Certificates and Security, Part 1

Published on March 14, 2023 at 5:48 pm by LEW
Print 🖨 PDF 📄 eBook 📱

Introduction

I decided to revisit some of the stuff I have done in the past related to certificates and computer security. In the process I took the time to review some current articles on the subject. One thing I noticed, while specific topics are covered I did not see any really broad overviews of the subject from beginning to end

I did note there were many things various authors expected one to know, or did not consider important to the subject. In a way I understand this, as it can detract from main points. Space can be a limitation when most people are not going to be interested in digging quite so deep.

Unfortunately for me I am not one of those people. I have to, and want to, dig a little deeper sometimes. To that end, I have decided to do a series of posts on the subject focusing mainly on things like encryption and certificates. In the first couple of posts I will be focusing on some basic information about encryption, as a foundation to build upon. From this foundation I will branch into other topics, as needed.

Encoding is not Encryption

The first thing I want to clear up is the difference between encoding and encrypting, as I saw these words being used interchangeably in to many places. Files are either encoded or encrypted for different reasons, yielding different results.

Coding or encoding is basically changing the presentation of information for a variety of reasons. In the good old per-computer days encoding was mainly used to shorten a message length. In radio communications there where the “10” codes, and the “Q” codes used by various groups. For example in aviation “QBS” followed by a number means to ascend or descend to the given altitude.

In the computer province, encoding usually means changing a file format for use in other application. For example changing a word processor file into a presentation file, or chagrining a bmp image to a jpeg image, or zipping up a file to make it smaller.

The content has not been fundamentally changed, and if you have the appropriate application you can view the file content. This requires no special key or methodology, as will be discussed later.

Encoder Example

Encrypting Information

Encryption uses additional information (known as a key) of some type to make a file illegible without having a key to decrypt it. Therefore only people with the properer key can access the content of the file. To everyone else the information in the file will appear as random gibberish.

Encryption has been around since there has been information that needed to remain private and protected from the prying eyes of others. There is evidence of encrypting messages going back to ancient Egypt, Greece, and Rome

Early encryption mainly used a symmetric cipher key. That is to say, the same key was used to encrypt and decrypt a message. A cipher can be simple or it can be quite complex. Most simple ciphers are fairly easy to break. Some of the physical weakness of a symmetric cipher are that there needs to exist multiple copies of a key, and the key has to be delivered to the recipients.

An early replacement cipher was known as the Caesar cipher. Below is a modern day example of this cipher. The alpha numeric characters have been shifted by eight places, the “A” moved form position “1” to position “8”. Also note the inclusion of the space, making the cipher 37 characters long.

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

A

B

C

D

E

F

G

H

I

J

K

L

M

N

O

P

Q

R

S

T

U

V

W

X

Y

Z

0

1

2

3

4

5

6

7

8

9

3

4

5

6

7

8

9

A

B

C

D

E

F

G

H

I

J

K

L

M

N

O

P

Q

R

S

T

U

V

W

X

Y

Z

0

1

2

Using this cipher we can encrypt the following message to make it illegible to those without the key (above table).

RENDEZVOUS AT 165 BLEAKER STREET

K7G67SOHNLT3MTV ZT4E73D7KTLMK77M

Note that as ciphers go, this is somewhat simple and could be broken with a few good guesses, some basic knowledge of English, and a little luck. Or with the limited number of permutations, a brute force approach would quickly crack it also.

This is what is known as a Symmetrical cipher, in that the same key can be used to encrypt and decrypt messages.

Symmetrical Cipher Advantages and Disadvantages

With a little math and a random number generator, one can increase the complexity of a symmetrical cipher, making it much harder to crack. You can also use rotating keys and other techniques to increase security of the cipher.

The big advantage of symmetrical ciphers is that they are fast, something that can not be said about asymmetrical ciphers (next section). For this reason they are one of the most used cipher techniques on the internet today.

But symmetrical ciphers do have a couple of problems. The first of which is getting the cipher key to the recipient. At some point it has to be transmitted as plain text (unencrypted transmission) to the end user.

The other problem is repeated text can improve the chance of cracking the cipher (this was part of how the Enigma cipher was cracked back in World War II).

Asymmetrical Ciphers

The asymmetrical cipher is based on a function where the reverse operation does not return the original answer. An example of this is the modulus system in mathematics. An example can highlight this point.

In basic algebra if three numbers have the following relationship, then having any two numbers allows the third number to be calculated.

x + y = z

For example if you have x and z, then y is easily determined.

z - x = y

In Modulo Mathematics things are a little different. Having three variables in a modulus formula give the correct answer only in one form.

x mod y = z

In this mode of mathematics having y and z, does not allow for calculation of x. The equation for determining x would be different, and not directly translatable from the initial equation. You would need multiple different equations to translate between the different variables.

This is the basic principle of asymmetric encryption. Two separate keys are required. A message encrypted by one key requires the other key to decrypt it, and vice versa. That is if you encrypt with the second key, the first is required to decrypt.

As an example The RSA cryptosystem uses two large prime numbers and some modulus calculations to come up with two keys for encryption and decryption. The math can get a bit complex for the layperson (like me). There are several sites out there that try to explain it better than I could, that you can visit.

The point being that you have two keys, and one is used to encrypt, then the other is required to decrypt.

Pretty Good Privacy (PGP)

Now that we have our two keys, what we do with them is where PGP (Pretty Good Privacy) comes into play. PGP depends on the one-way nature of the math, and keeping one key private, while the other is made public.

Lets run through a quick example of how this all comes together. Lets say you want to visit a website using the https protocol (like https://retiredrtechie.com). During the initial handshaking, your browser would receive a copy of the websites public key. Once your browser authentic’s the public key (a process we will discuss in a latter post), it can use the public key to encrypt any communicaitons.

Because it is encrypted with the retiredtechie.coms public key, only retiredtechie.com can decrypt the message with its private key.

There is obviously more to this than the above, which will be discussed in the next post. However the takeaway is that if you encrypt traffic with someones public key, then only they can easily decrypt it with their private key. For anyone else, it would take years, or a good deal of luck to decrypt the message.

Public Key Encryption  Private key Decryption

Public Key                                                           Private key

Conclusion

This has been a high level oversimplification of sending secure traffic. It serves mainly as a basis for further discussion. In the next post of this series we will discuss in more detail how the process works for web browsing.

Once we have an understating of this we will branch off into certificates,signing certificates, chains of trust, and validations.

Certificates and Security, Part 1

Certificates and Security, Part 2

SharePin It!

Add New Comment

Your email address will not be published. Required fields are marked *