Guide to cryptography terms
Cryptography is the cornerstone of modern cybersecurity. It provides the basis for protecting sensitive information from unauthorized access, modification, and disclosure.
Why is it so important?
Confidentiality through encryption- Cryptography scrambles data into an unreadable format, ensuring only authorized people with the correct decryption key can access it. This protects information like credit details, personal records, and communication.
Integrity through hashing- Cryptographic hashes create unique digital fingerprints of data. Any alteration to the data results in a different hash, making it impossible to tamper with data without detection. An example of this would be SHA-2 hashing.
Authentication through digital signatures- Cryptography enables the creation of digital signatures, verifying the authenticity of messages and documents. This prevents impersonation and ensures data originates from the original sender/user.
Symmetric and asymmetric encryption
What's the difference between symmetric and asymmetric encryption? Why do we have two types of encryption anyway?
Symmetric encryption requires only one key for both encryption and decryption, while asymmetric encryption requires a public key for encryption and a private key for decryption.
Asymmetric encryption is generally used for data in transit. If you think about sending a message through WhatsApp or Facebook Messenger, the data you are sending is encrypted so nobody else can read it. Only the person you are sharing data with has the decryption key to unlock it.
Symmetric encryption is used for data at rest, as it is faster than asymmetric encryption. It's generally used for data saved on servers and hard drives.
Symmetric and asymmetric encryption can be used in conjunction, for example in HTTPS. In this case, each party (client and server) generates a pair of keys (public and private). The server's public key is publicly available, embedded in a digital certificate, while the client generates the session key which encrypts the actual data being transmitted. This connection is known as the TLS connection/handshake.
PKI- public key infrastructure
PKI manages digital certificates and public key encryption, kind of like a framework for managing digital identities and securing electronic communications. PKI works through asymmetric cryptography, which uses a pair of keys: a public key and a private key. When you visit a website, the website presents its digital certificate. Your browser verifies the certificate with the CA to ensure it's legitimate. If verified, the browser uses the website's public key to encrypt data you send, and the website uses its private key to decrypt it.
Types of public key infrastructure:
(CA) Certificate Authority- Trusted third party that issues, revokes, and manages digital certificates.
(RA) Registration Authority- Verifies the identity of the party requesting certificates.
This is applied to the real world through SSL certificates, which verify and protect website data. SSL (Secure Sockets Layer) is a cryptographic protocol that ensures data being transmitted over a network is secure. When web pages are transferred from a server to a client, the protocol used is HTTPS (Hypertext Transfer Protocol Secure). HTTPS uses SSL to encrypt data when it's being transferred.
Public key infrastructure escrow
Public key infrastructure escrow is essentially like insurance for your encryption keys. Key escrow ensures that in certain circumstances data that has been lost can be recovered.
Encryption keys are held in a secure location by a trusted third party in case the keys are lost, stolen, or inaccessible.
Obfuscation
Obfuscation is a technique used to make code or data more difficult to understand or analyze. It involves transforming or disguising information to make it harder for unauthorized parties to steal or modify data.
Essentially, obfuscation prevents data from being stolen or tampered with. How is this achieved?
Transforming Data- This can be achieved via encryption, using algorithms to jumble up data and make it unreadable, or via steganography/tokenization, which is hiding data within other data such as audio or image files, or random tokens.
Transforming Code- Some examples are Control Flow Obfuscation, which involves randomising the control flow of code to make it harder to follow; Constant Folding, which is replacing constant expressions with their calculated values, making the code harder to read; and Dead Code Insertion, which is just adding useless code to make the program appear more confusing.
Transforming Runtime- This can include Dynamic Code Generation which generates code at runtime to make static analysis more difficult and code that modifies itself at runtime to prevent analysis.
Salting
Salting is used in conjunction with hashing to enhance security. It involves adding a random string (known as the "salt") to the input before hashing. This salt is then stored alongside the hash. When verifying the hash, the same salt is used to recreate the salted input, which is then hashed and compared to the stored hash.
Why do we salt passwords when hashing already protects data? Salting prevents attacks such as rainbow table attacks, which use precomputed tables of hashes to crack common passwords. Salting ensures that each hash is unique, so it is resistant to these attacks. A dictionary attack is a similar attack where attackers guess common passwords or phrases and compare them to hashed values.
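The store-and-verify flow described above, as an added example that is not part of the original guide. The password list, function names and the choice of SHA-256 with a 16-byte salt are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: common passwords a precomputed table would cover.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein"]

def build_precomputed_table(words):
    """Map unsalted SHA-256 digest -> password, like a lookup table built in advance."""
    return {hashlib.sha256(w.encode()).hexdigest(): w for w in words}

def hash_unsalted(password):
    return hashlib.sha256(password.encode()).hexdigest()

def hash_salted(password, salt=None):
    """Return (salt, digest); a fresh random salt is generated per password."""
    if salt is None:
        salt = secrets.token_bytes(16)
    return salt, hashlib.sha256(salt + password.encode()).hexdigest()

def verify_salted(password, salt, stored_digest):
    """Recreate the salted input, hash it, and compare in constant time."""
    _, candidate = hash_salted(password, salt)
    return hmac.compare_digest(candidate, stored_digest)

def demo():
    table = build_precomputed_table(COMMON_PASSWORDS)
    # Two users choose the same weak password.
    unsalted_a, unsalted_b = hash_unsalted("letmein"), hash_unsalted("letmein")
    salt_a, salted_a = hash_salted("letmein")
    _, salted_b = hash_salted("letmein")
    return {
        "unsalted_identical": unsalted_a == unsalted_b,
        "unsalted_found_in_table": table.get(unsalted_a),
        "salted_identical": salted_a == salted_b,
        "salted_found_in_table": table.get(salted_a),
        "login_ok": verify_salted("letmein", salt_a, salted_a),
        "wrong_password_ok": verify_salted("qwerty", salt_a, salted_a),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

A single salted SHA-256 is used here only to isolate the effect of the salt; making each guess slow is the job of the key stretching algorithms covered next.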
Key stretching algorithms
Key stretching is the process of applying cryptographic algorithms multiple times to enhance the security of passwords or cryptographic keys. This has many uses, for example applying key stretching functions to passwords before hashing makes them more resistant to brute-force attacks, or applying key stretching functions to symmetric encryption can generate stronger encryption keys. Some common key stretching algorithms include:
PBKDF2- Password-Based Key Derivation Function 2. This is a really interesting algorithm that has five input parameters: Password, Salt, C (the number of iterations the function is applied), dkLen (the number of output bits in the hash), and PRF. PRF is the output of each iteration that is used for the input of the next iteration, as shown in the diagram below. The most common PRFs used are from the SHA family, either HMAC SHA-256 or HMAC SHA1.
If DK = derived key, then DK = PBKDF2(PRF, Password, Salt, C, dkLen)
Bcrypt- Uses a variation of the Blowfish cipher. It was presented in 1999 at USENIX by Niels Provos and David Mazières. Bcrypt incorporates a salt to protect against rainbow table attacks. The bcrypt function can accept a password string up to 576 bits (72 bytes) and a salt value of 128 bits (16 bytes). The bcrypt function will generate a 192-bit hash. The Blowfish cipher works by expanding the input key into a 16-round subkey array which contains 18 subkeys, each of which is 32 bits long. The plaintext is divided into 64-bit blocks, and each block is processed through 16 rounds of encryption. The diagram below shows how each round of encryption works.
Each round (Ri) takes the plaintext output of the previous round along with the corresponding 32-bit subkey. The F function in bold divides the 32-bit input into four 8-bit blocks, and each block is used as an index to look up the corresponding S-boxes, which are normally found in the Blowfish algorithm. This algorithm takes up a lot of computing resources, which makes it more secure.
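The formula DK = PBKDF2(PRF, Password, Salt, C, dkLen) written out step by step, as an added example that is not part of the original guide. The function names are assumptions, dk_len is given in bytes rather than bits to match Python's hashlib, and the result is checked against the standard library's own hashlib.pbkdf2_hmac.

```python
import hashlib
import hmac
import struct

def pbkdf2(prf_name, password, salt, c, dk_len):
    """DK = PBKDF2(PRF, Password, Salt, C, dkLen) with PRF = HMAC-<prf_name>.

    dk_len is in bytes here; the derived key is built from blocks T_1, T_2, ...
    """
    h_len = hashlib.new(prf_name).digest_size
    blocks_needed = -(-dk_len // h_len)  # ceiling division
    derived = b""
    for i in range(1, blocks_needed + 1):
        # U_1 = PRF(Password, Salt || 32-bit big-endian block index)
        u = hmac.new(password, salt + struct.pack(">I", i), prf_name).digest()
        t = int.from_bytes(u, "big")
        for _ in range(c - 1):
            # U_j = PRF(Password, U_{j-1}): each output is the next input
            u = hmac.new(password, u, prf_name).digest()
            # T_i = U_1 xor U_2 xor ... xor U_c
            t ^= int.from_bytes(u, "big")
        derived += t.to_bytes(h_len, "big")
    return derived[:dk_len]

def matches_stdlib(prf_name, password, salt, c, dk_len):
    """Compare the step-by-step version with hashlib.pbkdf2_hmac."""
    reference = hashlib.pbkdf2_hmac(prf_name, password, salt, c, dk_len)
    return hmac.compare_digest(pbkdf2(prf_name, password, salt, c, dk_len), reference)

if __name__ == "__main__":
    # Constructed inputs; 48 bytes forces two SHA-256 blocks (T_1 and T_2).
    print(pbkdf2("sha256", b"correct horse", b"constructed-salt", 1000, 48).hex())
    print(matches_stdlib("sha256", b"correct horse", b"constructed-salt", 1000, 48))
```

Because every iteration depends on the previous one, raising C raises the cost of each password guess by the same factor for defender and attacker alike.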
Digital signatures
Digital Signatures are a cryptographic technique used to verify the authenticity and integrity of digital data. They are essentially the electronic equivalent of a handwritten signature. Just as a handwritten signature proves the identity of the signer and the authenticity of the document, a digital signature ensures that a digital message or document originated from a specific sender and hasn't been altered during transmission.
To generate a digital signature a pair of cryptographic keys is generated: a public key and a private key. The public key is freely distributed, while the private key remains secret. To sign a digital message, the sender uses their private key to create a cryptographic hash of the message. This hash, along with the private key, is used to generate a digital signature. The receiver uses the sender's public key to verify the digital signature. If the signature matches the hash of the message, it confirms that the message originated from the sender.
Blockchain
You've probably heard the term 'Blockchain' when people talk about cryptocurrency. A blockchain is a distributed database that stores data in a way that makes it difficult to steal or tamper with. The key components in blockchain technology include hashing, public and private keys, and digital signatures.
Cryptography is used to secure it, but what is blockchain securing exactly?
Cryptocurrency
NFTs (non-fungible tokens)
DeFi (decentralised finance) applications
Hashing ensures that any alteration of data on the blockchain can be detected immediately, maintaining integrity. Public-key cryptography makes sure that the network communication between participants is secure, protecting sensitive information. Digital signatures make sure that users stay accountable for their transactions, as they cannot deny involvement in a transaction that cannot be tampered with.
Open public ledger
Open Public Ledgers are decentralized databases that record transactions in a transparent and immutable manner. Unlike traditional databases, which are controlled by a central authority, open public ledgers are distributed across a network of computers, making them resistant to censorship and manipulation.
Open public ledgers are not controlled by a single entity. Instead, they are maintained by a network of nodes (computers) that collectively verify and validate transactions. Once a transaction is recorded on an open public ledger, it cannot be altered or deleted. This ensures that the data is tamper-proof and provides a high level of trust. All transactions on an open public ledger are publicly visible. This transparency promotes accountability and reduces the risk of fraud.
Certificates
(CA) Certificate Authorities- trusted third parties that issue digital certificates, which verify the identity of individuals, organizations, or devices. The CA verifies the identity of the entity requesting the certificate through various means, such as checking identification documents or performing background checks. If the verification process is successful, the CA issues a digital certificate to the entity.
(CRLs) Certificate Revocation Lists- databases that list digital certificates that have been revoked or invalidated. They serve as a mechanism to ensure that entities (such as websites, users, or devices) using revoked certificates are not trusted.
(OCSP) Online Certificate Status Protocol- a protocol designed to provide real-time verification of the validity of digital certificates. It offers a more efficient alternative to Certificate Revocation Lists (CRLs), which can be large and slow to download.