By Romain F. (Network Security Engineer)
Now virtually standard on most messaging applications, encryption has become an essential cybersecurity tool.
A persistent Anglicism means that it is often referred to as "encryption," a term we will not use here as we are among civilized people.
More seriously, we will be careful to say "encrypt" and not "cryptographically secure." However, we will use the term "cryptography" (the act of making a message unreadable) because it is not an Anglicism. Paradoxically.
But how exactly does it work? Did you know that humans have been using encryption since ancient times? That this tool had a major influence on the events of World War II and that computer science was, in part, born out of the need to decrypt German communications at that time?
That's what we'll be looking at together throughout this article.
I – Definition
Encryption is a mathematical process designed to render a message or communication unreadable or inaudible in order to keep that communication confidential.
It is protected by what is known as an encryption key. This key can be a password, a code, or a computer file.
Encryption dates back to ancient times with the Caesar cipher, which we will look at in more detail later. According to Suetonius (a high-ranking Roman official and historian of the 1st century), Julius Caesar used this encryption method for his secret correspondence.
Over time, encryption solutions have become more complex and now rely primarily on calculations performed by computers.
II – Symmetric encryption
Symmetric encryption refers to all encryption solutions protected by a password or unique code.
I mentioned Caesar's code earlier. It's a classic example. The way it works is simple.
Let's start by assigning a number to each letter, which gives us the following table
| A | B | C | D | E | F | G | H | I | J | K | L | M | N | O | P | Q | R | S | T | U | V | W | X | Y | Z |
| 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 |
We will now apply the encryption key +3 to our alphabet. We could use a larger encryption key, but I prefer to keep it simple for this example. We then obtain the following values:
| A | B | C | D | E | F | G | H | I | J | K | L | M | N | O | P | Q | R | S | T | U | V | W | X | Y | Z |
| 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 1 | 2 | 3 |
Since our alphabet only has 26 letters, we go back to 1 once we reach that number.
Now, we will encrypt our alphabet by transposing the numbers with the letters associated with them in the first table.
| A | B | C | D | E | F | G | H | I | J | K | L | M | N | O | P | Q | R | S | T | U | V | W | X | Y | Z |
| 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 1 | 2 | 3 |
| D | E | F | G | H | I | J | K | L | M | N | O | P | Q | R | S | T | U | V | W | X | Y | Z | A | B | C |
Our encrypted alphabet is shifted by three letters from our normal alphabet. Thus, the message "Hello world" encrypted with encryption key 3 will be written as "Khoor zruog" (no, this is not the name of an orc from Warcraft, but rather an encrypted message).
We could summarize Caesar's code with the following mathematical function:
F(x)=x+y
Where x is the number associated with the original letter, y is our encryption key, and F(x) is the encrypted letter.
A person without the encryption key will spend several hours trying to find the solution.
I have explained here how the simplest form of encryption works. As you might expect, the Caesar cipher has not been used for several centuries, except for educational purposes.
The symmetric encryption solutions used today are based on significantly more complex mathematical functions that are calculated by computers.
You can also have fun with some of them on the website https://www.dcode.fr.
Apart from Caesar's cipher, one of the most famous symmetric encryption solutions is Enigma.
Invented by the Germans in the 1920s, Enigma was based on a typewriter connected to a letter permutation table. These devices were used extensively by Germany during World War II.
The machine was configured in advance according to a predefined code. The user typed their text into the machine, which automatically generated an encrypted message according to the configuration of the permutation table.
The code changed every 24 hours.
Extremely complex to decipher without knowing the code, English mathematicians worked on the problem for several years. It was finally on the initiative of mathematician Alan Turing that the first message was deciphered around 1942.
In 1941, Turing established the technical specifications for electromechanical machines capable of calculating faster than the human brain thanks to the use of binary code. These "Turing machines" or "Turing bombs" were the first supercomputers and therefore the distant ancestors of the computer or smartphone you are using to read this article.
If you are interested in this subject, I recommend Morten Tyldum's 2014 film The Imitation Game, inspired by Andrew Hodges' biography Alan Turing: The Enigma .
The flaw in symmetric encryption lies in the discovery of its encryption key, which can be obtained through what is known as a brute force attack, which involves testing all possible combinations until a clear message is obtained. This is exactly what Alan Turing and his colleagues did in the 1940s.
The difference is that today's hackers use attack scripts that test a library of possible codes, whereas Alan Turing used a supercomputer that took up an entire room.
III – Asymmetric encryption
It was in response to the flaws in symmetric encryption that security researchers looked into other solutions and developed asymmetric encryption. It is based on a pair of public and private keys.
To understand the principle, we are all going to engage in a role-playing exercise.
The year is 1780. You are the Baron or Baroness of a small region in France and you are invited to the salon of the Marquise de Montespan, where you meet the Count of Amiens and discuss various methods of improving agriculture in your region. Yes, you are a nobleman concerned about the welfare of your people, which is good. They will remember this in nine years' time, which will allow you to keep your head on your shoulders.
You give the Count a key, which we will call the "public key," and a safe.
Once back home, the Count takes up his pen, ink, and parchment and writes you a long letter to continue your correspondence. He places the letter in the chest you gave him and locks it with your public key. The key can be used to lock the chest, but not to open it.
When you receive the safe, you will be given another key, different from the previous one, which we will call the "private key." This key is unique; you are the only one who has it. It allows you to open the safe and access the message it contains.
By doing so, you can be sure that:
- The sender is indeed the Count you met, or at least a so-called "trusted" sender to whom you gave your public key.
- No one was able to read or modify the message contained in the safe.
- The sender can hardly deny being the author of the message.
The most knowledgeable among you will have recognized three of the five pillars of IT security here: confidentiality, integrity, and non-repudiation. Authentication and availability are not applicable here (remember, this is 1780).
Let's return to the present and replace our keys with computer files and the safe lock with encryption software. This software encrypts the message using a mathematical function and your public key. The same software will use another mathematical function with your private key to decrypt the message. This is an asymmetric encryption tool.
The security of these tools relies on the confidentiality of the private key. You can distribute your public key as you see fit, but your private key must remain, as its name suggests, private. If this is not the case, the key is considered compromised and it is recommended that you renew the key pair.
To explain how it works, let's take a look at RSA encryption (named after Rivest, Shamir, and Adelman, the three inventors of this solution), which is one of the most reliable asymmetric encryption solutions, published in 1978.
RSA is based on prime number factors. This information may seem trivial, but it is fundamental. A prime number can only be divided by 1 or itself, which makes it very difficult to factorize, especially for large numbers. While this operation is feasible for a human being with numbers such as 3 and 11, it becomes much more complex with a prime number such as 3,000,251.
Since RSA encryption key calculations are tedious, I have included them at the end of the article if you are interested.
Nevertheless, here are the encryption function C(x) and decryption function D(x) of the RSA protocol:
C(x) ≡ₐxⁱ
D(x) ≡ₐxⁿ
Where i, n, and a are components of the public key and private key (a is common to both, while i appears only in the public key and n only in the private key) [1].
The encryption function C(x) reads "C(x) is congruent to x to the power of i modulo a." Which is extremely clear.
Rest assured, this only means that when C(x) is divided by a,xⁱ remains. Encryption is ensured in accordance with these mathematical conditions.
Asymmetric encryption is also subject to brute force attack risks. However, in the case of RSA, for example, everything depends on the choice of prime numbers used. The larger the numbers, the longer it will take to decrypt them by attack, and the more time will be wasted.
It is therefore important to regularly renew encryption keys so as not to encourage an attacker to take the gamble of attempting to decrypt them, which could take several years.
For example, in 2010, security researchers managed to break low-level RSA encryption after two and a half years of calculations (https://www.generation-nt.com/cle-rsa-768-bits-cassee-inria-actualite-939471.html).
An integral part of our history, encryption has evolved over time to meet the obvious needs for confidentiality and security.
It has enabled the emergence of tools that we now use in our daily lives.
We use it without even realizing it, whether it's to protect our communications with loved ones via Signal and WhatsApp, or by using a VPN to work remotely.
I have talked a lot about encryption applied to messaging because it is the most concrete example. But there are also encryption solutions applied to networks or storage media.
He also exhibits himself in art. Like Kryptos (https://fr.wikipedia.org/wiki/Kryptos_(sculpture)), a monument on display at the CIA headquarters, whose text has only been partially deciphered in 30 years.
The use of encryption to protect privacy is also the spearhead of the Cypherpunk movement, which emerged in the early 1990s and counts among its members Philip Zimmermann (creator of the PGP asymmetric encryption software) and Julian Assange.
However, encryption is not foolproof. In 2019, a quantum computer managed to break RSA encryption in 8 hours (https://siecledigital.fr/2019/06/04/un-ordinateur-quantique-casse-le-cryptage-rsa-sur-2048-bits-en-8-heures/).
Far from worrying cybersecurity researchers, this event demonstrates what we already knew: that we must not rest on our laurels and must constantly work on new protection solutions that can withstand and evolve with technological innovations. As Bruce Schneier wrote in 2000, "information security is a process, not a product."
[1] In reality, we will use the letters e (encrypt), d (decrypt), and n, but Word does not allow me to use the corresponding superscripts.
APPENDIX: RSA encryption key calculations
On choisit deux nombres premiers entier p et q tel que p < q
We then calculate n and Ψ ("phi") such that
n = p × q
Ψ = (p – 1) × (q – 1)
We determine the number e such that the greatest common divisor (GCD) of e and Ψ is equal to 1.
Finally, the number d such that d is congruent to e raised to the power of -1 modulo Ψ
The public key consists of the values (n; e), the private key of the values (n; d)
You can find various examples using simple numbers here:
