Encryption

In cryptography, encryption means encoding data (using keys) according to a specific algorithm. The encrypted data can be decoded again so that the original information is retrieved; this process is called decryption. One of the main goals of cryptography is to ensure the safe exchange of data between two people over an unsafe communication channel, meaning a channel to which other parties are able to gain access, such as the internet. Encryption ensures that third parties are unable to read the information. This is usually done with keys. What such a key consists of depends on the algorithm, but usually it is a very large number of several dozen decimal digits. The goal of keys is to ensure that only the person(s) in possession of the correct keys can decrypt the data.

With most cryptographic algorithms it is possible in principle to decode encrypted data without access to the right keys, but in practice this is impossible because of the large amount of calculation involved. Decoding data without the right key could take billions of years on even the most advanced computers. The computer tries to crack the key by checking every possible key until it finds one that works. If the key is a large enough number, even the most advanced computer cannot try them all at short notice. Computers have become much quicker over time, which means that larger numbers are needed as keys.

There are roughly two types of cryptography: symmetrical and asymmetrical.

Symmetrical

In symmetrical cryptography the sender and receiver use the same key. It should be exchanged beforehand through a safe channel (where both can check each other’s identity and it is impossible for third parties to extract the key). Using the same key does not always mean that encoding and decoding are the same operation. With ROT13, which is often used for email, they are the same, however: when someone applies ROT13 to a message that was encrypted with ROT13, they get to see the original message. With a code such as A→B, B→C etc. that is not the case, but the key to decode it can easily be found by looking at the encryption key. Both are examples of symmetrical cryptography.
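The two codes named above, as an added example that is not part of the original page. The function names and the sample message are constructed for illustration; the last function also shows the key search described in the introduction, which is trivial here because a letter-shift code has only 26 keys.

```python
def shift(text: str, key: int) -> str:
    """Shift every ASCII letter `key` places forward; other characters pass through."""
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + key) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def decoding_key(encryption_key: int) -> int:
    """The key that undoes `encryption_key`: the two shifts add up to 26."""
    return (26 - encryption_key) % 26


def keys_found_by_search(ciphertext: str, known_word: str) -> list:
    """Try every key in the key space; keep those whose output contains known_word."""
    return [k for k in range(26)
            if known_word in shift(ciphertext, decoding_key(k))]


MESSAGE = "Meet me at noon"  # constructed sample plaintext

if __name__ == "__main__":
    rot13 = shift(MESSAGE, 13)
    # ROT13: the decoding key equals the encoding key, so one operation does both.
    print(rot13, "->", shift(rot13, 13))
    plus1 = shift(MESSAGE, 1)  # the A→B, B→C code
    # Applying the same shift again does not decode; the derived key 25 does.
    print(plus1, "->", shift(plus1, 1), "/", shift(plus1, decoding_key(1)))
    print("keys found by trying all 26:", keys_found_by_search(plus1, "noon"))
```
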

Asymmetrical

A more modern type of cryptography is the asymmetrical variety, which is also called public key encryption. Both sender and receiver have a set of two keys, of which one is public and the other is not. It is possible in theory to derive the secret key from the public one, but it is practically impossible. Messages which are encrypted with a public key can only be decoded with the accompanying secret private key. In other words: it is impossible for third parties to read the messages. The other way around this is also the case: information which has been encrypted with someone’s private key can only be decrypted with the accompanying public key. The latter is used when messages are digitally signed: one can be sure the message was sent by the sender. The public key can be made public, and therefore it is fine to exchange it through an unsafe channel, such as the internet. In order to encrypt a message and sign it digitally, the sender needs their own private key and the receiver’s public key. In order to decrypt a received message and to verify whether the signature is indeed from the actual sender, the recipient needs their own private key and the sender’s public key.

The big advantage of asymmetrical cryptography is that the exchange of keys can be carried out through an unsafe channel. Interception of the exchanged information, including public keys, is no problem whatsoever. There is some risk: when sender and receiver refrain from checking whether a public key really belongs to the other party, it becomes possible for third parties to pretend to be one of the parties involved. Everyone can claim to be ‘Ms so and so’ and say ‘here is my public key, please send me your information’. Sender and receiver need to confirm each other’s identity and public keys through a safe channel.

A downside of asymmetrical cryptography is that keys consisting of large numbers are needed (for example of 4096 bytes), which means that large calculations need to be carried out for encryption and decryption. A computer is mandatory in such cases. These keys need to consist of large numbers, because otherwise a very advanced computer would be able to crack them. Often a combination of asymmetrical and symmetrical cryptography is used: first a secret key is exchanged between sender and receiver through asymmetrical cryptography, and this key then forms the basis for the quicker symmetrical encryption of large bulks of data. For the encryption of email, asymmetrical cryptography is used by PGP, GPG or S/MIME.

Hashing

Strictly speaking, cryptographic hashing is not encryption, because the original data cannot be retrieved from a hash code. It does however employ the same techniques as encryption and it is also part of encryption protocols. The difference between hashing and encryption is that hashing can only be used one way, whereas encryption works both ways (encryption and decryption). In hashing, a hash algorithm is used to calculate a hash code from a bulk of data. From this hash code it is impossible to retrieve the original data, but someone who has the data can calculate its hash code and check whether it corresponds to an earlier hash code. Because the hash code is often much smaller than the original bulk of data, it becomes possible to check whether a specific document has been seen before without having to save the entire document. It is also possible to prove one’s possession of a certain document by publicly publishing its hash code, without exposing the document itself publicly. If at any point in time the owner then decides to publish the document, everyone can check that the person who published the hash code must have been in possession of the document, because there would have been no other way to calculate the same hash code.

For a hash code to be safe, it needs to be impossible to retrieve the original bulk of data that resulted in the code. Furthermore, it needs to be impossible for two different blocks of data to have the same hash code. This means a hash code needs the same characteristics as a digital fingerprint.
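The proof of possession described above, as an added example that is not part of the original page. It assumes SHA-256 as the hash algorithm and goes one step beyond the text: a random nonce is hashed together with the document, because the bare hash code of a guessable document lets any observer confirm a guess, which the last function demonstrates. All names and sample documents are constructed.

```python
import hashlib
import hmac
import os


def hash_code(data: bytes) -> str:
    """SHA-256 hash code of a block of data, as 64 hex characters."""
    return hashlib.sha256(data).hexdigest()


def commit(document: bytes):
    """Return (hash code to publish now, nonce to keep until the reveal)."""
    nonce = os.urandom(32)  # assumption added here: hides guessable documents
    return hash_code(nonce + document), nonce


def verify_reveal(published: str, nonce: bytes, document: bytes) -> bool:
    """Anyone can recompute the hash code from the revealed nonce and document."""
    recomputed = hash_code(nonce + document)
    return hmac.compare_digest(recomputed.encode(), published.encode())


def confirmed_guess(published: str, candidates: list):
    """Return the candidate whose bare hash code equals `published`, if any."""
    for candidate in candidates:
        if hash_code(candidate) == published:
            return candidate
    return None


if __name__ == "__main__":
    document = b"Offer: 4200 EUR"  # constructed sample document
    published, nonce = commit(document)
    print("published hash code:", published)
    print("honest reveal verifies:", verify_reveal(published, nonce, document))
    print("altered document verifies:",
          verify_reveal(published, nonce, b"Offer: 9999 EUR"))
    # Without a nonce, a short list of plausible documents is enough to confirm one.
    guesses = [b"Offer: 4100 EUR", b"Offer: 4200 EUR", b"Offer: 4300 EUR"]
    print("bare hash confirmed as:", confirmed_guess(hash_code(document), guesses))
    print("nonce hash confirmed as:", confirmed_guess(published, guesses))
```
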

Hashing passwords

To log on to a computer, a name and password are often needed. These passwords are often stored in encoded form, so that they do not become known when the file with passwords is read by a third party. This is done with a hashing algorithm, which makes it impossible to decode the data. Decoding is unnecessary too, because it is sufficient to check whether the user has supplied the correct password.

For passwords it is unsafe to use ordinary hash algorithms. Special hash algorithms for passwords need to be employed, such as bcrypt, scrypt or PBKDF. The reason is that regular hash algorithms are designed to be calculated as quickly as possible. When hashing passwords that is undesirable, because it enables someone who has the hash codes to find out which password belongs to which code. The length and complexity of the passwords which people use are limited, while at the same time computers are becoming more and more advanced. This means it is becoming increasingly simple for someone trying to crack the hash codes of passwords to have the computer try out all sorts of possibilities. Hash algorithms for passwords block this method, because when setting them up it is possible to choose how long they take to calculate. The algorithms are set in such a way that it takes one millisecond to calculate a hash code, whereas calculating a hash code with a regular algorithm can take less than a microsecond. It is usually not a problem when checking a password costs a millisecond rather than a microsecond, but for someone who tries to crack hash codes this results in a thousand times more calculation, which of course means they need a lot more time.
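Storing and checking a password with an adjustable-cost hash algorithm, as an added example that is not part of the original page. It assumes PBKDF2-HMAC-SHA256 from Python's standard library as the PBKDF variant; the storage format, the iteration count and the per-password random salt are choices made for this example, not taken from the page.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 200_000  # assumed work factor; raise it until one check costs what you accept


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$iterations$salt_hex$hash_hex' for the password file."""
    salt = os.urandom(16)  # random per password, so equal passwords get different codes
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and cost; nothing is ever decoded."""
    try:
        scheme, iterations, salt_hex, hash_hex = stored.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iterations))
    except (ValueError, OverflowError):
        return False  # malformed record: wrong field count, bad hex, bad cost
    return hmac.compare_digest(digest, expected)  # constant-time comparison


def seconds_per_call(fn, rounds: int) -> float:
    start = time.perf_counter()
    for _ in range(rounds):
        fn()
    return (time.perf_counter() - start) / rounds


def slowdown_factor(iterations: int = ITERATIONS) -> float:
    """How many times slower one PBKDF2 calculation is than one plain SHA-256."""
    pw, salt = b"constructed-sample", b"\x00" * 16  # constructed timing inputs
    fast = seconds_per_call(lambda: hashlib.sha256(salt + pw).digest(), 20_000)
    slow = seconds_per_call(
        lambda: hashlib.pbkdf2_hmac("sha256", pw, salt, iterations), 3)
    return slow / fast


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("right password:", verify_password("correct horse battery staple", record))
    print("wrong password:", verify_password("Tr0ub4dor&3", record))
    print(f"one guess costs about {slowdown_factor():,.0f}x a plain SHA-256")
```
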