Naive Ciphers : Suppose we
want to hide a name. We might think to invent a different rule for each
letter. We might say: "First we have 'T', but 't' is the 3rd letter in
'bottle', so we write '3'." We can continue this way, and such a cipher
could be very difficult to break. So why is this sort of thing not done?
There are several reasons:
- First, any cipher construction
must be decipherable, and it is all too easy, when choosing rules at
random, to make a rule that depends upon plaintext, which will of course
not be present until after the ciphertext is deciphered.
- The next problem is
remembering the rules, since the rules constitute the key. If we choose
from among many rules, in no pattern at all, we may have a strong
cipher, but be unable to remember the key. And if we write the key down,
all someone has to do is read that and properly interpret it (which may
be another encryption issue). So we might choose among few rules, in
some pattern, which will make a weaker cipher.
- Another problem is the
question of what we do for longer messages. This sort of scheme seems to
want a different key, or perhaps just more key, for a longer message,
which is certainly inconvenient. What often happens in practice is that
the key is re-used repeatedly, and that will be very, very weak.
- Yet another problem is the
observation that describing the rule selection may take more information
than the message itself. To send the message to someone else, we must
somehow transport the key securely to the other end. But if we can
transfer this amount of data securely in the first place, we wonder why
we cannot securely transfer the smaller message itself.
Modern ciphering is about
constructions which attempt to solve these problems. A modern cipher has a
large keyspace, which might well be controlled by a hashing computation on
a language phrase we can remember. A modern cipher system can handle a
wide range of message sizes, with exactly the same key, and normally
provides a way to securely re-use keys. And the key can be much, much
smaller than a long message. Moreover, in a modern cipher, we expect the
key to not be exposed, even if The Opponent has both the plaintext and the
associated ciphertext for many messages (a known-plaintext attack). In
fact, we normally assume that The Opponent knows the full construction of
the cipher, and has lots of known plaintext, and still cannot find the
key. Such designs are not trivial.
Naive Challenges :
Sometimes a novice gives us 40 or 50 random-looking characters and says,
"Bet you can't break this!" But that is not very realistic. In actual use,
we normally assume that a cipher will be widely distributed, and thus
somewhat available. So we assume The Opponent will somehow acquire either
the cipher machine or its complete design. We also assume a cipher will be
widely used, so a lot of ciphered material will be around somewhere. We
assume The Opponent will somehow acquire some amount of plaintext and the
associated ciphertext. And even in this situation, we still expect the
cipher to hide the key and other messages.
What Cryptography Can Do :
Potentially, cryptography can hide information while it is in transit or
storage. In general, cryptography can:
- Provide secrecy.
- Authenticate that a message
has not changed in transit.
- Implicitly authenticate the
sender.
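As an added example (not the page's own code), the properties described
above under Modern ciphering and in this list, in one toy construction: a
memorable phrase is hashed into a key, one key handles messages of any
length, a per-message nonce is what makes key re-use safe, and a tag
detects alteration in transit (and, because only holders of the key can
produce it, implicitly authenticates the sender). The primitives (PBKDF2,
HMAC-SHA256 in counter mode, encrypt-then-MAC), the salt, the phrases and
the iteration count are the editor's assumptions. The demo also shows what
the naive scheme's "key re-used repeatedly" costs: with the same key and
nonce used twice, the XOR of two ciphertexts is the XOR of the plaintexts.

```python
import hashlib
import hmac
import os

# Added example, not the page's own code.  Toy construction: PBKDF2 turns a
# memorable phrase into key material; a keystream is built from HMAC-SHA256
# in counter mode; a second HMAC authenticates the ciphertext.  Primitives,
# salt and iteration count are assumptions.  Real systems should use a vetted
# AEAD (AES-GCM, ChaCha20-Poly1305) rather than this teaching construction.

SALT = b"constructed-salt"        # constructed; real systems use a random per-user salt
NONCE_LEN, TAG_LEN = 16, 32

def key_from_passphrase(passphrase: str, salt: bytes = SALT) -> bytes:
    """The 'hashing computation on a language phrase': 64 bytes of key
    material, split below into an encryption key and a separate MAC key."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000, dklen=64)

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter mode: block i = HMAC(enc_key, nonce || i).  Any message length
    works with the same key; a fresh nonce per message gives a fresh stream."""
    out = bytearray()
    for i in range((length + 31) // 32):
        out += hmac.new(enc_key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
    return bytes(out[:length])

def encrypt(key: bytes, plaintext: bytes, nonce: bytes = None) -> bytes:
    """nonce || (plaintext XOR keystream) || HMAC tag  (encrypt-then-MAC)."""
    enc_key, mac_key = key[:32], key[32:]
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag

def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first (constant-time compare), only then decrypt."""
    enc_key, mac_key = key[:32], key[32:]
    nonce, body, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("authentication failed: altered ciphertext or wrong key")
    return bytes(c ^ k for c, k in zip(body, _keystream(enc_key, nonce, len(body))))

def _rejects(key: bytes, blob: bytes) -> bool:
    try:
        decrypt(key, blob)
        return False
    except ValueError:
        return True

def demo() -> dict:
    key = key_from_passphrase("correct horse battery staple")      # constructed phrase
    short, long_ = b"hi", b"a much longer message under the same key " * 100
    c_short, c_long = encrypt(key, short), encrypt(key, long_)
    tampered = bytearray(c_long)
    tampered[NONCE_LEN + 3] ^= 0x01                                 # flip one ciphertext bit
    # The naive scheme's failure mode: same key AND same nonce twice means the
    # two keystreams are identical, so XOR of ciphertexts = XOR of plaintexts.
    same_nonce = bytes(NONCE_LEN)
    m1, m2 = b"attack at dawn", b"attack at dusk"
    a = encrypt(key, m1, same_nonce)[NONCE_LEN:-TAG_LEN]
    b = encrypt(key, m2, same_nonce)[NONCE_LEN:-TAG_LEN]
    leaked = bytes(x ^ y for x, y in zip(a, b))
    return {
        "short_ok": decrypt(key, c_short) == short,
        "long_ok": decrypt(key, c_long) == long_,
        "fresh_nonce_differs": encrypt(key, short) != c_short,
        "tamper_caught": _rejects(key, bytes(tampered)),
        "wrong_phrase_caught": _rejects(key_from_passphrase("correct horse battery stable"), c_short),
        "nonce_reuse_leak": leaked == bytes(x ^ y for x, y in zip(m1, m2)),
    }
```

Run `demo()`; every entry of the returned dictionary should be True. The
MAC key is derived separately from the encryption key so that a tag can
never coincide with a keystream block; the last entry shows why a modern
cipher system must supply a fresh nonce per message rather than leaving
key re-use to the user.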
Cryptography hides words:
At most, it can only hide talking about contraband or illegal actions. But
in a country with "freedom of speech," we normally expect crimes to be
more than just "talk." Cryptography can kill in the sense that boots can
kill; that is, as a part of some other process, but that does not make
cryptography like a rifle or a tank. Cryptography is defensive, and can
protect ordinary commerce and ordinary people. Cryptography may be to our
private information as our home is to our private property, and our home
is our "castle." Potentially, cryptography can hide secrets, either from
others, or during communication. There are many good and non-criminal
reasons to have secrets: Certainly, those engaged in commercial research
and development (R&D) have "secrets" they must keep. Professors and
writers may want to keep their work private, until an appropriate time.
Negotiations for new jobs are generally secret, and romance often is as
well, or at least we might prefer that detailed discussions not be
exposed. One possible application for cryptography is to secure on-line
communications between work and home, perhaps leading to a society-wide
reduction in driving, something we could all appreciate.
What Cryptography Can Not Do
: Cryptography can only hide information after it is encrypted and
while it remains encrypted. But secret information generally does not
start out encrypted, so there is normally an original period during which
the secret is not protected. And secret information generally is not used
in encrypted form, so it is again outside the cryptographic envelope every
time the secret is used. Secrets are often related to public information,
and subsequent activities based on the secret can indicate what that
secret is. And while cryptography can hide words, it cannot hide:
- Physical contraband,
- Cash,
- Physical meetings and
training,
- Movement to and from a central
location,
- An extravagant lifestyle with
no visible means of support, or
- Actions.
And cryptography simply cannot
protect against:
- Informants,
- Undercover spying,
- Bugs,
- Photographic evidence,
or
- Testimony.
It is a joke to imagine that
cryptography alone could protect most information against Government
investigation. Cryptography is only a small part of the protection needed
for "absolute" secrecy.
Cryptography with Keys :
Usually, we arrange to select among a huge number of possible intermediate
forms by using some sort of "pass phrase" or key. Normally, this is some
moderately-long language phrase which we can remember, instead of
something we have to write down (which someone else could then find).
Those who have one of the original keys can expose the information hidden
in the message. This reduces the problem of protecting information
to:
- Performing transformations,
and
- Protecting the keys.
This is similar to locking our
possessions in our house and keeping the keys in our pocket.
Problems with Keys : The
physical key model reminds us of various things that can go wrong with
keys:
- We can lose our keys.
- We can forget which key is
which.
- We can give a key to the wrong
person.
- Somebody can steal a
key.
- Somebody can pick the
lock.
- Somebody can go through a
window.
- Somebody can break down the
door.
- Somebody can ask for entry,
and unwisely be let in.
- Somebody can get a warrant,
then legally do whatever is required.
- Somebody can burn down the
house, thus making everything irrelevant.
Even absolutely perfect keys
cannot solve all problems, nor can they guarantee privacy. Indeed, when
cryptography is used for communications, generally at least two people
know what is being communicated. So either party could reveal a
secret:
- By accident.
- To someone else.
- Through third-party
eavesdropping.
- As revenge, for actions real
or imagined.
- For payment.
- Under duress.
- In testimony.
When it is substantially less
costly to acquire the secret by means other than a technical attack on the
cipher, cryptography has pretty much succeeded in doing what it can do.
Cryptography without Keys
: It is fairly easy to design a complex cipher program to produce a
single complex, intermediate form. In this case, the program itself
becomes the "key." But this means that the deciphering program must be
kept available to access protected information. So if someone steals your
laptop, they probably will also get the deciphering program, which -- if
it does not use keys -- will immediately expose all of your carefully
protected data. This is why cryptography generally depends upon at least
one remembered key, and why we need ciphers which can produce a multitude
of different ciphertexts.
Keyspace : Cryptography deliberately creates
the situation of "a needle in a haystack." That is, of all possible keys,
only one should recover the correct message, and that one key is hidden
among all possible keys. Of course, The Opponent might get lucky, but
probably will have to perform about half of the possible decipherings to
find the message. To keep messages secret, it is important that a cipher
be able to produce a multitude of different intermediate forms or
ciphertexts. Clearly, no cipher can possibly be stronger than requiring
The Opponent to check every possible deciphering. If such a brute force
search is practical, the cipher is weak. The number of possible
ciphertexts is the "design strength" of a cipher. Each different
ciphertext requires a different key. So the number of different
ciphertexts which we can produce is limited to the number of different
keys we can use. We describe the keyspace by the length in bits of the
binary value required to represent the number of possible ciphertexts or
keys.
It is not particularly difficult
to design ciphers which may have a design strength of hundreds or
thousands of bits, and these can operate just as fast as our current
ciphers. However, the U.S. Government generally does not allow the export
of data ciphers with a keyspace larger than about 40 bits, which is a very
searchable value. Recently, a 56-bit keyspace was searched (with special
hardware) and the correct key found in about 56 hours. Note that a 56-bit
key represents 2^16 times as many transformations as a 40-bit
key. So, all things being equal, similar equipment might find a 40-bit key
in about 3 seconds. But at the same rate, an 80-bit key (which is
presumably 2^24 times as strong as a 56-bit key) would take over
100,000 years.
Strength : Keyspace alone only sets an upper
limit to cipher strength; a cipher can be much weaker than it appears. An
in-depth understanding or analysis of the design may lead to "shortcuts"
in the solution. Perhaps a few tests can be designed, each of which
eliminates vast numbers of keys, thus in the end leaving a searchable
keyspace; this is cryptanalysis. We understand strength as the ability to
resist cryptanalysis. But this makes "strength" a negative quality (the
lack of any practical attack), which we cannot measure. We can infer the
"strength" of a cipher from the best known attack. We can only hope that
The Opponent does not know of something much better. Every user of
cryptography should understand that all known ciphers are at least
potentially vulnerable to some unknown technical attack. (Even the one
time pad, whose secrecy is provable, depends on the key being truly
random, used once, and delivered secretly; a failure in any of those is a
break in practice.) And if such a break does occur, there is absolutely no
reason that we would find out about it. However, a direct technical attack
may be one of the least likely avenues of exposure.
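An added example (not the page's own code) for the Keyspace and Strength
paragraphs above: a deliberately weak toy block cipher, invented here, with
a nominal 32-bit design strength. A naive known-plaintext brute force over
the full keyspace runs out of its budget, while a structural flaw (each
16-bit half of the key affects only half of the bytes) gives the
"shortcut" the Strength paragraph describes: two searches of 2^16 instead
of one of 2^32. `search_hours` scales the 56-hour figure from the text to
other key sizes. The cipher, key and known plaintext are constructed for
illustration.

```python
# Added example, not the page's own code.  A deliberately weak TOY cipher
# invented here: 8-byte block, 32-bit key, add-xor-rotate rounds.  Not for
# real use; its only purpose is to show brute force cost and a shortcut.

MASK8, MASK16 = 0xFF, 0xFFFF

def _rotl8(x, n):
    return ((x << n) | (x >> (8 - n))) & MASK8

def _lane_encrypt(byte, k16, rounds=4):
    """Encrypt one byte under a 16-bit lane key (toy round function)."""
    x = byte
    for _ in range(rounds):
        x = _rotl8(((x + (k16 & MASK8)) & MASK8) ^ (k16 >> 8), 3)
        k16 = ((k16 << 5) | (k16 >> 11)) & MASK16      # toy key schedule
    return x

def toy_encrypt(block8, key32):
    """The design flaw: even-indexed bytes depend only on the high 16 key
    bits, odd-indexed bytes only on the low 16 bits."""
    k_even, k_odd = key32 >> 16, key32 & MASK16
    return bytes(_lane_encrypt(b, k_even if i % 2 == 0 else k_odd)
                 for i, b in enumerate(block8))

def brute_force(plain, cipher, key_bits=32, max_trials=None):
    """Known-plaintext search of the whole keyspace in order.  Returns
    (key, trials), or (None, trials) if the trial budget runs out."""
    limit = 1 << key_bits
    if max_trials is not None:
        limit = min(limit, max_trials)
    for k in range(limit):
        if toy_encrypt(plain, k) == cipher:
            return k, k + 1
    return None, limit

def divide_and_conquer(plain, cipher):
    """The shortcut (cryptanalysis): each half of the key is tested against
    its own lane, so at most 2 * 2^16 lane trials instead of 2^32."""
    even_p, even_c = plain[0::2], cipher[0::2]
    odd_p, odd_c = plain[1::2], cipher[1::2]
    found_even = found_odd = None
    lane_trials = 0
    for k in range(1 << 16):
        if found_even is None:
            lane_trials += 1
            if bytes(_lane_encrypt(b, k) for b in even_p) == even_c:
                found_even = k
        if found_odd is None:
            lane_trials += 1
            if bytes(_lane_encrypt(b, k) for b in odd_p) == odd_c:
                found_odd = k
        if found_even is not None and found_odd is not None:
            return (found_even << 16) | found_odd, lane_trials
    return None, lane_trials

def search_hours(key_bits, ref_bits=56, ref_hours=56.0):
    """Scale the text's figure (56-bit key found in 56 hours) to other sizes;
    every extra key bit doubles the work."""
    return ref_hours * 2.0 ** (key_bits - ref_bits)

def demo():
    key = 0xC3A51F2E                  # constructed secret key
    plain = b"Attack@9"               # constructed known plaintext
    cipher = toy_encrypt(plain, key)
    naive_key, naive_trials = brute_force(plain, cipher, max_trials=20_000)
    found, lane_trials = divide_and_conquer(plain, cipher)
    return {
        "key": key,
        "naive_found": naive_key,                 # None: 20,000 of 2^32 keys is nothing
        "naive_trials": naive_trials,
        "shortcut_found": found,
        "shortcut_lane_trials": lane_trials,      # at most 131,072
        "t40_seconds": search_hours(40) * 3600,   # about 3 seconds
        "t80_years": search_hours(80) / 8760,     # over 100,000 years
    }
```

The lesson of `divide_and_conquer` is the one the Strength paragraph makes:
the keyspace is 2^32, but because the two key halves never mix, a test on
four bytes eliminates 2^16 candidates at a time and the effective work is
about 2^17. Keyspace only bounds strength from above.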
System Design and Strength
: Cryptographic design may seem as easy as selecting a cipher from a
book of ciphers. But ciphers, per se, are only part of a secure encryption
system. It is common for a cipher system to require cryptographic design
beyond simply selecting a cipher, and such design is much trickier than it
looks.
The use of an unbreakable cipher
does not mean that the encryption system will be similarly unbreakable. A
prime example of this is the man-in-the-middle attack on public-key
ciphers. Public-key ciphers require that one use the correct key for the
desired person. The correct key must be known to cryptographic levels of
assurance, or this becomes the weak link in the system: Suppose an
Opponent can get us to use his key instead of the right one (perhaps by
sending a faked message saying "Here is my new key"). If he can do this to
both ends, and also intercept all messages between them (which is
conceivable, since Internet routing is not secure), The Opponent can sit
"in the middle." He can decipher each message (now in one of his keys),
then re-encipher that message in the correct user key, and send it along.
So the users communicate, and no cipher has been broken, yet The Opponent
is still reading the conversation. Such are the consequences of system
design error.
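The attack described above, as an added example (not the page's own code):
a Diffie-Hellman key agreement in which Mallory substitutes his own public
value in both directions, followed by the check that defeats it, comparing
the received key's fingerprint with one learned out of band (the
"cryptographic level of assurance" the text demands). The group parameters
(p = 2^127 - 1, g = 5) are toy values chosen for the example and far too
small for real use; the party names and the `directory` of trusted
fingerprints are assumptions.

```python
import hashlib
import secrets

# Added example, not the page's own code.  Toy Diffie-Hellman group
# (assumption: a 127-bit prime is far too small for real use; real systems
# use 2048-bit+ groups or elliptic curves).  The point is the protocol.
P = 2**127 - 1
G = 5

class Party:
    def __init__(self, name):
        self.name = name
        self.priv = secrets.randbelow(P - 2) + 1      # private exponent in [1, P-2]
        self.pub = pow(G, self.priv, P)               # the key others must learn correctly

    def shared_key(self, peer_pub: int) -> bytes:
        """Session key from what we believe is the peer's public value."""
        return hashlib.sha256(pow(peer_pub, self.priv, P).to_bytes(16, "big")).digest()

def fingerprint(pub: int) -> str:
    """Short hash of a public value, suitable for out-of-band comparison."""
    return hashlib.sha256(pub.to_bytes(16, "big")).hexdigest()[:16]

def unauthenticated_exchange(alice, bob, mallory):
    """Mallory intercepts both directions and hands each side his own key
    labelled as the other's ("Here is my new key")."""
    key_bob_receives = mallory.pub        # should have been alice.pub
    key_alice_receives = mallory.pub      # should have been bob.pub
    k_alice = alice.shared_key(key_alice_receives)   # really shared with Mallory
    k_bob = bob.shared_key(key_bob_receives)         # really shared with Mallory
    # Mallory holds both session keys: he deciphers each message with one,
    # re-enciphers with the other, and forwards it.  No cipher is broken.
    return {
        "alice_bob_agree": k_alice == k_bob,
        "mallory_reads_alice": mallory.shared_key(alice.pub) == k_alice,
        "mallory_reads_bob": mallory.shared_key(bob.pub) == k_bob,
    }

def accept_peer_key(received_pub: int, expected_fp: str) -> int:
    """Refuse any public value whose fingerprint does not match the one
    obtained out of band (directory, printed card, prior verified contact)."""
    if fingerprint(received_pub) != expected_fp:
        raise ValueError("public key fingerprint mismatch: refusing to proceed")
    return received_pub

def authenticated_exchange(alice, bob, mallory, directory):
    """Same substitution, but Alice checks what she received against the
    trusted fingerprint for Bob before deriving a key."""
    try:
        accept_peer_key(mallory.pub, directory["Bob"])
        return {"mitm_detected": False}
    except ValueError:
        return {"mitm_detected": True}

def demo():
    alice, bob, mallory = Party("Alice"), Party("Bob"), Party("Mallory")
    directory = {"Alice": fingerprint(alice.pub), "Bob": fingerprint(bob.pub)}  # verified out of band
    r = unauthenticated_exchange(alice, bob, mallory)
    r.update(authenticated_exchange(alice, bob, mallory, directory))
    r["honest_exchange_agrees"] = alice.shared_key(bob.pub) == bob.shared_key(alice.pub)
    r["honest_key_accepted"] = accept_peer_key(bob.pub, directory["Bob"]) == bob.pub
    return r
```

In the unauthenticated run Alice and Bob each derive a key, both keys are
known to Mallory, and the two never match each other; in the authenticated
run the substituted key fails the fingerprint check before any key is
derived. Real systems bind the public value to an identity with a
certificate, a signature from an already-trusted key, or an out-of-band
comparison exactly like this one.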