How to communicate privately has fascinated mathematicians for millennia, possibly as far back as ancient Egypt. Greek strategists would often make use of simple cryptographic tools. Julius Caesar reportedly used ciphers to transmit orders to his generals to reduce the risk of them being intercepted by enemies or read by couriers.
Early cryptography relied on security through obscurity, by shifting and replacing letters in the alphabet. It wasn’t until modern math was developed in Arabia around the 9th to 12th century CE that advanced cryptography became possible.
The primitive systems were not so much the secret key that would protect the confidentiality of a message, but rather the technique used to encipher it. It took until the 19th century for Dutch cryptographer Kerckhoffs to form his principle that cryptographic systems need to remain secure even if the algorithms are known. Using the words of American mathematician Claude Shannon: “The enemy knows the system.”
Most cryptographic applications only became possible with the emerging computers of the 1940s. Until the 1990s, cryptography was seen as purely for governments and their military, e.g., the NSA. Making robust cryptography available to the masses became a risky campaign led by people like Phil Zimmermann, the creator of PGP.
In cryptography, several schemes have emerged, each with its advantages and disadvantages.
Public-key cryptography
Asymmetric cryptography uses a set of keys called public and private. The public key can be safely handed out and distributed, while the private key is kept securely.
A large number is generated using a random number generator or dice. This random number serves as the private key. From this private key the public key is derived using an algorithm. The core idea is to have a mathematical function that is easy to compute in one way, but difficult to compute the other. To illustrate that concept, you may attempt to calculate the cube of a large number (x3) using only pen and paper. This can be relatively easy, while doing the reverse, calculating the cube root (3√x) of a number, is not so easy.
Typically, asymmetric keys are 2048 to 4096 bits in length.
Encryption
The keys’ mathematical properties are such that any data can be manipulated using the public key in a way that cannot be reversed. For example, using the publicly available public key of ExpressVPN, anybody can “encrypt” a message or file. However, only the private key holder can reverse this calculation and retrieve the original message. This process is also possible with multiple keys, making it possible to share a message with numerous people securely.
Signatures
Public-key cryptography can also be used to attribute message and sign data. Using the private key of ExpressVPN, we can sign all software available for download, while making it easy for users to verify that it came from ExpressVPN. Only the private key holder can sign messages and data, but anyone in the possession of the public key can verify this signature.
In practice, data and messages are often both encrypted and signed to ensure that only the intended recipient can read the message and give the assurance that the key holder sent the data.
Public key infrastructure
The main issue around public-private key cryptography is the question of how to distribute the keys. For each individual or organization with whom you want to encrypt data or verify signatures, it is essential to first exchange and verify the keys. This can happen in person but otherwise requires the existence of an otherwise trusted and secure channel.
Symmetric key cryptography
Symmetric cryptography requires only a single key. This key is used both for encryption and decryption, and a signature is not necessary. Unlike a public key, the symmetric key cannot be securely transferred across the internet, meaning it does not leave the device and is handled similarly to a private key.
These keys are typically 128 or 256 bits long. Symmetric cryptography is much more efficient and, therefore, faster than public-key cryptography.
Transport Layer Security
In your browser’s address bar, you can see a lock icon indicating that the websites you visit are served securely over HTTPS. HTTPS is an encrypted connection between the server and your browser, through which all images, passwords, and other data is transferred. This protocol is also referred to as Transport Layer Security (TLS) and was previously known as SSL.
TLS uses something called Diffie-Hellman Key exchange, which allows the server and the browser to derive the same symmetric encryption key without requiring this key to be transferred over the internet.
However, similar to the exchange of private keys in public-key cryptography, Diffie-Hellman is still vulnerable to Man-in-the-middle attacks. A central trusted directory verifies that the rightful titleholder owns a specific cryptographic key to protect against attacks.
Virtual private networks
VPNs encrypt data using symmetric-key cryptography because of its speed advantages. VPNs use protocols that at their core and function very similarly to TLS. Instead of relying on a public-key infrastructure, VPNs pin a certificate from the VPN server in their software.
Hashing
While not technically cryptography, a hash is often considered a cryptographic function. A hash function takes any text or data as input and transforms it into a single short block of text with uniform length. Unlike other forms of cryptography, a hash function is not reversible, meaning there is no private key to transform the hash back into the original text.
A fundamental property of hashes is that they are unique, meaning that two different kinds of data will never be transformed into the same hash. While we know that theoretically, such data exists, a secure hashing algorithm depends on our inability to find such ‘collisions.’
Hashes are mostly used to identify long pieces of text or data and can be crucial for authentication. A public key, for example, can be uniquely identified by its hash.
Combinations of hashes, public-key and symmetric-key cryptography
Most cryptographic systems combine hashes, public-key, and symmetric-key cryptography for optimal results.
For example, when making a PGP signature, the algorithm will take the text and hash it. The signature is then applied only to the hash, not the entire document. This allows for signatures of predictable length and does not waste computational resources for large documents. When encrypting a file, the data is encrypted with a symmetric key, which is then encrypted with the public key of the recipient.
In TLS, the symmetric key is negotiated between the server and the user’s browser. All traffic between the two is encrypted and decrypted with this key. The key is also signed using public-key cryptography, and the user can verify this key using a certificate from a trusted provider, pre-installed on the system.
In VPNs, there is no public-key infrastructure. Instead, each VPN server has its private-public keypair, signed by the VPN provider. A certificate installed together with the VPN software allows the client to verify these signatures.
End-to-end encryption
In cryptography, end-to-end encryption refers to an encrypted channel that is made between two users, instead of only partially. TLS can be a good example of end-to-end encryption. However, the connection may only be encrypted between the user and a content delivery network (CDN) and remains unencrypted between the CDN and the server.
Private messengers recently have become more and more end-to-end encrypted, meaning all messages are encrypted directly for the recipient, rather than only between the central servers and the user. This makes it impossible for anyone between the two users, including the provider, to intercept or inject messages.
Encryption means security
Again and again, we are reminded that adequately implemented encryption protocols secure our data and conversations even against well-funded aggressors. Using the concepts described above it is possible to construct protocols that are very easy to use on a large scale while making it difficult for even the most competent hackers to break our connections.