Cryptography and
Encryption

updated 2016 June 17
 
. This page used in the following courses taught by Prof. Richardson
.
BIT 801
FCA 240
BCS 555		 MGD 415 / MGT 471
MGD 426
FSM 620
MGM 723
.
.
This page is prepared by Prof. Tim Richardson for his students.
The purpose is to put all the basic info together in one place about Encryption / Cryptography.
This is not intended to be an exhaustive treatment of the subject
- the subject of Encryption and Cryptography has grown to be a very large and diverse topic - this is just a basic basic intro
 
 
LEARNING 
OBJECTIVES		 The objectives for this unit are to help the student understand
  • what are the fundamentals of Cryptography
  • what are some of the business and marketing reasons why Encryption is necessary in the Information Age
  • the important points of messaging and communication security and the key components of security in correspondence
  • the fundamentals of digital signatures
When the student has completed this unit it would expected that they could read information about  I.T. security topics discussing Cryptography and Encryption in a business context and know the meaning of the fundamental terms and scenarios.
..
INTRODUCTION One of the important consequences of the intense competitive market for consumer products and services is an intensified enthusiasm for companies to possess more information about existing customers in order to retain these customers. A big part of retaining customers is obtaining customer profile information including spending circumstances and personal information. The possession of such information puts customers at risk for identity theft, 
1. when their personal information is accessed by unauthorized people
2. when their personal information is accessed during the process of transmitting the data between authorized people
It is these two reasons that are the main drive behind an increasing need to understand and employ the science of cryptography and utilize encryption techniques to keep customer profile information safe from misuse by criminals and diseffected employees.

Students reading this unit should also look at the unit on Identity Theft
 www.witiger.com/ecommerce/identitytheft.htm

 
What is
Cryptography ?		 "Cryptography is a method of mathematically encoding used to transform messages inot an unreadable format in an effort to maintain confidentiality of data"
Greenstein

Cryptography comprises a family of technologies
that include the following:
.
  • Encryption transforms data into some unreadable form to ensure privacy. Internet communication is like sending postcards in that anyone who is interested can read a particular message; encryption offers the digital equivalent of a sealed envelope.

    •  
  • Decryption is the reverse of encryption; it transforms encrypted data back into the original, intelligible form.

    •  
  • Authentication identifies an entity such as an individual, a machine on the network or an organization.

    •  
  • Digital signatures bind a document to the possessor of a particular key and are the digital equivalent of paper signatures. Signature verification is the inverse of a digital signature; it verifies that a particular signature is valid."
quoted from  www.techweb.com/se/directlink.cgi?CRN19970630S0089 (link no longer active in 2006)

A "Google" search shows the terms noted above are widely replicated on many sites. One of the most reliable sources is the Glossary on the website of the Joint Information Systems Committee, based at Oxford University Computing Services. www.dcoce.ox.ac.uk/
Encryption
 

Hackers
Crackers
and 
security 
breaches

 "Why Cryptography Is Harder Than It Looks" 
by Bruce Schneier, CTO and Founder, Counterpane Internet Security, Inc.
 www.schneier.com/essay-037.html
.
Here is a snapshot of some of the points made by Schneier
.
Vulnerability
fundamentals		 "In the end, many security systems are broken by the people who use them. Most fraud against commerce systems is perpetrated by insiders. Honest users cause problems because they usually don't care about security. They want simplicity, convenience, and compatibility with existing (insecure) systems. They choose bad passwords, write them down, give friends and relatives their private keys, leave computers logged in, and so on. It's hard to sell door locks to people who don't want to be bothered with keys. A well-designed system must take people into account. Often the hardest part of cryptography is getting people to use it. ... It's hard to build a system that provides strong authentication on top of systems that can be penetrated by knowing someone's mother's maiden name."
.
Digital
Signatures
Student David Y. in graduate course BIT 801 at Seneca in April 2008 did a presentation in class about Digital Signatures.

David's presentation was particularly good, and he agreed to let us use a PDF version of it here in the cryptography section since the use of digital signatures is an important part of the encryption process in business applications.
http://www.witiger.com/powerpoints/DigitalSignaturePresentation.pdf click to dowload
.
Student Umair V in MGD415 at UTM in early Feb 2009 sent an email in which he discussed an upcoming topic in class. 

Umair said 
"I was browsing through the course outline in preparation for the test and I stumbled upon the "Encryption" topic under "Security Strategies". You mention how cryptography is important in the business world, an example of that would be how President Obama will be switching his phone, which he passionately loves from a BlackBerry to a Microsoft special NSA-certified cryptography smartphone called "Sectera Edge" build specially for President Obama costing Microsot $3,500. "

 
.
Umair added 
"The device will work in the same secure manner on any mobile network, according to Siegel". Plus, Its got the same, "Encryption, Decryption, Authentication and Digital Signature processing for extra security measures. RIM could have provided this security as well, since they would love to get free marketing for the next four years, however, the article mentioned an interesting point of how the government can't trust a Canadian company with such sensitive information and since they're already using over 90% of Microsoft's product, it would only make sense to go with the same company for all your product needs. "

WTGR adds
click to view larger This is not a total loss for BlackBerry. President Obama will be allowed to keep his BlackBerry 8830 for "personal use" but for official business he has to use the Sectera Edge - which is a bulky WinMo 6.1 phone shown to the left


pic provided by Umair
.
 
 
"Electronic Commerce" Greenstein & Feinman, 
Chpt 3, The Greenstein book titles this chapter "Regulatory Environment", but the beginning of the chapter deals mostly with the basics of Cryptography

see also Chpt 8 "Cryptography and Authentification"
the powerpoints for Chpt 3 used to be at 
 www.mhhe.com/business/accounting/greenstein/downsupps.mhtml
but the link is no longer active in 2007
m
fv
 
 
 
This "grinder" is a pretty good representation of what a "key" does to a message that you want encrypted.

"Data is encrypted using an "algorithm"  basically a mathematical formula that has only one non-factorable solution.  Algorithms also use schemes such as double or triple encrypting the data. The "key" is the one and only number that the  algorithm can use to decrypt the  message. "

from www.cypost.com/encr_basic.html 
(link doesn't work in 2016)
bb
http://www.e-scotia.com/escotia/escotia.html
Much of the material in this inset table (either in direct quotes or summary form) comes from e-Scotia.com's site.

e-Scotia had a whole page on Security and Cryptography at
www.e-scotia.com/escotia/
escotia_security.html

 

 There are 5 key components of security in correspondence that business is trying to establish in e-commerce situations
  • Confidentiality - the communication between two parties has not been seen by a third party and the material of the communication has remained secret
  • Integrity - the communication has not been tampered with nor has the message been edited (or the amount of money been changed) and there is must be a way of matching the copy held by the receiver, to the original sent by the sender
  • Authentification - the identity of the author/sender can be verified so that the receiver knows the message / information did indeed come from the proper source
  • Non-repudiation - the sender cannot deny having sent the message nor can they have means to change any of the content (including currency amounts) within the message. This is critical to keeping agreements when time lag (between sending and receiving) sees market conditions change
  • Access Control - only the authorized recipient can open the message. Usually to open it you need some sort of cyber key which will be a large unbreakable number hopefully difficult to hack in to.
Carrie Denton, Managing Director, ScotiaFX/E-commerce gave permission to quote from their site.
Copies of emails are kept in the permissions binder
 
http://www.e-scotia.com/escotia/escotia.html  Digital Cryptography works on two levels
Encryption Digital Signatures
Data is scrambled or digitally encrypted and only parties who have
the right key can unlock and decode the data. 

Encryption allows communication to be confidential however it will not: 
 

  • Provide proof that the originator has participated in the  transaction
  • Authenticate the identity of the sender
  • Protect the data from being intercepted and modified. 
 Digital signatures can be authenticated by third parties with credibility of the sender and receiver. In e-commerce, leading financial institutions and government authorities are positioning themselves to be "certification authorities". When the digital signature of the recipient is validated by a "certification authority", assurance can be provided that:
 
  • The sender of a message/transaction is who they claim to be
  • The sender has participated in the transaction, meaning they are aware of the content and amounts if money is part of the message)
  • The information details, (payee or payor) and any statement of money has not been changed in mid-transit. 
.
56 bit keys versus 128 bit key

The length of the key is a factor in  preventing brute force attacks. The longer  a key is (in bits) the more tries one would need to make to find the right key. With a  56-bit key, there is a large but definite limit to the number of keys you need to check (72 quadrillion possible combinations). Some applications can test 200 million keys per second. With a little time and money, someone can build a specialized computer array that can break a 56 bit key encrypted message in a matter of minutes. 

If the key is 128 bits long, or the equivalent of a 16-character message on a personal computer, a brute-force attack would be 4.7 sextillion (4,700,000,000,000,000,000,000) times more difficult than cracking a  56-bit key. Given the current power of computers, a 56-bit key is  considered crackable; a 128-bit key isn't - at least not without an  enormous amount of effort. 

was formerly posted at  www.cypost.com/encr_basic.html
.

RSA is a public key cryptosystem for both encryption and authentication. It  was invented in 1977. It is an encryption algorithm that uses very large prime  numbers to generate the public key and the private key. RSA is typically used in conjunction with a secret key cryptosystem such as DES. DES would be used to encrypt the message as a whole and then use RSA to encrypt the secret key. Thus, RSA provides a digital envelope for the message. RSA is in wide use  today, it is possibly the most commonly used public key algorithm used.  Because of this it has undergone a lot of public scrutiny and there is much  empirical evidence of its security. It can be used for both encryption and signing.
from  http://library.thinkquest.org/27158/concept2_4.html
 
 
Future
Developments
in
Cryptography		 jj The "Report on Business" section of the Globe & Mail reported a story 2007 April
A Quantum Leap in Information Security: Pioneering physicist aims to lock out data hackers with speed-of-light cryptography

The story discussed the developments of Dr. Wolfgang Tittel and his colleagues at the University of Calgary. Dr. Tittel holds the news Chair in Quantum Cryptography
see www.icore.ca/research_quantumcrypt.htm
.
 
witiger.com
   CONTACT I MAIN PAGE I NEWS GALLERY I E-BIZ SHORTCUTS I INT'L BIZ SHORTCUTS I MKTG&BUSINESS SHORTCUTS I TEACHING SCHEDULE
.
  MISTAKES ITEXTS USED I IMAGES I RANK IDISCLAIMER I STUDENT CONTRIBUTORS I FORMER STUDENTS I
.
.

  Prof. W. Tim G. Richardson © www.witiger.com