A Brief History of Cryptography

exhaustive fashion. So it's wise to add an additional layer of protection: encrypt the data transfer so that even if a snoop were tapping the line, all they would see is garbage. One serious flaw or design element in using cryptography to seal up data is that it is only a temporary fix. The real comparison should be to use a suitable key length or encryption algorithm that outpaces the ever-increasing advance in technological capabilities. Also, the lifetime of that data itself should be compared in a similar fashion. Using small keys and weak but fast encryption techniques is fine for data that will be worthless in 24 hours, especially since it will take a would-be cipher hack more time than that to crack it.

2.2.2 Cryptography: How to Keep a Secret

A good starting point for illustration is the code system generally attributed to Julius Caesar. Caesar swapped each letter in the alphabet for another letter some distance away. Hence, all 26 letters of the standard western alphabet would have a complementary cipher letter which would be used for a coded transmission. For example, the letter I could represent A, the letter J could stand for B, and the letter K for C. The entire alphabet would have such a transposition, wrapping from Z around to A where necessary. As you can see, each letter is replaced by another 8 letters away. Hence, by knowing only one letter transposition, you know them all.

Several modifications make the code more complex, but no harder to break. By assigning random letters to stand for other letters, and by not repeating them, one would need the entire translation table to decrypt a message, rather than just knowing the replacement distance as in our previous example. But it turns out that knowing the language the clear text is in gives valuable insight into cracking the code. A simple frequency chart plotting letter occurrence produces the clear text with ease.

One protection factor that strengthens the algorithm is not being able to reverse the process. Using variations on the mathematical modulo operation is essential for this. The mod operation on two numbers produces the remainder when the first number is divided by the second. For example, 17 mod 3 would be 2, because 17 divided by 3 is 5, with a remainder of 2. It is possible to have a mod value of zero; this would be the case if the operation was, for example, 15 mod 5. An interesting thing to note about using the mod operation is that ridiculously large numbers can be reduced dramatically by simply modding them by a smaller number. A possibly non-obvious truth of mod math is that the result can never be larger than the second operand in the mod equation less one. Thus, in our first example, 17 mod 3, without even knowing the answer, we can guarantee that the answer will never be larger than 2. If you produced 5 as an answer, it could itself be divided by 3 once more, still leaving 2 as the answer. In this manner, you can see that even 923897958729349872356 mod 3 still leaves only 0, 1, and 2 for possible answers.

An important point with using the modulo operation is that given one of the operands and the answer, it is impossible to know what the other operand was. For example, if we told you that some number mod 3 produced the answer of 2, could you guess what number we were referring to? Remember that 5 mod 3 = 2, and 8 mod 3 = 2, and 11 mod 3 = 2. You can see the pattern developing easily from here. This, even if simply put, is one reason why it is impossible to reverse a mod equation with exact certainty, and why a decent amount of protection is provided by cipher equations.

2.2.3 Cryptography in Network Communications

Protecting a network conversation is almost as fundamental as having one. The protection part comes from the need to send data over an unknown public network. This is commonly referred to as the transmission over an insecure channel problem, and is almost always solved by one of two methods. The easiest solution is, of course, to make the channel secure by privatizing the medium. If you make sure that third parties do not have access to the physical line, snooping becomes extraordinarily difficult, so the connection is solid. As usual, this is not always the best approach, for several reasons. It is expensive to secure an entire media delivery system, which may be unfeasible as well as impractical to alter in a timely fashion, not to mention that sometimes it is impossible to secure a delivery system to a user's complete satisfaction. This is exactly the reason why the virtual private network will be deployed on a large scale in the coming years. Since the solution is not to privatize an existing delivery system, it must be to secure the data itself on the insecure channel. In other words, make it accessible for everyone, but transform it using cryptography in such a way that only an affiliate can undo it.

2.2.4 Cryptographic Algorithms

In the following section we cover the three basic types of encryption algorithms that can be used to protect data. Some of these systems are marginally unsuitable for VPNs, or present administration troubles, and others seem like they were made exactly for protecting network communications.

2.2.4.1 Hash algorithms

Hash algorithms, which are usually known as message digests or one-way hashes, take an arbitrarily large string and mathematically convert it into a fixed-length, one-way number. Hashes are typically used to check the validity of a particular message or password. A good scenario is one where a system needs to be able to check the authentication of a particular user, but does not want to store an unencrypted password on the disk. Doing so would compromise security for every user on the whole system at once. When the system hashes the passwords and then stores the hash, the attacker who gains access to the password file still has nothing with which to help him. But he can engage in brute force attacks against all the users at once, which provides adequate reason for the system administrator to keep the hashed password file as safe as possible. The process of hashing must be fast and reliable, and must produce a result that is fundamentally difficult to reverse. Because there is a loss of data in the production of the hash (e.g., the transformation of a potentially large value into a smaller fixed-length one), a cryptanalyst has only the tools of brute force attacks, social engineering, or algorithm-specific attacks. It is possible for there to be more than one input value that hashes to the same result. A robust algorithm makes it computationally unfeasible to find two such values easily.
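The password-storage scenario above, as an added example that is not part of the original text. It shows the fixed-length output, why a file of plain hashes lets one guess be tested against every user at once (equal passwords give equal hashes), and a stored form that avoids this; the per-user salt and the PBKDF2 iteration count go beyond what the text describes, and all names and sample passwords are constructed.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this example; tune per deployment

def unsalted_digest(password):
    """Plain one-way hash: fixed length whatever the input size, same input gives same output."""
    return hashlib.sha256(password.encode()).hexdigest()

def enroll(password, salt=None):
    """Return (salt, digest) to store in place of the password itself."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def verify(password, salt, stored):
    """Re-derive the digest from the login attempt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, stored)

def shared_hash_groups(password_file):
    """Group users whose stored hashes are identical (what an unsalted file reveals)."""
    groups = {}
    for user, digest in password_file.items():
        groups.setdefault(digest, []).append(user)
    return sorted(sorted(users) for users in groups.values() if len(users) > 1)

if __name__ == "__main__":
    # Constructed accounts: two users happen to pick the same password.
    users = {"alice": "correct horse", "bob": "correct horse", "carol": "tr0ub4dor"}
    unsalted = {u: unsalted_digest(p) for u, p in users.items()}
    print("users sharing a hash (unsalted):", shared_hash_groups(unsalted))
    salted = {u: enroll(p) for u, p in users.items()}
    print("users sharing a hash (salted):",
          shared_hash_groups({u: d.hex() for u, (s, d) in salted.items()}))
    s, d = salted["alice"]
    print(verify("correct horse", s, d), verify("wrong guess", s, d))
```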