A Basic Guide to Cryptographic Protocols
The world is full of protocols. They aren't specifically a technology thing either. The word protocol refers to the official way that things are done. It's a set of rules, rituals, and actions that make sure something goes smoothly.
In the computer world, especially when it comes to networks, protocols allow different systems to speak to each other. TCP/IP or Transmission Control Protocol/ Internet Protocol is the most important one when it comes to the web. It means that any two network devices can connect, "shake hands" and communicate with each other.
When it comes to encryption, we also have protocols that describe how things should be done on a technological level. These are known as cryptographic protocols.
What's in a Cryptographic Protocol?
To understand cryptographic protocols a bit better, it helps to know what it is they actually do specifically. Although not all cryptographic protocols have precisely the same scope and function, they'll often include some of these features:
- Key agreement and/or exchange
- Authentication
- Encryption
- Non-repudiation
There's much more to it than that, but for our purposes, these are some of the most important concepts. Explained in a non-technical way. Let's look at each one in turn.
Key Agreement and Exchange
Key agreement in a cryptographic context refers to two entities who want to communicate securely and have to generate a cryptographic key to do it. However, the key has to be something neither of them can predict up front. So information provided by both parties is used to generate a key neither can control the exact form of.
This is in contrast to a key exchange where one party generates the key and sends it to the other, but it is much more simple. However, it means that you need a way to get that key to the other party without it being intercepted by a third party. Sure, you can encrypt your key. But that just means you have two keys to worry about.
Key agreement is one of the ways that the problem if a key distribution has been solved. Another is to use public key encryption. Here each party has a key-pair consisting of a public and private key. The public keys can be sent out for all to see. The corresponding private key can however only decrypt anything they encrypt.
One problem with the key agreement is that there is no authentication of the two parties. So another important component of a protocol is an authentication method.
Authentication
It's one thing to secure the actual data between two parties using encryption; it's another thing entirely to make sure the two parties are who they say.
This is a core problem in cryptography on the web. How do you know there isn't a "man in the middle" who is pretending to be the other party in both direction and inserting their cryptographic keys? All they have to do is decrypt the messages using the keys they fooled parties A and B with. Before merely passing the information along.
Obviously, without authentication, nothing on the internet would be safe. So many different methods have been developed. Often as a complement to the key agreement protocol. After all, it lacks authentication.
Public key cryptography (which I discussed above) is a popular method of authentication. Alongside digital signatures and certificates, which use a cryptographic method known as hashing to authenticate parties.
Encryption
The core of a cryptographic protocol is, of course, the actual encryption algorithm that it uses. This is a pretty big topic, and we have articles that explain both encryption itself and the various algorithms that are used to implement it elsewhere.
To cover it briefly, encryption is the art of using a special method to scramble a plain message into a coded form. The only ways to reverse this process is to either figure out a vulnerability in the encryption process, guess they key or steal it.
Vulnerabilities are found from time to time, which means a newer algorithm must come into use. Guessing the key by brute force will take millions of years with current technology and stealing keys is mitigated by security in the key exchange protocols. Overall, modern encryption is pretty airtight!
Non-repudiation
You'll see the term non-repudiation come up often in discussions about digital cryptography. What does it mean?
To repudiate something is to deny the truth of something. To reject it outright. Any cryptographic protocol must offer non-repudiation. In other words, it must be designed in such a way that no party can later deny that they signed or sent a message.
Think of it this way. You sign a contract, but later you decide that you really didn't want to do it. So you deny that the signature is yours and that you were the one to make it. However, you can't repudiate your signature. Two independent witnesses saw you do it. Therefore this signature method offers non-repudiation.
Public key pairs verified by digital signatures and certificates are the main ways that non-repudiation is offered these days. So far this method has held up pretty well.
SSL and TLS
Two of the most widely used and best-known protocols are SSL (secure socket layer) and TLS (transport layer security). The primary function of both protocols is to provide authentication and data encryption between network devices like servers and PCs.
SSL is the older protocol. It was developed by a company called Netscape back in 1995. Which is not long after the start of the World Wide Web itself. We started off with SSL 2.0. The first one never made it to a public release. Version 3.0 came out in 1996 after some vulnerabilities were patched. This lasted until 1999 when TLS was released to replace it.
Today, no one should still be using SSL. Not only is there a chance this old protocol is insecure, but it's also just slow. At least that would be the logical choice. Of course, there are still plenty of web servers out there that run SSL. It's a good idea to disable SSL support in your browser. Only let it connect to TLS sites.
All Protocols Observed
Cryptographic protocols bring order to the world of digital encryption. Without some agreed upon standard different encryption solutions just wouldn't work. Browsers would be bloated with thousands of bespoke solutions. So we have to be thankful that the wild west of the web has enough standardization to allow seamless, secure communication. There might be no modern web without them.
Obviously, the protocols we use today are under constant attack. Both by criminals and security researchers. Researchers who are trying to find vulnerabilities before the bad guys do. For example, it was the POODLE attack that rendered SSL 3.0 unsuitable for security. Even TLS 1.2 is vulnerable if configured incorrectly. The latest version solves the issue though.
Undoubtedly the protocols of today will eventually be defeated. But there will be a newer, smarter one waiting the moment that happens. Yes, not everyone needs to know what protocol is working in the background. Still, they're a fascinating topic and obviously very important.