Safe online transactions (Part 1) - Shared keys & Public key cryptography

4/3/2012 5:43:34 PM
Safe online transactions (Part 1)

We rely on SSL and TLS every day, but what are they and how do they work, asks Julian Bucknall

Description: SSL/TLS

Let me introduce some people who will help me talk about cryptography and SSL/TLS. First we have Alice and Bob. They live far apart and love communicating with each other, hut because they want to keep their conversations secret, they encrypt all their messages. Eve is fascinated by these two and is continually eavesdropping on them, hut that’s all she does: listen in, trying to work out what they’re talking about. Then there’s Mallory. lie not only listens and tries to work out what they’re up to, hut he’s malevolent as well. He will alter their messages, delete them and substitute his messages for Alice’s or Bob’s, trying to fool them both that his messages originate from the partner. He is known as the man in the middle.

Back in the old days, Alice and Bob would use a shared key and an agreed-upon symmetric encryption algorithm. In 1981, the Data Encryption Standard (DES) was published publicly as a symmetric algorithm (that is, you encrypt and decrypt with the same key). Despite using what we might now think is a small key (only 56 bits), it took off and started the whole field of cryptanalysis.

Alice and Bob took to DES with abandon, but they ran into a problem: they needed a 56-bit key (preferably randomly generated) that they could share, but keep secret. Once the key was agreed on, all of their communications would be opaque to Eve and Mallory There was just one problem- how could they agree on a key? Alice couldn’t send a key to Bob, because both Eve and Mallory would see it as she’d have to send it unencrypted. Even worse. Mallory could substitute another key entirely and send that to Bob. After that, Mallory could intercept messages from Alice to Bob, decrypting them with the real key, reading them, then encrypting them with the fake key and sending them on. The same thing would happen on the return journey. Alice and Bob’s messages would he nowhere near secure.


Shared keys

There was nothing for it: Alice and Bob would have to meet in person and devise a shared key, making sure that they couldn’t be overheard by Eve or Mallory. Of course, if the shared key was ever disclosed or hacked, they’d have to go through the whole rigmarole of travelling to meet up and decide Ofl a key again.

The most important thing to realise here is that the secret between Alice and Bob is the key. If the shared key was ever discovered, the totality of the communications between them would no longer be secure.

Then, two things happened: computers became fast enough to apply brute force decryption to messages encrypted with DES, and public key cryptography was invented.

With brute force decryption, you use a computer that tries every single key until one is found that decrypts the message (it assumes that the plaintext message is recognisable in some sense). When DES was first devised, PCs had only just entered the market and brute force cracking of a DES-encrypted message was infeasible. Nowadays, using a specially built computer, a DES 56-bit key can be discovered within a week on average.

Standard DES has been supplanted with variations (triple-DES) and new algorithms files (AES) with longer keys, but for Alice and Bob, the same old problem is still present: how to agree on and exchange a key securely.

Public key cryptography

Description: Public key cryptography

With public key cryptography, things are different. Public key cryptosystems use two separate keys: a public key and a private key. The cryptosystem (the most famous one is RSA, named after its inventors Rivest, Shamir and Adleman) uses special mathematical algorithms so that the encryption of a plaintext message and the decryption of that encrypted message use different keys. The keys are related mathematically, hut knowing one doesn’t really help you discover the other (the process involves the factorisation of a very large number into two very large prime numbers - an algorithm that with current mathematical knowledge would take an inordinate amount of time to calculate). Because there are different keys for encrypting and decrypting, these cryptosystems are known as asymmetric algorithms.

This is how Alice would encrypt a message to send to Bob with a public key algorithm. Both she and Bob have private/public key pairs, properly generated according to the algorithm they’re using. Alice will encrypt the plaintext message with her private key (known only to her), and then encrypt the result of that with Bob’s public key. She knows Bob’s public key, because he publishes it (similarly she publishes her own public key). She then sends this twice-encrypted message to Bob.

Bob receives the encrypted message from Alice. He then decrypts the message with his private key (this key is a secret known only to him), and then decrypts the result of that with Alice’s public key. If the result is legible, he knows a couple of things with certainty: only he could read it (neither Eve nor Mallory could, since only his private key could decrypt it), and Mallory couldn’t have slipped in a fake message since the original message could only have been encrypted with Mice’s private key. So everything is well, and he and Alice can communicate with abandon.

In fact, since public key cryptosystems are much slower at encrypting and decrypting than symmetric algorithms, in general only one message is sent using a public key cryptosystem: Here’s a randomly generated key for a symmetric algorithm, let’s both use that from now on.’ All of a sudden, Alice and Bob’s original problem with a symmetric encrypt ion algorithm is removed: Alice just sends Bob a brand new 256-bit key encrypted using RSA in the manner I just described, and then they communicate using AES with that 256-bit key. They don’t have to meet at all. Sounds great, but what’s the flaw?


The flaw is this: how do Alice and Bob exchange their public keys securely? Alice can’t send an unencrypted message to Bob containing her public key because Mallory may intercept that message and substitute his own public key. (Ditto for Bob informing Alice of his public key.) If that did happen, Mallory would be in complete control of the message channel. Let’s call the two key pairs that Mallory generates, fakeAlice and fakeBob; Alice thinks fakeBob is actually Bob, and Bob thinks fakeAlice is Alice. Suppose Alice sends a message to Bob. She encrypts it with her private key and then with fakeBob’s public key and then sends it. Mallory gets it, decrypts it with the fakeBob’s private key and with Alice’s public key and reads the message. He then encrypts a new message with fakeAlice’s private key and Bob’s public key, and sends it to Bob. Bob can decrypt it with his private key and fakeAlice’s public key.

Suddenly it seems we’re right back to square one: Alice and Bob still have to meet in order to exchange their public keys. We’re no better off than we were before.

Top 10
Review : Sigma 24mm f/1.4 DG HSM Art
Review : Canon EF11-24mm f/4L USM
Review : Creative Sound Blaster Roar 2
Review : Philips Fidelio M2L
Review : Alienware 17 - Dell's Alienware laptops
Review Smartwatch : Wellograph
Review : Xiaomi Redmi 2
Extending LINQ to Objects : Writing a Single Element Operator (part 2) - Building the RandomElement Operator
Extending LINQ to Objects : Writing a Single Element Operator (part 1) - Building Our Own Last Operator
3 Tips for Maintaining Your Cell Phone Battery (part 2) - Discharge Smart, Use Smart
- First look: Apple Watch

- 3 Tips for Maintaining Your Cell Phone Battery (part 1)

- 3 Tips for Maintaining Your Cell Phone Battery (part 2)
- How to create your first Swimlane Diagram or Cross-Functional Flowchart Diagram by using Microsoft Visio 2010 (Part 1)

- How to create your first Swimlane Diagram or Cross-Functional Flowchart Diagram by using Microsoft Visio 2010 (Part 2)

- How to create your first Swimlane Diagram or Cross-Functional Flowchart Diagram by using Microsoft Visio 2010 (Part 3)
Popular Tags
Video Tutorail Microsoft Access Microsoft Excel Microsoft OneNote Microsoft PowerPoint Microsoft Project Microsoft Visio Microsoft Word Active Directory Exchange Server Sharepoint Sql Server Windows Server 2008 Windows Server 2012 Windows 7 Windows 8 Adobe Flash Professional Dreamweaver Adobe Illustrator Adobe Photoshop CorelDRAW X5 CorelDraw 10 windows Phone 7 windows Phone 8 Iphone
Visit movie_stars's profile on Pinterest.