We’ve explored various kinds of encryption all through this series. We saw that ciphers have a long history of success, failure, and innovation. We discovered that no cipher, from the humble Caesar Cipher to the formidable ElGamal cryptosystem, is truly secure. Unfortunately, at present, there is no way to achieve the perfect forward secrecy of the One-Time Pad, the gold standard of ciphers. We can make due, though, by continuing to innovate and exploiting the power of the symmetric and asymmetric ciphers available to us.
As we saw, there are essentially two categories of ciphers. Symmetric algorithms require the same key for both encryption and decryption. The major problem, then, is to securely communicate that key between the sender and the receiver. Asymmetric algorithms, on the other hand, use a public key and a private key. The former is used by the sender to encrypt her message, and the latter is used by the receiver to decrypt the ciphertext. We noticed that this public-key approach is a really good solution to the symmetry problem, but asymmetric algorithms are not without their own drawbacks. Indeed, no real cipher is without fault. But how does this all come together in real life?
There are two real-world applications with which we’re all familiar. In fact, you’re using them to read this blog right now. The WPA2 protocol is commonly used to secure Wi-Fi networks, which allows us to keep unauthorized users off our networks. WPA2 is the reason you have to ask your barista for the café’s Wi-Fi password, for example. The SSL/TLS protocol further enables us to securely connect to websites and other internet services via HTTPS (the green lock in your web browser). The two technologies are neat on their own, but they’re great together. WPA2 ensures that the local network is secure, and SSL/TLS ensures that our end-to-end connections are secure. Without WPA2 and SSL/TLS, we generally wouldn’t be able to use the internet in a secure way.
The WPA2 and SSL/TLS protocols are a bit complex, so we won’t try to explain them here. It’s worth noting, however, that both WPA2 and SSL/TLS make extensive use of ciphers. Before there was WPA2, for example, the original WEP and WPA protocols used the RC4 cipher. When RC4 was determined to be insecure, the WPA2 standard was created to use the much securer AES cipher.
Similarly, before the Internet Engineering Task Force banned the use of RC4 in 2015, that cipher was commonly used to secure web communications. For a few years now, there has been a trend toward using the securer AES cipher in SSL/TLS connections (e.g., HTTPS). It’s important to emphasize here that oftentimes best practice—as the history of encryption makes painfully aware—is to not rely on only one cipher.
We know there are two categories of ciphers. Unfortunately, we’re usually guilty of talking about them as if they’re separate and incongruous. This is both misleading and unrealistic. Symmetric and asymmetric ciphers have their own strengths and weaknesses, and they tend to be complementary. Hence, best practice is usually to combine symmetric and asymmetric ciphers to achieve an optimal level of security. This is precisely what many security protocols attempt to do. It’s not unusual to see asymmetric systems like RSA, Diffie-Hellman Key Exchange, and ElGamal combined with symmetric ciphers like 3DES and AES. While this is a great approach, it will never be the best.
If there’s one lesson to be learned here, it’s that no real cipher is truly secure. Keep an eye out, though. It may not be long before the technology exists to realize the awesome power of the One-Time Pad.