Practical Cryptography for Real People: Part 1

Caveat emptor: I know just enough about cryptography to be dangerous to my own security practices, so take this with a grain of salt and do your own research!

What is cryptography and how is it useful?

This article is intended for the layperson, the audience that is aware cryptography is a thing and that people wearing hoodies use and abuse it right before they stop feverishly typing and proclaim, “I'm in.” What is cryptography, though? How can it be meaningful to the average person who only interacts with their computers through touch screens and mouse clicks?

Cryptography is the practice and study of techniques for secure communication in the presence of third parties called adversaries. Source: Wikipedia.org

Cryptography has existed since antiquity; one of the earliest and most widely known techniques is the Caesar cipher. The importance of cryptography in our modern world cannot be overstated. Data privacy advocates regularly underscore that effective and easy encryption in all online communication is paramount to the digital rights of people, and the fight for it has made great strides. For instance, whereas buying an SSL certificate to get that little padlock symbol in the browser bar for your website used to be costly, the advent of Let's Encrypt has made it trivial. The wide popularity of end-to-end encrypted messengers such as Signal, Telegram, and WhatsApp that smooth out the difficulties with multi-device e2ee has introduced people to secure everyday communication. It's been a hard fight for every inch, but wins have definitely been made.

Encryption vs Authentication

The definition above is what I think everyone is familiar with, and it's completely valid, even accurate. But let's look at cryptography another way.

Cryptography is the practice and study of techniques used to formally, in the mathematical sense, establish trust between two or more parties in the presence of untrustworthy actors.

This definition may look quite a bit different, but it's only another application for cryptography; the first definition covers encryption, and this second one describes authentication. How can you create secure communication unless there's some mechanism or token or key that signifies the trust between you and the party with whom you're trying to communicate?

The password is swordfish

A key to trust (see what I did there) can be either symmetric or asymmetric. A symmetric key is symmetric because the same key is used to lock and unlock whatever is being protected, and it's the more intuitive of the two. How would an asymmetric key even work?

Asymmetric key pairs are, to my knowledge at the time of this writing, how much of the cryptography world just below the surface operates. (Although please note that it is quite a bit more complicated than that.) There are a plethora of algorithms that use how computers work to create what are called public/private key pairs. When information is encrypted using one of these keys, it can only be decrypted by the other, hence why they're asymmetric. What's the point of considering one of these keys to be public? For a metaphor, imagine you have a bunch of padlocks that all take the same key, of which you have the only copy. You can give another person a padlock and say, “If you want only me to be able to open something, lock it with this.” It's not a perfect metaphor for asymmetric keys, but it's workable.

In Keys We Trust

Pretty Good Privacy, or PGP, is an example of how useful it is to be able to give your public key to the entire world. If someone wants to communicate with only you, they can encrypt the communication using your public key, and then the communication can only be decrypted using your private key. Moreover, what if you want to prove that you are the author of something? You can encrypt, or sign, it with your private key, then anyone can verify your authorship by decrypting it with your public key. Finally, you can combine these techniques to secure communication between yourself and another party who has a public/private key pair: first you sign your communication with your private key, then you encrypt it with their public key. Now they are the only one who can decrypt it, and they can verify your authorship by authenticating the signed text with your public key.
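
The sign-then-encrypt flow described above, together with the "one key undoes the other" property of key pairs, as an added example that is not part of the original article and is not how GPG is implemented. It uses textbook RSA with publicly known primes and no padding, so it shows the idea and is not secure; the keys, the parties Alice, Bob and Eve, and every function name are constructed for illustration.

```python
# Textbook RSA illustrating sign-then-encrypt. NOT secure: fixed, well-known
# primes and no padding. Real tools such as GPG do far more than this.
import hashlib

def make_keypair(p, q, e=65537):
    """Build (public, private) keys, each an (exponent, modulus) pair."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), (pow(e, -1, phi), n)   # private exponent undoes e

def apply_key(key, number):
    """The single RSA operation; the other key of the pair reverses it."""
    exponent, n = key
    return pow(number, exponent, n)

def digest(message, n):
    """Reduce a message to a number below the modulus via SHA-256."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sig_len(key):
    """Number of bytes needed to hold a signature made with this key."""
    return (key[1].bit_length() + 7) // 8

def seal(sender_private, recipient_public, message):
    """Sign with the sender's private key, then encrypt to the recipient."""
    signature = apply_key(sender_private, digest(message, sender_private[1]))
    payload = signature.to_bytes(sig_len(sender_private), "big") + message
    # One byte per block keeps the example short; it is not a safe scheme.
    return [apply_key(recipient_public, byte) for byte in payload]

def open_sealed(recipient_private, sender_public, blocks):
    """Decrypt with the recipient's private key, then check the signature.
    Returns the message, or None if decryption or verification fails."""
    values = [apply_key(recipient_private, block) for block in blocks]
    if any(v > 255 for v in values):
        return None                       # wrong private key: garbage out
    payload, k = bytes(values), sig_len(sender_public)
    signature, message = int.from_bytes(payload[:k], "big"), payload[k:]
    if apply_key(sender_public, signature) != digest(message, sender_public[1]):
        return None                       # not signed by the claimed sender
    return message

# Constructed keys built from well-known Mersenne primes (illustration only).
ALICE_PUB, ALICE_PRIV = make_keypair(2**61 - 1, 2**89 - 1)
BOB_PUB, BOB_PRIV = make_keypair(2**107 - 1, 2**127 - 1)
EVE_PUB, EVE_PRIV = make_keypair(2**19 - 1, 2**31 - 1)

if __name__ == "__main__":
    sealed = seal(ALICE_PRIV, BOB_PUB, b"meet at noon")
    print(open_sealed(BOB_PRIV, ALICE_PUB, sealed))   # Bob reads Alice's message
    print(open_sealed(EVE_PRIV, ALICE_PUB, sealed))   # Eve's key does not open it
```

Only Bob's private key recovers the message, and a message sealed with Eve's private key fails the check against Alice's public key.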

They who control the keys, control the communication

This brings us to how essential key management is. I can tell you I can only imagine the most paranoid of hackers manually manage their keys. GPG is a popular and time-tested tool for managing PGP keys, and a growing number of people really enjoy Keybase.io, which integrates quite nicely with GPG. If you want to pursue a more secure online experience, whatever program you use to manage your keys, I strongly caution you always to choose an open source program. If the client you select is not open source, then it is a black box; I don't expect you to audit open source code for malicious usage personally, but I can tell you that there are people whose job and/or hobby it is to do so. Open source is not a panacea, but it is at least an antibiotic.

Conclusion

Future Articles

This is very much the tip of the iceberg when it comes to cryptography. Future articles may include:

Acknowledgements

I'd like to thank @claude@meow.social, @design_RG@qoto.org, and @khird for their feedback on the first draft of this article!

#cryptography #keybase