<?xml version='1.0' encoding='UTF-8'?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/"><channel><title>SQLServerCentral / Discuss Content Posted by Michael Coles / Article Discussions / Article Discussions by Author  / The Basics of Cryptology / Latest Posts</title><generator>InstantForum.NET v2.9.0</generator><description>SQLServerCentral</description><link>http://www.sqlservercentral.com/Forums/</link><webMaster>notifications@sqlservercentral.com</webMaster><lastBuildDate>Sat, 25 May 2013 04:38:36 GMT</lastBuildDate><ttl>20</ttl><item><title>RE: The Basics of Cryptology</title><link>http://www.sqlservercentral.com/Forums/Topic204270-236-1.aspx</link><description>Hi Brian, For some reason I'm not receiving emails from my threads here anymore (need to check my settings I guess), so I didn't see this one until just now.  I've actually written an article on SQL 2005 encryption that talks about the ANSI X9.17 standard and how SQL 2005's encryption parallels its key security model.  SQL 2005 has the ability to take a password/passphrase and "mangle" it using hash functions and a bunch of bit level manipulations to generate keys that are quite un-reverse-engineerable. Generating your own encryption keys is a heckuva subject to get into though &lt;img src='images/emotions/smile.gif' height='20' width='20' border='0' title='Smile' align='absmiddle'&gt;  Random number generation functions in most computer languages aren't considered to be up to the task of generating encryption keys, and to do the job right you'd need some specialized software or hardware.  I've done some work in the area with various algorithms - one of my favorites is the "Twister" random number generation algorithm, because it is simple and does a decent job (it was created by professional statisticians). 
I believe Schneier points out in his book though, that if you want true random numbers you really have to hook your computer up to some sort of subatomic particle detection device and rely on Heisenberg's uncertainty principle to do the rest &lt;img src='images/emotions/smile.gif' height='20' width='20' border='0' title='Smile' align='absmiddle'&gt; If I have time one day I'll pull together information on some of these approaches and maybe put together some sample key generation code as well. Thanks!</description><pubDate>Sat, 10 Feb 2007 21:55:00 GMT</pubDate><dc:creator>Mike C</dc:creator></item><item><title>RE: The Basics of Cryptology</title><link>http://www.sqlservercentral.com/Forums/Topic204270-236-1.aspx</link><description>&lt;P&gt;Interesting article and well done. There is a cryptographic time warp, however. I read the article today - 8/10/2006 and all comments are from 2005 - LOL!&lt;/P&gt;&lt;P&gt;Next article might be about generating your own application key (Banks - as the author certainly knows) require certain basic levels of encryption on data fields and we can generate many good keys to encrypt and decrypt with (3DES as one example). All we need is a seed and a vector and we can generate some really awesome encryption.&lt;/P&gt;&lt;P&gt; &lt;/P&gt;</description><pubDate>Thu, 10 Aug 2006 05:13:00 GMT</pubDate><dc:creator>Brian Hickey</dc:creator></item><item><title>RE: The Basics of Cryptology</title><link>http://www.sqlservercentral.com/Forums/Topic204270-236-1.aspx</link><description>&lt;P&gt;"Discussions never End" -veer&lt;/P&gt;&lt;P&gt;Keep up the great work and use the feedback from all others and come out with more articles on this subject.&lt;/P&gt;&lt;P&gt;Thanks in Advance... 
&lt;/P&gt;&lt;P&gt;"Every Initiation process has the biggest resistance that is why they need extra Energy" -Veer&lt;/P&gt;</description><pubDate>Mon, 15 Aug 2005 12:27:00 GMT</pubDate><dc:creator>veer</dc:creator></item><item><title>RE: The Basics of Cryptology</title><link>http://www.sqlservercentral.com/Forums/Topic204270-236-1.aspx</link><description>&lt;P&gt;Thanks Chris, I wrote this as an introductory article to the subject and I'm glad you found it interesting.  I submitted one more on this topic that is a short intro to the mechanics of modern encryption algorithms.  It goes into a little more detail about the theory and implementation of computer encryption.  I hope you find that one useful as well.&lt;/P&gt;&lt;P&gt;Thanks again!&lt;/P&gt;</description><pubDate>Sat, 13 Aug 2005 19:47:00 GMT</pubDate><dc:creator>Mike C</dc:creator></item><item><title>RE: The Basics of Cryptology</title><link>http://www.sqlservercentral.com/Forums/Topic204270-236-1.aspx</link><description>&lt;P&gt;Yeah I think PGP is actually a third-party add-on; I had to roll a version for a bank back in the day on the old ColdFusion platform.&lt;/P&gt;&lt;P&gt;I believe Outlook uses PKI - S/MIME, which means you have to install the proper certificates that contain the Public Key to send, and have your private key installed to receive, encrypted e-mail using Outlook.  
I'm not sure you have to enter an additional code/key when you receive the e-mails (unless you've added a password to your personal folders), although you do have to have the proper certificates installed.&lt;/P&gt;</description><pubDate>Thu, 11 Aug 2005 20:49:00 GMT</pubDate><dc:creator>Mike C</dc:creator></item><item><title>RE: The Basics of Cryptology</title><link>http://www.sqlservercentral.com/Forums/Topic204270-236-1.aspx</link><description>Actually, I don't know what I'm talking about.&lt;img src='images/emotions/biggrin.gif' height='20' width='20' border='0' title='Big Grin' align='absmiddle'&gt;  This was how I understood MS Outlook worked.  I could easily be totally wrong.  PGP sounds like it could be the method being used and I misunderstood how it worked.</description><pubDate>Thu, 11 Aug 2005 13:00:00 GMT</pubDate><dc:creator>Kenneth Lee</dc:creator></item><item><title>RE: The Basics of Cryptology</title><link>http://www.sqlservercentral.com/Forums/Topic204270-236-1.aspx</link><description>&lt;P&gt;Yup, thanks for keeping me honest! &lt;img src='images/emotions/smile.gif' height='20' width='20' border='0' title='Smile' align='absmiddle'&gt;  I don't know what's wrong today - must be a full moon.  The public and private keys both share a common modulus, which is used in both the encryption and decryption process; therefore the receiver only needs the private key to decrypt the message.&lt;/P&gt;&lt;P&gt;For secure e-mail, are you talking about PGP?  
If I recall correctly, PGP uses symmetric encryption to encrypt a message, and then uses asymmetric public-key encryption to encrypt the symmetric key, which is then sent with the message.&lt;/P&gt;&lt;P&gt;Thanks!&lt;/P&gt;&lt;P&gt; &lt;/P&gt;</description><pubDate>Wed, 10 Aug 2005 15:36:00 GMT</pubDate><dc:creator>Mike C</dc:creator></item><item><title>RE: The Basics of Cryptology</title><link>http://www.sqlservercentral.com/Forums/Topic204270-236-1.aspx</link><description>&lt;P&gt;Thanks for the feedback!&lt;/P&gt;&lt;P&gt;Yeah, I saw the typo in the image after Douglas pointed out the Asymmetric Encryption typo.  I also mis-spelled "voila" as "viola" early on.  That's what I get for trying to edit these things late at night without enough caffeine in my system [My kingdom for a Mountain Dew!] &lt;img src='images/emotions/smile.gif' height='20' width='20' border='0' title='Smile' align='absmiddle'&gt;&lt;/P&gt;&lt;P&gt;You are right of course &lt;img src='images/emotions/smile.gif' height='20' width='20' border='0' title='Smile' align='absmiddle'&gt;  SQL Server can be configured to use SSL to secure communications between clients and servers.  The reason I glossed over the Asymmetric Encryption discussion was because this article is really a further explanation/continuation of the toolkit article, and the toolkit provides only Symmetric Encryption tools.  I do believe Asymmetric Encryption needed to be mentioned to round out the discussion, but I found out pretty quickly that a decent treatment of Asymmetric Encryption really would take a full article by itself.  And that article would really have to delve into the mathematics, which I was trying to avoid in this introductory article.&lt;/P&gt;&lt;P&gt;For those interested in pursuing the asymmetric encryption model, the Schneier book gives a very nice treatment of the asymmetric encryption, including several excellent examples of how it works in the real world (or, in some cases, how it should work...).  
Wikipedia also has several articles on asymmetric encryption, RSA and SSL.&lt;/P&gt;</description><pubDate>Wed, 10 Aug 2005 15:18:00 GMT</pubDate><dc:creator>Mike C</dc:creator></item><item><title>RE: The Basics of Cryptology</title><link>http://www.sqlservercentral.com/Forums/Topic204270-236-1.aspx</link><description>&lt;P&gt;My understanding of how public/private keys work is a little different.  The sender uses the public key to encrypt and send the data to the receiver.  The receiver uses the private key to decrypt the message.  The two keys are related to each other because each can encrypt and the other decrypt the message, but they are used individually.&lt;/P&gt;&lt;P&gt;On secure E-mail, both sides have public/private keys.  First it is encrypted with the sender's private key, then it is encrypted with the receiver's public key.  The receiver has to supply a password that decrypts his personal private key, decrypts the message using that private key and then uses the sender's public key to decrypt the plain text message.&lt;/P&gt;</description><pubDate>Wed, 10 Aug 2005 15:06:00 GMT</pubDate><dc:creator>Kenneth Lee</dc:creator></item><item><title>RE: The Basics of Cryptology</title><link>http://www.sqlservercentral.com/Forums/Topic204270-236-1.aspx</link><description>&lt;P&gt;If Douglas hadn't caught it, I would have mentioned your public/private error.  
In your image, (Figure 4) you have "Marian Rejewski beings work...1932" That would be "...begins work..."&lt;img src='images/emotions/blush.gif' height='20' width='20' border='0' title='Blush' align='absmiddle'&gt;&lt;/P&gt;&lt;P&gt;OK SSL (Secure Sockets Layer) doesn't involve SQL directly, but I'm a little surprised you didn't include that in your Asymmetric Key section, because it is a heavy user of this technology to encrypt client data that may eventually be stored in a SQL DB.&lt;/P&gt;</description><pubDate>Wed, 10 Aug 2005 14:47:00 GMT</pubDate><dc:creator>Kenneth Lee</dc:creator></item><item><title>RE: The Basics of Cryptology</title><link>http://www.sqlservercentral.com/Forums/Topic204270-236-1.aspx</link><description>&lt;P&gt;Nice intro to a very complex field. &lt;img src='images/emotions/smile.gif' height='20' width='20' border='0' title='Smile' align='absmiddle'&gt; I particularly enjoyed your timeline image.  &lt;/P&gt;&lt;P&gt;Another further reading book I would add for those who love details is &lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;Making, Breaking CODES:&lt;/STRONG&gt; An Introduction to Cryptology.  ISBN 0-13-030369-0 &lt;A href="http://vig.prenhall.com/catalog/academic/product/0,1144,0130303690,00.html"&gt;http://vig.prenhall.com/catalog/academic/product/0,1144,0130303690,00.html&lt;/A&gt;&lt;/P&gt;&lt;P&gt;Another good book like &lt;STRONG&gt;The Code Book&lt;/STRONG&gt; mentioned in an earlier post is:&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;Crypto: How the Code Rebels Beat the Government Saving Privacy in the Digital Age.  
&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;I find it goes into more details about the breakthrough of Asymmetric Encryption and how it's relevant to the key distribution problem.&lt;/P&gt;&lt;P&gt; &lt;/P&gt;&lt;P&gt; &lt;/P&gt;</description><pubDate>Wed, 10 Aug 2005 14:08:00 GMT</pubDate><dc:creator>Peter Evans</dc:creator></item><item><title>RE: The Basics of Cryptology</title><link>http://www.sqlservercentral.com/Forums/Topic204270-236-1.aspx</link><description>&lt;P&gt;A typo was discovered by Douglas Chrystall in the article.  In the section on Asymmetric Encryption, I wrote:&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;"You encrypt a message with your public key, and it can be decrypted by the receiver using your publicly available public key and their private key."&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;I meant to write:&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;"You encrypt a message with &lt;EM&gt;the receiver's public key&lt;/EM&gt;, and it can be decrypted by the receiver using &lt;EM&gt;their private key&lt;/EM&gt;."&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;Thanks for the catch Douglas!&lt;/P&gt;&lt;P&gt; &lt;/P&gt;</description><pubDate>Wed, 10 Aug 2005 08:42:00 GMT</pubDate><dc:creator>Mike C</dc:creator></item><item><title>RE: The Basics of Cryptology</title><link>http://www.sqlservercentral.com/Forums/Topic204270-236-1.aspx</link><description>&lt;P&gt;Thanks for the reference!  I read Singh's book myself a few years ago and found it very entertaining and informative.  If I recall correctly, he also discusses the future of cryptology:  'quantum cryptology'.  Unfortunately I've lost my copy (I think I loaned it to someone and never got it back), so I didn't reference it for this article; but I'd definitely recommend it to anyone who wants to know more about the history of cryptology.  
Here's a link to it at Amazon:  &lt;A href="http://www.amazon.com/exec/obidos/tg/detail/-/0385495323/qid=1123680339/sr=8-2/ref=pd_bbs_sbs_2/103-0153168-7501472?v=glance&amp;amp;s=books&amp;amp;n=507846"&gt;http://www.amazon.com/exec/obidos/tg/detail/-/0385495323/qid=1123680339/sr=8-2/ref=pd_bbs_sbs_2/103-0153168-7501472?v=glance&amp;amp;s=books&amp;amp;n=507846&lt;/A&gt;&lt;/P&gt;&lt;P&gt;He also has another book, "Fermat's Enigma", about how one of the world's hardest mathematical problems was solved.  It's very good as well.  Here's that link:  &lt;A href="http://www.amazon.com/exec/obidos/tg/detail/-/0385493622/qid=1123680339/sr=8-3/ref=pd_bbs_sbs_3/103-0153168-7501472?v=glance&amp;amp;s=books&amp;amp;n=507846"&gt;http://www.amazon.com/exec/obidos/tg/detail/-/0385493622/qid=1123680339/sr=8-3/ref=pd_bbs_sbs_3/103-0153168-7501472?v=glance&amp;amp;s=books&amp;amp;n=507846&lt;/A&gt;&lt;/P&gt;&lt;P&gt;Thanks again!&lt;/P&gt;</description><pubDate>Wed, 10 Aug 2005 07:51:00 GMT</pubDate><dc:creator>Mike C</dc:creator></item><item><title>RE: The Basics of Cryptology</title><link>http://www.sqlservercentral.com/Forums/Topic204270-236-1.aspx</link><description>&lt;P&gt;Yes, I forgot to add a title when I submitted it, so Cryptology was added to the title afterwards.  Cryptology includes both Cryptography (securing messages) and Cryptanalysis (defeating cryptography/"codebreaking").  I think the title was probably chosen because it covers both Cryptography and Cryptanalysis, although I do focus more on the Cryptography side.&lt;/P&gt;&lt;P&gt;Thanks!&lt;/P&gt;</description><pubDate>Wed, 10 Aug 2005 07:39:00 GMT</pubDate><dc:creator>Mike C</dc:creator></item><item><title>RE: The Basics of Cryptology</title><link>http://www.sqlservercentral.com/Forums/Topic204270-236-1.aspx</link><description>The title of the article mentions the word "cryptology," yet the article discusses "cryptography." Similar yet distinctly different words. 
I got confused, so I did some quick web searching. For those who desire further elucidation, this is what I found: From Google: The science of cryptology is the science of secure communications. From Wikipedia: The study of how to circumvent the use of cryptography is called cryptanalysis, or codebreaking. Cryptography and cryptanalysis are sometimes grouped together under the umbrella term cryptology, encompassing the entire subject. Craig</description><pubDate>Wed, 10 Aug 2005 05:36:00 GMT</pubDate><dc:creator>Craig720</dc:creator></item><item><title>RE: The Basics of Cryptology</title><link>http://www.sqlservercentral.com/Forums/Topic204270-236-1.aspx</link><description>&lt;P&gt;Good Read.&lt;/P&gt;&lt;P&gt;I don't know much on the subject and found it very i&lt;SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Verdana"&gt;nteresting, think you've inspired me to find out a bit more.&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Verdana"&gt;Thanks,&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Verdana"&gt;Chris&lt;/SPAN&gt;. &lt;/P&gt;</description><pubDate>Wed, 10 Aug 2005 02:33:00 GMT</pubDate><dc:creator>Chris D</dc:creator></item><item><title>RE: The Basics of Cryptology</title><link>http://www.sqlservercentral.com/Forums/Topic204270-236-1.aspx</link><description>Great article.  Nice to see a not so SQL-intensive article, but still showing how SQL can be used in this context.  Good stuff :-)</description><pubDate>Wed, 10 Aug 2005 02:12:00 GMT</pubDate><dc:creator>Michael Lysons</dc:creator></item><item><title>RE: The Basics of Cryptology</title><link>http://www.sqlservercentral.com/Forums/Topic204270-236-1.aspx</link><description>Nice article. An excellent book on the whole subject is "The Code Book" by Simon Singh ISBN: 0385495323. (I think he also presented a four-part miniseries on Channel4 UK on the subject). 
It is more of a history book than a techie book but does explain how all of the codes/ ciphers work including the Enigma (with diagrams!)</description><pubDate>Wed, 10 Aug 2005 02:12:00 GMT</pubDate><dc:creator>dec_obrien</dc:creator></item><item><title>The Basics of Cryptology</title><link>http://www.sqlservercentral.com/Forums/Topic204270-236-1.aspx</link><description>Comments posted to this topic are about the content posted at &lt;A HREF="http://www.sqlservercentral.com/columnists/mcoles/thebasicsofcryptology.asp"&gt;http://www.sqlservercentral.com/columnists/mcoles/thebasicsofcryptology.asp&lt;/A&gt;</description><pubDate>Mon, 25 Jul 2005 18:49:00 GMT</pubDate><dc:creator>Mike C</dc:creator></item></channel></rss>