Intro to Cryptography
Explanation: Cryptography
Motivation
Now that computers are a part of our everyday lives, privacy is a bigger concern than ever before. If a stranger had unfettered access to your computer you would likely have some major problems. Maybe they could find your credit card info, steal your identity, or blackmail you with some embarassing photos. Most people have a password on their user account that you have to enter to log in to the computer. However, that alone is not secure. If someone hacked your computer or broke into your house they could very easily read everything off your hard drive without needing to "log in". Thus there is a need for some way to store data where only certain people can read it.
Encryption
In order to let some people read data but not others, many different encryption schemes have been invented. Encryption is the process of modifying data using a pre-defined method so that anyone who knows the method can easily recover the data, but anyone who does not know the method is unable to do so. For example, I take the phrase "Hello" and encrypt it to be "Uryyb". If I store the encrypted text "Uryyb" on my computer, this looks like gibberish to anyone who does not know how to decrypt it.
Decryption
Decryption is simply reversing the process of encryption on a bit of data. Since I know how I encrypted my message, at a later date I can take the text "Uryyb" and decrypt it to recover the original message "Hello". As long as I am the only one who knows the rules for the encryption and decryption, anyone else who tries to read my message will just see "Uryyb" and have no idea what I'm talking about.
Symmetric Cryptography
In the explanations above, I used a very simple cipher to encrypt and decrypt the text. I simply took every letter and replaced it with the letter in the alphabet that's 13 letters later. If you get to "Z", you just wrap around and keep counting. This is famously called the ROT13 (Rotate 13) cipher, and if my brief explanation wasn't clear enough you can read more on Wikipedia. This simple example is notable for being symmetric, which is with what most people are likely familiar. The encryption and decryption methods are exactly the same. Just find the letter that comes 13 letters later in the alphabet. If you encrypt a PDF file or ZIP archive by adding a password, that same password is used to decrypt it. Hence the name symmetric.
Assymetric Cryptography
It is also possible to have an assymetric algorithm where the encryption and decryption methods are different. This is used in Public Key Cryptography to allow for communication using only a single unsecured channel. In Assymetric Cryptography, you have two passwords. One password can only be used for encryption, and one password can only be used for decryption. This might seem strange at first, but it really helps in situations when you need to communicate securely with someone but don't have a way of sending them a password.
Cracking Encryption
The easiest way to beat most Encryption schemes is to find out the password. So don't just leave your password out in the open, and never send passwords in IM or e-mail if you can help it. The next fastest way to crack encryption is to simply try the most commonly used passwords. This is more effective than you might think. In 2011, about 91% of users had a password in the top 1,000 most common. Even scarier than that, about 99.8% had a password from the 10,000 most common. The situation has improved a bit since then, but you can view the original report here. The last main method of cracking is called brute force. This literally just means try every single possible combination until one of them works. Let's assume the full set of printing ASCII characters (95) and a computer able to try 1 billion passwords a second. On average it would take 0.08 seconds for a 4 character password, 38 days for an 8 character password, or 700 trillion years for a 16 character password. Of course, it's usually much easier than that, since people tend not to make their passwords perfectly random strings of all 95 printable ASCII characters. At the very least I hope you'll always make all your passwords 8 characters long.
Best Practices
The best passwords are very hard to remember. They should be a
random string of as many different characters as the website or
whatever will allow. The easiest way to achieve this is with a
Password Safe, a program that keeps track of your passwords for
you. You unlock the safe using a master password that you can
remember, but then use randomly generated alphanumeric passwords
for each website. You can keep the password database on a flash
drive so that your passwords are always with you. Since the
database is encrypted, as long as no one learns your master
password, everything should be very secure. I highly recommend
KeePass for this purpose.
Failing that, however, at least try to follow these guidelines:
- Never use anything from your username in your password
- Don't use common phrass or sayings
- Try to have the same number of lowercase and capital letters
- Use numbers and punctuation as often as letters
- Avoid common substitutions such as "4" for "A" and "3" for "E"
- Don't base your password in any way on common passwords like "password" or "12345"
- Don't use the names of famous people in your password
- If you write down your password, only do so once, and keep it in a safe place
Conclusion
Practical Encryption schemes are much more complicated than ROT13 and generally repeat a specific process hundreds of times in order to make it harder for computers to brute force the encryption. Honestly the biggest security hole has been and probably always will be the user. No matter how hard to crack an encryption algorithm is, all you have to do is use "qwerty" as your password to break the entire system. Again, I highly recommend using KeePass at least for important things like banking. Also, if you really don't want anyone reading the files on your hard drive, you can consider full-disk encryption. Overall, try to be smart about security, and if you're ever unsure ask Google or your local computer nerd.