Cryptography is the science of using mathematics to encrypt and decrypt data. Cryptography enables you to store sensitive information or transmit it across insecure networks (like the Internet) so that it cannot be read by anyone except the intended recipient. When Julius Caesar sent messages to his generals, he didn’t trust his messengers. He therefore devised a method of disguising his messages so that only the intended recipient could decipher them. Only someone who knew Caesar’s “shift” rule could decipher his messages (Network Associates, Inc., 1990-1999). The Caesar cipher is one of the earliest known and simplest forms of cryptography. It is a type of substitution cipher in which each letter in the plaintext is shifted a certain number of places down the alphabet. For example, with a shift of 1, A would be replaced by B, B would become C, and so on (Lyons, 2009 – 2012).
Caesar’s encryption method would be known as symmetric cryptography today. Cryptography is considered not only a branch of mathematics, but also a branch of computer science. There are two forms of cryptosystems: symmetric and asymmetric. Symmetric cryptosystems involve the use of a single key, known as the secret key, to encrypt and decrypt data or messages. When a message is sent, the user encrypts the message with a key which is known only to the intended recipient. The receiver will then use the known key to decrypt the message back into plaintext. The problem that symmetric cryptosystems have always faced is the lack of a secure means for the sharing of the secret key by the individuals who wish to secure their data or communications (Calloway, 2012). Additionally, the number of keys needed for a large corporation could range into the millions, making symmetric encryption a poor choice. For example, if John, Jan, Bob, Bill, Margery, Maud, Wayne, Amber, Shane, and Phil all work together, they all need copies of each other’s encryption keys. Mathematically speaking, each individual would need 45 keys to be able to decrypt messages from all coworkers.
Additionally, secret-key cryptography provides only limited key possibilities. In other words, a hacker could eventually gain access to an encrypted message or attachment through trial and error because there are, mathematically, only so many possible combinations. Asymmetric cryptosystems, on the other hand, use one key (the public key) to encrypt messages or data, and a second key (the secret key) to decipher or decrypt those messages or data. For this reason, asymmetric cryptosystems are also known as Public Key Infrastructure (PKI) cryptosystems. PKI eliminates the “too many keys on the ring” and weak security issues. However, asymmetric cryptography is not without its own set of pitfalls, the main one being reduced performance speed. PKI can take from 100 – 1000 times longer than a typical symmetric cryptosystem would. For this reason, the asymmetric encryption method is not the ideal choice for businesses or individuals. In monetary terms, time is money. A very popular public key cryptosystem is known as Pretty Good Privacy (PGP), developed by Phil Zimmermann beginning in early 1991 (Levy, 2001).
PGP is a hybrid cryptosystem which utilizes the advantages of symmetric and asymmetric encryption methods while downplaying the disadvantages of both. Zimmermann realized the strength of keys needed to be impenetrable; a weak key will lend greater ease to hackers. Basically, the strength of the keys that are created to encrypt and decrypt data or communications is a function of the length of those keys. Typically, the longer the key, the stronger that key is. For example, a 56-bit key (consisting of 56 bits of data) would not be as strong as a 128-bit key. And, consequently, a 128-bit key would not be as strong as a 256- or 1024-bit key. When a user encrypts plaintext with PGP, PGP first compresses the plaintext. Data compression, among other things, strengthens cryptographic security because it reduces the patterns found in languages. PGP then creates a session key; this key is a random number generated from the movements of the user’s mouse and the keystrokes typed. Then the random number is run through a symmetric encryption algorithm such as Triple DES, Twofish, CAST, or AES (Rijndael), which generates a one-time-only secret key.
If there is not enough information gathered, a window will pop up asking the user to move the mouse and type on the keyboard until sufficient random data have been gathered. The session key works with a very secure, fast, conventional (symmetric) encryption algorithm to encrypt the plaintext; the result is ciphertext. Once the data is encrypted, the session key is then encrypted to the recipient’s public key, using asymmetric encryption such as Diffie-Hellman or RSA. This public key-encrypted session key is transmitted along with the ciphertext to the recipient. While PGP is virtually perfect, it does have one proven flaw; inconvenience is probably a better way to describe it. Earlier versions of PGP did not allow individuals without decryption capabilities to read messages or attachments, which is the fundamental point. However, what PGP did not take into consideration was that the intended recipients might not have PGP. Since the recipients had no key, they were unable to decipher the encryption. Since the discovery of this so-called flaw, the self-decrypting archive (SDA) was created. SDA allows individuals without PGP to decrypt an encrypted message or attachment upon opening it.
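The hybrid flow described above (compress, create a one-time session key, encrypt the data symmetrically, then encrypt the session key to the recipient’s public key), as an added example that is not PGP’s code or the author’s. The SHA-256 keystream stands in for the symmetric cipher and textbook RSA over two fixed Mersenne primes stands in for the public-key step; both are constructed for illustration only, and the function names are hypothetical.

```python
import hashlib
import secrets
import zlib

# Constructed toy recipient key pair (assumption for this example): two known
# Mersenne primes. Real keys use random primes and padded RSA, never this.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                      # public key (modulus, exponent)
D = pow(E, -1, (P - 1) * (Q - 1))        # recipient's secret exponent


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in symmetric cipher: XOR with a SHA-256 counter keystream.

    The same call encrypts and decrypts. Safe only because each session
    key is used for exactly one message.
    """
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)


def pgp_style_encrypt(plaintext: bytes, n: int = N, e: int = E):
    """Return (wrapped_session_key, ciphertext) for the recipient."""
    compressed = zlib.compress(plaintext)             # 1. compress first
    session_key = secrets.token_bytes(16)             # 2. one-time 128-bit key
    ciphertext = keystream_xor(session_key, compressed)   # 3. fast symmetric pass
    wrapped = pow(int.from_bytes(session_key, "big"), e, n)  # 4. key to public key
    return wrapped, ciphertext                        # 5. both travel together


def pgp_style_decrypt(wrapped: int, ciphertext: bytes, d: int = D, n: int = N) -> bytes:
    """Recipient side: unwrap the session key, decrypt, decompress."""
    session_key = pow(wrapped, d, n).to_bytes(16, "big")
    return zlib.decompress(keystream_xor(session_key, ciphertext))


if __name__ == "__main__":
    message = b"Quarterly report draft. " * 20        # constructed sample input
    wrapped, ct = pgp_style_encrypt(message)
    print(len(message), "plaintext bytes ->", len(ct), "ciphertext bytes")
    print(pgp_style_decrypt(wrapped, ct) == message)
```

Only the 16-byte session key goes through the slow public-key operation; the message itself, however large, is handled by the fast symmetric pass.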
The only real cons to PGP, for both individuals and businesses, are that it is a rather complex system to use and it is expensive. PGP was not designed to be easy; if it were, it would not be the most secure cryptography method in existence. Alleviating the issue is simple: provide the necessary training for all users. In the way of cost, Symantec Corp. has a pseudo-monopoly. In July 2010, Phil Zimmermann sold PGP to Symantec for the impressive sum of $300M. Astonishingly, the cost of a one-year license is hefty: $239.00. This would get you entire disk encryption for all files on your hard drive, and encryption for messages and attachments. On a personal note, I was concerned to learn of the sale regarding back door keys. It’s no secret that Zimmermann went through three years of litigation and barrages from the U.S. government because of exportation laws. However, when the Feds couldn’t win that one, they argued that the government should have a back door key for legal purposes, but that it would only be used in warranted cases (Perkins, 1996). To my relief, a Symantec engineer assured me there was not, and never will be, a loophole in the program for anyone, under any circumstances.
Arguably, the pros of PGP far outweigh the cons. Moreover, I’m not really sure “con” is the correct term. I think inconvenience is better suited to describe difficulties faced when using PGP. While individuals can get by just fine with symmetric encryption, PGP is clearly a superior alternative. Businesses, on the other hand, would lose efficiency if any other encryption method were chosen, not to mention the security risks a business would face when using an inferior product. Conclusively, Pretty Good Privacy is the best cryptography product available for both individuals and businesses alike.
Calloway, D. (2012). Introduction to Cryptography and its role in Network Security Principles and Practice. Retrieved from The Chronichler’s Web Log: