Introduction to cyber security: stay safe online
Introduction to cyber security: stay safe online

Start this free course now. Just create an account and sign in. Enrol and complete the course for a free statement of participation or digital badge if available.

Free course

Introduction to cyber security: stay safe online

1.3 The key distribution problem

Download this video clip.Video player: ou_futurelearn_cyber_security_vid_1019.mp4
Skip transcript


Alice and Bob want to form some kind of relationship. It might be business, it could even be romantic. But whatever else, it must be confidential. The third person in this relationship is Eve. And, as her name suggests, she's an eavesdropper who wants to know what's going on between Alice and Bob. To do that she has to intercept their information.
Alice and Bob might not even be aware that Eve exists, but she is a threat to their confidentiality. First of all, let's remind ourselves how messages are sent over the internet. So we have Alice's and Bob's computers here. Alice has created a document which she wants to send to Bob.
When you send a message across the internet, it may actually look like the message goes straight from one computer to the other. In reality, there's usually at least one more computer, such as a router or a file server in between. So now the message goes from Alice, to the computer in the middle, to Bob.
In fact, it can get even more complicated, and there may be a large number of different computers in between the two of them. Alice's message is routed from one computer to another until it reaches Bob.
We've drawn the computers in different colours because they don't belong to either Alice or Bob. They might belong to their internet service providers, their employers, or to a big telecom company. Some of the computers may be in a different country, where different laws apply. And some of them might not be trustworthy, which is where Eve comes in.
Here's the same network, except now Eve's going to join in. She will log on and then compromise one of the computers in the middle. One way she could do this is to use a packet sniffer, a piece of hardware or software that makes copies of any messages passing between Alice and Bob, and sends them to Eve. Alice and Bob won't even know these copies are being made, but Eve will have a full transcript of everything that's happening between the two of them.
Alice and Bob can protect themselves using encryption. The most obvious form of encryption is called symmetric encryption, which uses a single key to encrypt plaintext to ciphertext and decrypt ciphertext back into plaintext. Symmetric encryption has been around for thousands of years and is still important today in the form of technologies called DES, triple DES, and AES, which are widely used in financial transactions over the internet and within banks.
Let's go back to Alice and Bob. Aware that Eve wants to learn their secret, they choose to use symmetric encryption. The first thing for them to do is to generate a shared key and each to make their own copy. One way of doing this is to meet, discuss their secrets, and come up with a key. At the end of the meeting they'll each go away with their own copy of the key. Alice and Bob can now exchange secure messages, each using their own copies of the symmetric encryption key to encrypt and decrypt messages.
However, remember that Alice and Bob don't live locally. They have to travel a long distance, so meeting is not always possible. And it's entirely possible they're in a situation where it's dangerous to share a key.
An alternative is for Alice to generate a key and send it to Bob, perhaps through the post, perhaps over the internet. However, as we all know, things get lost in the post. And that could happen to our encryption key. Or perhaps Eve is waiting by Bob's post box and makes her own copy when it's delivered.
Alice might choose to generate the key herself, then give it to an armed guard, a bit like the way you might use a courier to send a valuable parcel from one part of the country to the other. Alice generates the key on her computer, hands it over to the armed guard, who then trundles across to Bob and hands the key over.
However, as you can imagine, armed guards are very expensive. Historically, the only people who could afford armed couriers to distribute encryption keys were governments and the very largest companies such as banks and international corporations. This meant that most people were completely unable to use cryptography.
Now you've seen some of the problems of symmetric cryptography, let's see how some of those problems apply to the internet.
Alice and Bob still want to share their secrets. Alice has generated a symmetric encryption key on her computer and needs to send it across the internet to Bob. There are a number of computers in between, one of which has been compromised by Eve. So when Alice sends the key across the network, it passes through the computer now belonging to Eve, who obtains a copy of the key, and so does Bob. Neither Alice or Bob know that the key has been copied. So they can carry on using it, thinking their messages are secure, but in reality Eve is reading each and every one of them.
This is called the key distribution problem. How do we keep keys in the hands of those who need them and not in the hands of criminals or those who would misuse them?
Until the early 1970s it was believed there was no solution to the key distribution problem, hence all those armed guards and couriers. The solution is called asymmetric encryption. Now there are two keys. The first key, called the public key, encrypts plaintext to ciphertext. The second key, known as the private key, decrypts ciphertext back to plaintext.
End transcript
Interactive feature not available in single page view (see it in standard view).

Traditionally, symmetric encryption suffered one enormous shortcoming – it was necessary for either the sender or the recipient to create a key and then send it to the other party. While the key was in transit, it could be stolen or copied by a third party who would then be able to decrypt any ciphertexts encrypted with that key.

Another problem is that a large number of key pairs are needed between communicating parties. This quickly becomes difficult to manage the more there are. This can be calculated as n(n-1)/2 where n is the number of communicating parties.

For example, if ten parties want to communicate with each other securely they would need 45 different key pairs: 10(10-1)/2 = 45. This would increase to 4,950 if there were 100 communicating parties!

This problem, called the key distribution problem, affected anyone wishing to use encryption until the 1970s when a method of distributing keys without actually sending the keys themselves was developed independently by GCHQ in the United Kingdom and Whitfield Diffie and Martin Hellman in the United States. The British discovery was kept secret for many years, so today the solution is known as the Diffie–Hellman key exchange method.

Symmetric encryption methods have the advantage that encryption and decryption is extremely fast, making them ideal for transmitting large amounts of secure data. In the video you saw how key distribution was achieved between two people, Alice and Bob.


Take your learning further

Making the decision to study can be a big step, which is why you'll want a trusted University. The Open University has 50 years’ experience delivering flexible learning and 170,000 students are studying with us right now. Take a look at all Open University courses.

If you are new to University-level study, we offer two introductory routes to our qualifications. You could either choose to start with an Access module, or a module which allows you to count your previous learning towards an Open University qualification. Read our guide on Where to take your learning next for more information.

Not ready for formal University study? Then browse over 1000 free courses on OpenLearn and sign up to our newsletter to hear about new free courses as they are released.

Every year, thousands of students decide to study with The Open University. With over 120 qualifications, we’ve got the right course for you.

Request an Open University prospectus371