Cryptography 101: Your Digital Shield 
If you think cryptography is just for spies and secret agents, think again! Cryptography is the science that protects our modern digital lives, ensuring trust and privacy in everything from online banking to sensitive communication.
It solves three critical problems:
- Confidentiality: Keeping your communication private. (The secret message.)
- Integrity: Verifying a message hasn’t been secretly changed. (The message is whole.)
- Authentication: Determining who actually sent the message. (The identity is real.)
Without cryptography, the internet as we know it would be a chaotic, theft-ridden mess. If you’re a journalist, activist, or anyone who values privacy, understanding these concepts is non-negotiable.
A Note on Security: This guide provides essential concepts. If you face a targeted attack from well-funded adversaries (like governments or organized crime), you need professional operational security (OpSec) training. Organizations like the Freedom of the Press Foundation offer excellent training materials and courses.
Public Key Cryptography: The Two-Key System 
The foundation of secure communication tools like OpenPGP is Public Key Cryptography (also known as asymmetric cryptography). It relies on having two mathematically linked keys:
- Public Key: Designed to be shared with everyone.
- Private Key: Must be kept secret and known only to you.
Confidentiality (Encryption)
Imagine Alice wants to send a secret to Bob.
- Encryption: Alice grabs Bob’s Public Key and uses it to scramble (encrypt) her message.
- Transmission: She sends the scrambled message across the internet. It doesn’t matter who intercepts it.
- Decryption: Only Bob’s Private Key can unscramble the message.
The Public Key is a one-way street: it can lock the message, but it can’t unlock it.
| Key | Purpose | Security Rule |
|---|---|---|
| Public Key | Encryption and Signature Verification | Share it widely! |
| Private Key | Decryption and Signature Creation | Keep it absolutely secret! |
Authentication (Digital Signatures)
Digital signatures work in reverse, using your identity for proof:
- Signing: Alice uses her Private Key to create a digital signature for her message. (Because only she should be able to sign in her name.)
- Verification: Bob uses Alice’s Public Key to check the signature. If it matches, he knows the message truly came from Alice and hasn’t been altered.
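The two key roles above, as an added example that is not part of the original guide: textbook RSA built on small constructed keys shows which key locks, which unlocks, which signs and which verifies. It has no padding and a tiny modulus, so it illustrates the roles only; the function names and sample message are assumptions, and real OpenPGP software uses vetted libraries and much larger keys.

```python
import hashlib

E = 65537  # widely used public exponent

def make_keypair(p, q):
    """Return (public, private) textbook-RSA keys built from two primes."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))   # modular inverse, Python 3.8+
    return (n, E), (n, d)

# Constructed toy keys from known Mersenne primes; far too small for real use.
BOB_PUBLIC, BOB_PRIVATE = make_keypair(2**61 - 1, 2**89 - 1)
ALICE_PUBLIC, ALICE_PRIVATE = make_keypair(2**107 - 1, 2**127 - 1)

def encrypt(public_key, message: bytes) -> int:
    n, e = public_key
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this toy modulus")
    return pow(m, e, n)

def decrypt(private_key, ciphertext: int) -> bytes:
    n, d = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

def _digest(message: bytes, n: int) -> int:
    # Hash the message, then reduce it so it fits under the modulus.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(private_key, message: bytes) -> int:
    n, d = private_key
    return pow(_digest(message, n), d, n)

def verify(public_key, message: bytes, signature: int) -> bool:
    n, e = public_key
    return pow(signature, e, n) == _digest(message, n)

if __name__ == "__main__":
    note = b"meet at noon"                       # constructed sample message
    sealed = encrypt(BOB_PUBLIC, note)           # Alice locks with Bob's public key
    print(decrypt(BOB_PRIVATE, sealed))          # Bob unlocks with his private key
    sig = sign(ALICE_PRIVATE, note)              # Alice signs with her private key
    print(verify(ALICE_PUBLIC, note, sig))       # Bob checks with her public key
    print(verify(ALICE_PUBLIC, b"meet at nine", sig))  # altered text is rejected
```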
OpenPGP: Certificates vs. Keys
In the world of OpenPGP, the terminology can be confusing.
- An OpenPGP Certificate is the file you share. It’s a collection of your Public Keys (one for signing, one for encrypting), plus your name, email address (User ID), and software preferences.
- An OpenPGP Key is the full package containing both your Public Keys AND their corresponding Private Keys.
The Rule is Simple: You share your Certificate. You NEVER share your Key.
Password-Based Encryption (Symmetric) 
Public key cryptography is complex, but there is a simpler type called symmetric encryption.
- It uses one key (a password) to both encrypt and decrypt a message.
- The same password must be shared by both parties.
While OpenPGP supports this, it’s generally inconvenient because you can’t share the password widely—if you publish the password, everyone can read your message. Public keys are superior because you can publish your Public Key without compromising your privacy.
Authentication: Fighting Impersonation and Interception 
Authentication is what makes sure you’re talking to the right person.
The Problem of Impersonation (Phishing)
Impersonation is when someone pretends to be someone else. This is how phishing scams work.
- Cryptography’s Answer: If Bob can authenticate Alice’s key (confirming it’s really hers) and her messages are signed with that key, he can be confident the message is genuine, regardless of the writing style.
The Problem of Interception (Man-in-the-Middle)
Interception (a Man-in-the-Middle attack) is more subtle. An attacker named Mallory intercepts the initial unencrypted communication where Alice and Bob are exchanging their Certificates.
- Mallory replaces Alice’s and Bob’s real Certificates with his own Certificates.
- Alice encrypts her secret message using the fake Certificate (Mallory’s Public Key).
- Mallory intercepts the message, decrypts it (using his Private Key), reads it, re-encrypts it using Bob’s real Public Key, and sends it to Bob.
- Bob decrypts it normally and suspects nothing!
The Solution: Authenticate the Certificate
The only way to prevent this is to authenticate the certificates themselves:
- Direct Authentication: Meet in person and compare your Certificate’s unique ID number, called a fingerprint. An in-person comparison is much harder for an attacker to spoof.
- Certification Authority (CA): Use a trusted third party (like a company IT administrator) who verifies and certifies everyone’s fingerprints. If you trust the CA, you can trust everyone they certify.
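One way to automate the fingerprint comparison, as an added example that is not part of the original guide: it computes an OpenPGP version 4 fingerprint (SHA-1 over 0x99, a two-octet length and the public-key packet body, per RFC 4880 section 12.2) and checks a received key against the fingerprint Bob obtained in person. The packet bodies are constructed placeholders rather than real keys, and the function names are assumptions.

```python
import hashlib
import struct

def v4_fingerprint(key_packet_body: bytes) -> str:
    """OpenPGP v4 fingerprint: SHA-1 over 0x99, a two-octet big-endian
    length, then the public-key packet body (RFC 4880, section 12.2)."""
    header = b"\x99" + struct.pack(">H", len(key_packet_body))
    return hashlib.sha1(header + key_packet_body).hexdigest().upper()

def normalize(fingerprint: str) -> str:
    """Remove spacing and case differences from a printed or spoken fingerprint."""
    fp = "".join(fingerprint.split()).upper()
    if len(fp) != 40 or any(c not in "0123456789ABCDEF" for c in fp):
        # Refuse truncated key IDs: only the full fingerprint is a real check.
        raise ValueError("expected a full 40-hex-digit v4 fingerprint")
    return fp

def certificate_matches(received_body: bytes, trusted_fingerprint: str) -> bool:
    """True only if the received key hashes to the fingerprint obtained in person."""
    return v4_fingerprint(received_body) == normalize(trusted_fingerprint)

# Constructed placeholder packet bodies (version octet, creation time,
# algorithm id, then filler bytes standing in for key material).
ALICE_BODY = b"\x04" + struct.pack(">I", 1700000000) + b"\x16" + b"A" * 32
MALLORY_BODY = b"\x04" + struct.pack(">I", 1700000000) + b"\x16" + b"M" * 32

if __name__ == "__main__":
    # What Alice read out to Bob when they met, grouped in blocks of four.
    fp = v4_fingerprint(ALICE_BODY)
    spoken = " ".join(fp[i:i + 4] for i in range(0, 40, 4)).lower()
    print("fingerprint from Alice:", spoken)
    print("genuine certificate accepted:", certificate_matches(ALICE_BODY, spoken))
    print("substituted certificate accepted:", certificate_matches(MALLORY_BODY, spoken))
```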
Real-World Threat: This is not theoretical. Governments have proposed “Ghost” backdoors that intentionally subvert authentication in secure messengers, allowing them to intercept and read messages without technically breaking the end-to-end encryption.
Why Public Key Cryptography is Powerful 
By combining encryption and signing, public key cryptography enables vital security features:
- Confidentiality: Anyone can send you a private message by encrypting it with your published Certificate, knowing only you can read it. (Think protecting sources or trade secrets.)
- Source Verification: You can send a signed reply, and the recipient can be certain it’s from you, preventing fraud and impersonation.
- Software Integrity: A developer can sign a software release file. When you download it, you verify the signature with their Certificate, guaranteeing the file hasn’t been tampered with.
Limitations of Cryptography 
Cryptography is an incredible tool, but it’s not magic. It has limits:
- Willful Sharing: Cryptography can’t stop the intended recipient from decrypting your secret and sharing it with the world.
- Key Security: If you lose your Private Key or publish it accidentally, cryptography offers no protection.
- Coercion: Cryptography can’t protect you if you are forced (legally or violently) to disclose your password or Private Key.
- Evolving Attacks: Cryptography relies on mathematical difficulty. Over time, stronger computers and new mathematical breakthroughs require users to move to newer, stronger algorithms (like moving from RSA to Elliptic Curve, and now to Post-Quantum Cryptography).
If you suspect you are a target, these limitations are real risks. Seek out advanced training in Operational Security (OpSec).


