by Dan Calloway
Published August 31, 2009 at 3:20pm EST; The Chronicler’s Web
Data that can be read without any special measures is called plaintext or cleartext. The process of hiding or disguising plaintext so that it cannot be read by humans is called encryption. The illegible output of encryption is called ciphertext. Encryption is used to hide information from those for whom the information is not intended, and that includes those who can see the encrypted data. The process of reverting the ciphertext to plaintext so that it can be read by humans is called decryption or deciphering. Thus the steps in the process are taking plaintext and encrypting it into ciphertext, and then decrypting the ciphertext back into plaintext.

public key cryptosystems
Cryptography is the science of using mathematics to encrypt and decipher data. Cryptography allows one to encrypt data that travels across the Internet (an insecure means of transmission) to the intended recipient so that it cannot be read by anyone for whom the data is not intended. Although cryptography is the science of securing data, its companion, cryptanalysis, is the science of analyzing encrypted data and breaking the secure communication. Cryptanalysis involves a combination of analytical reasoning, the application of mathematical tools, finding data patterns, almost infinite patience and determination, and serendipity. The study of both cryptography and cryptanalysis together is known as cryptology.
Cryptography can be either strong or weak depending on two factors: the time and the resources needed to reveal the plaintext from the ciphertext. The result of strong cryptography is ciphertext that is extremely difficult to revert to the plaintext from which it originated without special tools or a back door, which allows one to bypass the cryptographic security of the encryption. But just how strong is strong cryptography? Strong cryptography is loosely defined as cipher strength such that even all the known computers in the world today, making over a billion checks per second, would not decipher the ciphertext into plaintext before the end of the known Universe. One would think that strong cryptography would hold up to even the wittiest and smartest cryptanalyst. However, we cannot predict the computing power of tomorrow, and, thus, we must assume that no encryption, regardless of its strength, is impenetrable. What we can say is that the cryptographic strength employed by applications such as PGP (Pretty Good Privacy) is among the strongest known to man.
Just exactly how does cryptography work? A cryptographic algorithm, or cipher, is a mathematical function that is used in the encryption and decryption process. The cryptographic algorithm works in combination with a key, which can be a number, word, or phrase, to encrypt plaintext into ciphertext. A given sample of plaintext can be encrypted to different ciphertext through the use of different keys. Thus, the security of the ciphertext is dependent upon two factors: the strength of the cryptographic algorithm and the secrecy of the key.
A cryptosystem is the combination of a cryptographic algorithm with all possible keys and the protocols that make it function properly. PGP is referred to as a cryptosystem.
There are two forms of cryptography: conventional and public-key. Conventional cryptography is also known as secret-key or symmetric-key cryptography whereas public-key cryptography, as the name implies, uses a public-key and is also referred to as asymmetric-key cryptography. In conventional cryptography, the secret key is used to both encrypt and decrypt the data. An example of a conventional cryptosystem is the Data Encryption Standard (DES) that is widely used by the Federal government.
One of the benefits of conventional cryptography is that it is a very fast means of encryption, and is extremely useful in encrypting data that does not have to be transmitted over secure lines. However, one of the disadvantages of conventional cryptography is the cost of securing the key distribution. Thus, the security of conventional cryptography is a function of the secrecy of the one and only key, the secret key. If the secret key winds up in the wrong hands, the ciphertext can be decrypted back into plaintext with 100% certainty and quite easily. If two people, using conventional cryptography, wish to communicate securely across a distance, they must trust a courier to keep the secret key secret in order to prevent the disclosure of the secret key during transmission. Therefore, the basic problem with conventional cryptography is the key distribution: how to get the key to the recipient without someone intercepting it and using it to decipher the ciphertext back to plaintext.
The problems associated with symmetric cryptosystems were solved when, in 1975, Whitfield Diffie and Martin Hellman introduced public-key cryptography. There is evidence that the British Secret Service knew about asymmetric cryptosystems a few years prior to Diffie and Hellman, but it appears, if they did, they did nothing with it. Public key cryptography, then, uses a key pair, a public key to encrypt the data and a private or secret key to decrypt the data. The public key can be published or distributed to the entire world while the secret key is known only to the person who transmits the ciphertext. Anyone possessing the public key can encrypt the data that only the sender of that information is able to read, even if you’ve never met that person, because that person has the secret key that will decipher the ciphertext back to its original plaintext format. In an asymmetric cryptosystem, it is mathematically infeasible for the private key to be deduced from the public key. Anyone possessing the public key can encrypt data, but they cannot decipher it; only the person with the corresponding private or secret key can do that. The primary benefit of public key cryptography is that it allows two people who have never met and, therefore, who have never made any a priori security arrangements to exchange communications in a secure manner, and the need for these two individuals to share the secret key is eliminated. All communications involve only the public key and no private key is ever shared or transmitted. Some examples of public-key cryptography in use today are: Elgamal (named for its inventor, Taher Elgamal), RSA (named for its inventors, Ron Rivest, Adi Shamir, and Leonard Adleman), Diffie-Hellman (named for the co-inventors, Whitfield Diffie and Martin Hellman), and DSA (named for its inventor, David Kravitz).
Because conventional cryptography was once the only means of securing communications that required the expense of securing the means of transmission and key distribution, it was only available to those who could afford it such as governments and banking institutions. The advent of public key cryptography opened the doors that made securing communications available to the masses, putting the courier with the briefcase handcuffed to his wrist out of business.
PGP or Pretty Good Privacy data encryption uses a combination of conventional cryptography and asymmetric cryptography to form what is referred to as a hybrid cryptosystem.
When data is encrypted using PGP, the data is first compressed, which saves transmission time and disk space. The compression of the plaintext also strengthens the cryptographic security, because it reduces the patterns in the plaintext that cryptanalysts often exploit to crack the cipher, thus enhancing the resistance to cryptanalysis. Next, PGP creates a session key, which is a one-time-only secret key consisting of a random number generated from the random movements of the user’s mouse and the keystrokes that are typed on the keyboard. The session key works with an extremely secure, fast conventional encryption algorithm to encrypt the plaintext; the result is ciphertext. Once the data has been encrypted, the session key is then encrypted using the recipient’s public key, and the public-key encrypted session key is transmitted along with the ciphertext to the recipient. On the other end, decryption works in the reverse manner. The recipient’s PGP application uses the recipient’s private key to recover the temporary session key, which PGP then uses to decipher the conventionally-encrypted ciphertext.
The combination of the two encryption methods combines the convenience of public key encryption with the speed of conventional encryption. Conventional key encryption is about 1000 times faster than public key encryption, but the latter, in turn, provides a solution to the problem of key distribution and data transmission issues. Used together, performance and key distribution are improved without any sacrifice in security.
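The flow described above (compress, generate a one-time session key, encrypt the data conventionally, then encrypt the session key with the recipient's public key), as an added sketch that is not PGP's code and not from the original article. Assumptions: unpadded textbook RSA over two fixed Mersenne primes stands in for the recipient's key pair, a SHA-256 keystream XOR stands in for the conventional cipher, and the session key comes from the operating system's random generator; all function names are illustrative, and none of these toy parameters is safe for real use.

```python
import hashlib
import secrets
import zlib

# Toy recipient key pair (constructed for this example, NOT secure):
# textbook RSA over two Mersenne primes, without padding.
P, Q, E = 2**127 - 1, 2**107 - 1, 65537
N = P * Q                               # public modulus; (N, E) is the public key
D = pow(E, -1, (P - 1) * (Q - 1))       # private exponent, never transmitted

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in conventional cipher: XOR data with SHA-256(key || offset) blocks."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def hybrid_encrypt(plaintext: bytes, pub_n: int, pub_e: int):
    compressed = zlib.compress(plaintext)                 # 1. compress the plaintext
    session_key = secrets.token_bytes(16)                 # 2. one-time session key
    ciphertext = keystream_xor(session_key, compressed)   # 3. fast symmetric step
    # 4. wrap the session key with the recipient's PUBLIC key
    wrapped = pow(int.from_bytes(session_key, "big"), pub_e, pub_n)
    return wrapped, ciphertext                            # both travel together

def hybrid_decrypt(wrapped: int, ciphertext: bytes, priv_d: int, pub_n: int):
    """Recover the session key with the PRIVATE key, then undo steps 3 and 1.
    Returns None when the private key does not match."""
    try:
        session_key = pow(wrapped, priv_d, pub_n).to_bytes(16, "big")
        return zlib.decompress(keystream_xor(session_key, ciphertext))
    except (OverflowError, zlib.error):
        return None

if __name__ == "__main__":
    message = b"Minutes of the quarterly planning meeting. " * 10  # constructed
    wrapped, ct = hybrid_encrypt(message, N, E)
    print("plaintext bytes:", len(message), "ciphertext bytes:", len(ct))
    print("recipient recovers:", hybrid_decrypt(wrapped, ct, D, N) == message)
    print("wrong private key :", hybrid_decrypt(wrapped, ct, D + 2, N))
```

Only the 16-byte session key passes through the slow public-key operation; the message itself is handled by the fast symmetric step, which is where the speed advantage of the hybrid design comes from.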
To learn more about PGP, please visit their website at www.pgp.com.
I’m so glad I found this site…Keep up the good work
Thank you. Please tell your friends and family about us, and return often.
Cool site, love the info. I do a lot of research online on a daily basis and for the most part, people lack substance but, I just wanted to make a quick comment to say I’m glad I found your blog. Thanks,
A definite great read…:)
-Bill-Bartmann
I usually don’t post on Blogs but ya forced me to, great info.. excellent! … I’ll add a backlink and bookmark your site.
What a wonderful text! No idea how you came up with this post..it’d take me long hours. Well worth it though, I’d assume. Have you considered selling ads on your website?