A brief history of modern communication security – and why PKI is the state of the art
Encryption techniques have been used for millennia to protect communication – first on Mesopotamian clay tablets and most recently in the internet of things (IoT). In this text, communication security expert Christophe Cauche summarizes the modern history of communication security, and explains why public key infrastructure (PKI) is currently the best solution for securing internet communication.
We don’t know exactly how long humans have been using codes and ciphers to protect secrets, but the first known examples are some clay tablets from Mesopotamia, created 3,500 years ago.
War-time improvements in cryptography
Modern cryptography was born during the second world war. Most people have heard about Alan Turing, thanks to his contributions to the Allies’ cracking of the German Enigma ciphering system (I recommend the movie “Imitation game”). Fewer know much about the engineer and mathematician Claude Shannon (1916–2001), so let’s shed some light on his contributions. During the second world war, he worked with cryptography in the US army’s secret service. He was involved in the X Project, which created a system for encrypting the communication between Washington and London.
After the war, in 1948, Shannon published an article on signal transmission theory called “A mathematical theory of communication” in the Bell Systems Technical Journal. The article (which is the first text using the word bit to describe a binary digit) was turned into the book “The mathematical theory of communication” in 1949, containing Warren Weaver’s comments and simplifications.
The model from 1949 is still in use
Shannon’s information theory model describes communication as a flow of messages:
One important result of Shannon’s work is the notion of information entropy, which is a measure of the uncertainty in a message, which determines the number of bits necessary to send the information. The way we exchange information today via the internet or by phone is thus a direct result of his theory. Shannon’s initial concern was how to send a message from one point to another without losing any content during the process. I bet he didn’t predict that his work would contribute to communicating fridges.
In 1949, Shannon also published an article called “Communication theory of secrecy systems.” Here he introduced the notion of a secured cryptographic system from an information theory perspective, and the notion of perfect secrecy of a cryptosystem. I won’t go into the details of the theorem for Shannon’s perfect secrecy here – it’s enough to say that it has been verified.
The rules of confusion and diffusion
Shannon also defined the rules of confusion and diffusion:
- Confusion means that each bit of the ciphertext should depend on several parts of the key, since this obscures the connections between the ciphertext and the key.
- Diffusion means that if a single bit of the plaintext is changed, approximately half of the bits in the ciphertext should change, and vice versa: if a single bit of the ciphertext is changed, approximately half of the bits in the plaintext should change.
The encryption algorithms we use today follow these rules to guarantee the best security.
Shannon was not only interested in cryptography: he had interesting hobbies such as juggling and chess. I won’t write more about him here since it’s outside the scope of this text, but I strongly urge you to seek out more information about this fascinating person.
Symmetric and asymmetric cryptography
The most well-known encryption technique uses the same key to encrypt and decrypt a message, and is thus called symmetric cryptography. It’s very efficient but presents us with several challenges, such as how to:
- Generate keys with appropriate complexity.
- Transmit the keys.
- Store the keys securely.
- Renew the keys.
- Create enough keys for all entities in a system to guaranty confidentiality.
So-called asymmetric cryptography solves these challenges in an easier way. With asymmetric cryptography, each entity has a private key that it keeps secret, and a public key that is available to everybody. Messages encrypted with one of the keys in such a pair can be decrypted with the other key in the pair, since the keys are mathematically linked (in such a way that guessing one key knowing the other is too complex an operation).
Alice and Bob explain asymmetric cryptography
Asymmetric cryptography is usually explained with the help of Alice and Bob: to guarantee confidentiality, Bob encrypts a message with Alice’s public key. Only Alice, with her private key, can decrypt the message. And if Bob decrypts a message with Alice’s public key, he can be sure that Alice sent the message, since only Alice’s private key could have been used to encrypt the message.
The main drawback with asymmetric algorithms is that they are approximately 1,000 times slower than symmetric algorithms. Therefore, entities use asymmetric cryptography to authenticate themselves, generate symmetric keys, and exchange the symmetric keys encrypted with the asymmetric algorithm. When the entities have received their symmetric keys, they use symmetric cryptography to protect their communication. Thus, both symmetric and asymmetric cryptography is needed for efficient communication security.
How PKI solves the main problem
In 1976, Whitfield Diffie and Martin Hellman published a method of securely exchanging cryptographic keys over a public channel. A year later, Ron Rivest, Adi Shamir and Leonard Adleman published the first asymmetric algorithm, called RSA (Rivest-Shamir-Adleman). Several other asymmetric algorithms have been published since, and they all have one main problem. How do you prove to Bob that he is using Alice’s public key and not someone else’s public key?
This problem is solved by introducing a so-called public key infrastructure (PKI), which is a set of roles, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates and manage public-key encryption. The heart of a PKI is a so-called certificate authority (CA), which verifies Alice’s identity and binds her identity to her public key by issuing signed certificates to her (and to the other entities). The CA also publishes a list of certificates that can’t be trusted anymore since they were lost or compromised, for example.
PKI certificates enable widespread trust
Everybody who trusts the CA trusts the certificates it has issued, in the same way you trust a Swedish passport if you trust the Swedish state. PKIs are now very common, and enable trust between communicating entities in a wide range of scenarios, such as:
- Your browser trusts the Google CA, and therefore it trusts all web sites that have Google’s certificates.
- Your corporate network trusts your corporate CA, and therefore it trusts your and your colleagues’ computers, if they have certificates from your corporate CA.
- A French car vendor trusts a German car vendor’s CA and vice versa, and therefore connected cars of both brands can communicate securely with each other (car-to-everything, Car2X, communication) if they have the CAs’ certificates.
- A telco gateway trusts the telco’s CA, and therefore it trusts the telco’s LTE antennas if they have the CA’s certificates.
- The eIDAS regulation stipulates that a European trust list of all evaluated CAs is to be maintained, enabling trust for people’s digital identities all over the EU.
Why PKI is currently the best solution
Scientist have yet to find a better method than PKI to protect communication between people, things and services. Quantum cryptography may be tomorrow’s solution to guarantee communication security, but it’s still a young technology that’s only ready for deployment in a small number of very specific areas (I’ll write more about this in an upcoming blog post).
The reasons why PKI is currently the best solution to communicate securely on the internet is that it:
- Enables confidentiality by using cryptography and authentication.
- Enables integrity by using digital signatures.
- Allows for revocation of trust for entities.
- Allows for continual upgrading to better algorithms as they are released.
- Is a mature technology.
- Proves its reliability by its use in critical applications within areas such as banking and the military.
- Uses open standards, which means that the standards are evaluated.
- Easily scales so that it can be used for millions and even billions of entities.
What communication do you want to secure?
The Nexus PKI platform is currently used by a large number of customers for a wide range of applications. Certificates from our CA software are issued to everything from mobile apps, browsers, web servers, and virtual private network (VPN) gateways, to
consumer electronics devices, 4G antennas, smartcards, cars, plug-and-charge stations, and smart home automation boxes.
What about you – what communication do you want to secure?
Contact me if you want to hear more about how we can help you (or if you want to know more about Shannon’s juggling habit).
Published 24/9 2018