As a child, you may recall using symbols to write coded messages to your classmates that no one else could understand. More seriously, codes and ciphers are used for information security in computer systems and networks to protect sensitive and commercial information from unauthorized access when it is at rest or in transit. Uses include anything from keeping military secrets to transmitting financial data safely across the Internet.
Cryptography is an important computer security tool that deals with techniques to store and transmit information in ways that prevent unauthorized access or interference.
How cryptography keeps communication secret and safe
The cryptographic process of scrambling text from a readable form to an unintelligible form – known as cipher text – is called encryption. Sending secret or private messages as cipher text is a typical use of cryptography. Once the cipher text is received, it is descrambled by the authorized recipient back to its readable form. The descrambling (or decryption) is performed with the use of an encryption key, which serves to prevent third parties from reading these messages.
Encryption methods have been used by many civilizations throughout history to prevent non-authorized people from understanding messages. Julius Caesar is credited for one of the earliest forms of cipher – the “Caesar Cipher” – to convey messages to his generals. With increasing sophistication, cryptography now plays a vital role in ensuring the privacy, data confidentiality, data integrity and authentication in computer systems and networks. In today’s world, where the majority of our personal and professional communications and transactions are conducted online, cryptography is more important than ever.
Types of cryptography systems
Cryptography refers to the techniques and algorithms that are used today for secure communication and data in storage. It incorporates mathematics, computer science, electronics and digital signal processing. Broadly speaking, there are four types of cryptography systems:
Symmetric-key cryptography (or “secret key”): In this type of system, both the sender and the receiver share the same key, which is used to encrypt and decrypt the message.
Asymmetric-key cryptography (or “public key”): In this type of cryptography system, there are two keys – one public and one private; these form a pair and are related mathematically. To apply asymmetric cryptography, the sender uses the public key of the intended recipient to encode the message, and then sends it on its way. When the message arrives, only the recipient’s private key can be used to decode it, meaning that a stolen message is of no use to the thief without the corresponding private key. Encryption mechanisms are the focus of ISO/IEC 18033, a suite of International Standards that specifies a number of asymmetric ciphers. The multipart series includes identity-based ciphers, block ciphers, stream ciphers, and homomorphic encryption.
Cryptographic key management: This type of system is crucial for protecting the keys used in both symmetric and asymmetric cryptography. It includes a set of processes covering the entire “life cycle” of a key, including its generation, exchange and distribution, storage, use, safe destruction and replacement. If the key management is weak, then the protection of encrypted data is weak. There are a number of International Standards relating to key management (e.g. ISO/IEC 11770) and key generation (e.g. ISO/IEC 18031 and ISO/IEC 18032).
Cryptographic hash function: This is a technique that converts a string of data of any length into a hashed output (a digest of the input) of fixed length. Hash functions have many applications such as in digital signatures, MACs (message authentication codes), and checksums (to check data corruption). International Standards that specify hash functions include ISO/IEC 9797-2, ISO/IEC 9797-3 and ISO/IEC 10118.
Information security principles and uses of cryptography
The key principles of information security are confidentiality, integrity and availability. Cryptography is an important tool that helps to preserve two of these principles:
Data confidentiality ensures that data is not disclosed to unauthorized parties. Cryptographic techniques such as encryption can be used to protect the confidentiality of data by making it unreadable to those who don’t have the proper decryption key.
Data integrity ensures that data has not been modified or corrupted. One example for International Standards on data integrity is ISO/IEC 9797, which specifies algorithms for calculating message authentication codes.
In addition to these key information security objectives, cryptography is used to achieve:
Entity authentication
By checking knowledge of a secret, entity authentication verifies the identity of the sender. Various crypto-based mechanisms and protocols can be used to achieve this, such as symmetric systems, digital signatures, zero-knowledge techniques and checksums. ISO/IEC 9798 is a series of standards that specifies entity authentication protocols and techniques.
Digital signatures
Used to verify the authenticity of data, digital signatures confirm that the data originated from the signer and has not been changed. They are used, for example, in email messages, electronic documents and online payments. International Standards that specify digital signature schemes include ISO/IEC 9796, ISO/IEC 14888, ISO/IEC 18370 and ISO/IEC 20008.
Non-repudiation
Cryptographic techniques such as digital signatures can be used to provide non-repudiation by ensuring that the sender and receiver of a message cannot deny that they, respectively, sent or received the message. The standard ISO/IEC 13888 describes techniques (symmetric and asymmetric) for the provision of non-repudiation services.
Lightweight cryptography
Lightweight cryptography is used in applications and technologies that are constrained in computational complexity: limiting factors can be memory, power and computing resources. The need for lightweight cryptography is expanding in our modern digital world. Constrained devices – for example IoT (Internet of Things) sensors or actuators like the ones switching on appliances in a so-called smart home – use lightweight symmetric cryptography. ISO/IEC 29192 is an eight-part standard that specifies various cryptographic techniques for lightweight applications.
Digital rights management
Digital rights management (DRM) protects the copyright of your digital content. DRM uses cryptographic software to ensure that only authorized users can have access to the material, modify or distribute it.
Electronic commerce and online shopping
Secure e-commerce is made possible by the use of asymmetric-key encryption. Cryptography plays an important role in online shopping as it protects credit card information and related personal details, as well as customers’ purchasing history and transactions.
Cryptocurrencies and blockchain
A cryptocurrency is a digital currency that uses cryptographic techniques to secure transactions. Each cryptocurrency coin is validated via distributed ledger technologies (e.g. blockchain). A ledger, in this case, is a continuously growing list of records – known as blocks – that are linked together using cryptography.
What are cryptographic algorithms?
A cryptographic algorithm is a math-based process for encoding text and making it unreadable. Cryptographic algorithms are used to provide data confidentiality, data integrity and authentication, as well as for digital signatures and other security purposes.
Both DES (Data Encryption Standard) and AES (Advanced Encryption Standard) are popular examples of symmetric-key algorithms, while prominent asymmetric-key algorithms include RSA (Rivest-Shamir-Adleman) and ECC (elliptic curve cryptography).
Elliptic curve cryptography (ECC)
ECC is an asymmetric-key technique based on the use of elliptic curves, which has applications in encryption and digital signatures, for example. ECC technology can be used to create faster, smaller and more efficient cryptographic keys. Elliptic curve techniques are covered in the multipart standard ISO/IEC 15946.
Standards for cryptography
Cryptography has been the subject of intense standardization efforts resulting in a range of International Standards that encapsulate the knowledge and best practice of leading experts in the field. Internationally agreed ways of working make technology more secure and interoperable. By using cryptography standards, developers can rely on common definitions, as well as proven methods and techniques.
Future-proofing cryptography
Today, we are on the edge of a quantum revolution. The advent of quantum computing in the coming years will provide mankind with processing powers on a scale that traditional computers can never hope to match. While this offers countless possibilities for complex problem-solving, it also comes with corresponding security threats. That very same power could undermine much of today’s cybersecurity – including established cryptographic practices.
Quantum cryptography is a method of encryption that applies the principles of quantum mechanics to provide secure communication. It uses quantum entanglement to generate a secret key to encrypt a message in two separate places, making it (almost) impossible for an eavesdropper to intercept without altering its contents. Hailed as the next big revolution in secure communication systems, quantum cryptography has the potential to be a real breakthrough for data that needs to stay private far into the future.
The new dawn of encryption is looking bright!
Disclaimer: PECB has obtained permission to publish the articles written by ISO.