Security, it is said, is a process, not a product. For every method of securing information from unauthorized eyes, there is (or will be) a counter measure. There are two aspects of security: authentication and authorization. Authentication is concerned with determining the identity of user wishing access to a secured resource through the use of some kind of credentials. Authorization is the set of rights a user has over a secured resource. In Unix terms, a user’s account name and password as stored in the file /etc/passwd are the authorization credentials needed to log into the system. The permissions on files and directories represent the authorization mechanism.

In the world of web services, the need for authentication and authorization is clear. For example, twitter.com allows a user to update his status through a public API. However, only the owner of that account should be allowed to make updates. Reusing an existing authentication/authorization mechanism, Twitter’s API expects account credentials to be passed through the basic authorization method of HTTP.

An even more secure authentication/authorization mechanism is X.509 PKI standard in which clients and servers exchange encrypted credentials that identify themselves to each other. Each certificate has a “web of trust” or chain of authorizing servers that can be consulted to establish the validity of its origin. Setting up this web of trust, however, can be a daunting task.

Some applications may simply wish to hide information from authorized eyes without the complexity of a full PKI implementation. One old cryptographic technique to do this is the Vigenere cipher, whose origins date back to sixteenth century (although the name come from a nineteenth century diplomat). The Vigenere cipher is a novel twist on the very ancient caesar cipher.

A caesar cipher works by substitution a letter of the plain text message with a different letter of the alphabet. The substition is not random, but represents a constant “shift.” To understand a shift, image an ordered list of the capital letters from ‘A’ to ‘Z’, where ‘A’ occupies position 0 and ‘Z’ is at position 25. A shift is a function that takes a plain text letter, adds a fixed amount of position and returns the letter at the new position. For example, shift(‘A’,1) would produce ‘B’ and shift(‘Z’, 1) would produce ‘A’. To decrypt a caesar encrypted message easily, you need to know the alphabet used and the shift amount.

Caesar ciphers were used heavily for centuries, but are not particularly secure because they do not change the frequency of occurence of letters. In languages with alphabets, some letters occur more frequently than others. In English, the most common letter is ‘e’. If caesar-encypted text is long enough, whatever letter presents ‘e’ will also appear often. One can then workout the shift and from there the rest of the message in a process that resembles “Wheel of Fortune.”

For the curious, here’s a snippet of Perl that represents the shift function:

sub encode {
    my ($s, $shift) = @_;
    my @parts = split //, $s;

    my $t = "";
    for my $p (@parts) {
    $t .= chr(ord('A') + ((ord($p) + $shift) % 26));
    }
    return $t;
}

To decode a caesar inciphered message, the following function will work:

sub decode {
    my ($s, $shift) = @_;
    my @parts = split //, $s;

    my $t = "";
    for my $p (@parts) {
    $t .= chr(ord('A') + ((ord($p) - $shift) % 26));
    }
    return $t;

}

Next time, we’ll look at how to implement a Vigenere cipher in Perl.