Encryption and Public-Key Cryptography Basics

 

Brian Mellenthin

For

E-Commerce Fall 1999



 

The outline of this paper will be as follows:

 

o        Key Based Encryption (symmetric encryption)

·         Conclusion

 

Problems with internet transactions

As discussed in class there are several problems with internet communication.  The major three are:

 

Eavesdropping is the risk of having private information viewed as it travels from sender to recipient by a third party.  The most popular fear is having your credit card number and information stolen while purchasing something online, but this would apply to any private information delivered over the internet.

 

Tampering is the risk of a third party intercepting a private transaction of information and changing it.  An example of this would be altering the recipient fields on a purchase order.

 

Impersonation is the risk of someone impersonating a trusted recipient in order to receive private information.  This 

 

Encryption

Cryptograms in the newspaper are probably one of the most basic forms of encryption.  A simple system of swapping letters for other letters is used to disguise the message, making it unintelligible to anyone who does not know the rules of the system.  Even though the cryptogram system is so simplistic that it is actually considered sporting to crack, the basic logic of encoding is the same for more sophisticated methods.

 

Key Based Encryption (symmetric encryption)

 

In this example of key-based encryption we first create a number conversion table so that we can apply mathematical rules to our message after converting it.

 

Number Conversion Table:

 

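Letter | a  | b  | c  | d  | e  | f  | g  | h  | i  | j  | k  | l  | m  |
Number | 1  | 2  | 3  | 4  | 5  | 6  | 7  | 8  | 9  | 10 | 11 | 12 | 13 |

Letter | n  | o  | p  | q  | r  | s  | t  | u  | v  | w  | x  | y  | z  | Space |
Number | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 0     |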

 

Then we decide upon a key.  In order to decipher this code the recipient will also be required to possess this key.  It will become obvious by the end of our example that the shorter the key, the easier the code will be to crack.

 

Key: encrypted

 

We then take the message and the key, convert them using the conversion table, and add them together.  Then, in order to reassign each sum to a letter value, we take it mod 27, which restricts the letter assignment to numbers within the 0 to 27 table.

 

Message:

on the internet nobody knows you are a dog

 

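Message           | o  | n  |    | t  | h  | e  |    | i  | n  | t  | e  | r  | n  | e  | t  |    |
Key               | e  | n  | c  | r  | y  | p  | t  | e  | d  | e  | n  | c  | r  | y  | p  | t  |
Message converted | 15 | 14 | 0  | 20 | 8  | 16 | 0  | 9  | 14 | 20 | 5  | 18 | 14 | 5  | 20 | 0  |
Key Converted     | 5  | 14 | 3  | 18 | 25 | 16 | 20 | 5  | 4  | 5  | 14 | 3  | 18 | 25 | 16 | 20 |
Encrypted Message | 20 | 28 | 30 | 38 | 33 | 32 | 47 | 14 | 18 | 25 | 19 | 21 | 32 | 30 | 36 | 47 |
Mod 27            | 20 | 1  | 3  | 11 | 16 | 5  | 20 | 14 | 18 | 25 | 19 | 21 | 5  | 3  | 9  | 20 |
Encryption        | t  | a  | c  | k  | p  | e  | t  | n  | r  | y  | s  | u  | e  | c  | i  | t  |

Message           | n  | o  | b  | o  | d  | y  |    | k  | n  | o  | w  | s  |    | y  | o  | u  |
Key               | e  | d  | e  | n  | c  | r  | y  | p  | t  | e  | d  | e  | n  | c  | r  | y  |
Message converted | 14 | 15 | 2  | 15 | 4  | 25 | 0  | 11 | 14 | 15 | 23 | 19 | 0  | 25 | 18 | 25 |
Key Converted     | 5  | 4  | 5  | 14 | 3  | 18 | 25 | 16 | 20 | 5  | 4  | 5  | 14 | 3  | 18 | 25 |
Encrypted Message | 19 | 19 | 7  | 29 | 7  | 43 | 52 | 27 | 34 | 20 | 27 | 24 | 41 | 28 | 36 | 50 |
Mod 27            | 19 | 19 | 7  | 2  | 7  | 16 | 25 | 0  | 7  | 20 | 0  | 24 | 14 | 1  | 9  | 23 |
Encryption        | s  | s  | g  | b  | g  | p  | y  |    | g  | t  |    | x  | n  | a  | i  | w  |

Message           | a  | r  | e  |    | a  |    | d  | o  | g  |
Key               | p  | t  | e  | d  | e  | n  | c  | r  | y  |
Message converted | 1  | 18 | 5  | 0  | 1  | 0  | 4  | 15 | 7  |
Key Converted     | 16 | 20 | 5  | 4  | 5  | 14 | 3  | 18 | 25 |
Encrypted Message | 17 | 38 | 10 | 4  | 6  | 14 | 7  | 33 | 32 |
Mod 27            | 17 | 11 | 10 | 4  | 6  | 14 | 7  | 6  | 5  |
Encryption        | g  | k  | j  | d  | f  | n  | g  | f  | e  |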

 

Encrypted Message:

tackpetnrysuecitssgbgpy gt xnaiwgkjdfngfe

 

Our original message is now unrecognizable, and the encryption method is sophisticated enough that it would be near impossible to crack without a computer.

 

There are two things you should notice about our example.  First, there is no reason for the encrypted code to be displayed in letters; letters were used only to make the example easier to follow.  Second, a single-letter key would simply shift every letter by the same fixed number of digits, and a key that is as long as the message would have no recurring pattern.
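The worked example above as runnable Python (an added example, not part of the original paper; the function names are this example's own). It also demonstrates the two closing observations: a one-letter key is a fixed shift, and a short repeating key can be read straight off a stretch of known plaintext.

```python
# Table from the page: space = 0, a = 1 ... z = 26, so the index in this
# string is the table value and every result of "mod 27" lands in 0..26.
ALPHABET = " abcdefghijklmnopqrstuvwxyz"

MESSAGE = "on the internet nobody knows you are a dog"
KEY = "encrypted"

def shift(text, key, sign):
    """Add (sign=+1) or subtract (sign=-1) the repeating key, mod 27."""
    out = []
    for i, ch in enumerate(text):
        k = ALPHABET.index(key[i % len(key)])   # key repeats when shorter
        out.append(ALPHABET[(ALPHABET.index(ch) + sign * k) % 27])
    return "".join(out)

def encrypt(message, key):
    return shift(message, key, +1)

def decrypt(ciphertext, key):
    return shift(ciphertext, key, -1)

def recover_key_stream(known_plaintext, ciphertext):
    """Ciphertext minus known plaintext, mod 27, is the key stream."""
    return shift(ciphertext[:len(known_plaintext)], known_plaintext, -1)

def shortest_period(stream):
    """Smallest p such that the stream repeats its first p letters."""
    for p in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % p] for i in range(len(stream))):
            return p

if __name__ == "__main__":
    ct = encrypt(MESSAGE, KEY)
    print(ct)
    print(decrypt(ct, KEY))
    # Single-letter key: every letter moves by the same fixed amount.
    print(encrypt("abc", "c"))
    # A guessed 18-letter opening exposes the key and its 9-letter period.
    stream = recover_key_stream(MESSAGE[:18], ct)
    print(stream, shortest_period(stream))
```

The output differs from the hand-worked ciphertext in a few positions: the tables skip the space between "you" and "are" and slip on some sums (for example, 33 mod 27 is 6, not 16).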

 

8 bit encryption refers to the length of the key.  The government, for national security reasons, sets a legal limit on encryption, especially encryption used in messages across country borders and encryption technology for export.

 

Encryption solves the problems of eavesdropping, tampering, and impersonation, but only if both parties have established a basis of trust and a mode of communication beforehand.

 

A message that is intercepted or viewed cannot be interpreted, and changing it without decrypting and re-encrypting would render the received message unreadable.  Impersonation would also be impossible, because if the predetermined key was not known to the impersonator, sent messages would not be encrypted correctly and received messages would not be readable.

 

The unaddressed problems then become: how to securely exchange the key, and how to be sure of whom we are dealing with without the lengthy process of creating a basis of trust.  Public-key cryptography solves these problems.

 

Public-Key Cryptography (asymmetric encryption)

 

Public-key cryptography, or asymmetric encryption, is basically the same as symmetric encryption, except that instead of a single predetermined key used for both encryption and decryption, a dual-key system is used.  It is extremely difficult mathematically to give an easy-to-understand example, so I will only discuss the concepts of public-key cryptography.

 

When the encryption software is installed on the user's computer (usually the software is built into the user's browser), two keys are created using random number generators.  The algorithm that creates these keys must have a random component, or the keys would have commonality that would be a weak point for crackers to exploit.

 

The private key remains on the user's computer and is never shown or passed to anyone else.  The public key is freely distributed.  These two keys are complements of each other.  They are actually complicated hash expressions (mathematical conversions), but the concept is the same.  If one is used for encryption, only the other can be used for decryption.

 

Now if I want to send a message to Danny Elfman (ex-lead singer of Oingo Boingo) and I want it to be strictly private, I obtain his public key (which is distributed freely) and use it to encrypt the message, knowing that the only key that can decrypt that message is the private key that resides only on his computer.

 

How does Danny Elfman know that I am really Brian Mellenthin?  If I were to encrypt the message with my private key, he could decrypt it with my public key and know for sure the message was from me.  However, anyone could decrypt this message using my public key, so I have essentially authenticated the message but made its contents public.  Also, because the method of encryption is still unknown, a third party who intercepts this message could read the message but could not change it and resend it, because he would need the private key to re-encrypt it.

 

Using my private key to authenticate and Danny Elfman's public key for encryption purposes, he knows several things:

 

 

The other factors of security (not knowing who Brian Mellenthin is) must be addressed by registration with a third party who is trusted.  This could be the topic of another paper.
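The exchange described in this section, sketched with textbook RSA as an added example that is not part of the original paper. The paper names no algorithm, so RSA, the tiny primes, and the function names are all assumptions of this example.

```python
# Added illustration: textbook RSA with tiny constructed primes. Real systems
# use 2048-bit or larger keys, add padding, and sign a hash of the message.

def make_keypair(p, q, e=17):
    """Return ((e, n), (d, n)): the public and private halves of one pair."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # private exponent: e*d == 1 (mod phi)
    return (e, n), (d, n)

def apply_key(numbers, key):
    """One operation serves to encrypt, decrypt, sign and verify."""
    exp, n = key
    return [pow(x, exp, n) for x in numbers]

# Danny's modulus is the larger one so that values produced with Brian's
# private key always fit inside it.
BRIAN_PUB, BRIAN_PRIV = make_keypair(61, 53)     # n = 3233
DANNY_PUB, DANNY_PRIV = make_keypair(89, 97)     # n = 8633

def send(text):
    """Brian: apply his private key (authenticate), then Danny's public key."""
    signed = apply_key([ord(c) for c in text], BRIAN_PRIV)
    return apply_key(signed, DANNY_PUB)

def receive(ciphertext):
    """Danny: apply his private key, then Brian's public key."""
    signed = apply_key(ciphertext, DANNY_PRIV)
    return "".join(chr(m) for m in apply_key(signed, BRIAN_PUB))

def open_signed(signed):
    """Anyone holding Brian's public key can read a signed-only message."""
    return "".join(chr(m) for m in apply_key(signed, BRIAN_PUB))

if __name__ == "__main__":
    note = "hello danny"
    print(receive(send(note)))                    # private and authenticated
    signed_only = apply_key([ord(c) for c in note], BRIAN_PRIV)
    print(open_signed(signed_only))               # authenticated but public
    signed_only[0] += 1                           # altered in transit
    print(open_signed(signed_only))               # no longer the same note
```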

 

Conclusion

 

For this paper I used a message as the information being passed, but this technology does not apply only to e-mail.  Information received from a server in the form of a web page (or an order form) is encrypted using the same technology.  This makes public transactions like online shopping secure.  Secure Socket Layer Servers serve web pages that your computer can:

 

The problem of telling if the company I am purchasing from is legitimate is another remaining security issue that must be handled through trusted third party registration and is confirmed primarily by reputation.