Learning never exhausts the mind

Published on by

In this tutorial we will look at how cryptography, encryption and SSL certificates actually work to secure the internet and how the public/private key exchange system works.
Internet Security 101 Series
  1. Introduction to Hacking
  2. History of Cryptography
  3. Online Privacy And Why It Matters
  4. Supercookies: The Web's Latest Tracking Device
  5. Ultimate Guide to SSL for the Newbie
  6. How Internet Security and SSL Works to Secure the Internet
  7. Man in the Middle Hacking and Transport Layer Protection
  8. Social Engineering
  9. Cookie Security and Session Hijacking
  10. What is Cross Site Scripting? (XSS)
  11. What is Internal Implementation Disclosure?
  12. Parameter Tampering and How to Protect Against It
  13. What are SQL Injection Attacks?
  14. Protection Against Cross Site Attacks

The internet security techniques described here are greatly simplified, but serve to illustrate how the system works on the basic level.

Basic encryption for data transmission as we have seen is fairly easy to implement and also easy to hack. If you haven't read the article, it involves one or many methods for encrypting data and a password required to decrypt the data at the other end. A basic encryption algorithm is ROT13 where each letter of the alphabet is rotated 13 places (Hello becomes Uryyb). A more advanced system uses passphrase substitution, and this can only be cracked when you know (or defeat) the password.

Actual systems use more sophisticated algorithms where the password is generally 128 bits or higher giving a password length of 2128 characters, randomly generated.

Now the problem with using this over the internet is that you have to transmit the encrypted data, and the key (we'll start calling these long random generated passwords keys now) so that the person at the destination can decrypt the data. This is obviously open to hacking as both encrypted data and the key are sent together. A secure way of doing this would be to send the encrypted data over the internet, and send the key separately in a different format, such as in person on a USB stick or CD.

This wouldn't really work on the internet for browsing your online banking or doing your shopping would it? Every time you go to logon, you have to wait for a CD to arrive in the post.

The solution here is to use a set of public and private keys and have these exchanged in a secure way.

An example of internet security - key exchange

Let's have a look at how we might be able to send a secure key between two computers without eavesdropping or anyone stealing the secure key. This is a simplified version of internet security.

Public/Private Key Exchange Demonstration

Public/Private Key Exchange Demonstration

In this example we are trying to convey a copy of the blue key, which is our secure private key that nobody else must know about, to the receiver. We will do this by using two public locks, green and red. First, the blue secure key is placed inside a container which is then locked with the senders red padlock. Only the red key can open this padlock.

The locked container is then sent to the receiver, who at this stage cannot open the container.

Public/Private Key Exchange Demonstration

Public/Private Key Exchange Demonstration

The receiver then puts their padlock (green) on the container, and sends the doubly locked container back to the sender.

When the receiver gets the container back, they then remove the red padlock using their red key and sends the container back to the receiver again.

Public/Private Key Exchange Demonstration

Public/Private Key Exchange Demonstration

Now the receiver has a container which only has the green padlock on, which can be opened using the green key and thus the receiver now has access to the blue secure key. From now on all communication between the sender and receiver can be securely send and received by locking with a blue padlock.

Public/Private Key Exchange Demonstration

Public/Private Key Exchange Demonstration

As I said, this is a greatly over simplified example of internet security to illustrate how the system works. In reality the systems use complex mathematical calculations and long encryption keys to secure the data transmission. The simplified technique illustrates how secure keys can be transmitted over insecure lines without eavesdropping, snooping or hacking.

Tutorial Series

This post is part of the series Internet Security 101. Use the links below to advance to the next tutorial in the couse, or go back and see the previous in the tutorial series.

Leave a Reply

Fields marked with * are mandatory.

We respect your privacy, and will not make your email public. Hashed email address may be checked against Gravatar service to retrieve avatars. This site uses Akismet to reduce spam. Learn how your comment data is processed.