Practice Cryptography!

Even with all of the cryptologic and cryptographic technology that has existed in the world for the past 60 years, we still don't really know what encryption is good for or how to use it -- or, more importantly, why it's important. Maybe it's time for people and coders to actually start practicing how to use it, like any other skill.

Sunday, February 19, 2006

 

So, what do I mean by "Practice Cryptography"?

We've all seen it, we've all done it -- we've all practiced the skills we have, to become better and more proficient at them.

We've started out with baby steps when just learning how to walk, and then we grew more confident and started to run... sometimes we tripped and fell, but we learned how not to make the same mistake the next time.

We've sat on a bicycle and haven't been able to figure out just how we're supposed to keep it going straight, much less how to balance it. It was absolutely foreign to the senses we'd developed to walk and run and skip and play hopscotch. Maybe we kept falling over for a while, but we all got the hang of it... and eventually, as we practiced, we learned how to ride without hands on the handlebars, or to do wheelies, or to do tricks.

Maybe you've held a yo-yo, and had no idea how to make it come back up, pulling your hand up slowly when it hit the bottom of the string. But, you learned how to make it come back to your hand quickly. Perhaps you even learned to do tricks -- by practicing them, and not giving up if you didn't do it quite right.

I think that we've all had these experiences... but we've all fallen for a trap that our governments and large corporations have devised for us. That trap is the idea that there is only One True Way to do cryptography. And I can't believe that. Messages have been sent encoded for military maneuvers since the days of Julius Caesar. In World War 2, the Germans had the Enigma rotor machine, and the Allies eventually broke it because of a few messups. That sucked, but it was bound to happen.

Eventually, cryptography came to be used in the commercial sector. If you used Yahoo or Gmail or MSN or Hotmail today, you've used cryptography (without even realizing it). There are many, many good reasons to have unbreakable codes... usernames and passwords, for example. Why would you want those to get out onto the 'net? Credit card numbers -- even (or especially!) if you use PayPal or some other payment processing service, you don't want them to be found out by just anyone who could be hanging around a router out on the 'net.

But in the translation of cryptography from the military to the civilian sector, military ideas took hold. "Everyone has an identity, and every message can be traced back to that identity." Well, yes. But honestly, there's something missing here. And to figure out what it is, we're going to have to go back to what the three main reasons for cryptography really are:

1) Authentication: Verifying that a message came from who it seems to have come from. If you write checks or sign credit card receipts, you know the concept of authentication very well -- your signature is authenticated to verify that you are the one who authorized the transfer of your funds to the person you're giving them to. Same thing with cryptography -- it can be used for that.

2) Integrity. This follows closely on the heels of authentication. For example, if you authenticate a check to a bank, the bank needs to make sure that what it received was what you wrote the check for, that it hasn't been tampered with or altered from the time it left your hand to the time it got to the bank.

3) Confidentiality. We take it for granted, here in the US, that our phones are wiretap-free. But the recent spate of illegal wiretapping by our government should show that no conversation is safe. YOUR privacy could be compromised. YOUR information could fall into the wrong hands. And if your information falls into the wrong hands... then, to the computer, someone else /is/ you, and can do all the things that you can do -- forging your identity, stealing it, and making life a hassle for you. So, keep it secret... keep it safe.
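To practice the difference between the three goals, here is an added example (not part of the original post) that tags a "check" with HMAC-SHA256 from Python's standard library. It assumes the account holder and the bank share a secret key, and all names and values are constructed for illustration. It goes one step past the list by also rejecting a replayed check, and it shows that a tag gives authentication and integrity but no confidentiality.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample key, assumed to be shared by the account holder and the bank.
ACCOUNT_KEY = secrets.token_bytes(32)


def write_check(key: bytes, payee: str, amount_cents: int, serial: int) -> dict:
    """Serialize the check canonically and attach an HMAC-SHA256 tag."""
    body = json.dumps(
        {"payee": payee, "amount_cents": amount_cents, "serial": serial},
        sort_keys=True, separators=(",", ":"),
    ).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def bank_accepts(key: bytes, check: dict, seen_serials: set) -> bool:
    """Accept only an untampered check from the key holder, and only once."""
    expected = hmac.new(key, check["body"], hashlib.sha256).hexdigest()
    # Constant-time compare avoids leaking how many tag characters matched.
    if not hmac.compare_digest(expected, check["tag"]):
        return False  # wrong key (authentication) or altered body (integrity)
    serial = json.loads(check["body"])["serial"]
    if serial in seen_serials:
        return False  # a valid tag alone does not stop the same check being replayed
    seen_serials.add(serial)
    return True


def demo() -> dict:
    seen = set()
    check = write_check(ACCOUNT_KEY, "Alice's Bikes", 4_500, serial=101)
    altered = dict(check, body=check["body"].replace(b"4500", b"9500"))
    forged = write_check(secrets.token_bytes(32), "Mallory", 4_500, serial=102)
    return {
        "genuine": bank_accepts(ACCOUNT_KEY, check, seen),
        "altered": bank_accepts(ACCOUNT_KEY, altered, seen),
        "forged": bank_accepts(ACCOUNT_KEY, forged, seen),
        "replayed": bank_accepts(ACCOUNT_KEY, check, seen),
        # The tag hides nothing: anyone on the path can still read the payee.
        "readable_in_transit": b"Alice's Bikes" in check["body"],
    }
```

Calling `demo()` returns the verdict for each case. A handwritten signature is closer to a public-key signature, which anyone can verify without holding the secret; the shared-key tag here is the stand-in the standard library offers.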

But there's another application for confidentiality, that's close to the "identity theft" idea above...
