56 HomeYamamoto and the Secret Admirers
Neal Stephenson

Misc

Cryptography
Cryptography (from Greek kryptós, "hidden", and gráphein, "to write") is generally understood to be the study of the principles and techniques by which information can be translated into a "garbled" version that is difficult for an unauthorized person to read, while still allowing the intended reader to convert the resulting gobbledygook back into the original information. In fact, cryptography covers rather more than merely encryption and decryption. It is, in practice, a specialized branch of information theory with substantial additions from other branches of mathematics, and from such sources as Machiavelli, Sun Tzu, and Karl von Clausewitz.

Unsurprisingly, the study of hiding messages from others by encrypting them has been accompanied by the study of how to read such messages when one is not the intended receiver; this area of study is called cryptanalysis. People involved in such work, and with cryptography in general, are known as cryptographers.

The original information being sent from one person (or organization) to another is usually called the plaintext. Encryption is the plaintext-to-garble conversion, and decryption is the garble-to-plaintext conversion. A major class of encryption technique is called encoding (yielding codetext), after which the receiver decodes the codetext. The other major class is called enciphering (yielding, naturally, ciphertext), after which the receiver decyphers the ciphertext. The exact operation of the encryption and decryption, for all schemes with any pretense to security, is controlled by one or more keys.

Overview: goals
Cryptography has four main goals, though they are nearly always concealed beneath a blanket of confusing 'marketing speak' in commercial products. And behind a fog of rumor and myth as well. Examining any proposed crypto system with these basic functions in mind, and ignoring the marketing blather, will be a very useful exercise for those interested in cryptography in the real world. They are:

  1. message confidentiality: Only the authorised recipient should be able to extract the contents of the message from its encrypted form. In addition, it should not be possible to obtain information about the message contents (such as a statistical distribution of certain characters) as this makes cryptanalysis easier.
  2. message integrity: The recipient should be able to determine if the message has been altered during transmission.
  3. sender authentication: The recipient should be able to identify the sender, and verify that the purported sender actually did send the message.
  4. sender non-repudiation: The sender should not be able to deny sending the message.

Not all cryptographic systems or algorithms achieve all of the above goals, or are even intended to. Poorly designed, or poorly implemented, crypto systems achieve them only by accident or bluff or lack of interest on the part of the opposition, and users can and regularly do reduce even well designed and implemented crypto systems to the security equivalent of Swiss cheese. But even with well designed, well implemented, and properly used crypto systems, some goals aren't practical (or desirable) in some contexts. For example, the sender of the message may want to be anonymous, or the system may be intended for an environment with limited computing resources, or confidentiality might not matter.

In addition, some confusion may arise in a crypto system design regarding whom we are referring to when speaking of the "sender" or "recipient"; some examples for real crypto systems in the modern world include:

  1. a computer program on a local system,
  2. a computer program on a 'nearby' system which 'provides security services' for users on other nearby systems,
  3. or -- what most people assume is "obviously" meant -- a human being (usually understood as one 'at a keyboard' to actively send or receive). Even in such cases, the human does not actually encrypt or sign or decrypt or authenticate anything in modern cryptographic systems. At most, when all is right in the world, the user instructs a computer program to encrypt or sign or decrypt and authenticate, or ... and it does so, properly and securely. This buffering of human action from actions which are presumed (without much consideration) to have 'been done by a human' is a source of problems in crypto system design, implementation, and use. Such problems are often quite subtle and correspondingly obscure. Generally, even to practicing cryptographers with knowledge, skill, and good engineering sense.

When confusion on these points is present (at the design stage, during implementation, or by a user after installation), unintended failures in reaching each of the stated goals can occur quite easily, often without notice to any human involved, and even given perfect algorithms, superb and provably secure system design, and error free implementation. Such failures are most often due to extra-cryptographic issues; each such failure demonstrates that good algorithms, good protocols, good system design, and good implementation do not alone, nor in combination, provide 'security'. Instead, careful thought is required regarding the entire system design and its use in actual production -- too often, this is absent or insufficient in practice with real-world crypto systems.

Although cryptography has a long and complex history, it wasn't until the 19th century that it developed anything more than ad hoc approaches to either cryptanalysis (eg, Charles Babbage's Crimean War era work on mathematical cryptanalysis of polyalphabetic cyphers, repeated publicly rather later by the Prussian Kasiski) or encryption (eg, Auguste Kerckhoffs' writings in the later 19th century). An increasingly mathematical trend accelerated up to World War II (notably in William F. Friedman's application of statistical techniques to cryptography and in Marian Rejewski's initial break into the German Army's version of the Enigma system). Both cryptography and cryptanalysis have become far more mathematical since WWII. Even then, it has taken widely available computers, and the Internet, to bring effective cryptography into common use by anyone other than national governments or similarly sized enterprises.

This article is licensed under the GNU Free Documentation License. It uses material from the Wikipedia article "Cryptography".

© Copyright 2002  ElectricInca. All rights reserved. | About us