Introducing common cryptographic concepts

In order to securely exchange data, we use more than just encryption algorithms. We also use several cryptographic tools and techniques. When discussing these concepts, you will hear terms such as symmetric and asymmetric encryption, along with cryptographic hash.

Important note

You will get a better understanding of these terms as we progress through the chapters. If you need a quick review, visit https://www.makeuseof.com/tag/encryption-terms/ for an explanation of 11 of the most common encryption terms.

In this section, we'll provide the broad strokes of the concepts of a TTP and the PKI to help your understanding. In addition, since you'll often see an explanation of a complex topic using the names of fictional characters, we'll talk about the story of Bob and Alice.

We'll go into the details of the aforementioned terms and others as the book progresses. For now, let's start with the importance of a TTP.

Trusting a TTP

Think about doing a transaction on the internet. When you go to an online shopping site, you will want to encrypt your transactions to provide confidentiality as you exchange data with the website. Let's consider the following scenario.

Alice wants to purchase some pet supplies for her two cats. She heads out to the pet supply store, Kiddikatz. If the communication is not encrypted, the transaction could be intercepted and read by Mallory, a malicious active attacker, as part of a Man-in-The-Middle (MiTM) attack, as shown in the following graphic:

Figure 1.3 – A MiTM attack

To prevent a MiTM attack, Alice will use Transport Layer Security (TLS) to encrypt and secure the transaction. Prior to the transaction, both parties will need to exchange keys. That is where the TTP becomes important.

A TTP is necessary in a hybrid cryptosystem. In a faceless, nameless environment such as the internet, TTPs helps us to communicate securely on the web.

The idea of a TTP works by using transitive trust. As shown in the following graphic, we see that if Alice trusts the TTP, and Kiddikatz trusts the TTP, then Alice automatically trusts Kiddikatz:


Figure 1.4 – A transaction using a TTP

We know that TTPs are important in a digital transaction. Next, let's see how you can determine whether or not a site can be trusted.

Ensuring trust on the network

When you go to your browser and you see a lock next to the web address, that means you can trust the site. As shown in the following screenshot, we can see that the site for Packt Publishing is a secure connection:

Figure 1.5 – Secure website for Packt Publishing

Some companies that provide this trust include Verisign, Cloudflare, Google Trust Services, and Thawte. All of this is made possible because of the PKI, as outlined next.

Managing keys using the PKI

As we have seen, a TTP provides the trust required when completing transactions on the internet. During a transaction, all entities are able to securely communicate with one another by using the PKI.

Although the term Public Key Infrastructure implies that the PKI generates keys, that is not the case. Instead, the PKI generates a digital certificate to securely distribute keys between a server (such as a web server) and a client. PKI uses a TTP to generate a certificate, which provides the authentication for each entity.

Let's step through the process of distributing public keys by using a certificate.

Obtaining the certificates

Encryption algorithms use keys. There are two main types of encryption. The type of encryption will determine whether one or two keys are used. The difference is as follows:

• Symmetric encryption: Uses a single shared key (or secret) key
• Asymmetric encryption: Uses a pair of keys – a public key and a private key

When using asymmetric encryption, an entity's private key is kept private. However, the public key is shared for everyone to see, as it is public.

When obtaining someone's public key for a transaction, we need to be able to trust that the key is from the entity from whom we received it. As a result, when completing transactions on the internet, we use a TTP.

As shown in the following diagram, the TTP provides a certificate to each entity, which ensures proof of identity and holds the other party's verified public key:

Figure 1.6 – Certificate exchange in the PKI

The PKI provides the structure necessary to ensure trust and securely share the public keys between those involved in a digital transaction.

Once Alice and Kiddikatz are assured trust in one another, they can securely exchange the session key and begin the transaction.

When discussing cryptography, it is common to use themes, much like the ones used in programming, such as Foo Bar and Hello World. In the next section, let's get to know the story of Bob, Alice, and other characters, which will help us when explaining cryptographic concepts.

Getting to know Bob and Alice

When outlining technical concepts, it's important to provide an easy-to-understand explanation. Using a story with characters helps explain technical topics.

Using the characters Alice and Bob is the most common way we use to explain cryptographic concepts. For example, you might see the following when describing a scenario:

Alice needs to send Bob a secure message. They must first obtain the same shared key.

If you need more characters, there are others you can use. The characters are listed in Bruce Schneier's book Applied Cryptography, where he presents a list of characters that include the following:

• Alice: Primary participant in the transaction
• Bob: Secondary participant in the transaction
• Mallory: A malicious (MiTM) attacker
• Eve: An eavesdropper, usually a passive attacker
• Victor or Vanna: A verifier
• Trent: A TTP

Using the names of individuals makes complex concepts more relatable. As a result, we will see more of Bob and Alice throughout our discussion on cryptography.

When discussing encryption, one of the simplest ways to conceal the true meaning of data is by using substitution and transposition, as we'll see next.