Inverifi logo

ISO 27001 Controls: Cryptography

The importance of cryptography and how it keeps your data safe

ISO 27001 controls; cryptography illustration image

I could say cryptography is an essential part of any organisation dealing with confidential data, but to say so, would be a massive understatement of its scope.

 

Cryptography is everywhere. When you pay for something, it is used to transfer money from your bank account. When you use WhatsApp, it’s used to ensure that your messages stay private. It was even used to load what you’re reading now.

 

This blog entry is about how cryptography works, and why it’s important. And, by the way, it isn’t only about keeping data private.

 

ISO 27001 annex control A.10.1.1 requires appropriate policies on the use of cryptography within an organisation.

How Cryptography Works

The subject of how cryptography works is very complex, so I will have to oversimplify it, massively. If you want to go down that rabbit hole, Wikipedia can explain it better.

 

The process of encryption involves taking a piece of confidential data, and processing it with a mathematical algorithm. The result of this process is a piece of data that appears meaningless to anyone who intercepts it.

 

This encrypted data can then be decrypted, resulting in the original confidential data.

 

A fundamental part of cryptography is the use of variable numbers, called keys, in conjunction with the algorithms being used.

 

The confidentiality of these keys can vary, but in all cases, some of them must be kept secret, in order for cryptography to serve its purpose.
Symmetric key cryptography

Symmetric key cryptography

When two parties want to exchange confidential data over a network using symmetric key cryptography, they first have to agree on a shared secret key. They must do this, without disclosing their key to potential interceptors.

 

Determining a shared secret key may be possible over an intercepted communication line, using the Diffie-Hellman key exchange process. The linked video explains it very clearly, and it’s only 5 minutes long.

 

If you want to use the Diffie-Hellman key exchange process, you should be aware that it isn’t necessarily foolproof. It can be secure, even over an intercepted line, but not if messages sent over that line can be tampered with.

Public key cryptography

With public key cryptography, each party wanting to exchange data has two keys – a public key, which is shared freely, and a private key, which is only known by its owner.

 

To send a private message to a recipient, you would use their public key to encrypt the message. They would then use their private key to decrypt it.

 

For other uses of cryptography, you might instead choose to encrypt a message with your private key, and allow anyone to decrypt it with your public key. This might sound weird, but there are reasons to do this. We’ll get back to this later.

Uses of Cryptography

There are two main uses of cryptography, explained below.

Data privacy

There are many reasons why two parties may wish to exchange data in a private manner, without other parties being able to see this data.

 

Symmetric key cryptography and public key cryptography can both be used to securely exchange confidential data. Which one is best, depends on the use case.

Data integrity

As mentioned earlier, with public key cryptography, a piece of data can be encrypted with one’s own private key. This data can then be published, and decrypted with its publisher’s public key.

 

This obviously has no use in keeping the published data confidential; anyone is able to decrypt it.

 

However, the fact that it can be decrypted, using the publisher’s public key, proves that they must have encrypted it with their private key. This effectively serves as a cryptographic signature, proving that the message came from a specific person.

 

Quite often, a message will be encrypted with the sender’s private key, and the recipient’s public key. This ensures that only the recipient can read it, and guarantees to them that the sender is indeed the one who sent it.

Conclusion

Fortunately, you don’t need to know how cryptography works, in order to take advantage of it. If you did, I can promise, this blog entry would be quite a bit longer.

 

The subject of cryptography is pretty complex, but I find it quite interesting. It probably isn’t everyone’s cup of tea, but I thought it was worth writing about.

 

So, next time you’re typing in your BitLocker password, setting up an HTTPS certificate, or even loading a web page, think about all the cryptographic processes going on behind the scenes.

More blogs you might like