Basic Modern Cryptography
When people talk about cryptography, it’s easy to assume the discussion is over your head, but the basic dynamics at play are actually pretty simple!
In this article, I’m going to describe a method that is used everywhere, and is really cool, that you don’t need any math to really understand the implications of.
Public key cryptography is pure mathemagic.
There is a type of magic, I mean math, where you generate two different numbers together.
They seem very random, but these numbers are actually connected in a remarkable way.
When used to encode information in a particular way, whatever is encoded with one number is decoded with the other number.
Since they lock and unlock things, we call these numbers keys.
text => (first key) => fa8e8432fabc => (second key) => text
text <= (first key) <= a82b820fba2 <= (second key) <= text
This creates a situation where if you and a friend each have one of the keys, you have a bit of a cryptographic can and string. (Younglings catch up here).
Also, if you only have one key, you can’t decrypt what you encrypt with it.
text => (first key) => fa8e8432fabc => (first key) => 28aa01843f7813
The most common way to use this key pair is to make one key public, and keep the other one private. Now anyone in public can encrypt messages to you with your public key, and if someone gives you their public key, you can encrypt messages to them!
All while trading information in the open! No one could understand what you were saying if you yelled it through the open air!
This is known as public key cryptography.
Aside from sending secrets, you can also encode messages using your private key. Anyone with your public key (anyone) can decode that message, but since the message can only be read by decoding with your public key, it is mathematically proven that you wrote the message.
Encoding a message with your private key is known as signing it. By verifying that something decodes with someone’s public key, you verify that they signed it, and you know you can trust that it is from them.
If you want to get a little fancier, you can sign a message with your private key, and then encrypt it to me with my public key, too! That way you know that only I can read it, and when I read it, I can know that only you could have sent it.
Pretty cool, huh?
This stuff is all over the place. When you visit a website that has the little lock next to the address bar, that means the website was sent to you encrypted, and signed with that website’s private key.
It gets a little bit more complicated when you start to ask questions like
How do I know this public key really belongs to this website?
And the answer is that their public key (sometimes called a certificate) was itself signed by the private key of a Certificate Authority (CA) that your web browser trusted by default (by being installed with their public key).
You may have heard of Bitcoin, the all-digital currency. Well, your account in Bitcoin is just a key-pair where you own the private key. The way the Bitcoin protocol knows you meant to send some money, is that you sign the transaction, and then everyone knows you meant it.
You may have also heard of people jailbreaking their iPhones or Xboxes to run unsigned code. That’s because by default, many consumer electronics are designed to only run code signed by their manufacturer, to reduce piracy and even a hacker’s ability to run a virus on the machine.
In the recent case where the FBI got a court order for Apple to hack an iPhone, the specific order demands that Apple write software that tries different passcodes as quickly as possible, and then sign that code, so the iPhone will trust it.
That’s it! Those are the basics of public key cryptography! Combine it with a hashing algorithm and you have yourself a blockchain! But that’s a tale for another time.
For now, just know that all the secrets you trade on electronics rely on these same basic principles. If you don’t have a green lock, then anyone on your network can read your traffic.
You can also now look out for certificate warnings on websites! This is when your browser is warning you that the public key you received was not signed by a certificate authority, so it can’t promise you that it is who they say it is!
There’s a lot of security talk going around these days, and a lot of it comes down to key management. Who is keeping the security keys? What certificate authorities do you trust? Do they ever make mistakes?
Have you ever managed a private key? If not, you’ve trusted your secrets to someone else! If you’re ever serious about protecting your identity online, you might want to learn how to manage private keys, and there are a lot of projects right now working to make that easier for you.
But would you trust everyone to manage their own keys? What if they lost them? What if they were stolen? What if a federal court ordered you to sign something with your private key, that would put all of your customers at risk?