Security of Internet Communications I: Confidentiality

Leturia Azkarate, Igor

Informatikaria eta ikertzailea

Elhuyar Hizkuntza eta Teknologia

Today the information that travels the Internet is very important: private emails, confidential documents, passwords of online service accounts, credit card data... But is all this information safe from the Internet?
interneteko-komunikazioen-segurtasuna-i-konfidentz
Ed. © Sergey Nivens/350RF

Both in the level of e-mail, browsing the web, and in other things on the Internet, we send information; from the point of departure that information to reach the destination goes through many points: it leaves our computer or another digital device, passes through some router (network router of the company, home wiko or bar...), then arrives to the provider of Internet and from there still many other nodes to the destination. Anyone who exercises control of any of these intermediate points, whether the company's computer, the owner of the bar or the police who is in contact with the Internet provider - or, in the case of the wifi, even anyone who has a computer with Wi-Fi cer-, can easily access the information.

Much of the network's communications (most of the web browsing, many mailing and mail receptions) are open and accessible to anyone. But the Internet has mechanisms to transport sensitive information such as passwords, credit card data or secret emails securely and confidentially. To do this, it uses cryptography, that is, encrypting (encoding or encrypting) messages become incomprehensible to anyone other than the recipient. Specifically, a special type of cryptography is used on the Internet: public key cryptography or asymmetric cryptography.

Problems of classical cryptography on the internet

The encryption systems of messages have been widely used throughout history, especially for important communications between kings, generals and other authorities, but also for secret messages of love between lovers. The methods that were initially simple have been becoming more and more complex as technology allows it and have been discovering techniques for breaking down previous systems. Among the most well-known and used encryption methods in history we can mention the figure of César, the figure of Vigène and the rotor machines like Lorenz or Enigma.

Basically, all these encryption systems are based on the same principle: the message is transformed by a function, using a key, and the receiver then applies the reverse function to obtain the original message with the same key. In the simplest example, the function can be subtraction and key number 1. In this way, the message "IBM" would become "HAL" if we applied to each letter the function "-1" that we replaced by the previous letter, and the recipient, knowing the key (number 1), applying the function "+1" to the encrypted message, would get "IBM" again. This is called symmetric cryptography because it uses the same key to encrypt and decrypt.

These systems have become increasingly fragile by complicating the encryption function with the help of technology from each era. Currently, cryptography is done through computers that allow these functions to be very complex and that the keys are long to develop totally unbreakable systems. Thus, the AES (Advanced Encryption Standard) encryption used by the US government (among many others) is a symmetric cryptography system.

But these types of systems have a problem when surfing the internet, buying online or sending private emails: both parties must know the key and no one else. Therefore, you can not always use the same key, you need a different key for each recipient and sender, and for no one to know that key, you can't send it online, as mentioned above, as it can be detected. So, in some cases, like those of governments, can the key be sent by messenger to every organization that wants to communicate, but for communications on the Internet? For each store and customer, by website and visitor, for each sender and recipient of the email, it is impossible in practice to have to previously share a key or send it by courier: it would be very expensive and not safe (messengers may be corrupt or can steal the key on the way).

Cryptography with public key

If electronic commerce and the sending of compromised information through the Internet have evolved, it is because in the 1970's a new system of encryption was invented totally different and breaking to the existing systems, totally opposite to intuition and at the same time very safe: public key cryptography or asymmetric cryptography.

In public key cryptography a encryption function and a key are used, but this function is not reverse (called unidirectional functions), so even knowing the key can not decipher the message, but it takes another decryption function and another key (that is why it is called asymmetric cryptography). So, if someone wants to allow others to communicate privately with him (for example, the seller to buyers so that they can send the credit card data), it makes public the encryption key. Anyone can use this public key to send you an encrypted message, but even knowing that public key all over the world, the message can only decipher it, since only he knows the key to deciphering (called private key).

On e-commerce sites, web mail services and many other places the secure version of HTTP is common: HTTPS. Ed. © Vlad Kochelaevskiy/350RF

For this system to work, there must be a function according to a key that is not inverted, that the investment is obtained by another function and another key, and that cannot be calculated by knowing the second key. The existence of this type of functions and keys is totally opposite to intuition, but they exist thanks to modular arithmetic, prime numbers and factoring. Researchers from the prestigious MIT (Massachusetts Institute of Technology) found the first in 1977.

It has been commented that one of the operating conditions of the system is that the decryption key cannot be based on the encryption key. However, as is logical, both are related and you can calculate the second from the first: it is simply a factorization, that is, the extraction of divisors of this number. The question is that in order to do so there are no quick formulas, you can only do it by testing all the numbers. Therefore, if these numbers are relatively large (and hundreds of digits are used), factoring becomes an impossible problem with current technology, and the encryption system is virtually inviolable. The method, called RSA, in homage to inventors, was subsequently invented by staff of Clifford Cocks GCHQ (Government Communications Headquerosarters, or the British Intelligence Service) in 1973, i.e., four years earlier, but all the information of this organization was secret and was not communicated until 1997.

After the RSA other cryptography systems with public key have been invented such as DSA or ElGamal.

Confidentiality on the Internet

Internet communications are organized at level according to the OSI model, as we tell you in the previous number. To ensure the confidentiality of these communications, a TLS (Transport Layer Security) protocol has been defined for the transport level (formerly known as SSL or Secure Sockets Layer). In this case, both the sender and the receiver use cryptography by public key (RSA normally, but it can be another if both have implemented) to agree on another key (random) and then the actual communication is done with this key and with a symmetric cryptography method (AES for example), since computationally it is not so costly and security equivalent.

For each level protocol of Internet application (HTTP for web, SMTP for mail and IMAP, FTP to upload files, Telnet to open sessions on remote computers, etc.) Its safe versions (HTTPS, SMTPS, IMAPS, SFTP and SSH respectively) have been created. Some of them, such as HTTPS, SMTPS or IMAPS, are limited to adding TLS to the original protocol at the transport level and assigning another port to the new protocol (now, through the new STARTTLS protocol, applications can use the same port for secure connections in cases where both parties have implemented it). Others, such as SFTP and SSH, have the same function but are different protocols that use public key encryption. When these protocols are used, we can consider the confidentiality of our communications guaranteed. And how do we know if we are using these protocols?

When we are browsing the web, if we see a lock in the address and at the beginning of the same "https://", it means that we are using the HTTPS protocol and therefore communication is safe. When paying on e-commerce sites, it is commonly used in services such as web mail and many other sites.

In the case of mail programs, we will have to review in our account settings which protocols approve to send and receive mail. In any case, although the mail program uses the SMTPS and IMAPS protocols, it means that no one will be able to read the communication between us and our mail provider, but in the post-shipment phases no one else will read. If we want to avoid it, we can integrate into our mailing program the PGP (Pretty Good Privacy) program (created by Phil Zimmermann in 1991 and which has become very known and used) or its free version GPG (GNU Privacy Guard), which encrypt the information using the public key of the final recipient and therefore can only read it.

To open sessions or upload files on remote computers, we must ensure that SSH or SFTP protocols are used if we want to maintain confidentiality. In other programs (VNC, VPN or Virtual Private Networks, etc.) We must check if they use protocols with encryption or encryption systems. If we take these questions into account, our private information will continue to be so even through the Internet.

If you are interested in security, confidentiality and cryptography, you will find more information in Simon Singh's interesting book of codes that the Elhuyar Foundation has published in Basque.

Babesleak
Eusko Jaurlaritzako Industria, Merkataritza eta Turismo Saila