This posting is the first in a series about the commercial applications of encryption. The postings will explain how encryption works, how it can be used in business, and its legal status.
It was once only of concern to diplomats, spies and the military. They used codes and ciphers to try and make their messages unreadable. Encryption was only widely used by commercial organisations during the telegraph era, when some companies encrypted their messages to prevent them being read by telegraph operators in the pay of competitors.
All that changed when the internet was opened to commercial use and e-commerce sites began to appear. Encryption is now an indispensable part of electronic commerce. It is hard to imagine any significant online commercial activity being possible without the involvement of encryption.
Some of the business applications of encryption are obvious. Companies need to be able to communicate securely, and email is not secure unless messages are encrypted. Digital data needs to be stored securely. Experience has shown that there is no way of guaranteeing that data cannot be lost or stolen. No matter what procedures are followed, eventually somebody will make a mistake and data will be leaked over the internet, or a laptop will be stolen. Encryption offers a solution to this problem. Even if encrypted data is stolen it should be unreadable by the thief.
Encryption is also used to secure online banking and e-commerce transactions. How many people would be willing to bank or buy online if their transactions were not secured by being encoded?
Other business applications of encryption are less obvious. How can you ensure that somebody you are dealing with over the internet is actually who they claim to be? How do you authenticate them? If you exchange legally binding documents in digital form how can you prevent them being altered to your disadvantage? How do you prevent someone from repudiating their agreement to a digital contract? Encryption is the answer to all these questions.
Finally, it should be mentioned that Digital Rights Management, in its many forms, is completely dependent upon the use of encryption. It can be used to prevent digital products being pirated. It can also be used to authenticate digital products. If you buy software over the internet, how can you be sure that your copy has not been tampered with and had a virus or spyware introduced? The answer is that software can be digitally signed, and this signature can be used to detect whether tampering has taken place.
There are three main forms of encryption, and each will be described in more detail below.
Codes are a form of encryption which depends upon word substitution. For example, Overlord was the code word for the D-Day invasion in World War Two. This method of encryption requires codebooks to be written and circulated. Bentley’s Commercial Code Book [see below] was used to encode telegrams. In this case the motivation for using codes was cost rather than secrecy. Telegrams were charged by the letter and it was cheaper to send ‘acyub’ than ‘is in accordance with’.
Codes are not really suitable for business applications. Firstly, they are inflexible. You cannot include a phrase in a message unless you have previously created a code for that phrase. It is also difficult to securely distribute codebooks.
Steganography [hidden writing] is not so much a method of encrypting a message as of hiding the fact that a message has been transmitted. Software can be used to hide messages in graphical or audio files. In the illustration below a message has been concealed in the image on the right.
Messages can also be hidden in music files. The main commercial applications of steganography are in watermarking and fingerprinting.
If you have the copyright for an image you can use steganography to protect your rights by embedding a code within any digital copies of the image. That code would identify you as the copyright holder. There is also software which can be used to search the internet for such watermarks. If somebody stole your photograph and published it on the internet you could at least find the culprit.
Ciphers are the most flexible form of encryption because they depend upon letter substitution. For example, 6y*kn5#h is a ciphertext version of the plaintext word ‘contract’. They do not require codebooks and any message can be encrypted. Ciphers convert plaintext to ciphertext by means of an encryption algorithm. The choice of algorithm is crucial because some are more secure than others. Whilst there are some business applications of both codes and steganography, almost all secure messaging and data storage depends upon the use of ciphers.
Simple ciphers can be cracked by frequency analysis. This method was used in the Sherlock Holmes story ‘A Study in Scarlet’. Holmes needed to read messages which were being encrypted by a cipher which substituted dancing men figures for letters.
He was able to crack the messages by using a technique called frequency analysis. It is known that some letters occur more frequently than others in English text. For example, the letter E is the commonest. Holmes looked at the Dancing Men messages and counted which figure appeared the most frequently. He took this to be the ciphertext figure for the letter E, and so on.
Some English language frequency counts are given below.
Order of frequency of single letters:
E T O A N I R S H D L C W U M F Y G P B V K X Q J Z
Order of frequency of initial letters:
T O A W B C D S F M R H I Y E G L N P U J K
Most frequent two-letter words:
of, to, in, it, is, be, as, at, so, we, he, by, or, on, do, if, me, my, up, an, go, no, us, am…
Most frequent three-letter words:
the, and, for, are, but, not, you, all, any, can, had, her, was, one, our, out, day, get, has, him, his, how, man, new, now, old, see, two, way, who, boy, did, its, let, put, say, she, too, use…
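Holmes's counting method, as an added Python example that is not part of the original post; it goes one step further and measures how a substitution that changes with position flattens the counts. The sample text, the substitution key and the key "lemon" are constructed, and the Vigenère cipher is used only as the simplest cipher whose substitution varies by position, not as a modern algorithm.

```python
from collections import Counter
import string

ALPHA = string.ascii_lowercase
# Constructed sample plaintext (not from the post).
PLAINTEXT = ("the secret meeting between the three dealers went well "
             "they agreed never to reveal the sale price even when pressed "
             "we expect the delivery next week then send the letter here")
# Constructed key: each plaintext letter always maps to the same symbol.
SUB_KEY = "qwertyuiopasdfghjklzxcvbnm"


def substitute(text, key=SUB_KEY):
    """Simple (monoalphabetic) substitution; non-letters pass through."""
    return text.translate(str.maketrans(ALPHA, key))


def vigenere(text, key="lemon"):
    """Polyalphabetic substitution: the shift depends on letter position."""
    out, i = [], 0
    for ch in text:
        if ch in ALPHA:
            shift = ALPHA.index(key[i % len(key)])
            out.append(ALPHA[(ALPHA.index(ch) + shift) % 26])
            i += 1
        else:
            out.append(ch)
    return "".join(out)


def letter_counts(text):
    return Counter(ch for ch in text if ch in ALPHA)


def guess_symbol_for_e(ciphertext):
    """Holmes's first step: assume the commonest symbol stands for E."""
    return letter_counts(ciphertext).most_common(1)[0][0]


def top_share(text):
    """Fraction of all letters taken by the single commonest letter."""
    counts = letter_counts(text)
    return counts.most_common(1)[0][1] / sum(counts.values())


if __name__ == "__main__":
    mono = substitute(PLAINTEXT)
    print("guessed symbol for E:", guess_symbol_for_e(mono))
    print("top share, simple substitution:", round(top_share(mono), 2))
    print("top share, Vigenere:", round(top_share(vigenere(PLAINTEXT)), 2))
```

A simple substitution only relabels the letters, so the commonest symbol keeps exactly the share that E had in the plaintext; once the substitution depends on position, that peak is spread over several symbols and the single-letter count no longer points at E.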
Modern methods of encryption have made frequency analysis impossible. In the message below ‘D’ may be substituted for the letter ‘A’ in one part of the message, while in another part it may substitute for Z, + or 6. Also, the ciphertext provides no clue as to word or sentence length because there are no obvious spaces.
How secure are modern ciphers? The answer to that question is that we do not know. Secure encryption depends upon employing sound security practices, such as choosing good passwords, and using secure algorithms. Security practices are usually the point of failure. It is no use using strong encryption to protect data on your laptop if you then choose a weak password.
Some current algorithms, if properly used, are theoretically capable of protecting data for millions of years. The problem is that history tells us that even the most ingenious encryption schemes can be cracked. During WW2 the German military believed that Enigma could not be cracked. A reasonable belief but wrong.
In the 19th century the Vigenere cipher was thought to be undecipherable and was widely used. In the 20th century researchers discovered that Charles Babbage had cracked the cipher in about 1854, but he had never published his work. Modern commercial ciphers may be secure until the end of the universe, or they may be secure only until someone develops faster computers or new mathematical procedures. Or they may already have been cracked by someone who is keeping the fact to themselves.
In the next post I will look at the differences between symmetric and asymmetric encryption and how each can be used in business.