Cryptography – “Scrambling information”
The objective of cryptography is to scramble a message (also called plaintext) so that only the intended recipient is able to recover the
original plaintext. As illustrated in the figure, Bob (the sender) wishes to send a secret message to Alice (the recipient). He encrypts the plaintext using an encryption algorithm. The encryption process scrambles the plaintext to produce what is known as ciphertext. Alice recovers the plaintext using the process of decryption. The encryption/decryption algorithm is usually not secret. What makes the ciphertext difficult to decipher is the use of one or more keys in the encryption/decryption process. In secret key (or symmetric) encryption, one key is used and is known only to Bob and Alice. In public key (or asymmetric) encryption both Bob and Alice own a pair of unique keys. The pair consists of a private key and a public key. The public key is known by the public, but only Bob and Alice know their respective private keys.
The word cryptography is derived from the Greek words, krypto, meaning hidden, and graphein, meaning to write. Thus, cryptography is the process of making and using codes (or ciphertext) to secure transmission of information. The codes are obtained by converting plaintext (words, or phrases) into encrypted data.
When private information is sent over a network (like the Internet) in plaintext, the message can be intercepted and stolen. When you store unencrypted information on a hard drive, or on removable media; others are able to read that information should they get access to it through theft or other means. The consequences for these unfortunate mishaps could range from identity theft to loss of money and other assets.
Example of occurrence:
The following excerpt is from the New York times, dated August 17, 2009:
The man who prosecutors said had masterminded some of the most brazen thefts of credit and debit card numbers in history was charged on Monday with an even larger set of digital break-ins.
In an indictment, the Justice Department said that Albert Gonzalez, 28, of Miami and two unnamed Russian conspirators made off with more than 130 million credit and debit card numbers from late 2006 to early 2008.
Prosecutors called it the largest case of computer crime and identity theft ever prosecuted. According to the government, the culprits infiltrated the computer networks of Heartland Payment Systems, a payment processor in Princeton, N.J.; 7-Eleven Inc.; Hannaford Brothers, a regional supermarket chain; and two unnamed national retailers.
An unspecified portion of the stolen credit and debit card numbers were then sold online, and some were used to make unauthorized purchases and withdrawals from banks, according to the indictment, which was filed in United States District Court in Newark…
Richard Wang, manager of SophosLabs, a security company, said the case provided more evidence that retailers and banks needed to strengthen industry standards and encrypt credit card numbers when they are transmitted between computers. Currently, major banks agree to encrypt such data only when it is stored.
How to Protect Yourself with Cryptography:
- Encrypt your personal files: Encrypt important files on your hard drive and removable media.
- Encrypt wireless network data: To protect the data that travels through your wireless network against eavesdropping, you should encrypt it. The available encryption choices in increasing order of security are: none (no data encryption is performed), Wired Equivalent Privacy (WEP), Temporal Key Integrity Protocol (TKIP) and Advanced Encryption Standard (AES).
- Encrypt sensitive email: If the software which you use to send e-mail allows it, you should encrypt sensitive e-mail so that only the recipient of the e-mail is able to read it.
- Check that businesses encrypt your personal data: You should ensure that companies and other organizations with whom you do business encrypt your personal data, such as credit card numbers and social security numbers, before they are stored or transmitted over a network.
- Use secure transactions over the Internet: Ensure that personal transactions over the Internet are secure.
Example 1: You can encrypt a file in MS Word 2013 using the steps shown in the figure below.
Example 2: EFS – Encrypting the file system
- How to use it: To encrypt a file using EFS, right click on the file or folder, select properties and follow the directions in figure below.
- Encryption: EFS automatically creates a public key pair (this is done only once. It is not repeated for encryption of future files). However, a unique key called the file encryption key (FEK) is automatically generated every time the user needs to encrypt a file. After encrypting a file, EFS uses the user’s public key to encrypt the FEK. It also encrypts the FEK using the recovery agent’s public key.
- Decryption: When you log into your account and try to open an encrypted file, Windows retrieves your private key, decrypts the FEK, and uses it to decrypt the contents of the file as it is read from the hard disk.
- EFS is a feature of the NTFS file system. Files encrypted with EFS remain encrypted only while they reside on the NTFS volume. Vista Home Basic, Home Premium (and Starter Edition) do not support it.
- Only the original owner and the computer’s designated recovery agent can access encrypted files.
- Complete the security checklist (print).
- Encrypt a document using Microsoft Word 2013.
- Encrypt a file and a folder using EFS.
|Vulnerability: Unprotected sensitive data Course: Computer Literacy|
|Task – Answer the following questions||Yes/No||N/A|
|1. Are your personal files encrypted?|
|2. Is your wireless data encrypted?|
|3. Are your sensitive e-mail messages encrypted?|
|4. Do the companies and other organizations you do business with encrypt sensitive data about you that they store on their systems or communicate over networks?|
|5. Are the e-transactions you conduct over the Internet secure?|
|If you answered no to any of the above questions, then your data is vulnerable to theft and misuse.
- What is the difference between private key encryption and public key encryption?
- How many public/private key pairs does the EFS system automatically generate if a user encrypts 10 files—one at a time? How many file encryption keys (FEKs) are generated in this case? Explain.
Further Work (optional – check with your instructor if you need to answer the following questions)
- Discuss how you would use public key encryption to encrypt a symmetric private key which you used to encrypt a message to be sent to Alice. Describe how Alice would recover the message? (Note: The encrypted symmetric key accompanies the message to Alice.)
- Which key does EFS use to encrypt the FEK?
- If a file encrypted with EFS is e-mailed to another user, does that file remain encrypted? Explain? If a file encrypted with EFS on your hard disk is copied to a removable drive, does it remain encrypted?