1. What's encryption?
Encryption is the process of transforming a message into ciphertext, a character string that appears random and meaningless. You can read an encrypted message only if you can unscramble, or decrypt, the ciphertext to expose the original message. Math is the key to a good cryptographic system; mathematical algorithms that perform encryption are called ciphers.

Cryptography uses hashing algorithms and mathematical functions that employ a key to transform data. When you use a mathematical function that employs one or more keys to encrypt data, you need to have the keys to decipher the message. However, when you use a hash function to transform data, you can't mathematically reverse the function and convert the hash value back into the original message.

2. What's the difference between secret-key and public-key ciphers?
Secret-key ciphers. A secret-key cipher uses the same key to encrypt and decrypt data. The oldest, most widely used secret-key algorithm is Data Encryption Standard (DES), which uses a 56-bit key. After several companies demonstrated the weaknesses of 56-bit DES, the US government introduced Triple DES (3DES), an extended algorithm that uses one, two, or three keys and three calculation steps. RSA Security's secret-key ciphers for RC2 and RC4 also employ algorithms that are more secure (i.e., more difficult to break) than 56-bit DES.

Secret-key ciphers calculate quickly, but the disadvantage of the secret-key method is that the sender and receiver must agree on and exchange the key they'll use to secure their communication. Developing a technique to securely exchange a secret key is difficult; key-management protocols can help you securely exchange keys between systems connected by an unsecured network.

Public-key ciphers. Public-key ciphers use two keys: a public key to encrypt data and a private key that's mathematically related to the public key to decrypt data. The private key is the only number the algorithm can use to decrypt the message; unless security is compromised, only the intended recipient of the message knows the private key. Public-key encryption's main disadvantage is that it's computationally intensive.

The fastest and most secure cryptographic implementations combine public-key and secret-key ciphers. Computationally intensive public-key algorithms exchange keys and verify the identity of the sender, and the much faster private-key algorithms encrypt data and authenticate the sender and receiver (sender and receiver exchange and employ the same secret key).

3. Why are key lengths important?
The longer a key is in bits, the longer it takes an intruder to try all combinations to discover the key that will decrypt a message. Someone who uses a large array of computers working in parallel can break a 56-bit key encrypted message in minutes. When a key is 128 bits long, a similar attack needs to try as many as 4.7 sextillion (4.7 x 10 21) combinations to discover the successful key.

When an intruder cracks a key, the key can expose only messages that are encrypted with that key. To limit the amount of data that a stolen or cracked key can compromise, most cryptographic implementations support key lifetimes that users can define. In a high-security environment, a key might work for only one message exchange; in a less demanding environment, a key might expire an hour after the most recent message exchange.

4. How do hash functions work?
Hash functions perform a one-way transformation of data. You can't invert or reverse a good hash to reproduce the original data, as you can when you use key-based ciphers. Cryptographic systems commonly employ hash functions that produce a fixed-length output, regardless of the size of the input. This feature lets a hash value represent any piece of data, from a simple password to a large document, in as few as 16 bytes. For this reason, hash values frequently serve as a digital checksum or a message digest.

When you apply a hash function to a document, the fixed-length output uniquely identifies the original document. When the hashed value of the received document is identical to that of the sent document, the receiver knows that the document wasn't modified in transit. When the hash values aren't identical, the document is suspect.

Hash functions also help keep passwords secure. Instead of storing a clear-text password, most OSs store a derivative of the password's hashed value. When a user tries to authenticate, the OS compares the password derivative value with similarly transformed logon credentials. When the derivatives match, the OS authenticates the user.