Today in this digital world, we have many technologies protecting our data. The use of passwords, authenticators, and cryptography are some of them. We have seen the importance of a strong password discussed in our previous article “Password Audits”. Passwords and authenticators are a level of security used to verify that you are who you say you are and to get access to your data. But cryptography is usually used as additional protection for your data so that even if stolen, that will not raise a threat for you. It is even used on several levels of information security.
Cryptography is a form of protecting your information through the usage of codes so that only the intended person alone will be able to open and read it. To put it technically, cryptography is a way of secured communication derived from a set of rules called algorithms, to transfer a message in an encrypted manner.
With algorithms, the data is changed into an unreadable format which an authorized user alone be able to read and not by an unauthorized user, allowing it to move across the internet freely. Cryptography can be done for both the data-in-rest and data-in-transit allowing it to stay secret. The data is turned into a cyphertext (an encoded message which is created by the algorithm — this process is called Encoding) by the sender’s machine and the receiver’s machine will only be able to decode the ciphertext into the original data.
There are two types of cryptography used across the globe.
The algorithm or key used to encrypt and decrypt are the same or relating to each other. These keys are not supposed to be shared over the public internet as they can be accessible to an intruder who might use them to eavesdrop on the communication going on through the channel.
A combination of public and private keys is used to encrypt and decrypt the data shared. A public key is used to encrypt the data and only the person with a private key can decrypt and read it.
Let me explain a scenario to help you grasp it better.
Imagine that a person Andy wants to communicate with Sam over the internet and he wants the message to be secured. We know the public internet is not a safe place to share confidential matters and so most organizations have a communication channel of their own. So, Andy chooses to share the message via their private communication channel.
But what if there is an intruder, who gained unauthorized access to the channel? No one will be able to detect it unless it raises an issue. If he gained the message Andy shared, it can cause a threat to the organization. This is where cryptography comes into play.
Rather than sending the message as plain text, Andy’s machine will convert it to a cyphertext and shared it with Sam over their communication channel which his machine can decode with the key on his side. Even if there is an eavesdropper in the channel, he will only be getting the cyphertext which will give him/her nothing but some unusable bunch of numbers, alphabets, and special characters.
Asymmetric cryptography is very much appreciated these days as the public keys can be shared over the internet itself without worrying but not the private key.
The origin of cryptography is dated back to 2000 B.C. and is still turning the tables in a favourable way for many organizations as they can come with their key pairs and algorithms that stay within the organization itself and there are some standardized encryption methods available as well.
The National Institute of Standards and Technology (NIST) is an organization to help US economic and public welfare issues with leadership over the nation’s measurements and standards infrastructure. They have many standards for data security and let us see their cryptography standards NIST 800–175B (revised one).
It covers a broad set of mathematical techniques to achieve confidentiality typically by using some techniques and services. This document describes some common practices, methods, and measures to keep your data safe and these standards provides the benefits of:
4. Cost savings
5. Common form of reference
We highly recommend every organization to go through these standards in case of planning to implement its key management system and all. Feel free to write to us in case of any Information security issues or queries.