2.4 Cryptology

Cryptology is concerned with linguistic and mathematical techniques for securing information. The messages are coded to become unreadable to everyone but the intended recipient. Its long and colourful history goes back to around 5th century BC when the Spartans created the earliest known method of encryption using two identical wooden staffs and a piece of parchment. The parchment would be wrapped around the stick and the message written lengthwise. Unwrapped, the letters did not appear in any comprehensible order. The parchment was sent to the recipient, who had an identical staff to read the message on. Other methods to secure information from outsiders include lin- guistic cryptology (e.g. hieroglyphics) and steganography, which is the process of hiding the existence of the message itself.

The message written on the parchment along the length of the stick (scytale). The scytale uses what is now known as a transpositional cipher, whereby you
rearrange the order of letters in a message.²⁸

The security, provided by cryptography alone, should not be overestimated. Its fallibility is usually a result of human error or a bug in the overall security procedure. The use of cryptography has also been restricted by legislation in some countries. Mathematicians, scientists and civil rights activists in the US waged a 20 year battle to prevent the government prohibiting public access and use of cryptology, in what is now known as the Crypto Wars.

Disk encryption

You can use encryption to protect your entire hard drive. You will in essence encrypt every bit of information on it, so that only you, having entered a password, can access this data. Whenever data is extracted from your computer (for example, an email attachment) it is automatically decrypted. If your computer isstolen, the information on it will remain inaccessible to others²⁹.

You can also create an encrypted virtual drive on your computer. This option may suit those who do not wish to encrypt their entire computer, but allocate a space where to store information securely. If your computer has 5GB of free space, you can create an encrypted container and allocate 1GB of space to it. It will appear as a new drive on your computer (in fact this drive is not new and hence referred to as virtual). n will be encrypted, and you can store your documents on it. partitioThis

You can set your email program (e.g. Thunderbird) to store all files on the encrypted partition. Only you, or the bearer of your password, will be able to access the email on this partition.

You can also encrypt anentire USB memory card or other removable devices. This is useful when travelling with all of your documents on the memory card. Software like True Crypt, can also be run directly from your USB card, so that you will not need the program installed on every computer you wish to access your encrypted documents on.

Public Key Encryption

When using PKE, your key will be made up of two parts: a public and a private key. Together they will make up your key pair. The keys are intertwined and what you encrypt with one, you can decrypt with the other. This is an integral part of PKE and a basis for its security and fallibility.

You share your public key with anyone you want to communicate with. You can also upload your public key to a key server on the Internet. The private key is kept secret on your computer or floppy disk and additionally protected with a password that only you should know. Do not share your private key with anyone. If you think that your password has become compromised (stolen) then you will need to revoke your key pair and recreate them from scratch.

Encrypting and decrypting a message³⁰

Example: You have a message that you wish to send to me encrypted. First, I must give you a copy of my public key. You use this public key to encrypt the message and send it back by email or other means. Only I will be able to decrypt this message since only I have the missing link – my private key.

Key Security

• the size of your key pair (usually 2048 bits long)
• the ability to validate the recipient’s public key
• protecting your password that unlocks the private key

The PKE infrastructure relies on the valid identity of the public and private key. When you are encrypting a message to me using my public key, you want to be sure that this key belongs to me. Let's have a look at the properties of a key pair.

• User ID: usually the email address of the key holder. Make sure it is spelt correctly.
• Key ID: a unique ID automatically generated by the encryption program.
• Fingerprint: (sometimes called MD5 and SHA1. See ‘Encryption on the Internet’ chapter for more detail) this is a unique identifier that is generated from the public key.
• Date Created: the day on which the keypair was created.
• Date Expired: the day on which the keypair expires.

Fingerprint as seen in the GPGshell program

Try and verify the above details before using someone's public key to communicate with them. Since public key encryption does not require you to share a password with the message recipient, it is important that you can validate the true identity of the public key. Public keys are easy to create but the identifying features can also be falsified. That is why you should authenticate the person's public key before you use it (see 'Digital signa- tures' below). Once you have established that the public key belongs to them, you can 'sign' it. This will tell the program that you trust the key's vali- dity and wish to use it.³¹

We need the ability to verify the authenticity of our messages. This can be done by a digital signature, which also uses PKE to function. When you digitally sign a message, you include in it a unique mathematical calculation derived from its size, date and specific content. This digest is then encrypted with your private key so that the recipient can verify its validity. Once decrypted, the original digest in the signature is checked against the file received and confirms whether the file has been modified or not since it was signed. It is virtually impossible to change the content of your message without invalidating the signature.

• You need to create a keypair and keep your private key safe
• You encrypt your messages to the recipient’s public key
• You should always verify the recipient’s key by checking the fingerprint

• Compromising your private key. If the attacker manages to receive a copy of your private key by gaining access to your computer or otherwise, all they have to do is break the password protecting it. This can be done by brute force (using a password-cracking program that tries all common and random combinations) or by simply observing you type your password on the keyboard. Another method of stealing your password would be to install a keylogger program by gaining access to your computer with the help of an email attachment. A keylogger will record all the keys that you press on the keyboard and send this information to a designated Internet or email address. This way the attacker can receive the password you use to access your private key without requiring physical access to you or your computer.³⁴
  
  The solution here is to use updated anti-virus, and anti-spyware programs and a firewall. This will, hopefully, either detect the presence of a the keylogger or prevent it from sending your password outside. Take care when typing the password and make sure that no one can see your keyboard or the computer screen. Most good encryption programs do not display the password on the screen. You have to write it 'blind'.
• Key Recovery Systems. Since encryption is now integrated into more devices and uses with every passing day, its highly secure framework has become a problem for many government and law enforcement agencies. For many years they have been trying to implement key recovery systems (key escrow) which would give the authorities access to your private key. Alternatively, governments have began passing laws stating that you must surrender a copy of your private key to them for storage. Some closed encryption programs, where the encryption method has not been publicly tested, actually provide a backdoor for security agencies. Although this practice has been made illegal in many countries, it can still be found in different versions of software and hardware. The solution here is to use open source products (like GnuPG), thoroughly analysed and tested by the Internet community.
• Public key validity and deception. As already mentioned in this chapter, the validity of the public key you are encrypting to is central to the all-round security of public key cryptography. The problem is that keys can be easily falsified. Carelessness on the user’s part may lead to using an adversary’s key under the assumption that it actually belongs to someone else. Pay close attention when receiving and importing public keys. The steps to verifying public key validity are explained above. Even though this may slow down the process of communication slightly, these steps should not be ignored.

Choose encryption programs that have been publicly verified to have no back doors (such as PGP, GnuPG, TrueCrypt). Be aware of your local legis- lation and whether it allows you to use encryption and if yes, at what level of complexity (key size)³⁵. You should also understand that the current legislation in your country may oblige you to reveal your password to the authorities. Try to find out if there are any legislative privacy safeguards which you can use to prevent this from happening.