Encryption is the process of converting data from one form (what would be considered to be readable either through plaintext or through some specific viewer like MS Word) into ciphertext. The actual process that takes place during this conversion widely varies, but the end result is the same: after conversion to ciphertext, the data is in a form that is not easily readable to prying eyes.

The process of encrypting and decrypting messages has been present since the beginning of primitive communications. Encryption has found many uses over the years, everything from decoder rings in cereal boxes to elaborate methods for governments and corporations to protect their secrets and intellectual property from prying eyes. However you look at it, in its lowest conceptual level, encryption helps provide a method to add a degree of security to communications.

There is no one single way to encrypt a file. Hundreds of ciphers exist today and many more are being developed every year. Some can be done with nothing more than a pencil and a piece of paper, while others require the number-crunching power of a computer to be effective and practical. Below are some basic examples to illustrate how encryption works.

###

The Alphabetic Shift

I fondly remember passing notes about in class as a child, and I also not-so-fondly remember getting caught by the teacher and having those notes read in front of the whole class. Not to be outdone by a mere elementary school math teacher, my compatriots and I devised what we considered to be a rather clever scheme for making our notes unreadable to any but ourselves. Here's the scheme that we developed:

First, we wrote down the entire alphabet on a sheet of paper. Below the first line of the alphabet we wrote the entire alphabet again, but this time starting with the letter B and ending with the letter A. The table looked something like this:

abcdefghijklmnopqrstuvwxyzbcdefghijklmnopqrstuvwxyza

Now, being the clever fellows that we were, we simply mapped the top row's letters onto the bottom. For example, the message "Loose Lips Sink Ships" would be "Mpptf Mjqt Tjol Tijqt" after translation. Unfortunately for us, our math teacher knew a thing or two about encryption, and he wrote himself a program on the sole computer (an Apple II) in school that simply tried reshifting the letters until the message was once again viewable. Imagine our surprise when one of our later notes was confiscated and he read the message aloud for the class. After the lesson we were pulled aside and complimented on our ingenuity, and then sent to detention.

###

Shifts with a Twist

*"Get your very own super-spy decoder ring! Free inside this box of" *

Remember statements like this on the sides of cereal boxes and in the back of comics? What could possibly be better to foil your teachers with than an honest-to-gosh spy encryption wheel (and you got sugary cereal too!)? Well, it turns out, quite a bit. Most of the decoder rings that were commonly available in cereal boxes were nothing more than alphabetic shifts with a twist. NOVA Online has an example of a decoder ring (printable for the kids) that should give you a good idea of what one of these things looked like.

Realizing that carrying around a 26x26 character table to do encryption/decryption was a little clunky, the alphabet was written on the outside of two circles (one larger than the other). When the circles were rotated, you could easily get the mappings between the two without all of the hassle associated with a translation table.

It was not long until someone started using this property to create increasingly complex ciphers. One alphabetic shift was difficult to decode, but what would happen if you shifted the ciphertext again? Using the example from the alphabetic shift, what would happen if we re-shifted the text again, using the letter C as a starting point? Well, obviously, the result was the same as if we had just encrypted using a two-place shift in the first place. Don't believe me? Try it for yourself.

But what if we used alternating shifts? For example, if we were to translate the first letter with a one-character shift, the second with a 10-character shift, and the third with a 21-character shift, and then repeated the pattern until the message was encrypted? Obviously the problem becomes harder as the possible combinations grow rapidly. Still, with the help of a computer, even this type of encryption is broken relatively easily.

###

Brute-force Attacks

As computing power has increased, so has the need for mathematically complex algorithms that provide a sufficient complexity of encryption so inaccessible to even the most powerful systems on earth. These algorithms must be sufficiently hardened so as to prevent both the brute-force and formulaic attack methods.

As RSA defines it, "Exhaustive key-search, or brute-force search, is the basic technique of trying every possible key in turn until the correct key is identified."

A brute-force attack is when someone attempts to generate every single possible encryption key until the data turns into an intelligible message. Up until recently, this form of attack was actually a viable option to those persons or corporations that had enough processing power at their disposal. The United States government once believed (in 1977) that a 56-bit Data Encryption Standard (DES) was sufficient to deter all brute-force attacks, a claim that was put to the test by several groups across the world.

Several challenges were posed by RSA labs between March 13, 1997 and July 13, 1998 to try and crack the DES. In the first two instances, the key-finding programs were distributed brute-force programs that ran on hundreds to thousands of computers whose spare CPU cycles were donated to the cause. Distributed.net won the DES-II Challenge in 39 days (meaning that within 39 days of receiving the encrypted message, they were able to read it). Even more impressively, the Electronic Frontier Foundation developed a single DES cracker that managed to perform the same feat as distributed.net in only 3 days. (This cracking machine cost in the hundreds of thousands of dollars to develop and produce - well within the range of even a fairly small technology company.)

Well, what the heck does 56-bit encryption mean, anyway? In practical terms, it means that you have a one-in-72 quadrillion chance of finding the correct key. To put this almost unfathomable number into perspective, RSA labs claims that if "72 quadrillion people could stand 4 per meter, and could stand on every square meter of the earth's surface (including the ocean floors), they would need 350,000 earths."

Since data is stored in computers using the binary system, a bit can be either one or zero - two possibilities. However, let's say you have 2 binary digits. You can now have 00, 01, 10, or 11. Four possibilities. 3 digits? Eight possibilities. Thus a 56-bit key means that there are 2^56 possibilities. By adding just one more bit, you *double* the key space that needs to be searched. So why don't we just add another 72 bits to the DES key and call it a day?

###

Formulaic Attacks

Formulaic/algorithmic attacks are in some ways much more difficult to perform because they generally require an extremely high degree of knowledge in mathematics. Rather than going after the entire keyspace, the codebreaker will try and find flaws in the algorithm that causes it to be reduced to a problem of decreased complexity. For example, if you can reduce a 64-bit problem to two or three 50-bit problems you're way ahead of the game (remember the growth curve here, folks: 3 x 2^50 = ~3.37e15, 2^64= ~1.84e19).

I was once told by an algebra professor of mine that you either have to be clinically insane or not of this planet to be able to comprehend what the hell "those cryptography guys" did. For those of you who feel up to the challenge, take a look at Simon Singh's "The Code Book" (Doubleday) for more information on cryptanalysis.

The old adage, "What doesn't kill you makes you stronger," holds true for encryption standards. Most modern encryption schemes are totally open for peer review, and as such, most new algorithms are open to whoever is interested in seeing them. This allows all of the closet cipher-crackers as well as the seasoned vets holed up at the NSA to try and find a flaw or vulnerability with an algorithm. Once a flaw has been found, the encryption scheme is either modified to compensate for it, or is discarded.

However, one should not assume, just because an algorithm has been carefully checked through peer review, that any implementation that you receive will be properly secure. Decisions made by implementers can have detrimental effects on the success of an algorithm. For example, if a coder was to implement their code using the rand() function rather than the random() function, the degree of randomness generated would be quite limited and the keyspace used by the program would be greatly reduced, opening it up to brute-force attacks.

### Links and Further Readings

CryptoArchive - A comprehensive (and huge) depository of cryptography software.

"A Cryptographic Compendium" - A good crypto primer by John Savard

"Elementary Cryptanalysis: A Mathematical Approach," by Abraham Sinkov

Counterpane Internet Security - Publishers of the *Crypto-Gram*, a monthly newsletter on computer security.

Cryptography Research - SecurityPortal's own Research Center.

*SecurityPortal is the world's foremost on-line resource and services provider for companies and individuals concerned about protecting their information systems and networks.*

http://www.SecurityPortal.com

The Focal Point for Security on the Net (tm)

http://www.SecurityPortal.com

The Focal Point for Security on the Net (tm)