Hi, my name is Dru Streicher, and I am going to talk about encryption today. A little bit about me: I am a Systems Administrator for Hurricane Labs, we’re a Cleveland-based network security company. I am a hardware hacker and a chip musician, and I also collect arcane technology. And I also collect vinyl records.
We’ll talk today a lot about very, very basic encryption stuff, and I really want this to be like an intro to encryption, because it is big and scary when you’re first looking at it, and you’re like: “How do I do this, what does this mean?” So I kind of wanted to make a very basic intro to encryption, because I think it’s very important.
So, when we talk about encryption – what are we talking about, like what is it for? A lot of people think that encryption is for security, and that’s not necessarily true. A bad password encrypted is still a bad password; a bad program that uses encryption is still a bad program. If you have a security hole encrypted, it does not make it any more secure. Encryption is basically for privacy. It is for peace of mind of knowing your information is where it needs to be and that you have access to it and you can control that access to it. And this is why it is important, so that we can hold on to our information and make sure that we know where it goes, who it goes to, and that we can essentially keep it to ourselves and keep it private, if we wish to.
So, what does encryption look like? As we talk about encryption we’re talking a lot about three things, three main terms that you’ll hear: plaintext, cypher and cyphertext. The plaintext in this is “secret”, so just the word “secret”, and then it goes through the cypher, which is just the complex math that turns it into the cyphertext, which is this gibberish. It’s called SHA-512. There are different kinds: RSA, DES, SHA-1 – all kinds of different cyphers, and basically they kind of give you the same thing. They take your plaintext and spin it out to cyphertext, which is just a series of complex letters and numbers and symbols and stuff.
Encryption is very hard. I am not a math person; I don’t understand the math behind encryption, but I can kind of explain it a little bit. It uses something called a one-way function. The best way that I have heard to describe a one-way function is: if you gave two people two phonebooks, and the first person wrote a secret message and took that letter and, say, the letter A was the first one, and then went to the first letter of the last person’s last name in the phonebook, and took that phone number and wrote it down on a piece of paper. And they do this for their whole message, and then they gave their piece of paper to the next person. The next person could go through the entire phonebook and find that phone number for the letter A, and trace it back to the letter A. So they are really easy to make, but are very hard to pull apart, and that is the way one-way functions work: they use prime numbers and a lot of multiplication and factoring. And I don’t like math…
When we talk about encryption, it sounds really difficult – you’ve got all these things, you’ve got cyphertext, and all these scary words that he just said. You are using encryption every day, you just don’t realize it, or maybe you do. For instance, let’s talk about the difference between HTTP and HTTPS. And this is kind of an easy way, and I can show you using LOLcat. HTTP is just a standard web thing, and when you type in LOLcats.com then it takes you to these funny pictures of cats that we all love… and trade. And that’s fine if you’re going to LOLcats, nobody really cares – hey, do you really care if you know that I am going to LOLcats to look at these funny pictures? That’s really not a big deal.
But, say, you want to go to, you know, your bank website; then it’s not a good idea that anyone could listen in and figure out what your password is. So, maybe you want to encrypt that. That’s what HTTPS is. The S stands for “Secure”, and what it does is it encrypts all the traffic between your computer and the server. So, if there was anyone listening in, all they would get would be gibberish. They would not be able to tell that you’re going to LOLcats or your bank, or whatever you prefer.
In the next section we are going to talk about Alice and Bob (see image). Alice and Bob are kind of like the typical names: when you talk about cryptography and encryption, these would be the examples that you always use. So, meet Alice and Bob. This is Alice, and this is Bob. Alice has a very secret message that she wants to tell Bob. She doesn’t want anyone to know, especially not Eve, because Eve might like Bob too. So, Alice wants to keep this message only for Bob. She doesn’t want you to listen. So, what does she do? She decides to encrypt this message and send it to Bob using something called “symmetrical encryption”, which is just a basic password. So she uses the password “sw0rdf1sh” and encrypts her message to Bob. She encrypts the message and sends it to Bob, and Eve, if she intercepts it, cannot really do anything with it because it’s all gibberish. When Bob gets it he knows the password, so he can unencrypt it and read it in cleartext. And then he knows that Alice wants him to be her soulmate.
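The Alice, Bob and Eve exchange above, written out as an added example (not code from the talk) in Ruby using its OpenSSL bindings: the password “sw0rdf1sh” is stretched into an AES-256 key with PBKDF2 and a random salt, the message is sealed with AES-256-GCM, Bob recovers it with the same password, and Eve’s wrong guess or any modified byte fails the authentication tag check. The iteration count, the blob layout (salt, nonce, tag, ciphertext) and the message text are assumptions of this example.

```ruby
require "openssl"
require "securerandom"

KDF_ITERS = 100_000 # PBKDF2 rounds (assumed value): each password guess costs this many hashes

# Turn a human password into a 32-byte AES-256 key. The random salt means the
# same password yields a different key each time, so precomputed tables fail.
def derive_key(password, salt)
  OpenSSL::PKCS5.pbkdf2_hmac(password, salt, KDF_ITERS, 32, "sha256")
end

# Output layout (assumed): salt(16) || nonce(12) || tag(16) || ciphertext.
# This whole blob is what Eve intercepts; without the password it is gibberish.
def encrypt(password, plaintext)
  salt  = SecureRandom.random_bytes(16)
  nonce = SecureRandom.random_bytes(12)
  c = OpenSSL::Cipher.new("aes-256-gcm").encrypt
  c.key = derive_key(password, salt)
  c.iv  = nonce
  ct = c.update(plaintext) + c.final
  salt + nonce + c.auth_tag + ct
end

# Bob, knowing the password, recovers the plaintext. A wrong password gives a
# different key, so the GCM tag check fails and nil comes back, never garbage.
def decrypt(password, blob)
  return nil if blob.bytesize < 44 # too short to hold salt, nonce and tag
  salt, nonce, tag, ct = blob.byteslice(0, 16), blob.byteslice(16, 12),
                         blob.byteslice(28, 16), blob.byteslice(44..)
  c = OpenSSL::Cipher.new("aes-256-gcm").decrypt
  c.key = derive_key(password, salt)
  c.iv  = nonce
  c.auth_tag = tag
  c.update(ct) + c.final
rescue OpenSSL::Cipher::CipherError
  nil
end

if __FILE__ == $0
  blob = encrypt("sw0rdf1sh", "Bob, will you be my soulmate? -Alice") # constructed message
  puts "Eve sees:  #{blob.unpack1('H*')}"
  puts "Bob reads: #{decrypt('sw0rdf1sh', blob)}"
  puts "Eve guesses 'password': #{decrypt('password', blob).inspect}"
end
```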
A real-world example of this is full disk encryption or disk encryption. If you have a laptop and, let’s say, you have your super secret password on there that protects all your files and everything – that’s great. But if you’re not encrypting your drive or your directory itself, and you were to lose your hard drive or your laptop, or someone were to steal it, they could very easily boot it and access your entire drive without any problem; that would take a couple of minutes and it would be very easy to get. What encryption does is it makes it private by encrypting all that information. You can do what’s called folders, or just a folder or two. Folders is probably what I would recommend; it basically does the entire drive, whereas some other things would do just what I call your home directory, like “My Documents” and all of that stuff.
The tools that we use for disk encryption are LUKS under Linux, FileVault under Mac OS X, and BitLocker under Windows. These are all built in, for the most part, to all major operating systems. For LUKS you might find some variations between the weirdest builds of Linux and Red Hat; I don’t really know. If you are looking for more folder-based encryption, or areas where you can control what you want to encrypt, if you just want to do files and stuff, or even if you do want to do folder encryption but you don’t want to use these tools, I recommend a program called TrueCrypt; it’s open source and it’s very user-friendly, very nice.