On Boxes With Locks

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

With fear of alienating what few readers I have, I'll jump right in on a big topic: Encryption.  I'll start this one by telling the story I try to tell everybody when I'm talking about encryption:

Before the internet, there were two spies who needed to trade information in a hostile country.  Since the two were operating in different regions, they couldn't simply meet up in a coffee shop and swap notes.  Since it's a hostile country, there are no established lines of communication that they can trust.  Instead, each spy had a notepad, a good padlock and the only key for it, and a lockbox with a latch big enough to attach several padlocks, but even one lock will jam the box completely shut.  They used the country's own public mail system (which was known for digging through mail, reading whatever they wanted, and stealing anything that wasn't firmly attached to said mail).  How did they trade messages without getting caught?

The first problem comes up when when you realize attaching a padlock to a box means the recipient can't open it.  Putting the key inside the box doesn't help because the recipient can't open the box (not even a crack!).  If the sender tries to mail the key separately, the public mail couriers will steal it, and use it to open the box.  The problem is that anything the recipient can do, the couriers can do.  So what gives?

The trick to the story is that you can attach more than one padlock.  The first spy writes a message and puts it inside the box, snaps the lock on the box while keeping the key, and mails it to the second spy.  The second spy can't do anything with this locked box, but they snap their own padlock on it anyways, keeping the key, then mails it back.  Now neither spy can get into the box!  However, the magic happens when the first spy takes off his padlock.  They still can't get into it, as they don't have the second spy's key, but that's okay.  They send it back anyways.

When the second spy receives the box, surprise!  The only lock left on it is the one that uses their key!  They pop off the lock, and read the first spy's note.  Then the same process happens, but the first and second spy have traded roles.

Gosh, that's a lot of work to send a message, and it must take an awfully long time!  However, it does satisfy all the needs the spies had:

    * The mail couriers are never able to open the box
    * The mail couriers are never able to get a key, even though they can see the lock
    * Things inside the box still go from one party to the other
    * All the spies need are their own padlock, and their own key

 This is essentially how symmetric cryptography works.  You take a bunch of data (the box), apply your encryption key (padlock) to it, then send it to a third party.  This turns the data into a bunch of gibberish that neither party can really get meaning from.  The third party applies their own encryption key, making it even MORE garbled, and sends it back to you.  You reverse your original encryption (removing your padlock), still can't read the mess of bits, and send it back to the third party.  The third party reverses their original encryption, and *poof* the original message appears.  Technically, it's possible to break encryption, but if it's done correctly, it's possible in the same way that our sun going supernova is possible.

Why does this even matter to a normal, non-super-computer-nerd person?  If you've ever bought something online, you put your credit card numbers into one of these boxes.  Some kinds of logging in (not usually web sites, but game logins and such) put your password into a box (this is a lie, but it's close enough!).  It's also the reason that surfing the internet on public wifi at a coffee shop is pretty much the same as announcing out loud what you're looking at (including forums that you're reading, images you're downloading, anything that isn't encrypted really).  Sites are a little better about securing things these days, but even a couple months ago Facebook would tell your login details to everybody listening to your connection (the firesheep addon was made to elaborate this point).

And now you know a little bit more about why some things are safe online, and some things are not.  I'll be talking about public key encryption, too, because it's fantastic and incredible and everybody should use it, but that's another post's worth of details.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)

iD8DBQBNkoYkdzdg8zBNoIARAldIAJ91MS41XLbLgUaq/VRqFpmHsUwI9gCcDCiN
tI06M2e8M1JTcucd6kBxphU=
=ieod 
-----END PGP SIGNATURE-----