The underpinning of web security

We all know there is some security on the web: HTTPS, SSL, encryption, MAC, etc. But do we know what is behind all this security? In this article, I attempt to explain, in simple terms, the underpinning of web security.

Let us take the case of RSA, a public key infrastructure mechanism that kicks in when a website is accessed over HTTPS. Remember the padlock we see in the browser address bar when we access a bank website?

RSA works with two keys. The public key is published to anyone, including browsers, via the certificate downloaded while accessing an HTTPS web page. The private key is available only to the website you access over HTTPS. When data is sent by the browser, it is scrambled (encrypted) using the public key, and the scrambled data is sent to the server. The server decrypts it with its private key to get the original data; this prevents eavesdropping on the transmitted message.

The keys under discussion are nothing but integers. The public key is a product of 2 prime numbers p and q. The private key is p and q. While this is much simplified for ease of understanding, it is not an exaggeration. Security rests on the fact that it is hard to find p and q given the product pq, especially for large values of p and q, of the order of hundreds of digits. Once somebody finds p and q, they can decrypt the messages that they can sniff off the internet.

Let us understand why it is hard. In order to factor a number (such as finding p and q given pq), one needs to divide the product by numbers from 1 to the square root of that number (why that is enough needs another article). This takes an immense amount of time for computers, of the order of several billion years beyond the age of the universe, when p and q are large prime numbers and one can do millions of divisions in a second. You can try this on your computer for considerably large numbers. Methods like this, which make reversing harder, are called trapdoor functions. They are easy one way (multiplying p and q) and harder the other way (finding p and q given pq).
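The experiment suggested above, as an added example that is not part of the original article: a toy RSA key is built from small constructed primes, a message is encrypted with the public key, and the plaintext is recovered by factoring the modulus with trial division while counting the divisions. The public exponent `E = 65537`, the sample primes and all function names are assumptions of this example; the article's simplified description leaves the exponent out.

```python
import math

E = 65537  # common public exponent; an assumption, the article omits it


def factor_by_trial_division(n):
    """Try every divisor from 2 up to sqrt(n); return (p, q, divisions_done)."""
    for d in range(2, math.isqrt(n) + 1):
        if n % d == 0:
            return d, n // d, d - 1  # divisors 2..d were tried: d - 1 divisions
    raise ValueError("no factor found: n is prime")


def private_exponent(p, q):
    """Knowing p and q is what lets the key owner derive the decryption exponent."""
    return pow(E, -1, (p - 1) * (q - 1))  # modular inverse, Python 3.8+


def recover_by_factoring(n, ciphertext):
    """Recover the plaintext from public values only; feasible only for toy n."""
    p, q, divisions = factor_by_trial_division(n)
    return pow(ciphertext, private_exponent(p, q), n), divisions


def run_demo(message=42):
    """Return (modulus bits, divisions needed, recovered message) per key size."""
    rows = []
    # Constructed sample primes, far too small for real use.
    for p, q in [(101, 103), (10007, 10009), (999983, 1000003)]:
        n = p * q
        ciphertext = pow(message, E, n)  # browser side: uses the public key only
        recovered, divisions = recover_by_factoring(n, ciphertext)
        rows.append((n.bit_length(), divisions, recovered))
    return rows


if __name__ == "__main__":
    for bits, divisions, recovered in run_demo():
        print(f"{bits:>4}-bit modulus: {divisions:>7} divisions, recovered {recovered}")
    # The work grows with sqrt(n): a 2048-bit modulus has a square root of
    # about 2**1024, so this loop would never finish on a key of that size.
    print(f"2048-bit modulus: up to about 2**{2048 // 2} divisions")
```

The division count grows from 100 to roughly a million as the modulus goes from 14 to 40 bits, which is the scaling the paragraph above describes.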

This is the underpinning of web security: some simple, but genius, factorization math. When computing capacity increases in the future to the level where we can factor huge numbers quickly, all bets are off on the current security model. This is also the reason why the number of bits in the keys used for encrypting has increased over the years, most recently from 1024 to 2048, to keep up with increasing computing capacity.

While cracking is hard with public key infrastructure that uses 2 different keys for encryption and decryption (asymmetric cryptography), the same is true for symmetric encryption, where the same key is used for encryption and decryption. With AES, for example, guessing a key is hard because the universe from which the key is drawn is too large to try out all possible keys within a practical amount of time. Certain things like initialization vectors, cipher modes, substitutions, permutations, etc. have been left out for ease of understanding.
