Cryptography consultancy basics

This overview is not designed to be exhaustive. Instead, it is an overview in plain English designed to give the lay reader a 'flavour' of what is meant by 'cryptography'.

Cryptography is the art and science of transforming messages into seemingly unintelligible forms (encryption) so they can only be viewed by intended recipients. Conversely, cryptanalysis is the art and science of breaking encoded data. The branch of mathematics encompassing both cryptography and cryptanalysis is cryptology.

Cryptography enables us

1. To preserve the integrity of data - (i.e. to make sure that it hasn't been changed or tampered with);
2. To authenticate specific parties (i.e. to make sure that the purported originator of the information - the person who created, wrote, or sent it - is actually the originator);
3. To ensure that information is kept private/confidential; and
4. To facilitate non-repudiation (i.e. once the originator has been established he/she cannot - in theory at least - deny the fact).

It needs to be made clear however, that cryptography is not a panacea for information security. Poorly implemented cryptosystems are weak and susceptible to attack. Similarly, generally poor IT security weakens a cryptosystem's effectiveness. Cryptography therefore needs to be seen in the overall context of IT security.

Symmetric key cryptography

With symmetric key cryptography (also known as secret-key cryptography) the same key is used to encrypt and decrypt information (e.g. a piece of text). So, both the originator and the intended recipient must have an identical copy of the encryption key. One problem raised with symmetric key cryptography is, how can the 'secret key' be sent to the intended recipient securely (i.e. without it being compromised)?

Asymmetric key cryptography

With asymmetric key cryptography (also known as public key cryptography) a 'key pair' is created. This means there are two different keys, one called a public key (which can be made freely available) and one called a private key (which is kept secret by its owner). Messages encrypted with the public key can only be decrypted with the private key. This form of encryption goes some way to overcome the problem that arises with symmetrical key encryption.

Digital signatures

Partly because of asymmetric key cryptography we now have digital signatures. There is more than one way to create a digital signature. However, broadly speaking we can define digital signatures as follows. "...Alice knows a secret, called a private key. When she wants to sign a document ... she performs a mathematical calculation using the document and her private key; then she appends the results of that calculation -- called the signature -- to the document. Anyone can verify the signature by performing a different calculation with the message and Alice's public key, which is publicly available. If the verification calculation checks out then Alice must have signed the document, because only she knows her own private key..." (Schneier, 2000).

Digital certificates

Digital signatures prove that a message was sent by the originator and was not altered after the signature was applied. However, the originator might not be the person he or she claims to be. To verify that the message was indeed sent by the originator requires a digital certificate. Digital certificates are issued by a certification authority (e.g. Thawte, VeriSign). To receive a digital certificate a person or organisation will first need to prove their identity to the certification authority.

To find out whether Skygate can help your organisation please email us at info@skygate.co.uk