usually the private key) is used to decrypt it. As stated in part three, asymmetric algorithms are more secure than symmetric ones, since knowing the encryption key doesn't allow you to decrypt data that someone else has encrypted with it. The exact details of how these keys are generated and how they correspond are complex, but they essentially involve performing arithmetic on very large prime numbers. (Fortunately, you don't need to know how to implement the internals of asymmetric algorithms in order to use them.)

Note: PGP (a way to encrypt/decrypt the content, but not the metadata, of emails) uses an asymmetric algorithm. Setting up PGP can be as easy as installing a few programs and/or a plugin for your email client. (I recommend GPG and Thunderbird if you're going to do this.) PGP does have some disadvantages/weaknesses, which is why there are alternatives (but I'm not going to cover them here).

Symmetric algorithms tend to be easier to use and work faster than asymmetric ones. Some cryptosystems use a combination of both, wherein the actual encryption/decryption is done by a symmetric algorithm, with an asymmetric one being used to perform key exchange. This arrangement is called a hybrid cryptosystem.

Everyday Cryptography

The use of cryptography is so prevalent in modern technology that you're likely using it without realising it. (As mentioned before, it's a big part of cryptocurrency and blockchain technology.)

Use in Networking

Every time you access a Website with a URL that starts with https://, you're using cryptography. (The s stands for "secure", meaning that the traffic between your computer and the Web server is likely/potentially encrypted. The "potentially" is there because the SSL technology allows for encryption, but doesn't guarantee it. However, if a site uses SSL, it's more than likely that it's providing encryption. Modern browsers will warn you if this is not the case and ask you if you want to accept the risk of continuing to access the site. Some even deny you that choice if something's awry.) Some browsers don't show the part before the domain (the www. portion), so it's best to check that a closed padlock (usually in green; red means that the provided credentials are invalid/untrusted) is shown next to the URL.

If you (or the organisation for which you work) use(s) a VPN, data traveling between computers on that network is encrypted. If you use onion routing (such as with Tor), data traveling on that network is encrypted (at least until such time as it reaches an exit node/endpoint).

Every time you enter login credentials that include a password or authentication code/token, that system is (hopefully) using encryption. (As mentioned previously, the strength of that encryption might not be as high as it should be.)

I'm not going to go over the details of insecure/weak encryption and hashing algorithms (or how they're cracked), since I've covered that in prior parts.

It should come as no surprise to anyone that versions of Microsoft Windows prior to Server 2003 and Vista are highly insecure. They have something called LAN Manager (lanman or lm), which is very bad at encryption. Here's why:

  • LANMAN breaks the rule of using upper- and lowercase characters in your password by changing all the characters to uppercase.
  • Password length is restricted to exactly fourteen (14) characters. Anything longer will be truncated. Anything shorter will be padded (but always with the same characters).
  • The password is split into exactly two pieces, each seven characters in length. If your password is exactly seven characters in length (or shorter), the second piece is irrelevant.
  • The algorithm used by LANMAN is very weak and can be cracked by any decent password cracker (including hashcat and John the Ripper, if you specify the right algorithm).
  • LM is turned on by default in the aforementioned versions of Windows (which, fortunately, not many people or organisations still use).
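The LM scheme described in the list above, as an added Go example (not code from the original post) that reproduces each listed step: the case fold, the fixed 14-byte padding/truncation, the split into two independent 7-byte halves and the weak DES-based step. The constant plaintext "KGS!@#$%" is the one LM actually encrypts; the function names are mine. The ShortPassword check is the defender's side of this: because padding is always the same, every password of seven characters or fewer produces the same second half, which an audit of an old hash dump can flag directly.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// Fixed plaintext each LM half encrypts; the password itself is the DES key.
const lmMagic = "KGS!@#$%"

// desKey spreads 7 password bytes over 8; each byte's low bit is the parity position DES ignores.
func desKey(s []byte) []byte {
	var v uint64
	for _, b := range s { // pack the 7 bytes into a 56-bit integer
		v = v<<8 | uint64(b)
	}
	k := make([]byte, 8)
	for i := range k { // 7 bits at a time, shifted past the parity bit
		k[i] = byte(v>>(49-7*i)&0x7f) << 1
	}
	return k
}

// LMHash: uppercase, pad/truncate to 14 bytes, DES-encrypt lmMagic under each 7-byte half.
func LMHash(password string) string {
	p := []byte(strings.ToUpper(password))
	if len(p) > 14 {
		p = p[:14] // characters beyond the 14th are silently dropped
	}
	p = append(p, make([]byte, 14-len(p))...) // always padded with NUL bytes
	out := make([]byte, 16)
	for i := 0; i < 2; i++ {
		block, _ := des.NewCipher(desKey(p[i*7 : i*7+7])) // 8-byte key: no error
		block.Encrypt(out[i*8:], []byte(lmMagic))
	}
	return strings.ToUpper(hex.EncodeToString(out))
}

// ShortPassword: a second half equal to the all-NUL half means the password was 7 characters or fewer.
func ShortPassword(lmHex string) bool {
	return len(lmHex) == 32 && strings.EqualFold(lmHex[16:], LMHash("")[16:])
}

func main() {
	for _, pw := range []string{"", "Secret", "SECRET", "correct horse battery"} {
		fmt.Printf("%-24q %s short=%v\n", pw, LMHash(pw), ShortPassword(LMHash(pw)))
	}
}
```

Running it shows "Secret" and "SECRET" hashing identically and sharing the same second half as the empty password, while the 21-character passphrase is hashed as if it were only its first 14 characters.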

Note: If you want an example of how not to do something, you often need look no further than a Microsoft implementation (not that MS is the only software company to blunder majorly when it comes to security, but it has done that a lot in the past).

ATMs

Your bank card has a magnetic strip, which contains your account number and PIN. That information needs to be encrypted. What you may not know is that, prior to 2001, the encryption algorithm being used was a variant of DES (called 3DES, because it applies DES three times). In 2001, two researchers at Cambridge University were able to crack the encryption key used and thus find up to seven thousand (7 000) PINs per hour!

Cellphones and IM Applications

If you use WhatsApp or Signal for communication, your messages are end-to-end encrypted (meaning only you and the intended recipients should be able to see the plaintext content, provided nobody shoulder-surfs or takes screenshots).

Unfortunately, cellphone calls themselves are only encrypted between the device and the nearest tower. After that, they're sent in the clear.

Land lines (other than those used by governments and military) still lack encryption. Anyone with the relevant know-how (not just the police and FBI) can listen to your calls if they are so inclined.

That's why I prefer my calls to use VoIP and go through Signal. I never give my name until I know to whom I am speaking. Fortunately, the parastatal phone company in my home country did away with landlines long ago. (The copper wire was regularly being stolen and sold for scrap, making the cost of replacing and protecting it ruinously expensive. We're on its LTE network, which is unreliable crap, just like the other parastatal services.)

CDs, DVDs and Streaming Services

I am convinced that the Digital Millennium Copyright Act (DMCA), while legal, is immoral. It is a bit of legal nonsense that permits film and music companies to use cryptography (content scrambling) in order to prevent consumers from accessing the digital content on a CD or DVD that was made in a different country/region to that of the device used to play it. While most people will not encounter this problem, anyone who has bought a CD or DVD while on holiday overseas (or tried to copy one without the right tools) has found this out the hard way. Fortunately, there is free software you can use to get around this. However, in the age of high-speed Internet and streaming services, CDs and DVDs are largely defunct. Some services, such as Netflix and YouTube, employ something known as "geoblocking", which restricts the availability of certain content to specific regions. Fortunately, VPNs (which themselves use cryptography to hide data such as the user's actual location) can be utilised to circumvent this with some degree of success. Netflix is aware of this practice and detects some VPNs, so keeping ahead of it can be somewhat of an arms race/cold war. (Using cryptography to circumvent cryptography strikes me as somewhat ironic.)

Sometimes, the technology you use employs cryptography not to protect you, but to deny you access to content you've purchased, without you even knowing! It can get a bit tricky.

Why Encryption isn't More Commonplace

Until as recently as the 1990s, it was illegal for private citizens of the USA to own or use cryptographic technology. It was reserved for exclusive use by government and military agencies/organisations. (The source code for an algorithm or cryptosystem was considered a munition.) Fortunately, a group of activists (probably cypherpunks) persuaded the courts to rule in favour of allowing ordinary people the right to privacy regarding their communications and personal data. (Sadly, Big tech corporations such as Alphabet, Facebook, Google, LinkedIn, Microsoft, Yahoo! and Verizon don't respect these rights. They harvest, mine, sell and share such data as we provide to them through the use of their so-called "free" services, as they see fit and without restriction. They cannot be trusted to act in our best interests and safeguard our data. It is up to us to shoulder that responsibility, no matter how inconvenient.)

Given that this freedom/right is relatively new, it's not surprising that so few people know about cryptography. It is, however, very unfortunate, especially since that's not the only factor.

Difficulty in Understanding the Technology

Many people seem to have been scared away from cryptography for a number of reasons:

  • They bought into the false notion that they have nothing to hide and thus didn't bother to learn it.
  • They were tricked into believing that cryptography is used primarily by criminals, terrorists and spies and that they could be falsely categorised as one by using it.
  • Cryptography is a branch of advanced Mathematics. Since a lot of material on the subject is written by cryptographers (the mathematicians who write the algorithms), people are likely to develop the impression that being able to use it properly requires knowing the inner implementations/workings of algorithms, best left to engineers, geeks and Maths boffins. The cryptographers who've published material tend to perpetuate this perception. (Fortunately, just as one needn't be an automobile mechanic to drive a car, one needn't know much Mathematics to use cryptography.)

By and large, encryption programs have suffered from a lack of intuitive interfaces. (Hashcat, as useful as I find it, is a case in point. This is despite the fact that I'm used to using command-line utilities and shells. Somebody's actually created a GUI application that generates command-line instructions for invoking it correctly, although that doesn't always work!) If people don't understand how to use software, they won't use it, period. This is the fault of the developers, who seem to have forgotten that, to most users, cryptography is both new and complex. (Technically inclined people can have a hard time relating to end users and seeing things from their perspective. The more advanced and specialised the field, the worse the problem tends to get.)

Those issues are why this material exists (to help make cryptography more accessible and get you over the initial hump of learning about it).

You Can't do it Alone

For most cryptography to be effective, at least two people must be involved: one to encrypt and send the data and another to receive and decrypt it. Both people need to have the same (or at least compatible) cryptosystems. This can create a bit of a chicken-and-egg situation (especially if using a symmetric key both parties want to keep secret; finding a way to share it with only the people whom you want to have it is quite a poser, so much so that entire books have been written about the problem).

The Importance of Cypherpunks and Digital Currency

Without cypherpunks and cryptography, there would be no open Internet. However, cryptography alone is not enough to ensure openness and freedom online. Without a decentralised form of digital currency (cryptocurrency), one of the goals of cypherpunks, and Web 3.0, we cannot be sure that any attempts to wrest the Internet back from the big tech companies (and keep it that way) will be successful. We cannot expect governments to begin to understand how these companies operate, get up to speed and pass legislation to regulate them and hold them to account. The time for slow-moving centralised governments and bureaucracy has passed. They are of no practical use in a world that moves and changes (almost) at the speed of the Internet. It is time for the free and open source software (FOSS) movements to shine, for all capable and willing developers to come together and learn cryptography and blockchain development so that we may create the future of the Internet as we deem fit, not as governments, banksters and corporations want.

Cryptocurrency is not just "magic Internet money"; it is the currency and means of securing online digital freedom, the culmination of a vision put into words many decades ago (and set back greatly by megalomaniacs and unscrupulous individuals in fairly recent ones).

That is all for now, before I dive into the really fun/interesting stuff. I hope to see a few subscriptions to my BMC and/or Patreon accounts, which will let me know there's sufficient interest for me to continue posting about cryptography as I learn more about it. I hope to see some subscriptions soon!


Post thumbnail: Photo by Dan Nelson on Pexels
