The Edward Snowden revelations have played a significant role in raising the profile of encrpytion over the last few years. That debate will clearly continue to run, but with heightened cyber security threats the use of encryption is something very relevant for corporates – particularly where payments are concerned. And it is with payment security in mind that i write this post, but encryption and related themes covered below are applicable across applications and processes.
1. What is Crytography?
Crytography comes from the Greek kryptós (hidden) and gráphein (to write).
There are lots of definitions out there for cryptography – but fundamentally they state that it is the science that enables information to be stored or transferred in a form that is not readable by an unauthorised person. The intended recipient however is able to convert the seemingly jumbled up and random looking characters and/or symbols into a meaningful message.
One frequently cited example of this conversion into random looking messages was that used by Julius Caesar, the so-called “shift by 3” rule. Private messages that Julius Caesar sent his generals replaced A with D, B with E and so on. Only those trusted sources that knew the rule could interpret and read the private message.
2. What is Encryption?
Encryption is the process of converting plain text into scrambled up, essentially unreadable, data – also known as ciphertext
3. What is Decryption?
Decryption is the reverse of encryption! Decryption is the process that unscrambles the ciphertext into plain text that is readable by the intended (hopefully!) recipient.
4. What is a Key?
In Julius Caesar’s day, most of the data being transferred was by hand. Nowadays, most information that is being transferred is over the internet or over public networks. So it is likely that your data will be exposed and maybe even read by some sources. If it is in plain text, and the information is private, confidential or sensitive that might be a problem for you. But if the message is encrypted, its not a big deal – because even though some guy can see the scrambled data, he/she will not know what it is actually saying.
But you need a way for the sender and recipient to be able to encrypt (sender) and decrypt (recipient). This is where keys become important. As the name suggests keys are used to lock (encrypt) and unlock (decrypt) the data. Sounds very James Bond!
5. Sounds simple so far… What is a Public Key and a Private Key?
Okay, so this is where it gets a bit tricky….
The first thing to note is that “Keys come in two’s:
- Public Key –
- To receive encrypted messages, you need to share this with your partners
- This is used to encrypt the data
- Private Key –
- You should never share this with anybody, as the name suggests it is private
- This is used to decrypt the data that your partners have sent you
6. What is a Signature?
A digital signature is just like a hand written signature, it allows the recipient to be sure that the information was sent by the correct party.
A digital signature is created by encrypting data with your private key, and when the recipient receives the data they will be able to decrypt it using your public key. Since the public and private keys are related, this is possible.
You can choose whether you want to only encrypt data, or only sign data, or do both!
7. Why is a Signature Important?
Couple of reasons:
- Firstly (as mentioned above) it allows you to know that the information was sent by the expected party – and the sender cannot deny sending the information, known as non-repudiation
- Secondly, the plaintext (using PGP) is also converted into a unique fixed length output (for example 160 characters) – this is called a one way hash function and in PGP makes up the digital signature
- Using PGP the recipient will receive the plaintext and the signtaure, and will verify the signature
- This verification will check the hash value and if the file is modified en-route in anyway the signature verification process will fail
8. But you still havent told me about PGP Encryption…?!?!
Yeah, you need to know all of the above to understand PGP encryption. PGP encryption stands for Pretty Good Privacy.
Its funny, because Pretty Good Privacy sounds like its okay, just okay. Here is what you need to know:
- PGP encryption stands for Pretty Good Privacy
- Its funny, because Pretty Good Privacy sounds like its okay, just okay but in fact it is internet standard called OpenPGP which is used for data encryption and digital signatures
- PGP is free and open source software provided by Free Software Foundation called the GNU Privacy Guard (GPG) — which is sometimes confusing because i have heard people talking about GPG
- PGP essentially uses all of the above concepts, PGP:
- Compresses the plaintext
- Creates a 1-time “session key” to encrypt the data which is sent to the recipient along with the encrypted data
- Uses the public key to encrypt and the private key to decrypt data
9. How is PGP encryption relevant for Payments?
Corporates send payments to their banks for processing, but the problem is that the payments or payment files might be intercepted either at source (within your company) or en-route and somebody may modify the payment file and either add unauthorised payments or change the payment recipient details. That is a scary but real prospect.
This is where PGP encryption might be useful. You may want to consider using PGP encryption to scramble the payment file data so that the payment file cannot be read and in turn modified in anyway. In order to do this, you will need to setup PGP encryption and decryption processes within your company and find out the PGP encryption capabilities at your payment service providers.
Hope that helps!
- Bitcoin not bombs – Beginners guide to PGP
- Surveillance self defence – An Introduction to Public Key Cryptography and PGP
- PGPI – How PGP works