<!-- title: Securing communications -->
<!-- slug: securing-communications -->
<!-- categories: Cryptography -->
<!-- date: 2020-01-12T00:00:00Z -->
<!-- lastmod: 2020-08-10T00:00:00Z -->

We use cryptographic techniques daily without really knowing how they work, so
I'm going to try and explain some basic concepts. Let's start with Wikipedia's
current definition:

> Cryptography or cryptology is the practice and study of techniques for secure
> communication in the presence of third parties called adversaries.
>
> — *[Wikipedia's cryptography entry][cry]*

One cryptographic process we are all familiar with is encryption, which allows
us to change the contents of a message so only certain people with a "key" can
decipher and read it. A simple—and well known—example of encryption is the
[Caesar cipher][cc] (if you haven't heard of it, check out how it works!).

Let's consider the following scenario with three people (or parties): Alice, Bob
and Craig. Alice wants to contact Bob privately, while Craig is trying to
eavesdrop. This is all happening through a network; in this particular scenario,
they are communicating through the mail. Craig works at the postal office, so he
could get Alice's letter, open it, read it, put it back in a new envelope that
looks exactly the same as Alice's and then send it to Bob.

Craig's attack is known as a man-in-the-middle attack, which happens when the
attacker is able to secretly relay information between two parties (and with the
ability to change the contents of the communication). This attack isn't
particularly hard to carry out on the Internet, but we are normally protected by
cryptographic methods (that ensure the privacy and authenticity of our
communications).

## Encrypting a message

Alice knows about the flaws of the mail system, so she decides to encrypt her
message. She could use the Caesar cipher.
If Bob knows how much Alice "shifted"
the alphabet, he will be able to read her message, while Craig won't. Or will
he? Couldn't Craig just try all the numbers from 1 to 25 and just see which one
gives a message that makes sense? And how did Alice tell Bob how much she
"shifted" the alphabet without Craig reading it?

Those are good points. We currently use better encryption methods than the
Caesar cipher that tackle these issues. The first concern describes a
brute-force attack (when the attacker tries many keys in order
to—eventually—find the correct one). We can protect our messages against
brute-force attacks by using an encryption method that admits a huge number of
different possible keys. How big? If you create a key with GPG, the minimum key
size is 1024 bits (which gives us 2<sup>1024</sup> different possible keys). How
hard would it be to crack it? [This video][yt] explains it pretty well for a key
that is 256 bits long (2<sup>256</sup> possible keys). First problem solved! Bob
isn't deciphering our letter anytime soon!

About the second issue... How can Alice tell Bob her secret password before they
can encrypt anything? It turns out she doesn't need to do that at all! She can
use asymmetric cryptography to solve this problem. In asymmetric encryption,
everyone has two keys[^nodetail]: a public key and a private key. Our public key
will be *public*! Everyone can know it (and that won't put our encrypted
messages in danger), while our private key will only be known to us. When using
asymmetric encryption, we encrypt messages using someone else's **public** key,
but only someone with the **private** key will be able to decipher it.

[^nodetail]: This pair of keys is created in a particular way (that "links"
    them). I won't get into detail on how it works (it is beyond the scope of
    this post), but there is a lot of information on the Internet if you are
    interested.
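
Craig's try-every-shift idea and the keyspace argument from earlier in this section, as an added example (not part of the original post). The word list, the sample letter, the helper names and the 10^12 guesses-per-second rate are assumptions made for the illustration.

```python
import string

# Constructed word list used to score candidate plaintexts (an assumption of
# this example; a real scorer would use a dictionary or letter frequencies).
COMMON_WORDS = {"the", "at", "me", "meet", "by", "old", "bridge", "noon", "and", "to"}

def caesar_shift(text, shift):
    """Shift each ASCII letter by `shift` positions, leaving other characters alone."""
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)

def score(candidate):
    """Count how many words of the candidate appear in the word list."""
    strip_punctuation = str.maketrans("", "", string.punctuation)
    words = candidate.lower().translate(strip_punctuation).split()
    return sum(word in COMMON_WORDS for word in words)

def brute_force(ciphertext):
    """Try every shift from 1 to 25 and return the best-scoring (shift, plaintext)."""
    candidates = [(s, caesar_shift(ciphertext, -s)) for s in range(1, 26)]
    return max(candidates, key=lambda c: score(c[1]))

def exhaustive_search_years(key_bits, guesses_per_second):
    """Whole years needed to try every key of the given size (integer arithmetic)."""
    return 2 ** key_bits // (guesses_per_second * 365 * 24 * 3600)

if __name__ == "__main__":
    secret = caesar_shift("Meet me by the old bridge at noon.", 7)  # Alice's letter
    print(secret)
    print(brute_force(secret))  # the Caesar cipher has only 25 usable keys
    for bits in (256, 1024):
        years = exhaustive_search_years(bits, 10 ** 12)  # assumed guess rate
        print(f"{bits}-bit key: about 10^{len(str(years)) - 1} years to try every key")
```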

So now Bob can simply send Alice his public key, which she will use to encrypt
the message. Only Bob with his private key will be able to decipher the message.
A system of communication that is resistant to Craig's attacks, so far...

## Signing a message

Craig can't decipher the message, so he might try another strategy: change it!
He will get Alice's letter, destroy it, and send a different one to Bob (making
it look like it came from Alice). The communication is private, but not secure
yet!

Once again, cryptographic techniques come to the rescue with the ability to
digitally sign messages (also using asymmetric cryptography). What signing a
message does is kind of the opposite of encryption: Alice can use her
**private** key to sign her message, which will output a new file (the
signature). Now, anybody with the message, the signature made by Alice, and her
**public** key can check that the message was signed using Alice's private key,
therefore ensuring nobody changed it (signatures are different for different
messages).

Now, Craig can still destroy the message and send a different one. However, Bob
will realize there isn't a signature (or the one given doesn't match the
message). This will alert Bob that the contents of the message might indeed not
come from Alice. Bob might not be able to get Alice's message, but Craig will
never be able to impersonate her.

## Final notes

The problem with the digital signature is that there has to be an initial
contact that both parties know has not been compromised[^sharingpk]. This could
be achieved by meeting in person and exchanging keys, although that could be
hard for two parties that live in different parts of the world trying to talk
over the Internet. There are methods to work around this problem, although none
is perfect.
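
The encrypt-with-the-public-key and sign-with-the-private-key steps from the two sections above, together with the key-substitution problem this paragraph describes, as an added example (not part of the original post). It uses unpadded textbook RSA with constructed toy keys as an assumed stand-in for a real asymmetric scheme; every function and key name is made up for the illustration.

```python
import hashlib

def make_keypair(p, q, e=65537):
    """Textbook RSA key pair from two primes: returns (public, private)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))  # private exponent is e^-1 mod phi

def encrypt(public, message):
    n, e = public
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("toy scheme: message must be smaller than the modulus")
    return pow(m, e, n)

def decrypt(private, ciphertext):
    n, d = private
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

def digest(message, n):
    """SHA-256 of the message, reduced so it fits under the toy modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(private, message):
    n, d = private
    return pow(digest(message, n), d, n)  # needs the private exponent

def verify(public, message, signature):
    n, e = public
    return pow(signature, e, n) == digest(message, n)  # needs only the public key

# Constructed toy keys built from known Mersenne primes; far too small and too
# structured for real use.
ALICE_PUB, ALICE_PRIV = make_keypair(2**61 - 1, 2**89 - 1)
BOB_PUB, BOB_PRIV = make_keypair(2**107 - 1, 2**127 - 1)
CRAIG_PUB, CRAIG_PRIV = make_keypair(2**31 - 1, 2**521 - 1)

if __name__ == "__main__":
    letter = b"Meet at noon"
    sealed = encrypt(BOB_PUB, letter)                  # Alice uses Bob's public key
    print(decrypt(BOB_PRIV, sealed))                   # only Bob's private key opens it
    sig = sign(ALICE_PRIV, letter)
    print(verify(ALICE_PUB, letter, sig))              # True: untouched letter
    print(verify(ALICE_PUB, b"Meet at nine", sig))     # False: Craig altered the text
    forged = sign(CRAIG_PRIV, b"Meet at nine")
    print(verify(ALICE_PUB, b"Meet at nine", forged))  # False: not Alice's private key
    print(verify(CRAIG_PUB, b"Meet at nine", forged))  # True: Bob holds Craig's key as "Alice's"
```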

[^sharingpk]: If not, the first time Alice sends her public key, Craig could
    change it to a different one and therefore be able to successfully sign
    messages with what Bob trusts is Alice's private key.

Hopefully, this post gave you a basic overview of some things that can be done
using cryptographic techniques and how they are necessary when securing our
online communications.

*Edit*: Invidious link has been changed to YouTube as the Invidious instance is
shutting down.


[cry]: <https://en.wikipedia.org/wiki/Cryptography> "Cryptography — Wikipedia"
[cc]: <https://en.wikipedia.org/wiki/Caesar_cipher> "Caesar cipher — Wikipedia"
[yt]: <https://www.youtube.com/watch?v=S9JGmA5_unY> "How secure is 256 bit security? — YouTube"