Cipher suites are collections of ciphers and used to keep data secure across the Internet.

This article explores what a cipher is and a cipher suite does.

Please consider this a “general” introduction to the area. I skirt past a lot of the math and operational precision of what goes into specific modern cipher suites. I do this in favour of making the area understandable and a starting point for discussions.

- Introduction
- Keeping it secret
- Breaking in

[read more=”Read more” less=”Read less”]

# Introduction

## Why do we need this?

Two generals in an army are across the battlefield. They need to discuss tactics but realise the need for secrecy.

If they write a message to each other it is possible that the courier carrying the message may be intercepted or worse the courier may read the message themselves. How do you pass the message but *reduce* the risk of it being understood?

There are different ways of obscuring the message but there has to be agreement between the generals on how they will communicate.

So they write the message down in a way the third person can see but can’t immediately understand.

**Cryptography** comes from the greek *krptos* meaning hidden or secret and *graphein* to write.

Wikipedia define cryptography as the practice and study of techniques for secure communication in the presence of third parties called **adversaries**.

## Cipher

Let’s do a very simple cipher which can also be spelt cypher. Imagine the following key. We need to encrypt the message HELLO WORLD

The top row of letters translates into the letters below

A | B | C | D | E | F | G | H | I | J | K | L | M | N | O | P | Q | R | S | T | U | V | W | X | Y | Z |

W | X | Y | Z | A | B | C | D | E | F | G | H | I | J | K | L | M | N | O | P | Q | R | S | T | U | V |

So your HELLO WORLD from the top row translates into DAHHK SKNHZ from the bottom row.

You’ve just performed your first **encryption**.

## Algorithm

An **algorithm** is a set of steps which performs a specific action.

There are two ways in and out of this algorithm. **Encrypt** means take readable words and put them through the cipher. **Decrypt** means take encrypted text and convert them back to readable.

- So fn_cipher_decrypt (“DAHHK SKNHZ!”) would return “HELLO WORLD!”
- fn_cipher_encrypt (“HELLO WORLD!”) would return “DAHHK SKNHZ!”

Computers are very good at hiding complexity and doing simple tasks like the above quickly. You don’t have to know HOW it works, just that it does.

So long as our two generals use the same algorithm then the encryption will encrypt and decrypt exactly the same.

## Handshakes, the key to Cipher Suites

At the start of the encryption the two generals have to agree which secret approach they’re going to use to encryption.

This process of negotiating the algorithm and different settings is collectively called a “**handshake**”

Whilst not a mystery they are unique to the people doing them and can signify pre-agreed communication.

So there are things like, how complex, what maths and which algorithms shall we use are all negotiated at the start of the conversation.

All of these agreements can be grouped up into a **cipher suite** to save time.

You can see some fun non-encryption related handshakes here. These examples demonstrate pre-agreed communication.

## Complexity

Our cipher isn’t very complex. It can be broken just through experimentation and there are 26 possible combinations.

Modern computers can operate in an order of **PFLOPS** (Peta Floating Point Operations Per Second) a unit of computing speed equal to one thousand million million (10^{15}) floating-point operations per second.

So modern computers can try 1,000,000,000,000,000 combinations in a second. As of June 2018 the Summit IBM supercomputer operates at 122.3 petaflops.

We are going to need a more complex cipher!

Mathematicians, computer scientists and even entire government departments such as the **NSA** (National Security Agency of America) specialise in coming up with complex systems to keep messages secret.

# Keeping it secret

## Evolution

As technology evolves and computing power becomes stronger it becomes easier and easier to break ciphers. Different combinations of ciphers, algorithms and agreement on approaches means there are many cipher suites available.

As of 2018 the strongest methods of encryption involve using **public-key cryptography**.

1976 saw two mathematicians called Whitfield Diffie and Marin Hellman proposed a new approach to encryption but hadn’t worked out the exact algorithm. In honour of their discovery you will see **DH** in a lot of cipher suites.

1978 saw Ronald Rivest, Adi Shamir and Len Adleman came up with an algorithm consequently named after them. The **RSA** algorithm.

Without getting into the mathematics of it all, there are two keys a public and private key which are very big numbers.

In the interest of fairness, the British claim from 1970 to 1974 they invented it first but didn’t reveal it to the world. I’m not going near that debate!

The maths of elliptic curves prove helpful. **ECDH** (Elliptic-curve Diffie-Hellman) appears in the titles of some algorithms. Combinations using ECDH feature in a number of cipher suites.

The keys are different but mathematically related numbers.

The public key is shared to everyone similarly the private is kept private.

When you encrypt a message with the public key only the private key can decrypt it.

The reverse is also true the private key can encrypt a message and only the public key can decrypt it.

You use the RSA algorithm to do the encryption and decryption.

## The Internet needs security

As the internet found its footing around 1995 globally it has since grown and grown.

The Internet started mainly with academic papers. Nobody really minded too much about security. The point was sharing information.

Over time more and more services emerged. As more and more business operates through the Internet the need for security has risen.

As a result the security of the internet and specifically the encryption of communications between a user and a service have become more of a focus. Intercepting passwords or reading emails has become a very serious business which can make and break very important institutions.

So like anything technical newer versions come along to replace weaker versions. Cipher suites have also evolved resulting in more and more combinations being available.

The first levels of encryption used in Internet communications were called **SSL** or Secured Sockets Layer. It was simply a cipher suite which your Internet browser and the service you were chatting to agreed upon and then all messages including looking at documents.

Not everyone uses the latest security versions, they should but…

#### SSL

Different versions came along so we saw SSL 1.0, 2.0 and 3.0.

Codenamed POODLE, one of the big issues of 2014 found a flaw in how browsers handle encryption that made SSL breakable in seconds consequently newer, better and stronger encryption was required.

#### TLS

Luckily a stronger option called **TLS** (Transport Layer Security) is available. TLS has been around since January 1999 but considered overkill. Not any more.

TLS has gone through a number of upgrades. 1.0 was in 1999, 1.1 was 2006, 1.2 was 2008 and 1.3 is August 2018.

# Breaking in

## Cracking

When a person “**cracks**” a safe they are able to get into the safe without the owners permission as a result “**cracking**” breaks into encrypted conversations. In computer circles cracking does have multiple meanings, just for clarity.

**Cryptoanalysis** is study of breaking into encrypted messages hence if one part of your cipher suite is weak then the whole suite is weak.

As actually understanding how to break in is very math and security intensive it is important that business understands what is and is not safe to use.

As of 2018, SSL bad, TLS good. Try use TLS 1.2 but not every computer can, especially older ones or ones that use software from before 2008.

There are many international companies who publicly and privately work on encryption.

One of the simplest tests is to use https://www.ssllabs.com/ssltest/

Qualys SSL Labs power the site above all grading sites, giving you an idea what the currently considered “best” rated security available to you is.

A+ is the best *currently* available similarly F is a fail and easy to break into. As security capabilities changes so your grade can change.

## Sense check

The math and approach of breaking into cipher suites is very difficult consequently requiring very powerful computing.

The infinite monkey theorem says put a monkey in front of a typewriter with infinite time hitting random keys. Through sheer luck and randomness the monkey will eventually write the complete works of Shakespeare. A very very large amount of time but not impossible.

Time is the most important part of encryption while certainly very cipher suite breaks given enough time and computing power.

If the information is time sensitive then long windows to crack mean the information is safe. If it takes 200 years to crack your encrypted email with your favorite recipe do you care?

So it is far easier for adversaries to attempt to trick you out of your password than break your encryption.

You leave the front door open to your house and go to work. Robbers steal your stuff. It is hard to have sympathy and insurance will not cover you.

For this reason keeping an eye on your security is important. Are your servers and services using an easily cracked encryption… are you leaving the door to your business online open?

Security is constantly evolving and vigilance is the only defense.

## I’m interested tell me more

Security and encryption are interesting areas because the messages are secret and who doesn’t enjoy finding out a good secret.

So if you’re interested in movies relating to encryption, ciphers and cipher suites I recommend the following

If you want to see more about the encryption algorithms and how the processes works. I do caveat that they expect you to have a bit of maths and computer understanding.

[/read]