How does encryption work? Examples and video walkthrough
Cryptography — the practice of taking a message or data and camouflaging its appearance in order to share it securely
What is cryptography used for?
It’s the stuff of spy stories, secret decoder rings and everyday business — taking data, converting it to another form for security, sharing it, and then converting it back so it’s usable. Infosec Skills author Mike Meyers provides an easy-to-understand walkthrough of cryptography.
Watch the complete walkthrough: Cryptography basics: How does encryption work? | Free Cyber Work Applied series (https://www.youtube.com/watch?v=3qrNL4e75S4)
Cryptography types and examples
Cryptography is the science of taking data and making it hidden in some way so that other people can't see it and then bringing the data back. It’s not confined to espionage but is really a part of everyday life in digital filesharing, business transactions, texts and phone calls.
What is cryptography?
Simply put, cryptography is taking some kind of information and providing confidentiality to it (encrypting) so it can be shared with intended partners, and then returning it to its original form (decrypting) so that the intended audience can use that information. Cryptography is the process of making this happen.
What are obfuscation, diffusion and confusion?
(00:40) Obfuscation is taking something that looks like it makes sense and hiding it so that it does not make sense to the casual outside observer.
(00:56) One of the things we can do to obfuscate a message or image is diffusion, where we take an image and make it fuzzier, so the details are lost or blurred. Diffusion only allows us to make it less visible, less obvious.
(01:26) We can also use confusion, where we take that image, stir it up and make a mess out of it like a Picasso painting so that it would be difficult for somebody to simply observe the image and understand what it represents.
How a Caesar cipher works
(02:10) Cryptography has been around for a long, long time. In fact, probably one of the oldest types of cryptography that has ever been around is something called the Caesar cipher. If you’ve ever had or seen a “secret decoder ring” when you were young, you know how a Caesar cipher works.
Encrypting using a Caesar cipher
(02:40) I've made my own decoder ring right here. It’s basically a wheel with all the letters of the alphabet, A through Z, on the inside, and all of the letters of the alphabet, A through Z, on the outside, and to start, you line them up from A to A, B to B, C to C.
(02:59) To make a secret code, you can rotate the inside wheel to change the letters from our original, plain text on the outside wheel. We call this substitution. We’re taking one value and substituting it for another. (03:20) Rotating the wheel two times is called ROT two; turning it three times would be ROT three. (03:37) So we can take, like the word ACE, A-C-E, and I can change ACE to CEG. Get the idea? So that's the cornerstone of the Caesar cipher.
(04:00) As an example, our piece of plain text that we want to encrypt is, “We attack at dawn.” The first thing we're going to do is get rid of all the spaces, so now it just says “weattackatdawn.” We’ll rotate our wheel five times — it’s ROT five. And now the encrypted “weattackatdawn” is “bjfyyfhpfyifbs.” (04:44) So we now have generated a classic Caesar cipher.
(04:49) Now there's a problem with Caesar ciphers. Even though it is a substitution cipher, it's too easy to predict what the text is because we're used to looking at words.
How a Vigenere cipher works
(05:32) To make things more challenging, we can use a Vigenere cipher, which is really just a Caesar cipher with a little bit of extra confusion involved. For illustrative purposes, the Vigenere cipher is a table that shows all the possible Caesar ciphers there are. At the top, on Line 0 is the alphabet — from A to Z. On the far left-hand side, it says zero through 25. So these are all the possible ROT values you can have, from ROT zero, which means A equals A, B equals B, all the way down to ROT 25.
Encrypting using a Vigenere cipher and key
(06:17) Let's start with a piece of plain text. Let's use “we attack at dawn” one more time. This time, we're going to apply a key. The key is simply a word that's going to help us do this encryption. In this particular case, I'm going to use the word face, F-A-C-E.
(06:34) I'm going to put F-A-C-E above the first four letters of “we attack at dawn,” and then I'm going to just keep repeating that. And what we've done is we have applied a key to our plain text.
(06:58) Now we're going to use the key to change the Caesar cipher ROT value for every single letter. So the first letter of the plain text is the W in “we” up at the top, and the key value is F, so let's go down on the Y-axis until we get to an F. Now you see that F, you'll see the number five right next to it. So this is ROT five.
(07:31) So all I need to do is find the intersection of these, and we get the letter B.
(07:39) The second letter in our plain text is the letter E from “we,” and in this particular case, the key value is A, which is kind of interesting, because that's ROT zero, but that still works. So we start up at the top, find the letter E, then we find the A, and in this case, because it's ROT zero, E is going to stay as E.
(08:00) Now, this time, it's the A in attack. So we go up to the top. There's the letter A, and the key value is C, as in Charlie. So we go down to the C that's ROT two, and we then see that the letter A is now going to be C.
(08:19) Now, do the first T in attack. We come over to the Ts, and now the key value is E, as in FACE. So we go down here, that's ROT four, we do the intersection, and now we've got an X. So the first four letters of our encrypted code are B, E, C, X.
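The Caesar and Vigenere walkthroughs above, as an added Python example that is not part of the original video or article. It treats the Caesar cipher as a Vigenere cipher with a one-letter key, reproduces the ROT five and F-A-C-E results, and lists every Caesar candidate to show how small the key space is; the function names are illustrative.

```python
import string

ALPHABET = string.ascii_lowercase  # row 0 of the Vigenere table: a..z

def normalize(text):
    """Lower-case the text and drop spaces and punctuation, as the walkthrough does."""
    return "".join(c for c in text.lower() if c in ALPHABET)

def vigenere(text, key, decrypt=False):
    """Shift each letter by the ROT value of the key letter placed above it.
    The key repeats for as long as the message needs it."""
    key = normalize(key)
    sign = -1 if decrypt else 1
    out = []
    for i, ch in enumerate(normalize(text)):
        rot = ALPHABET.index(key[i % len(key)])  # f -> 5, a -> 0, c -> 2, e -> 4
        out.append(ALPHABET[(ALPHABET.index(ch) + sign * rot) % 26])
    return "".join(out)

def caesar(text, rot, decrypt=False):
    """A Caesar cipher is the Vigenere cipher with a single-letter key."""
    return vigenere(text, ALPHABET[rot % 26], decrypt)

def caesar_candidates(ciphertext):
    """Every possible Caesar decryption. With only 26 rotations, a reader
    can scan the list and spot the one that forms real words."""
    return {rot: caesar(ciphertext, rot, decrypt=True) for rot in range(26)}

if __name__ == "__main__":
    print(caesar("ACE", 2))                       # ROT two
    secret = caesar("We attack at dawn", 5)       # ROT five
    print(secret)
    print(vigenere("We attack at dawn", "face"))  # starts with b, e, c, x
    for rot, guess in caesar_candidates(secret).items():
        print(f"ROT {rot:2d}: {guess}")
```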
Understanding algorithms and keys
(08:52) The beauty of the Vigenere is that it actually gives us all the pieces we need to create a classic piece of cryptography. We have an algorithm. The algorithm is the different types of Caesar ciphers and the rotations. And second, we have a key that allows us to make any type of changes we want within ROT zero to ROT 25 to be able to encrypt our values.
Any algorithm out there will use a key in today's world. So when we're talking about cryptography today, we're always going to be talking about algorithms and keys.
(09:31) The problem with the Vigenere is that it's surprisingly crackable. It works great for letters of the alphabet, but it's terrible for encrypting pictures or SQL databases or your credit card information.
(09:53) In the computer world, everything is binary. Everything is ones and zeros. We need to come up with algorithms that encrypt and decrypt long strings of just ones and zeros.
(10:11) While long strings of ones and zeros may look like nothing to a human being, computers recognize them. They could be a Microsoft Word document, or it could be a voice over IP conversation, or it could be a database stored on a hard drive.
How to encrypt binary data
(10:37) We need to come up with algorithms which, unlike Caesars or Vigeneres, will work with binary data.
(10:45) There are a lot of different ways to do this. We can do this using a very interesting type of binary calculation called “exclusive OR.”
(11:08) For our first encryption, I'm going to encrypt my name, and we have to convert this to the binary equivalents of the text values that a computer would use. Anybody who's ever looked at ASCII code or Unicode should be aware that we can convert these into binary.
Exclusive OR (XOR) encryption example
(11:38) So here's M-I-K-E converted into binary. Now notice that each character takes eight binary digits. So we got 32 bits of data that we need to encrypt. So that's our clear text. Now, in order to do this, we're going to need two things.
(11:58) First, we need an algorithm and then we're going to need a key.
(12:09) Now our algorithm is extremely simple, using what we call an exclusive OR and what we call a truth table. This Mike algorithm chooses a five-bit key for this illustration. In the real world, keys can be thousands of bytes long.
(12:41) So, to make this work, let's start placing the key. I'm going to put the key over the first five bits, here at the letter M for Mike, and now we can look at this table, and we can start doing the conversion. So let's convert those first two values, then the next, then the next, then the next.
(12:58) Now, we've converted a whole key’s worth, but in order to keep going, all we have to do is schlep that key right back up there and extend the key all the way out and just keep repeating it to the end. It doesn’t quite line up, so we add whatever amount of key is needed to fill up the rest of this line.
(13:28) Using the Exclusive OR algorithm, we then create our cipher text.
(13:44) Notice that we have an algorithm that is extremely simplistic. We have a key, which is very, very simple and short, but we now have an absolutely perfect example of binary encryption.
(13:58) To decrypt this, we'd simply reverse the process. We would take the cipher text, place the key up to it, and then basically run the algorithm backward. And then we would have the decrypted data.
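The XOR walkthrough above, as an added Python example that is not part of the original video or article. The article does not state the five-bit key, so `10110` is a constructed value, and the function names are illustrative; the last function shows why a short repeating key like this is for illustration only.

```python
# Constructed 5-bit key for illustration; the video's actual key is not given in the text.
KEY = "10110"

def to_bits(text):
    """ASCII text -> string of bits, eight per character."""
    return "".join(f"{byte:08b}" for byte in text.encode("ascii"))

def from_bits(bits):
    """Inverse of to_bits()."""
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8)).decode("ascii")

def xor_bits(bits, key):
    """XOR each data bit with the key bit placed above it. The key repeats to
    the end, so a 5-bit key does not line up with 8-bit character boundaries."""
    return "".join(str(int(b) ^ int(key[i % len(key)])) for i, b in enumerate(bits))

def encrypt(text, key=KEY):
    return xor_bits(to_bits(text), key)

def decrypt(cipher_bits, key=KEY):
    # XOR is its own inverse: applying the same key again restores the clear text.
    return from_bits(xor_bits(cipher_bits, key))

def recover_key(known_text, cipher_bits):
    """Caveat: clear text XOR cipher text is the repeated key, so anyone who
    holds one matching pair can read off the shortest repeating unit."""
    stream = xor_bits(to_bits(known_text), cipher_bits)
    for n in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % n] for i in range(len(stream))):
            return stream[:n]

if __name__ == "__main__":
    clear = to_bits("MIKE")
    cipher = encrypt("MIKE")
    print("clear :", clear)
    print("key   :", (KEY * 7)[:len(clear)])
    print("cipher:", cipher)
    print("back  :", decrypt(cipher))
    print("key recovered from the pair:", recover_key("MIKE", cipher))
```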
What is Kerckhoffs's principle?
Having the algorithm and a key makes cryptography successful. But which is more important, the algorithm or the key?
(14:30) In the 19th century, Dutch-born cryptographer Auguste Kerckhoffs said a system should be secure, even if everything about the system, except the key, is public knowledge. This is really important. Today's super-encryption tools that we use to protect you on the internet are all open standards. Everybody knows how the algorithms work.
(14:51) Now, you would think, if I know how the lock works in essence, wouldn't I be able to pick it easier? And the answer is no. In our society, by showing everybody the lock, everybody can check the lock to make sure it isn't pickable.
(15:18) Kerckhoffs’s principle is something we stand by today, and it simply says, everybody knows the algorithm, but if you don't know the key, it's not going to do you any good.
Sources:
- Kerckhoffs’ Principle, Encyclopedia of Cryptography and Security