The Importance of Cryptography

November 14, 2013

The requirements of information security within an organization have undergone two major changes in the last several years. Before the widespread use of data processing equipment, the security of information felt to be valuable to an organization was provided primarily by physical and administrative means. An example of the latter is the personnel screening procedures used during the hiring process. An example of the former is the use of rugged filing cabinets with a combination lock for storing sensitive documents.

With the introduction of the computer, automated tools for protecting files and other information stored on the computer became mandatory. This is required for a system such as a time-sharing system, and the need is sometimes even more acute for systems that can be accessed over a public telephone data network or the internet.

The second major change that affected security is the introduction of distributed systems and the use of networks and communications facilities for carrying data between terminal user and computer. Network security is required to protect data while in transit. In fact, the term network security is misleading, since all business, government and academic organizations interconnect their data processing equipment with a collection of interconnected networks.

Cryptography is a science that applies complex mathematics and logic to design strong encryption methods. Cryptography is also an art. It allows people to keep confidence in the electronic world: people can do their business over electronic channels without worrying about deceit and deception.

When people started doing business online and needed to transfer funds electronically, the applications of cryptography for integrity began to surpass its use for confidentiality. In today’s world, thousands of people interact electronically every day by different means such as e-mail, ATMs, e-commerce or cellular phones. The rapid increase in information transmitted electronically has resulted in an increased reliance on cryptography and authentication.

The simplest example of cryptography is the transformation of information to prevent others from observing its meaning. Here, we prevent information from reaching an enemy in usable form. Confidentiality is viewed as the central issue in the field of information protection. Secure communication is the most straightforward use of cryptography. The key management problem has prevented secure communication from becoming commonplace. The development of public-key cryptography creates a large-scale network of people who can communicate securely with one another even if they have never communicated before.

Early cryptographers used three methods for information encryption:

  1. Substitution
  2. Transposition
  3. Codes.

Monoalphabetic ciphers

One of the earliest cipher methods is the Caesar cipher, which has only 25 possible keys and is far from secure. A dramatic increase in the key space can be achieved by allowing an arbitrary substitution.

There are 26! possible keys if the “cipher” line can be any permutation of the 26 alphabetic characters. This is 10 orders of magnitude greater than the key space for DES and would seem to prevent brute-force techniques for cryptanalysis. This approach is referred to as a monoalphabetic substitution cipher, because a single cipher alphabet (mapping from plain alphabet to cipher alphabet) is used per message.

However, there is another line of attack. If the cryptanalyst knows the nature of the plaintext, the analyst can exploit the regularities of the language. Let’s take one partial example to see how such a cryptanalysis might proceed.





To start with, we can determine the relative frequency of the letters and compare it to a standard frequency distribution for English, as shown in the chart below.


Figure 1: Relative Frequency of Letters in English Text


If we have a long message then this technique is sufficient; since we have a short message, we cannot expect an exact match. The relative frequencies of the letters in the cipher text shown above (in percentages) are as follows.


P 13.33    H 5.83    F 3.33    B 1.67    C 0.00
Z 11.67    D 5.00    W 3.33    G 1.67    K 0.00
S  8.33    E 5.00    Q 2.50    Y 1.67    L 0.00
U  8.33    V 4.17    T 2.50    I 0.83    N 0.00
O  7.50    X 4.17    A 1.67    J 0.83    R 0.00
M  6.67


Comparing this breakdown with figure 1, it seems that cipher letters P and Z are the equivalents of plain letters e and t, but it is not certain which is which. Letters H, M, O, U and S are all of relatively high frequency and probably correspond to plain letters from the set {a, h, i, n, o, r, s}. The letters with the lowest frequencies {A, B, G, Y, I, J} are likely included in the set {b, j, k, q, v, x, z}.


There are many ways we can proceed from this point. One way is to make some tentative assignments and start to fill in the plaintext to see if it looks like a relevant message. Another, more systematic approach is to look for other regularities. For instance, certain words may be known to be in the text. Or we could look for repeating sequences of cipher letters and try to deduce their plain text.


The most common digram in our cipher text is ZW, which appears three times. So we can make the correspondence of Z with t and W with h. Then, by our earlier assumption, we can equate P with e. Notice that the sequence ZWP appears in the cipher text, and we can translate that sequence as “the”, the most frequent three-letter word in English, so we are on the right track.


Next, we have the sequence ZWSZ in the first line. We know Z is t and W is h, so this sequence will be th_t, and S equates to a (the missing letter).


So far we have Z=t, W=h, S=a, P=e. We have identified only four letters, but we already have quite a bit of the message. Continued analysis of frequencies plus trial and error should easily yield a solution. The complete plaintext is as follows.


It was disclosed yesterday that several informal but direct contacts have been made with political representatives of the viet cong in Moscow.
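An added example (not part of the original article) of the frequency-analysis steps above: it re-enciphers the recovered plaintext under a constructed key, since the ciphertext itself is not reproduced here, and shows that the letter profile and the digram counts survive a monoalphabetic substitution. The function names and the seed are assumptions.

```python
import random
import string
from collections import Counter

# Plaintext recovered on this page, lower-cased with spaces removed.
RECOVERED = "".join("""it was disclosed yesterday that several informal but
direct contacts have been made with political representatives of the viet
cong in moscow""".split())

def make_key(seed):
    """Constructed substitution key (plain letter -> cipher letter); it is
    not the key behind the frequency table on this page."""
    cipher_alphabet = list(string.ascii_uppercase)
    random.Random(seed).shuffle(cipher_alphabet)
    return dict(zip(string.ascii_lowercase, cipher_alphabet))

def encrypt(plaintext, key):
    return "".join(key[ch] for ch in plaintext)

def letter_percentages(text):
    """Relative frequency of each letter in percent, most frequent first."""
    return {ch: round(100 * n / len(text), 2)
            for ch, n in Counter(text).most_common()}

def digram_counts(text):
    return Counter(text[i:i + 2] for i in range(len(text) - 1))

def tentative_assignments(ciphertext, ranking="et"):
    """Map the most frequent cipher letters to the most frequent English
    letters: a first guess, to be confirmed with digrams such as 'th'."""
    top = [ch for ch, _ in Counter(ciphertext).most_common(len(ranking))]
    return dict(zip(top, ranking))

if __name__ == "__main__":
    key = make_key(seed=2013)
    ciphertext = encrypt(RECOVERED, key)
    print(ciphertext)
    print(letter_percentages(ciphertext))   # same profile as the plaintext
    print(digram_counts(ciphertext).most_common(3))
    print(tentative_assignments(ciphertext))
```

Whatever key is chosen, the two most frequent cipher letters stand for e and t, which is why the key space of 26! offers no protection against this analysis.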

Monoalphabetic ciphers are easy to break because they reflect the frequency data of the original alphabet. A countermeasure is to provide multiple substitutes, called homophones, for a single letter. For example, the letter P could be assigned different cipher symbols such as 16, 75, 36, and 22, with each homophone used in rotation or randomly.


Polyalphabetic Ciphers

One way to improve on the simple monoalphabetic technique is to use different monoalphabetic substitutions as one proceeds through the plaintext message. This approach is called a polyalphabetic substitution cipher. This technique has the following features.

  1. A key determines which rule is chosen for a given transformation.
  2. A set of related monoalphabetic substitution rules is used.


The Vigenère cipher is the best known and simplest such algorithm. In this algorithm the set of related monoalphabetic substitution rules consists of the 26 Caesar ciphers, with shifts of 0 through 25. Each cipher is denoted by a key letter, which is the cipher text letter that substitutes for the plaintext letter a. Hence, a Caesar cipher with a shift of 3 is denoted by the key value d.


To aid in understanding and using the scheme, a matrix known as the Vigenère table is shown in the figure below. The 26 ciphers are laid out horizontally, with the key letter for each cipher to its left. A normal alphabet for the plaintext runs across the top. The encryption process works as follows: given a key letter x and a plaintext letter y, the cipher text letter is at the intersection of the row labelled x and the column labelled y; in this case the cipher text is W.



To encrypt a message, a key is needed that is as long as the message. Usually the key is a repeating keyword. For instance, if the keyword is FRINGE and the message is “geteachsoldierameal”, it is encrypted as follows.



Plain text: geteachsoldierameal



Decryption is equally simple. The key letter again identifies a row. The position of the cipher text letter in that row determines the column, and the plain text letter is at the top of that column.


The strength of this cipher is that each plaintext letter can have multiple cipher text letters, one for each unique letter of the keyword. The letter frequency information is thus obscured. But not all knowledge of the plaintext structure is lost.


Breaking the Vigenère cipher

Although slow to gain acceptance, the Vigenère cipher was a strong and seemingly unbreakable encryption method until the 19th century. Charles Babbage and Friedrich Wilhelm Kasiski demonstrated in the mid and late 1800s respectively that even polyalphabetic ciphers are vulnerable to cryptanalysis. Because the key and the plain text share the same frequency distribution of letters, a statistical method can be applied.
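An added example (not from the original article) covering both the FRINGE encryption above and the structure that makes the cipher breakable: one plaintext letter gets several cipher letters, yet every key-length-th letter is still a plain Caesar cipher. The function names are assumptions; the message and keyword are the ones on this page.

```python
from string import ascii_lowercase as ALPHABET

def _shift(ch, key_letter, sign):
    """Apply the Caesar row named by key_letter (sign=-1 undoes it)."""
    return ALPHABET[(ALPHABET.index(ch) + sign * ALPHABET.index(key_letter)) % 26]

def vigenere_encrypt(plaintext, keyword):
    key = keyword.lower()
    return "".join(_shift(p, key[i % len(key)], +1)
                   for i, p in enumerate(plaintext.lower())).upper()

def vigenere_decrypt(ciphertext, keyword):
    key = keyword.lower()
    return "".join(_shift(c, key[i % len(key)], -1)
                   for i, c in enumerate(ciphertext.lower()))

def images_of(letter, plaintext, keyword):
    """Set of cipher text letters that one plaintext letter turns into."""
    ciphertext = vigenere_encrypt(plaintext, keyword)
    return {c for p, c in zip(plaintext, ciphertext) if p == letter}

def caesar_streams(ciphertext, key_length):
    """Split the cipher text into key_length interleaved streams; each stream
    was enciphered with one key letter, i.e. with one Caesar shift."""
    return [ciphertext[i::key_length] for i in range(key_length)]

if __name__ == "__main__":
    message, keyword = "geteachsoldierameal", "FRINGE"  # values from this page
    ciphertext = vigenere_encrypt(message, keyword)
    print(ciphertext)
    print(vigenere_decrypt(ciphertext, keyword))
    print(sorted(images_of("e", message, keyword)))     # 'e' has several images
    for key_letter, stream in zip(keyword, caesar_streams(ciphertext, len(keyword))):
        # Once the key length is known, each stream is a single Caesar cipher.
        print(key_letter, stream, vigenere_decrypt(stream, key_letter))
```

On a message long enough for statistics, each stream can be attacked with the single-alphabet frequency analysis shown earlier, which is the weakness Babbage and Kasiski exploited.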


Transposition Ciphers

All the techniques we have seen so far involve the substitution of a cipher text symbol for a plain text symbol. A very different kind of mapping is achieved by performing a permutation on the plain text letters. This technique is called a transposition cipher.


The simplest of these is the rail fence technique, in which the plaintext is written down as a sequence of diagonals and then read off as a sequence of rows. For instance, to encipher the message “giveeachsoldierameal” with a rail fence of depth 2, we write it as below.



The encrypted message is


This sort of technique is difficult to cryptanalyze. A more complex scheme is to write the message in a rectangle, row by row, and then read it off column by column, but with the order of the columns permuted. The order of the columns then becomes the key to the algorithm.


Key: 4 3 1 2 5 6 7

Plain text: G I V E E A C






A pure transposition cipher is easily recognized because it has the same letter frequencies as the original plaintext. For this type of columnar transposition, cryptanalysis is fairly straightforward and involves laying out the cipher text in a matrix and playing around with the column positions.


To make a transposition cipher more secure, one can perform more than one stage of transposition. The final result is a more complex permutation that cannot easily be guessed. Hence, the foregoing message is re-encrypted as below using the same algorithm.



Key:        4 3 1 2 5 6 7

Plain text: t t n a a p t

            m t s u o a o

            d w c o i x k

            n l y p e t z



To better understand and visualize double transposition, designate the letters in the original plaintext message by the numbers designating their position. With 28 letters in the message, the original sequence of letters is



01 02 03 04 05 06 07 08 09 10 11 12 13 14

15 16 17 18 19 20 21 22 23 24 25 26 27 28


After the first transposition we have


03 10 17 24 04 11 18 25 02 09 16 23 01 08

15 22 05 12 19 26 06 13 20 27 07 14 21 28

This still has a somewhat regular structure, but after the second transposition we have


17 09 05 27 24 16 12 07 10 02 22 20 03 25

15 13 04 23 19 14 11 01 26 21 18 08 06 28

This is a much less structured permutation and is also much more difficult to cryptanalyze.
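An added example (not part of the original article) that implements the rail fence and the keyed columnar transposition described above, and reproduces the two position sequences for the key 4 3 1 2 5 6 7. The function names are assumptions; the key, the 28 positions and the rail fence message are the ones on this page.

```python
def rail_fence(text, depth):
    """Write text along a zigzag of `depth` rails, then read rail by rail."""
    rails, row, step = [[] for _ in range(depth)], 0, 1
    for ch in text:
        rails[row].append(ch)
        if depth > 1:
            if row == 0:
                step = 1
            elif row == depth - 1:
                step = -1
            row += step
    return "".join("".join(rail) for rail in rails)

def columnar(items, key):
    """Fill rows of width len(key), then read whole columns in key order."""
    width = len(key)
    order = sorted(range(width), key=lambda col: key[col])
    return [item for col in order for item in items[col::width]]

def columnar_inverse(items, key):
    """Undo columnar(): refill the columns in key order, read row by row."""
    width, total = len(key), len(items)
    order = sorted(range(width), key=lambda col: key[col])
    grid, pos = [None] * total, 0
    for col in order:
        height = len(range(col, total, width))  # short columns if last row is partial
        grid[col::width] = items[pos:pos + height]
        pos += height
    return grid

KEY = [4, 3, 1, 2, 5, 6, 7]        # key from this page
POSITIONS = list(range(1, 29))     # the 28 letter positions 01..28

if __name__ == "__main__":
    once = columnar(POSITIONS, KEY)
    twice = columnar(once, KEY)
    print(" ".join(f"{p:02d}" for p in once))    # first transposition
    print(" ".join(f"{p:02d}" for p in twice))   # second transposition
    print(columnar_inverse(columnar_inverse(twice, KEY), KEY) == POSITIONS)
    print(rail_fence("giveeachsoldierameal", 2))
```

Because both stages are pure permutations, the output keeps the letter frequencies of the input, which is how a transposition cipher is recognized.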


Contemporary Cryptography


As we have seen in the earlier methods, breaking the Vigenère cipher is possible, so people started looking for a better, unbreakable cipher. To achieve this, a change to the plaintext, even of just 3 characters, must produce a significant change in the cipher text, such that no relationship exists between the plain text and the cipher text.



Block Cipher


Nowadays everyone uses AES (Advanced Encryption Standard). It has proved to be very secure, though it has already been broken on paper. AES is a symmetric cipher, which means it uses the same key for encryption and decryption.


Figure 2: Simple block cipher


As the graphic above shows, the plaintext is broken into blocks, typically 128 bits in size. Each block passes through the block algorithm using a key, resulting in the final cipher text. One issue is that the same plain text encrypted with the same key produces the same cipher text; this is called lack of diffusion. So a change in the plain text gives a corresponding change in the cipher text.


Figure 3: CBC Cipher mode


At start-up, CBC XORs the first plaintext block with the IV and submits the result to the block algorithm. The algorithm produces a block of cipher text, which is XORed with the next block of plain text and submitted to the block algorithm using the same key. If the final block of plain text is smaller than the cipher block size, the plain text block is padded with the required number of bits.
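An added example, not from the original article, contrasting the independent per-block encryption of Figure 2 with the CBC chaining just described. The block algorithm is a constructed toy Feistel network standing in for AES, and the PKCS#7-style padding and all function names are assumptions.

```python
import hashlib
import hmac

BLOCK = 16  # bytes, i.e. the 128-bit block size mentioned above

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, rnd, half):
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]

def toy_encrypt_block(key, block):
    """Constructed 4-round Feistel stand-in for the block algorithm.
    It is NOT AES and must not be used to protect real data."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, _xor(left, _f(key, rnd, right))
    return left + right

def toy_decrypt_block(key, block):
    left, right = block[:8], block[8:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _f(key, rnd, left)), left
    return left + right

def pad(data):
    """PKCS#7-style padding (an assumption; the page names no scheme)."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def split_blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key, plaintext):
    return b"".join(toy_encrypt_block(key, b) for b in split_blocks(pad(plaintext)))

def cbc_encrypt(key, iv, plaintext):
    out, prev = [], iv
    for block in split_blocks(pad(plaintext)):
        prev = toy_encrypt_block(key, _xor(block, prev))  # chained into next block
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ciphertext):
    out, prev = [], iv
    for block in split_blocks(ciphertext):
        out.append(_xor(toy_decrypt_block(key, block), prev))
        prev = block
    padded = b"".join(out)
    return padded[:-padded[-1]]

def has_repeated_blocks(ciphertext):
    blocks = split_blocks(ciphertext)
    return len(set(blocks)) < len(blocks)
```

Encrypting a message made of identical 16-byte records makes `has_repeated_blocks` true for `ecb_encrypt` and false for `cbc_encrypt`, and changing only the IV changes the whole CBC cipher text.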


Another block cipher mode (AES) uses a more sophisticated approach, including byte substitution and column mixing. It is difficult to break by any attack other than key discovery attempts.


Key Management


We have discussed symmetric ciphers at length, and their critical component is the key. We have to make sure that no unauthorized access to the key occurs. And if we lose a key, we also lose the data protected by that key. So let’s look briefly at some areas of key management.


Principles of Key Management


Below are the required three conditions


  1. What key strength is adequate for the data protected?
  2. How will you ensure keys are protected but available when needed?
  3. Where will you store the keys?


Key Storage

Many organizations are inclined to store the key on the same system and drive as the encrypted files. This may seem like a good idea when the key is encrypted, but it is still bad security practice. If the system fails, the key is not recoverable. We might have a backup for that system, but restored backups do not always work as intended.

Encrypting the keys is the first step, regardless of where you keep them. You then have to decide where to store the encryption key for the encrypted encryption key. None of this confusion arises when you store your keys in a secure, central location. One can also make use of escrow services (a safe deposit box, a trusted third party) to store encryption keys.

Key Protection

Encrypted keys can’t be locked away and only brought out by trusted employees as needed. Instead, keep the keys available and safe. Access security for the key is the most basic level. No matter how well protected your keys are when not in use, valid users and applications must be able to gain access. In addition to authentication, put emphasis on strong identity verification and aggressively enforce separation of duties, need-to-know and least privilege.


Key Strength

Using weak keys may achieve compliance, but it provides a false sense of security to customers and investors. AES can use 128-, 192- or 256-bit keys, and a 128-bit key is strong enough for business data as long as it is random. Key strength is measured by key size and by an attacker’s ability to step through the possible combinations until the right key is found. The best way to choose a key is one in which any bit combination in the key space, i.e. any of the possible keys, can appear.



Cryptography’s role in society

Encryption does not guarantee that every piece of data is protected from unauthorized access. It only guarantees unnecessary cost and unhappy managers. Now let’s see where exactly encryption fits in an overall security controls architecture.

Encryption acts as an additional layer of security. The biggest mistake an organization can make is to consider encryption the solution to all security issues.

For example, encryption is not in effect when data is not in transit, such as data that resides on a server or is being processed at the client end. So if an attacker gets access to the server, it does not matter to him whether the organization makes use of encryption, as he will get the plaintext.

In another case, the key may be compromised. And security teams that assume 100% security through encryption do not pay attention to SIEM or response policies.

Before deploying encryption, implement the following controls.

  • Implement authentication & authorization controls between applications and databases.
  • Enforce strong application access control.
  • Separate data access management; employees should be allowed to access data based on the access control.
  • Implement physical security for storage and system components.
  • Implement log management and monitoring to find anomalous activity across the network.
  • Follow security best practices for database and system components.


When to encrypt

  1. Encrypt data that moves: Data that moves from one zone to another, whether within the organization or between external end points, should be encrypted. Data moving between trusted wireless zones is always at high risk, so encrypt it as well.


  2. Encryption for separation of duties: In an organization some data is stored in flat files, and encrypting a spreadsheet provides an additional layer of protection so that only employees with the right authorization can access these files.


    A few applications have built-in access controls to protect database-level data, but most of the time these controls are not accurate. So encrypting row-level data in the database provides good security.


  3. Encrypt when required: An organization has to follow regulations and satisfy certain requirements to be compliant with government policies. This type of encryption is driven by general requirements rather than by a security perspective. For example, encrypting medical data might not provide security to your organization, but it is required for HIPAA compliance.


  4. Encrypt when you want to reduce a risk: This applies on top of the three situations above. If, during a risk assessment, you feel the current controls might not be adequate and provide enough security, then encrypt your data. This applies to risk that comes from attack and from non-compliance.




As we have seen in the history of cryptography, cryptographers create new ciphers that are unbreakable, and cryptanalysts try to break the unbreakable ciphers. Any algorithm whose cipher text retains the letter frequencies of the plain text is not considered secure.

Key management is also a very important aspect of cryptography that is overlooked by most organizations. Keys should be stored in a secure manner and still be easily accessible when required. Further, central key management helps to apply common encryption policies across all devices and data.

“ENCRYPT EVERYTHING” is neither a correct nor a reasonable view. Encryption cannot be considered the sole solution to all security issues; rather, its use should be based on risk assessment and priority.
