Slashdot Mirror

← Back to Stories (view on slashdot.org)

Intro to Encryption

Posted by CmdrTaco on from the getting-on-the-same-page dept.

An anonymous reader submitted a Techworld story which is a sort of encryption primer. The difference between codes & cyphers, and what all those acronyms like RSA and DES actually mean. This is good primer material for newbs, and a good refresher for fogeys.

12 of 244 comments (clear)

  1. Inaccuracy in article? by DarkHelmet · · Score: 5, Informative
    About RSA: Current hardware means key lengths should be 1024 bits for complete security. The present generation of web browsers use 128-bit keys so cannot be considered secure against a determined and sufficiently well-resourced attack.

    Certificates are 1024 or 2048 bit with SSL. On the other hand, once the key is sent and shared, a 128 bit symmetric form of encryption is used. The only thing RSA is used for is sending / receiving the symmetric encryption key, yes?

    Correct me if I'm wrong.

    --
    /^[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}$/i
    1. Re:Inaccuracy in article? by wfberg · · Score: 4, Informative

      About RSA: Current hardware means key lengths should be 1024 bits for complete security. The present generation of web browsers use 128-bit keys so cannot be considered secure against a determined and sufficiently well-resourced attack.
      Certificates are 1024 or 2048 bit with SSL. On the other hand, once the key is sent and shared, a 128 bit symmetric form of encryption is used. The only thing RSA is used for is sending / receiving the symmetric encryption key, yes?


      Kinda yes. The public key is used to encrypt the session key, which is used in turn to encrypt the payload using a symmetric algorithm for speed.

      Certificates are a bit bigger than 1024 or 2048 bits. They contain the public key (consisting in the case of RSA, among other things, of the 1024/2048 bit modulus) the owner's identification (e.g. e-mail address, common name, url, ..), validity dates, and a digital signature from a certificate authority (in some cases they're only self-signed, in other cases, dosens of people may contribute to authenticating a public key's ownership information, as in PGP).

      A certificate is just that; it's to certify that a certain public key belongs to a certain entity.

      If you pay enough to microsoft/opera/etc., you can certify anybody you want and all internet explorer users will take it for granted, because no one checks certificates.
      --
      SCO employee? Check out the bounty
  2. Much better than that article by yahyamf · · Score: 5, Informative

    I would strongly recommend the Code Book by Simon Singh over that short article. It takes the reader from the Ceaser cipher all the way to quantum codes and is a very enjoyable read. The Codebreakers by David Kahn is also an excellent though somewhat lengthier volume

  3. Handbook by Ann+Coulter · · Score: 5, Informative

    The Handbook of Applied Cryptography: http://www.cacr.math.uwaterloo.ca/hac/ is a very detailed guide to some cryptographic algorithms and theories. This is not for newbies at all. For those wanting to implement a particular cipher, this book is the place to refer to. On top of everything, it is free.

    1. Re:Handbook by wfberg · · Score: 4, Informative

      I'd recommend applied crptography by Bruce Schneier instead.

      Not only does it cover the same ground, it also goes into detail a bit more about real tricky business; protocols (where most mistakes are made these days, since nearly everybody uses off-the-shelf algorithms like AES, DSA, RSA and ElGamal). This guy knows how to write, and succeeds in warning you of potential pitfalls in a humorous manner. Also, he knows his stuff; he submitted one of the AES candidates, Blowfish.

      Bruce also publishes the most excellent Crypto-Gram newsletter.

      Beware of not heeding Bruce's stern words of warning. You may end up in the doghouse! The humiliation! The shame upon your house!

      --
      SCO employee? Check out the bounty
    2. Re:Handbook by plover · · Score: 4, Informative
      Actually, Practical Cryptography is probably more useful to most people. In that book, Bruce provides real-world examples of security needs and then details how the protocols should be implemented so as to preserve that security. He leaves the math alone, and discusses the protocols and data instead.

      He wrote it after realizing how poorly people had misunderstood his warnings in Applied Cryptography (as documented in Secrets and Lies.) I thought his warnings were plain enough, but apparently too many people just plopped in some encryption because they "needed" some, and Blowfish was printed right there in the appendix.

      --
      John
  4. Re:intro to encryption by Anonymous Coward · · Score: 5, Informative

    a b c d e f g h i j k l m n o p q r s t u v w x y z
    n o p q r s t u v w x y z a b c d e f g h i j k l m

    first post!

  5. Applied Cryptography by Meostro · · Score: 5, Informative

    Bruce Schneier's Applied Cryptography is another excellent resource for all you crypto-geeks out there. It goes from the basics (including the substitution cipher presented in the article) through basic crypto (ENIGMA, DES) all the way up through state-of-the-art (don't think AES was in my 1st ed., but I believe it's in there now). He talks about everything from the theoretical to the practical, hash collisions to rubber-hose cryptography.

    It comes with source too! You know you love source....

  6. Not really the best intro for crypto by Gentoo+Fan · · Score: 4, Informative

    I'd point people here first, then to a few other links that other people have pointed out. The article linked is a bit terse for a newbie.

  7. Clarification on web-browser security... by xquark · · Score: 4, Informative

    >>The present generation of web browsers use 128-bit keys
    >> so cannot be considered secure against a determined
    >> and sufficiently well-resourced attack.

    The 128-bit there is the symmetric cipher key length, RSA is
    used for signature authentication and not encryption, key
    exchanges occur via hand-shake algorithms ie: diffie-hellman
    and derivatives there of...

    a 128-bit symmetric cipher is actually very strong, for temporary
    transit data ie: purchase data, cc numbers etc.

    Arash Partow
    __________________________________________ ________
    Be one who knows what they don't know,
    Instead of being one who knows not what they don't know,
    Thinking they know everything about all things.
    http://www.partow.net

    --
    Arash Partow's Philosophy: Be a person who knows what they don't know, and not a person who doesn't know.
  8. random & pseudorandom pads by cant_get_a_good_nick · · Score: 4, Informative

    Random pads with truly random data is unbreakable. The few times it has been broken has been due to human error (reusing the same random data stream). The US tracked some russian spies with this, they reused pads, and we found out there was a mole in the atomic bomb program.

    That said, paddign with pseudo-random data is very unsafe. Breaking this type of encryption is typically one of the first homework assignments in cryptography courses. The article is either very fuzzy on this distinction, or plain out wrong, depending on how you read it.

  9. Re:Comprehensive list of unsolved codes and cipher by cpeikert · · Score: 4, Informative

    If after reading the intro to encryption you are so inspired to try to crack one, I highly recommend this list...

    The problem with challenges like "crack this uncracked cipher" is that the challenge is not realistic.

    Most of these codes/ciphers give you no idea the process behind how they were generated. That's unrealistic: usually an analyst will have the algorithm that does the encryption (if not the key itself), either via open-source, reverse engineering of a public binary, legitimate purchase, or espionage.

    Most of these challenges only give you a tiny piece of ciphertext. That's not realistic: if you're trying to break, say, SSL, you'll be able to get your hands on megabytes of transcripts, and you'll even be able to generate ciphertexts that correspond to plaintexts of your choice.

    Most of these "ciphers" don't generalize to arbitrary messages. That's unrealistic. Sure, someone can design some ad-hoc cipher to encrypt the location of his buried treasure using landmarks, clever puns, and weird symbols. That's a far cry from being able to efficiently encrypt an arbitrary TCP/IP stream.