Cryptography for toddlers

As a tech lawyer, you come across with variety of technological solutions that are designed to comply sometimes even legal requirements. This is especially true in the current digitized world, where the law can only provide framework for digital applications and ecosystems functioning in legal manner, the actual compliance of law – or implementation – taking place inside the digital systems themselves.

I wrote earlier about this theme in a context of digital identity (https://iprinfo.fi/artikkeli/matrix-of-digital-identity/); the most relevant regulation concerning digital identity is the eIDAS Regulation, which sets standards and criteria for electronic signatures, qualified certificates and online trust services. But naturally, the digital identity solutions also need to address the requirements of GDPR. Even if the spirit of the digital identity wallets is that users are in control of their data, any technological solutions chosen for such wallets need to implement secure ways to exchange and process the data, so that users’ data is always kept safe.

Perhaps most important means to make this happen relates to cryptography. By a definition, cryptography is technique of securing information and communications through use of codes so that only those persons for whom the information is intended can understand and process it, thus preventing unauthorized access to the information. The prefix “crypt” is derived from the Greek word “kryptos” meaning “hidden”, and the suffix “graphy” means “writing”. Does this ring bells to your childhood’s plays sending cryptic messages?

At least in my childhood we applied many ways of cryptographic writing, using which you could prevent anyone else but the specific friend that the message was directed to, to read it. Let’s take for example mirror writing. You wrote your message using a mirror, so that it was impossible (?) to read the content without reading it via mirror. Indeed, mirror writing is said to be an extremely primitive form of cipher (“a secret or disguised way of writing”). However, a drawback was that the “crypto algorithm” was so obvious that there was a risk that a third party (such as your big sister!) finding/taking the piece of paper with the cryptographic notes could easily resolve the secret. In fact, mirror writing could easily be read even without the mirror.

Later, there were also more “technical” ways of cryptography, in a form of invisible ink and the “antidote” with which you could colour the invisible alphabets to visible. Naturally, for children of the current computerized world, this is also possible with computer – you just send out “empty” message, however the recipient knows that you have used white font and will just change the font colour. This cryptography is neither very safe one, as it is common knowledge that you can use white font in writing.

Another ancient (not that I’m that old) way of cryptographic writing was to create new rules for alphabets, or to create symbols for different alphabets. In the first case, you created a look-up table where each alphabet was referred to with another alphabet, so that the written text was totally gibberish – unless you knew which alphabets each of them were referring to. In latter case, different kind of symbols replaced the alphabets, and again the recipient needed to know the rules in order to decrypt, namely read the message.

Indeed, also in modern means of communications, encrypting messages and data converts them to “digital gibberish”, which can be returned to its original form through decryption. Typically, the encryption and correspondingly decryption takes place in form of encryption and decryption keys. In symmetric systems, the same secret key encrypted and decrypted the message. In fact, this was the case also in those “ciphers” I applied when I was a child – encryption was done in the same way as the decryption. However, Public-Key Cryptography, or an asymmetric cryptography, is based on pair of related keys - a public key and a corresponding private key. The public key is used to encrypt the data and the private key to decrypt it. The public key can be made freely available, allowing secure communications basically with anyone, without having to share the secret key. It is the private key that needs to be kept secret, in order for the data confidentiality not to be compromised.

But when talking about digital identity, it is necessary to not only prevent the unauthorized access to the communications but to validate the information and specifically, verify the true sender of it. This was not possible in the messaging during my childhood – there was no way for the recipient to know whether the message was really written by the person who had signed it, or whether it was counterfeit by fellow kids (then again, we could have created a symbol that proved the authenticity of the message and the sender).

PKI (Public-Key Infrastructure), an arrangement binding public keys with identities, is used except for securing confidentiality of the exchanged data (e.g. e-mails), also to confirm the identity of the parties involved in communications and to validate the information transferred therein. It is especially important during these times of digital transactions to be sure about the identity of a party to the transaction, namely to authenticate the person. In PKI this is done via digital signatures (something that also eIDAS regulates). ?

There is one more class of cryptographic algorithms, in addition to symmetric-key and asymmetric-key algorithms: Hashing algorithms. It is a mathematical function that makes data unreadable. Unlike encryption which is two-way function (encrypt/decrypt), hashing is one-way function, and the hashed data (such as password stored in a database) cannot be decrypted. Hashing is used mainly for comparison purposes, to verify the integrity of files and information, and it is also referred to as “digital fingerprint”.

I went long way from mirror writing to cryptographic algorithms, but there are so much more in the field of cryptography that by no means can be presented under the title “Cryptography for toddlers”, nor by a lawyer. What is certain, however, is that the role and importance of cryptography will continue to grow along the technological development and especially the rise of quantum computers that are said to solve even the most complex encryption algorithms in near future. Yet, technology should always be at least one step ahead, in ensuring that our data residing in digital ecosystems and devices is secured and tamper-proof.