The main aims of this module are to:
Cryptography is not just about encryption
We will discover that cryptography is not just about encryption, but is rather a whole collection of different mathematically based tools that can be employed to provide a host of different security services. You will hear many times on this course that three of the basic security services that are needed in almost any application are confidentiality, integrity and authentication. Cryptography provides the technical means to realise all three of these, not just the first.
Cryptography needs to be supported
Cryptography does nothing on its own. It is a basic and vital ingredient of any security architecture, but it is nothing more than that. Cryptography needs to be used in particular ways, it needs to be combined with other technologies, it needs to be implemented properly and it needs to be supported by the appropriate managerial processes. If any one of these aspects is deficient then it is quite likely that using cryptography does not bring the security guarantees that are being sought.
Cryptography is not the only solution
It is important to recognise that cryptography is not a panacea. Cryptography consists of mathematically based techniques that can be used to provide security services. It is possible that in the future these security services will be provided by some other types of technology. However, for now, cryptography is widely recognised as being the only available technology for providing these core security services.
Cryptography is not just for mathematicians
It is certainly true that the basic cryptographic mechanisms rely on mathematical ideas. However, it is important to recognise that understanding what cryptography does, and how it can be used, does not require extensive mathematical knowledge. This module has been written under the assumption that you have very little mathematical background. This is about as non-mathematical an explanation of cryptography as you are likely to encounter anywhere! We will provide you with the little mathematics that you need to know in order to appreciate how some of the mechanisms work, but the rest requires you to understand ideas, not mathematics.
At the end of this module you should be able to:
This module is divided into three parts:
Part 1: Overview
We begin our investigation with two weeks of overview, the aim of which is to quickly identify the areas that this module will address and to introduce all the relevant terminology. Weeks 1 and 2 together represent a sort of "compact" version of the entire module. Almost all of the issues that are visited in these weeks will be returned to later in the module.
Part 2: Theory
Weeks 3 to 8 contain the core theory material of this module. The need for cryptography is motivated and the core security services that can be provided by cryptography are identified. The basic model of a cipher system is introduced and the use of cryptography is discussed. We look back at a number of historical cipher systems. Most of these are unsuitable for any modern practical use, but they are simple algorithms with which to illustrate many of the core ideas and some of the basic cryptographic algorithm design principles. The differences between security in theory and security in practice are then discussed. It is shown that unbreakable cipher systems exist, but are not practical, and that most practical cipher systems are breakable in theory. Life is always about compromise!
There are two types of cipher system, and we look at the first of these: symmetric cipher systems. Different types of symmetric algorithms are discussed, as are the different ways in which they can be used. We then look at the other type of cipher system: public key cipher systems. The motivation for public key cryptography is explained and the two most famous public key algorithms are studied in some detail.
Finally, we look at the ways in which cryptography can be used to provide security services other than confidentiality. First, we concentrate on a number of different security services, including data integrity and entity authentication. Several different techniques for providing these services are described and compared. We then look at the main cryptographic technique for providing non-repudiation, the digital signature.
Part 3: Practice
In the remainder of the module we look at different ways in which the implementation of cryptography in practice needs to be supported. In Week 9 we look at the management of cryptographic keys. The life cycle of a cryptographic key and some of the most popular techniques for conducting the various components of this cycle are discussed. In Week 10 we look at some legal aspects of cryptography. Several areas in which the law has a significant impact on the use of cryptography are discussed. Lastly, we discuss the types of issue that arise when trying to implement public key cryptography. Public key infrastructures are investigated and the difficulties and problems that need to be overcome in order to set in place such a supporting framework are analysed in detail.