In this month's code-stuff hangout we recapped some fundamental topics regarding information security. This means we had a presentation about the basics and then followed it up with a lively discussion about what this means for our daily lives. Yes, not just our daily work.

Encryption

Wikipedia defines encryption as "the process of encoding information.” This means some plaintext is turned into cyphertext. This definition is lacking one important aspect that most people might take for granted: Ideally, only authorized parties can decrypt the message content. Think of an encoding where everyone knows the key, e.g. base64. According to this definition, a base64-encoded string is encrypted. But, since everyone knows how to decode base64, the information is not secret.

How does encryption work? Usually, an algorithm generates a (pseudo-random) key. Decrypting an encrypted message only works with this key. The main idea is that brute-forcing all possible keys is unfeasible (or impossible in practice). This means that such encryption algorithms rely on the computational power being the limiting factor. What this implies, is that as hardware got more potent people had to use longer keys that exponentially increased the potential combinations to brute-force. There is another thing to note here, and it takes us to an excursion of complexity classes of computational problems. We currently don't know whether P equals NP, which means there could be an algorithm that decrypts encrypted messages within a reasonable timeframe without knowing the key.¹

In contrast to algorithms that rely on computational complexity, there are also information-theoretically secure encryption techniques like the one-time pad (OTP).

What's also often confused with encryption is hashing. Maybe because of the existence of cryptographic hash functions? The main difference is that there is no way to infer the input plaintext from the hash digest.

Two types

There are two types of encryption, namely symmetric and asymmetric. In the case of symmetric encryption the same key is used to encrypt and decrypt the message. The downside is that this key needs to be exchanged secretly between both parties in advance. In the case of asymmetric encryption the receiver of a message shares their public key openly as this can only be used to encrypt the message. Only the matching private key, which only the receiver knows, can then be used to decrypt the message.

Examples we discussed were TLS/SSL and SSH. In both cases, a TCP handshake initiates the connection between two hosts. Then asymmetric encryption using the server's public key is used to agree on encryption standards and session keys. The rest of the session then uses symmetric encryption using these session keys. In addition, Message Authentication Codes (MAC) are used to ensure that messages have not been tampered with.

Another example is PGP (Pretty Good Privacy). It is a program often used to send encrypted e-mails. It is based on asymmetric encryption, so you need to know the public key of the recipient before sending them a message. This is then used only to encrypt a randomly generated key which is in turn used to encrypt the message content itself. Both of these cyphertexts are sent to the recipient. Again, this uses a combination of symmetric and asymmetric encryption techniques.