The basic idea of key-based cryptography is that you take
a chunk of
data (plain text) and scramble it up (ciphertext) so that the
information is hidden beneath a level of encryption. In theory,
person (or machine) doing the scrambling and the recipient of
ciphertext knows how to decrypt (unscramble) it, because it will
have been encrypted
using an agreed-upon set of keys or a specific
cipher and passphrase (key).
This key-based method of cryptography is common, wherein the
question is only known to the persons or machines doing the encrypting
decrypting. Think of it like a car key. The owner of the car
has the key,
obviously. When the owner walks away from the car, she locks
it and keeps
the key safely secured. No one can get into or use the car without
sort of "brute force."
The responsibility of protecting the key rests solely with
the owner of
the car. If the owner puts a set of keys in one of those magnetized
holders underneath the car, that's a very loose method of
security. If the owner keeps the key with her at all times, even
it on a chain around her neck, that's a pretty good level of
But say the owner's friend needs to borrow the car, so the
passes along an extra set of keys for the friend to use. Both
now drive the car, but the security of the key itself is compromised
because someone else has it. If the friend makes copies of the
key (for other
people to use when the owner is out of town, say), the level
becomes even more diluted. Eventually, the original lock-and-key
will be lost entirely, and in order to recover it, the owner
will have to have new locks put on the
car and new keys made.
Keys used in encrypted communications have the same problems
conventional keys: They can be lost, stolen, even bought and
sold. And some
can be discovered by crackers through a method called "social
Crackers don't necessarily use a serious amount of CPU cycles
crack a cipher. Most of the time, they just ask for the password
unsuspecting technician. Or maybe they call up your receptionist
chat" and glean a tidbit or two of crucial information. You'd
be surprised at
how often this occurs.
Sometimes crackers play on the notion that most people choose
passwords that are easy to crack, like any word found in a dictionary.
Words like "hopscotch," "meteor," or "porcupine" may seem like
hard-to-guess and easy-to-remember non sequiturs, but they're
passwords because most password-cracking software cycles through
dictionary. If your password is anywhere in that dictionary,
bye-bye to your sensitive data. Better passwords are alphanumeric
such as "1Am*Sh$b" or "BA8Hw2Lq."
There are methods of cryptography that don't rely on keys
but even those aren't foolproof. If the decryption program is
the key itself, then the machine becomes one big, concrete representation
key, which can be stolen. For example, take the infamous Enigma
machine. This machine was used by the Germans in World War II
and decrypt secret messages. Although it looked like a typewriter
steroids, the Enigma machine was not built to type plain text.
Based on a
complex series of settings, wheels, and rotors, the typed text
skewed ever so slightly, so as to produce the encrypted data.
instance, the machine was the key; it proved to be a very valuable
piece of equipment, especially in the hands of the Allies.
Taking all of this into consideration social engineering,
people holding keys, encryption embedded into machines themselves
may wonder if your sensitive data is really safe. If you keep
locked down, keep your private keys private, don't use an Enigma
and don't give your root password to your receptionist, your
probably pretty safe. The techniques outlined in this tutorial
you as you attempt to reach a comfortable level of security,
but be advised
that these few Web-based tricks only scratch the surface of data