A while back I mentioned in my post on Backups that we needed to talk about Encryption, so here we are. First of all, I need to explain what encryption is. At its simplest, it’s a way of making a message unreadable by anyone other than the intended recipient.
I should also point out that there is a difference between a code and a cipher, though they tend to be used interchangeably. A code is where each word in a message is replaced with a code word or symbol, whereas a cipher is where each letter in a message is replaced with a cipher letter or symbol. In fact, when most people say “code,” they are actually referring to ciphers.
Why encrypt anything?
Why would you want to use encryption though? You may say that you’ve nothing to hide, but think about that for a second. Say you’re accessing your bank account – would you want anyone who is able to intercept the messages you send to be able to read them? What about if you’re paying for something online? Would you want someone to be able to read your credit card number and security code? What about if you’re in contact with your doctor or hospital about a medical condition? You get the idea I hope…
For these reasons, and many more, communications between our computers, our laptops, tablets and smartphones and a whole host of services, whether financial or health related, or just generally private, are encrypted for us. If you’ve noticed some web pages start with https rather than http – that means that the former are encrypted and should be more secure.
How does it work?
Encryption has been around for millennia, though with the advent of more and more complicated maths and now computers, the processes have changed dramatically. I’m not going to go into the detail of how it all works here, other than with a very simple example.
Going back 2000 years, a common method of encryption would be to substitute one letter for another. The most popular way of doing this was called a Caesar Cipher (after the Roman emperor), and worked like this:
First of all, write down the alphabet
Then, move the letters along a number of places. In the example below, I’ve moved them 3 places, so A now sits below where D was:
Write your message using the new letters. In this example, HELLO would be:
As you can imagine, this would not take long to decode, but worked quite well in a time when a lot of people were illiterate.
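The steps above as an added Python example (not code from the original post), including why the cipher "would not take long to decode": there are only 26 possible shifts, so trying them all finds the message. It assumes the post's table places A beneath D, i.e. each letter is replaced by the one 3 places earlier; the word list and function names are constructed for illustration.

```python
import string

ALPHABET = string.ascii_uppercase

def caesar(text, shift):
    """Replace each letter with the one `shift` places along the alphabet."""
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
        else:
            out.append(ch)  # spaces and punctuation pass through unchanged
    return "".join(out)

# Assumption: A sits beneath D in the post's table, so every letter moves
# 3 places back in the alphabet (a shift of -3).
POST_SHIFT = -3

# Constructed word list used to recognise a readable result.
COMMON_WORDS = {"HELLO", "THE", "AND", "MEET", "AT", "DAWN"}

def brute_force(ciphertext):
    """Try every shift and rank the results by how many known words appear.

    Returns a list of (shift_that_undoes_the_cipher, candidate_plaintext),
    best candidate first.
    """
    candidates = []
    for shift in range(26):
        plain = caesar(ciphertext, shift)
        score = sum(word in COMMON_WORDS for word in plain.split())
        candidates.append((score, shift, plain))
    candidates.sort(key=lambda c: -c[0])  # stable sort: ties keep shift order
    return [(shift, plain) for _score, shift, plain in candidates]

if __name__ == "__main__":
    secret = caesar("HELLO", POST_SHIFT)
    print("ciphertext:", secret)
    print("best guess:", brute_force(secret)[0])
```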
Jump forward to today and you use huge prime numbers, really clever maths and quantum computers in an ever-changing, rapidly evolving battle to keep messages confidential.
Encryption in history
There are two really interesting stories about encryption from World War II which I’d like to share with you.
The first is all about Bletchley Park and Enigma. I’m sure you’ll have heard of them, or at least of the film The Imitation Game, one of several which have covered the activities of Britain’s code breakers. Their work in breaking the German codes is said to have shortened the war by at least 2 years, but it’s relatively unknown that Enigma was actually broken in the mid-1930s by Polish code breakers. Not long before war broke out the machines were changed to make them more difficult to break. If you ever have the chance to visit Bletchley (it’s near Milton Keynes in England) you should do so – it’s a fascinating and absorbing day out.
The second story is less well known. Clever maths and computers are all well and good, but there’s another way to make messages unintelligible. Write them in a language that only the sender and recipient understand. That’s what the Americans did, using teams of Navajo tribesmen. Other than members of the tribe, only a handful of other people spoke their language. The Navajo working in this way were known as Windtalkers, and were deployed throughout the Pacific.
Passwords and encryption
Sorry, but I have to bring passwords into this. You may have heard of plain text password storage – that’s where a password is stored and isn’t encrypted. Most systems now use a process called hashing, which is a form of encryption. This involves taking the password and applying some maths to it to get an unrelated string of text, which is then stored. When you log in again and enter your password, it is typically hashed again and that string compared against the one which has been stored. If you type the same password, the hashes will match, but even a small change will result in no match. Note that you don’t “unhash” the text.
Here’s an example to illustrate this. I used a common tool called an MD5 hash generator (try it, you can find free ones using Google), and ran it against the word password. The hash which was generated was:
I used the same tool, and this time used a capital letter P in Password. The result?
You can see that they’re totally different.
When hackers try to break into systems, they have ways of accessing the stored passwords, which as you now know are hashed. BUT – they have a pregenerated list of common passwords and even dictionary words with their associated hashes. It’s easy for them to scan the hashes looking for a match in their list. (The lists are called Rainbow Tables.) This is one reason why you should never use common passwords, or dictionary words: they’re the first ones to be tried by hackers and therefore the first to be broken.
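The hashing comparison and the precomputed-list problem described above, as an added Python example (not from the original post). It hashes both spellings with MD5, shows that an unsalted hash of a common password is reversed by a plain dictionary lookup, and shows a salted, slow hash (PBKDF2) that such a pre-built list cannot match. The password list and function names are constructed for illustration.

```python
import hashlib
import hmac
import os

def md5_hex(password):
    """Unsalted MD5, as produced by the online generators the post mentions."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

# Constructed list of common passwords, hashed once in advance.
COMMON = ["123456", "password", "qwerty", "letmein", "Password"]
PRECOMPUTED = {md5_hex(p): p for p in COMMON}

def lookup(stored_hash):
    """Return the password if its unsalted hash is in the precomputed list."""
    return PRECOMPUTED.get(stored_hash)

def hash_salted(password, salt=None, iterations=200_000):
    """Salted, deliberately slow hash (PBKDF2-HMAC-SHA256)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return salt, digest

def verify(password, salt, expected, iterations=200_000):
    """Re-hash the login attempt with the stored salt and compare."""
    _, digest = hash_salted(password, salt, iterations)
    return hmac.compare_digest(digest, expected)

if __name__ == "__main__":
    # One capital letter changes the whole hash.
    print(md5_hex("password"))
    print(md5_hex("Password"))
    # Unsalted hash of a common password: found instantly.
    print("list hit:", lookup(md5_hex("password")))
    # Same password, salted: the random salt makes the stored value unique,
    # so a list built in advance contains no matching entry.
    salt, stored = hash_salted("password")
    print("salted value in list?", lookup(stored.hex()))
    print("login ok:", verify("password", salt, stored))
```

Storing the random salt next to the hash is normal; its job is to make every stored value different, not to be secret.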
If you want to know more about the history and how things have changed, I’d recommend reading Simon Singh’s The Code Book, though be warned that towards the end the maths gets quite heavy! You’ll also learn more about Enigma, the Windtalkers, dead languages and about Alice, Bob and Eve (aka Mallory) who are used to explain a common form of encryption used today which uses a Public Key Infrastructure (PKI).