I thought I’d talk a little bit about cryptography. That is, the use of codes and ciphers to protect secret information.
CAESAR AND TRADITIONAL CIPHERS
In ancient Rome, Julius Caesar “encrypted” (or scrambled) military communications using a system that folks now call the “Caesar cipher”. They used this system so that in case a messenger was captured or untrustworthy, nobody could read the message except people who were supposed to. These were the people who knew exactly how to decipher or “decrypt” it.
It seems like a very simple sort of code today, but at the time, the “Caesar cipher” was a pretty clever deception. You shift a letter of the alphabet backward or forward. So if you go one letter forward, A becomes B, B becomes C, and so on, until Z becomes A. To write “Hello” in encrypted form by shifting one letter forward, you would write “Ifmmp”. If you shift two letters backward instead of one letter forward, “Hello” becomes “Fcjjm”.
George Mason University has a Caesar cipher tool if you’re interested: Caesar cipher demo (gmu.edu)
The words look like nonsense. And in a world where you couldn’t just copy/paste some text into Google to find out if it’s a simple kind of ciphertext or a foreign language or just gibberish, these sorts of traditional ciphers were rather effective.
Once you had your message encrypted, you sent it on with a messenger. If it was a long or dangerous journey, and a really important message, you could have even written up several copies of the same encrypted message and sent each one with a different courier by a different route, just to make sure the message got delivered. And because the message would be encrypted, there wouldn’t be a lot of extra risk.
If the message had been in “plaintext” (not encrypted and therefore readable by anyone), instead of “ciphertext” (encrypted text that only someone who knows the code can read), you’d have to be a lot more careful about who you chose to carry the message, and even if that person was trustworthy, there was still the risk of capture and unencrypted messages falling into the hands of an enemy.
Vigenère cipher
Another popular traditional cipher is the “Vigenère cipher”. It’s more complicated than the Caesar cipher, and for a long time was considered unbreakable. It was famously used by the Confederacy during the American Civil War, and many Confederate military messages were able to be deciphered by Union codebreakers due to the Confederates’ reliance on a small handful of the same keywords.
The way it works is you take your plaintext message, figure out a “keyword”, then repeat that keyword until it takes up at least the length of your plaintext message. Then, you add the alphanumeric values of the key letters and the letters in the message and replace the message with the result.
For example, say you want to say “Hello” using the Vigenère cipher. Then, you choose a keyword, let’s say “Key”. And let’s assume A equals 0, B equals 1, and so on. The keyword has to be repeated to at least the length of the message, so it would be “KeyKey”.
Then you add the values of the letters together. If the first letter of the message (“H”) is 7 (remember, we’re assuming A=0), and the first letter of the key (“K”) is 10, we add those together to get 17, which corresponds to the letter “R”. Keep going with this, and we get the now-encrypted message “rijvs”.
To decrypt the message, you subtract the value of the key from the ciphertext message. So if the first letter of the ciphertext is “R”, and you know that the first letter of the key is “K”, subtract 10 from 17 and we get 7, which corresponds to H, and so on.
If you want to fool around with the Vigenère cipher, Denver University has a Vigenère cipher tool: VIGENERE CYPHER (du.edu)
PROBLEMS WITH CRYPTOGRAPHY
The tricky part about encrypting messages was, how does the other person know “the code”? Throughout most of history, encrypted communications relied on having a pre-arranged “key” for decrypting those messages. In the case of the Caesar cipher, the decryption key would be the direction and number of letter shifts. Both you and the people you communicated with had to know the key to be able to send encrypted messages to one another.
Now, the Caesar cipher is simple. A modern computer can decrypt a message written in Caesar cipher in seconds. Even a person, if they studied it for a little while, could figure it out with pen and paper. Over time, ciphers got more advanced, so it started to take longer to crack the codes.
But there were some problems with cryptography. First, simplicity. Until the invention of modern computers, most ciphers were simple enough to be relatively easily solvable by “cryptanalysts” or “codebreakers”. The encryption wasn’t useless, though, because everyday people probably couldn’t decipher it, and even if it fell under the eyes of enemy codebreakers, deciphering would still take time.
Second problem, the pre-arranged keys. I probably don’t have to mention all the ways this could be a problem. If the intended recipient is too far away, you can’t arrange the keys in person, so you have to send the decryption keys, in unencrypted form (“plaintext”), with a courier. Even if the decryption keys reach their destination, how can you be certain that courier didn’t get apprehended or share that key with an enemy along the way? Then, if they were able to intercept future couriers, they could decipher any message you sent using that key!
Throughout most of military history, these were accepted limitations of cryptography. How effective your encryption was, in those days, was as much about speed of your couriers as it was the strength of your ciphers. Eventually any encrypted message could be decrypted…the trick was to have delivered the message and acted on the information before the enemy could figure out the secret code.
UNBREAKABLE CODES
There are a few forms of encryption which are considered unbreakable. The simplest of these is known as the “one-time pad” or “OTP”. As the name suggests, you only use each key once to encrypt and decrypt a single message. After you’ve used that key once, you destroy the paper it’s written on and use an entirely different key for your next message.
One-time pad ciphers are similar to the Vigenère cipher, but the key must be entirely random (instead of using “keywords” like the Vigenère), and most importantly, the key can only be used once.
So, even if an eavesdropper intercepts all of your messages, the code changes with each message, so codebreakers can’t find a discernable pattern within the garbled texts.
While one-time pads do have some limitations, they are considered secure and can even be done on pen and paper.
Twentieth Century
The world of cryptography started to change in the 20th century. Mechanical cryptographic devices were invented, such as the famous “Enigma” machine used by Nazi Germany to encrypt messages during WWII. This sort of technology raised the bar for cryptography, as these mechanical ciphers were usually too complex to crack by hand. Cracking these machine-made codes required inventing new codebreaking machines. But eventually, even ciphers like Enigma were broken. In the particular case of the Enigma cipher, it was broken thanks to the British codebreakers at Bletchley Park, including the famous Alan Turing, who also made many contributions to the field of computer science.
The real turning point for cryptography came during the information age. Computers have made the old ciphers much easier to break and have made much more difficult ciphers not only possible, but necessary. New forms of encryption have been invented with the help of modern computers, and many of these new encryption algorithms are unbreakable. Today, there’s a type of encryption known as “AES” or “Advanced Encryption Standard”. It uses computing power and some fairly advanced math to encrypt data. Decrypting this data without knowing the decryption key is impossible because figuring out the key mathematically requires calculations that are too difficult for humans or computers.
When you lock or encrypt a file with AES, you’ll create a password that you can use to unlock or decrypt that file later on. You’ll still have to use a strong, unique password when encrypting a file with AES, or hackers will easily be able to crack that password. But actually breaking the encryption algorithm using mathematics (meaning you could figure out any message encrypted using that algorithm, regardless of what password or decryption key was used), as has happened with many other lesser cryptographic systems, is not currently possible with AES.
An Old Problem
But, with AES, there is still one old problem. The only way someone can decrypt a secret message you send them is if you either pre-arranged what the password will be (not practical), or if you sent the password to them over the internet in unencrypted form (not safe). AES is great for keeping your own data safe on your own computer (for example, storing the passwords for your online accounts in an encrypted file on your hard drive which requires a master password to unlock), but if it’s something you need to safely send to someone else, AES isn’t the best option.
PUBLIC KEY CRYPTOGRAPHY
The only safe way to share an AES decryption key or password is if you give it to them in person. You can’t trust that AES credentials that have been shared over email, or anywhere over the internet, has not been intercepted by a third party. See, whenever you go to Facebook, or Google, or my website, there’s a conversation going on between your computer and the computer or computers where that app or website “lives”, mostly in large “server” computers in big buildings called “data centers”. But your computer doesn’t just connect directly through the air to whatever website you’re trying to visit.
It travels from your computer, through your router and modem, to your internet service provider (or ISP, which might be a company like AT&T, Spectrum, or Google Fiber), to the ISP of the server you’re trying to reach, then to the data center and their routers, then finally to the server and the website or app itself. And there may be additional “hops” or connection points in between your internet service provider and your destination’s internet service provider, such as intermediary ISPs, as well as “IXPs” or internet exchange points, which calculate the distances between communication points and send internet traffic through the most efficient routes.
To put it simply, when you visit Facebook, Google, my website, or any other place on the internet, you don’t always know who can see where you are going or what you are doing. Your online activity and communications pass through many different computers before they reach their intended recipients. Any of those links in the chain (each link being a computer, mostly routers and servers) could compromise your communications. Any of those systems could be owned by unscrupulous individuals, or broken into by hackers, or infected with viruses, any of which might scoop up your data as it passes through, in a form of electronic eavesdropping.
This is where things get really interesting. Computers gave us AES and unbreakable encryption, but it’s still not all that convenient. AES is good for protecting stored data, or “data at rest”. AES alone is not good for protecting communications, or “data in transit”.
A good solution to the problem of encrypting data in transit was discovered, with the creation of what is known as “public key cryptography”. This technology was originally invented by Martin Hellman, Ralph Merkle, and Whitfield Diffie, in a form known as the “Diffie-Hellman Key Exchange”. Public key cryptography is a little tricky to understand at first.
Here’s an example of how it works:
Say Alice wants to send Bob a message that nobody but Bob can read. So Alice uses an encryption program to generate a “key pair”, that is two files, one of which is a “public key” and the other is a “private key”. Alice’s computer creates these two “key” files using complex mathematical operations. The private key is meant for Alice’s eyes only and shouldn’t be shared with anyone else. The public key, on the other hand, can be freely shared…hence the name, “PUBLIC key”. See, the public key and private key together can unlock Alice’s encrypted files, but the public key alone cannot. Bob also generates his own “key pair”. So, what do the public keys do?
Well, Alice and Bob can send each other their PUBLIC keys. Again, the public keys do not have to be kept secret, so they can be safely sent over something like email. Alice can then use Bob’s public key, along with her own private and public keys, to “lock” or encrypt a file or message. At this point, the only thing that can “unlock” this file is Bob’s private key combined with Alice’s public key. Alice sends the now-encrypted message to Bob, who then “unlocks” or decrypts the message using his own key pair and Alice’s public key. Bob then writes a reply to Alice’s encrypted message, locking it with his own public and private keys and Alice’s public key. Only Alice’s private key, combined with Bob’s public key, can unlock this second message.
Key Pair
See, when you generate a “key pair”, your public and private keys are tied together. Anyone who has your public key can send you an encrypted message meant only for you, and you can only unlock or decrypt it if you have the sender’s public key AND your own key pair…the message is locked by the sender using their key pair and your public key and can only be unlocked using your key pair and their public key.
Public key cryptography is a form of “asymmetric encryption”, whereas private key cryptography (including AES), where only a single cryptographic key is used, is known as “symmetric encryption”. AES is the current standard form of symmetric encryption, while something called “RSA” (named after the initials of the people who invented it: Ronald Rivest, Adi Shamir, and Leonard Adleman) is a common form of asymmetric encryption today.
The public key cryptographic technology which secures your everyday internet activity is called “TLS” or Transport Layer Security, which is an upgraded version of something called “SSL” or Secure Socket Layer. TLS/SSL also utilizes “digital certificates”, issued by “CA”s or Certificate Authorities, which verify that sites you visit have the valid cryptographic keys.
CRYPTOGRAPHY TODAY
We use private key cryptographic protocols (such as AES) to encrypt “data at rest” on our own systems. One good example of this are password managers, where you can store the passwords for all your accounts in a single file and encrypt that file with a master password that only you know. Another example is device encryption, where all the data on your hard drive is encrypted and can only be decrypted with a password that only you should know. Encrypting your device means that even if a thief steals your phone or laptop, they shouldn’t be able to access your private data.
Note that a device encryption password is separate from your regular computer user password. If you set up device encryption on a desktop or laptop computer, you may have to enter the decryption password first to make the device accessible, then enter your user password to get to your normal data and programs. The user password offers some basic protection but does not encrypt your data and someone with a bit of technical skill can bypass it.
While smartphones often come with built-in device encryption, which you can usually set to unlock using a password, a PIN number, or biometrics like facial recognition or fingerprints, desktop and laptop computers often do not come with built-in device encryption software.
To protect “data in transit”, various forms of public key cryptography are used in most electronic communications these days. In most cases, the process happens in the background and automatically. For example, you’ve probably seen the “padlock” symbol (or a URL/web address that begins with https:// instead of http://) on websites. The padlock is often seen as a sign that the site you are visiting is “secure”.
But what the padlock really means is that when you visit that website, your connection to that website is encrypted and only you and the people running that website can see what you are doing. So if someone is snooping on your network, or on some data center that your internet traffic is routing through, they will only see encrypted or scrambled data that they won’t be able to decipher. That’s why it’s important to only enter information on sites that have the padlock (or that begin with https://).
It’s also important to remember that the padlock is not the only thing to worry about when visiting a website. A website with a padlock or beginning with https:// actually only means a secure or encrypted channel of communication to that site. Just because a website has the padlock doesn’t mean the website itself is actually secure or trustworthy, it only means that a third party can’t eavesdrop. Some cyber criminals even take the trouble of adding the padlock to their own malicious websites to make them look more legitimate, so make sure you’re taking common precautions on the web besides just looking for the padlock.
Most websites and apps implement a form of public key cryptography to protect your data, through processes which occur in the background, and the user doesn’t have to worry about manually establishing a secure connection to that app or site.
But, to communicate directly with another individual using public key cryptography, you can either manually share keys and send each other encrypted messages via email or some other medium, or you can use encrypted messaging apps like Signal (which can be installed on smartphones and used to send encrypted text messages) or Proton Mail (which can be used to send encrypted emails).
Encrypted messaging apps are easier than manually encrypting messages, but both parties must be using the same app for the encryption to work…if you send a Signal message to someone who doesn’t have Signal installed on their phone, it will show up as an unencrypted text message on their phone, and similarly if you send an email from your Proton Mail account to a Gmail account or any email address that isn’t a Proton Mail address, the email will not be encrypted. Also, there are lots of other encrypted messenger apps out there, and not all of them are trustworthy…some are insecure and don’t provide the protection they claim, many will sell your data, and some might even be downright malicious and try to steal your identity or install viruses on your device.
QUANTUM COMPUTING AND THE FUTURE OF CRYPTOGRAPHY
The internet is still a dangerous place. But modern cryptography helps make us all safer. It seems like we’ve solved a lot of the problems that traditionally plagued cryptography, since we have a reliable way to share cryptographic keys (using public key cryptography), and since we have strong enough encryption algorithms that can’t be broken by man or machine.
Not so fast! You see, a lot of companies and governments today are researching quantum computing. Quantum computers operate under different rules than regular computers. When they get a bit more advanced, most security experts think that quantum computers will be able to break the current standard encryption algorithms. Some larger military, intelligence, and law enforcement agencies may be siphoning our encrypted data in bulk. Even though that data can’t be decrypted yet and is largely useless to these organizations right now, it is likely that at least some of them are collecting this data in anticipation of being able to decrypt it later, once quantum cryptography really takes off.
Now, they probably aren’t hoarding encrypted data from regular folks, since that would be a lot of data and storing that data costs money. But it is something to think about. A lot of security researchers are thinking about it, and the US National Institute for Standards and Technology (or NIST) is working to create guidelines for “post-quantum cryptography”. This is to help businesses, government agencies, and researchers create and implement cryptographic software that will be “quantum safe”. But remember, we’re in the early stages of quantum computing. Nobody yet is sure how good quantum computers will be at making or breaking codes.
FINAL NOTES
Keep in mind, I’ve simplified things quite a bit here. The mechanics behind modern cryptography are rather complicated. If you’ve gotten this far, you should have a good grasp on the basics.
There’s also a lot more to traditional ciphers than I delved into here. While traditional ciphers are no longer considered secure, it might be interesting to look into if you like military history, or even if you enjoy things like puzzles and word games.
Finally, as I’ve mentioned, there’s more to staying safe online than just looking for the padlock symbol. Cryptography helps protect our data, but it’s only one aspect of security. While modern cryptographic protocols cannot be broken mathematically, they can still be circumvented. Your devices can still be infected with viruses and malware. A phishing email or a fake social media account could still send you to a fake website. They can try to get you to enter sensitive information, and encryption won’t protect you from these threats.
I hope you enjoyed this article, and if so, consider taking a look at my articles on the ARPANETand the SAGE system.
If you haven’t already, like and follow my Facebook page to get alerted when I post new content. And be sure to subscribe to my
If you want to learn more about cryptography, here are some useful links: