Learn the concept of encryption with Scytales

The process of transforming information through a set of algorithms so that its original meaning cannot be determined is known as encryption. The history of encryption began long before the advent of computers. That is because to win wars, it was essential to protect friendly information from being leaked to the enemy.

In ancient Sparta, wooden rods like the one pictured above are said to have been used to pass military secrets. They called them Scytale, hence the name Scytale encryption. Here is how it works.

1. The sender and receiver each have a wooden stick of the same shape and size.
2. The sender wraps a long piece of parchment around the stick and writes a message in a horizontal orientation.
3. The sender unrolls the parchment and hands it to the receiver.
4. The receiver wraps the parchment around the rod again to decipher the message.

It is a simple approach, but it captures all the key concepts of cryptography. Let's break it down.

1. The original message that the sender wants to convey is called "plain text".
2. The sender uses an algorithm called "wrap a piece of parchment around a Scytale and write the message horizontally" to make the plaintext unrecognizable, which is called encryption.
3. The same algorithm will produce different results depending on the thickness of the Scytale. The data that determines the result of the algorithm is called the encryption key.
4. The receiver deciphers the plaintext with an algorithm called "wrap the parchment around the Scytale and read the message horizontally", or "decryption". Decryption is the same algorithm, but the result depends on a decryption key: the thickness of the Scytale.

Imagine a Spartan soldier is captured by the Athenians while trying to deliver an encrypted letter. The Athenians will eagerly read the message on the parchment, but they will not be able to decipher the original meaning.

Symmetric-key encryption

Scytale’s encryption was "the thickness of a Scytale." Encryption methods that use the same key for both encryption and decryption are known as symmetric-key encryption. Let's go back to the story of the captured Spartan soldier to understand the advantages and disadvantages of symmetric-key encryption.

Suppose one of the Athenian soldiers has heard of Scytale encryption. What if he makes his own wooden stick and wraps a piece of parchment around it? Unless it is the same thickness as the one used by the captured soldier, it is impossible to decrypt. Even if the encryption algorithm is known, it is safe because the decryption key, the Scytale, is missing.

However, if the Spartan soldiers were captured while trying to pass along the Scytale needed for decryption, that is a different story. One of the soldiers would know the algorithm and would be able to decrypt the letter the moment he captured the Scytale. Modern symmetric-key algorithms like AES use much more complex encryption methods than Scytales, but they have not overcome this fundamental weakness: if it is captured in the middle, it is over.

To make an encrypted communication, you must pass the encryption algorithm and key to the other party at least once. If the key is stolen in transit, subsequent communication is as good as sending it in plain text. Furthermore, the enemy can create false messages with captured Scytales to wreak havoc.

The reason we use symmetric-key encryption with these risks is that it can be encrypted and decrypted much faster than asymmetric-key encryption, which we will discuss next. A common approach is to protect the encryption key with a secure algorithm only when it is passed, and encrypt the rest of the communication with a symmetric-key algorithm.

Asymmetric-key encryption

Conversely, there is also "asymmetric key encryption," where the key used for encryption is different from the key used for decryption. In asymmetric key cryptography, a pair of keys are used together, called the public and private keys, respectively. The public and private keys can only be decrypted by each other, meaning that a message encrypted with the public key must be decrypted with the private key, and a message encrypted with the private key must be decrypted with the public key.

The receiver passes the public key to the sender, saying, "When you send me a message, encrypt it with this key. It does not matter if someone intercepts or eavesdrops on the process of passing the public key, which is amazing when you think about the Spartan soldier who was terrified of having the Scytales stolen. Let's take a look at the communication process to see how this is possible.

1. The receiver reveals its public key.
2. The sender encrypts and forwards their message using the receiver's public key.
3. The receiver decrypts the forwarded message using their private key.

Even if a hacker intercepts the packet in the middle, they can only get the receiver’s public key and ciphertext. The message cannot be decrypted because only the receiver has the private key needed to decrypt it. The only way to decrypt the message is to get into the receiver’s computer and get the private key, which is much harder than intercepting the packet. It is the same way that it is harder to go into enemy territory and capture a soldier passing a Scytale than it is to capture the soldier passing the Scytales.

When describing symmetric-key encryption, we mentioned that if the encryption key is stolen, not only can the enemy reveal the contents of the ciphertext, but they can also be fooled by false messages. Asymmetric-key algorithms prevent this from happening. Here's a step-by-step look at the process of communicating with an asymmetric key algorithm.

1. The sender discloses the following two pieces of data
   1. The public key
   2. A message encrypted with a private key
2. The receiver attempts to decrypt the message with the public key.
3. Depending on the result of the decryption, it judges as follows.
   1. Success: The message was sent by the sender.
   2. Failed: The message was sent by someone else pretending to be the sender.

If decryption fails, why does it look like a forged message? If a hacker were to steal the packet, they would have no way of knowing the sender's private key used to encrypt it, so they would have to use a different private key that they own to encrypt the false message. They would not be able to encrypt the message with the sender's public key, which would reveal the forgery.

One-way encryption

Finally, we have 'one-way encryption', which is impossible to decrypt. To understand one-way encryption, you first need to understand the concept of a "hash function," which is a function whose hash value is constant in size no matter what you set as an argument. For example, SHA-256, a popular one-way encryption algorithm, returns a hash value of 32 bytes regardless of the length of its arguments. Giving this function's argument a plaintext and using the returned string as a ciphertext is one-way encryption.

A hash function is also a type of mathematical function, so if the arguments are the same, the result is the same, but it is impossible to figure out what the arguments were by looking at the result. In other words, if the plaintext is the same, the ciphertext is the same, but it is impossible to figure out what the ciphertext was by looking at the plaintext. Let's look at an example of encrypting two strings.

• WhatapLabs
• F903118960A7FF1FC5948220EBDF60AD3AEE8AC9884736891A0C7944EDA57244Whatap Labs

13BB3932FD59710CECA3FBC421CD3C344864341C3A585000268A9FC9B1DB7566

The difference between "WhatapLabs" and "Whatap Labs" is a single space in the middle, but the resulting string is completely different. This small difference is known as the "avalanche" effect, and the hash functions we use for encryption have a very strong avalanche effect.

Let's say a user sets their password to "WhatapLabs". If we stored the plaintext in the database, the user would be very vulnerable to a breach. If you store the hash value "F90311..." instead, the damage is limited because it cannot be decrypted in the event of a breach. Fortunately, this does not prevent us from implementing login feature: if the password entered by the user trying to log in matches the hash 'F90311....', the login succeeds, otherwise it fails.

It's important to note that using one-way encryption is not without its weaknesses. When different arguments have the same hash function, it's called a "collision." If you know how to cause a collision, you can achieve the same effect as if you had decrypted the password. For example, suppose the hash function used by a website returns the same hash value for the arguments 'WhatapLabs' and 'Monitoring'. A hacker would be able to log in with the password 'Monitoring' without knowing the plaintext WhatapLabs.

Secure algorithms like sha-256, which we introduced earlier, have not yet been found to have a known number of cases of hash collisions, while older algorithms like md5 or sha-1 have known cases of collisions and should never be used to encrypt sensitive information like passwords.

Encryption methods used to protect information that DevOps engineers should know

Today we have given you a high-level overview of the encryption methods used to protect information. It is safe to say that there is hardly a corner of the current network environment where encryption is not used. In the next installment, we will look at specific use cases for encryption algorithms.