Anyhow, let’s look at your question. All of us are essentially security consumers. It might help to generalize two broad ways in which we “consume” cryptography in a cryptographic context; sometimes these overlap. In other words, some scenarios are more “active” while others are more “passive.” However, I’ll emphasize only the transparent cases, where you, as the consumer, may have very little to no indication of cryptography actually being used.

One of the more transparent scenarios is when you’re at an ATM machine, where your transaction may be encrypted, without any visual indication to you, the consumer. Another example is when you login to Amazon to make a secure purchase on a book. You initiate a cryptographically-secure channel, basically, of which your browser provides an indication of doing so. The little lock icon, in reality, is more-or-less an aesthetically-pleasing indicator that makes the consumer feel safe. Ultimately, the actual security of the process is delegated, by the consumer, to the cryptographers who designed the cryptography, and the developers who implemented it. Okay, so many folks don’t go to an ATM everyday, nor do they purchase books from Amazon on a daily basis, but here’s a commonplace example that I’m sure a plethora of folks are subjected to - Gmail. (Using SSL is often optional.) These are more “active” scenarios, in that we initiate the process by something we do. I bank online often, and this is one of those overlapping areas. I initiate a cryptographically-secure transaction on my own, when I bank online, but I expect the bank to apply similar security measures with the information they retain “offline.”

You also have the more “passive” scenarios, although, in many cases, these probably affect us on a larger scale than many of the “active” scenarios. Aside from “initiating” the process by putting your John Hancock on obscure authorization forms, many institutions (i.e., financial, health) are expected to comply to certain standards for ensuring the confidentiality and integrity of your information; of course, this is subjective to where you live, the type of information in question, et cetera. In practice, I feel the compliance is often a failure because security decisions are delegated to individuals who have no business making security decisions in the first place. For example, some compliance policies state that, in some cases, cryptographic security is optional, and may be omitted entirely, if an assessment shows that the cost of securing the information outweighs the actual value of the information itself. “Trade-off” is what practical security equates to, essentially, but you run into problems when incompetent, security-clueless individuals are conducting assessments and making these security trade-offs. This may result in cryptography not being used when it really should have been. Pardon me for going off on a rabbit trail here.

Of course, all of these scenarios are context-specific; they also, as aforementioned, depend on where you are. Even then, not all ATM machines provide the same security. Not all websites that should use cryptography (i.e., SSL) actually do. Not all web-mail sites do either. Some institutions take security more seriously than others, while others don’t comply at all. (I’ve seen some that do a good job at getting security right, so I’m still optimistic.) If you think about it, almost everyone is affected by cryptography on a daily basis. While they may not actively be using it, someone else may be applying it to their personal information. So, not only do we actively use cryptography that’s so transparent that we don’t realize it (which is usually a good thing), information pertaining to us may be subject to cryptography without us actually initiating the process (the latter often being on a much larger scale.) I’ve been pretty general with these comments, of course, but I’m sure you get the idea. The “active” and “passive” analogy isn’t so black and white, but it helps to separate situations where we have a more active role in the process, as opposed to other situations, where we don’t.

I’ll be glad to elaborate, but until then, I hope that shed some light!

Cheers,
Justin

Can you relate cryptography in its many forms to a couple of ways the everyday person can relate to? By that I mean does the average schmoe like myself use cryptography daily without really realizing it, or giving it much thought?

Like we used to say in the Army, Tanks!