The cyberspace exists for the purpose of enabling communications from A to B and elemental to its success is cryptography, which is the application of mathematics within mechanisms that achieve security. Cryptography gives the cyberspace its secure mass, so it is the cyberspace’s Higgs Boson. The security outcomes that it enables are confidentiality, data integrity, data origin authentication, non-repudiation and entity authentication. These together with your wider security hygiene provide your protection in a wild environment of threats, risks and harms.
So when you’re communicating from A to B in this wild environment, you want secure communications. Ideally, that will be a secure channel between these points, but if we cannot achieve that we will need the message itself to be as secure as possible. So, when you connect to a website using HTTPS, you’ll create a secure channel, but when you’re sending emails you probably won’t, so you’ll want to apply protection to the email itself.
Understanding security operations and, therefore, security law, isn’t possible without a good grasp of cryptography, what it is doing and why. So as an opener, let’s consider encryption. This is the application of mathematics to achieve confidentiality, which is the state of operational security whereby information is only accessible to authorised persons. The basic idea of encryption is that plaintext – that is human readable information – is converted into ciphertext, which is information that is illegible to a human or machine without the use of a decryption key. Encryption will be achieved through the use of encryption algorithms that apply a key to convert plaintext to ciphertext and a key to reverse the process.
Symmetric encryption – a shared secret for a closed environment
Encryption technologies in the sense of those used in the cyberspace did not become common place until the 1970s (by which I mean available outside of government agencies) and the original idea was based on one that is literally thousands of years old: the use of a “shared secret”, whereby both parties to the encrypted communication share the same key, which can be used for both functions of encryption and decryption.
The idea of a shared key, which is known as symmetric encryption, obviously makes most sense when the parties to a communication are in a prior relationship. In other words, it’s great for a closed environment, such as within a group of companies, or between different organisations that are able to put in place measures to safely share the key, or between people that are physically close to one another.
The problem of the wild, public Internet
However, as the internet took off, there was an obvious problem: A and B are not always going to be in a closed environment. By definition and design, the Internet is open and people can communicate with anyone else, anywhere in the world, including strangers (provided that a filter or great big firewall isn’t put in their way). The shared secret idea doesn’t make much sense in an open environment, where the communication begins with two strangers, whether they be people who do not know one another, or are computers that do not know one another, or are people operating computers to access websites where either party is not known to one another.
The solution, that was conceived of by experts working secretly in GCHQ and academics working openly in the United States is Public Key Cryptography and it is an idea of such simplicity and beauty that it could only be conceived of by a beautiful mind. It created security for a wild environment of strangers communicating with strangers, at a distance and without a basis of mutual trust.
Asymmetric encryption – the beautiful mind
A and B are both strangers and they do not share a secret, but they each possess two keys, an encryption key and a decryption key. They both publish their encryption keys, which are called public keys, but they keep their decryption keys secret, which are called private keys.
So, let’s say that A wants to send a confidential message to B. A encrypts the message with B’s public key and when B receives it, B decrypts it with their private key. And this enables a communication between strangers to be send securely over the public internet, keeping it safe from eavesdroppers and spies. Public Key encryption is asymmetric encryption.
Now, what could possibly be in the message that A sends to B, which is encrypted with B’s public key? Well, it could be anything, but what if it is a symmetric encryption/decryption key? Yes, you’ve grasped it! Public Key encryption can be used to safely share a secret, to enable people previously in an open environment to transition into a closed environment where they can use symmetric encryption. This is called key establishment.
Did you ask why would they want to used use Public Key encryption to establish a symmetric key? The reason is that Public Key encryption comes with a greater computational overhead than symmetric encryption, plus the size of the message that can be encrypted with a public key is very small in comparison to the size of the message that can be encrypted with symmetric key (which can theoretically be of infinite size).
Magic, huh?! And the way the Internet works is full of loads of mathematical cryptographic magic like this.
Want to know more?
If you want to know more about crypto, I'd recommend Professor Keith Martin's book. I've learned a huge amount from it and genuinely regard it as one of the best written, accessible and interesting books in this field.