Recapping the Course

Summary

We have seen that cryptography is essentially a toolkit of mathematical techniques for implementing the core security services required to protect information. We have learned many important lessons about cryptography along the way. In particular:

• Cryptography is much more than encryption: The term cryptography derives from Greek for ‘hidden writing,’ which inaccurately implies that cryptography is primarily about providing confidentiality. Although confidentiality is important, the cryptographic toolkit consists of far more than just tools for encryption. Cryptographic primitives can be employed to provide a host of different security services. As well as confidentiality mechanisms, we have studied mechanisms for providing data integrity, data origin authentication, entity authentication, and non-repudiation. While cryptographers have designed many even more specialized tools, the majority of applications of cryptography can be built from the mechanisms discussed in this course.

• Cryptography is an everyday technology: Cryptography has become a technology that most of us use almost every day of our lives. We have examined several of these applications in this course. However, most users do not realize they are using cryptography daily. Cryptography may literally mean ‘hidden writing,’ but it is the use of cryptography that is hidden in most applications. In many cases, we have no alternative to cryptography for providing most of these security services, so it is reasonable to expect that this everyday use of cryptography will continue for the foreseeable future.

• Cryptography is a process: Cryptography does nothing on its own. While it is a crucial underlying component of any information security architecture, cryptography is nothing more than this. Achieving the security services that cryptographic mechanisms are designed to provide requires cryptography to be treated as a process. The correct cryptographic mechanisms must be selected, combined, and used appropriately.

  Cryptography needs to be carefully incorporated into other technologies. Cryptographic keys undergo a complete lifecycle, overseen by sound key management. If any stage of this process is deficient, it is likely that the desired security services are not provided, despite cryptography.

• Cryptography is not only for mathematicians: It is certainly true that most cryptographic mechanisms rely on mathematical ideas. However, we hope we have made the case that understanding what cryptography does and how it can be used does not require extensive mathematical knowledge.

• Cryptography must be handled with care: Cryptography is not a subject for ‘do-it-yourself’ amateurs, even well-informed ones. The best advice is to always listen to the experts, consult the standards, and pursue a policy of safely following the knowledgeable crowd. Cryptographic standards are normally painstakingly prepared and scrutinized. It is generally wise to follow them.