The importance of cryptography goes beyond just understanding why it's cool, but also can be the difference between you being a good or bad dev in the long run. Any respectable system, especially those dealing with user data, will need some type of security, and often it’s in your hands as a dev.
So I decided to write this series of articles about cryptography, so you can understand a bit more about the concepts and how everything works! Let’s start with a simple article on the main terms and how they work, and then we'll increase the difficulty with more details and information, maybe even implementing some of the algorithms!
This is the first article in the series. Here we’ll just have a chat about the main concepts and ideas you need to know to follow the rest of the articles in the series! So let’s go!
❗A warning!
I am not a cryptologist, nor have I formally studied cryptography. The concepts here are purely the result of my personal research. While this article can be used for study, it should not be used as a basis for sensitive applications.
Cryptography
This is a concept I have already explained on my channel:
The idea of cryptography is basically to transmit a message from one side to the other so that only the sender and the receiver of the message know its content. To encrypt means "to write in secret" in Greek.
All cryptographic mechanisms depend on 3 parts:
- The message that will be transmitted
- The method we will use to encrypt the message. Or the Schema that will be applied. This is the algorithm or the step-by-step process we will use to generate the encrypted text, one of the oldest methods is the Caesar Cipher.
- The key that will be used to encrypt the message
Every method needs to have a way to encrypt data and optionally a way to decrypt that data. Some methods do not have a way to decrypt, such as hashes. Reversible cryptography is when we can decrypt, irreversible is when we cannot extract the original text.
In the end, the application of the method on the message using the key gives us a cipher or ciphertext which is the encrypted text that will be transmitted.
Keys
Keys are the means we use to keep a message secure; your computer password is a key, for example. Keys can have various classifications:
- Symmetric: Encrypt and decrypt at the same time
- Asymmetric: Either encrypt or decrypt a message
- Composite: Symmetric or Asymmetric, composed of several parts to form a whole; for example, the Enigma had several properties that formed a key
- Simple: Only one key is sufficient to decrypt the message
- Physical: The most common concept of a key, the physical key... Your house key is a physical key, it exists in the real world
- Virtual: The opposite, a key formed of bits and does not exist physically
- Mixed: A physical key that contains a virtual key (Yubikeys are an example)
The pillars of security
When we talk about security and cryptography, there are some main concepts that most algorithms need to implement:
- Availability: The information must be present and available when needed (performance is important)
- Integrity: The data can only be accessed by authorized users
- Non-Repudiation: Ensures that someone cannot deny an action because the system itself has proof that the action was performed by a specific user (guarantee of origin)
Symmetric Cryptography
We'll talk more about this in upcoming articles, but symmetric cryptography is a type of cryptography where we have only one key that serves both to encrypt and decrypt data.
The Caesar Cipher, for example, is a symmetric cryptographic cipher because only one key is used to encrypt the message for sending and decrypt it upon receiving.
However, symmetric cryptography does not need to have only one key. The Enigma (see the video below) was a reversible machine that used a series of keys that, when composed, made it possible to decrypt the message.
Asymmetric Cryptography
Unlike symmetric cryptography, an asymmetric scheme always has more than one key, usually a key pair (RSA is the most well-known). The two keys are connected in some way, either mathematically (through Modular Exponentiation for example) or physically in the case of hardware.
Usually, one part or both parts are private; one part is made to encrypt a message that can only be decrypted by the other part, which is a way to prove that the first part (the sender) is really who they say they are (non-repudiation, the user cannot deny who they are).
Block or stream ciphers
Cryptographic algorithms can encrypt data by block or in a data stream:
- Block Ciphers: Encrypt data block by block, that is, take an entire block of information and encrypt it all at once. Usually, block sizes are fixed (64~1024 bits); often these sizes are pre-determined and the output always has the same size (like hashes)
- Stream Ciphers: Instead of taking an entire block of information, encrypt the data bit by bit; the advantage is that you don't need as much processing power and it's relatively fast, but they require a bit more setup, like having an Initialization Vector.
Hash functions
Irreversible cryptographic functions that receive input data and generate a fixed-size output block, widely used to ensure integrity. Hashes have 3 very important properties:
- Entropy: any small change in the input generates a completely different result
- Predictability: The same input always generates the same output
- Non-collision: two hashes generated for different values cannot have the same output (see the example with SHA1)
XOR Encryption
XOR encryption is a way to apply a key to a cipher. Stream algorithms often use this type of application to encrypt the message.
The idea is to apply the XOR operation (e*Xclusive **OR*) bit by bit on the message using the key. XOR returns 1 only if both bits are different, for example:
A | B | A XOR B |
0 | 0 | 0 |
0 | 1 | 1 |
1 | 0 | 1 |
1 | 1 | 0 |
All digital text is a sequence of 0 or 1 bits; when we generate a key, it is also a sequence of 0 or 1 bits. If we use key XOR text
, we will get an encrypted text, and if we apply the operation again on the encrypted text with the same key, the text returns to normal.
Ephemeral Keys
A type of key that is generated only to execute a particular step of an algorithm, or as part of encrypting another key through Key Wrapping (when we encrypt a key with another key).
These keys are used once and discarded, and they have no connection to the original data, hence ephemeral.
Rainbow Table
When talking about hashes, each hash can only have a unique output for each input. One way to attack and discover hashes is by computing ALL hashes for ALL possible letter combinations. These computation tables are known as Rainbow Tables.
Hackers often use encrypted database passwords to check if the original values are in the table; for example, 123456
encrypted with the MD5
hash is f447b20a7fcbf53a5d5be013ea0b15af
. If a database with passwords leaks, any f447b20a7fcbf53a5d5be013ea0b15af
that appears can be compared in a rainbow table to obtain the result 123456
.
Salt
A salt is a random sequence of bytes (usually 16 or more) that is added to the end of a text
to be encrypted as a hash to increase entropy and reduce the chance of attacks by Rainbow Tables since 123456
is different from 123456A96!@#$F@f
.
Salts are included at the end of user passwords when creating an account and saved in the database alongside the hashed password. When we compare if the password is the same, we just add the password to the salt to check if it produces the same saved hash.
Other acronyms
- Integrated Encryption Schemes (IES): Encryption models that apply both symmetric and asymmetric encryption to create a secure communication method. HTTPS is based on such a model.
- Elliptic Curve Cryptography (ECC): Instead of using very large prime numbers, this model uses an elliptic curve function to create a number that can be used as a key.
- Key Wrapping (Key Encapsulation Mechanism [KEM]): Encapsulating a key with another key, essentially encrypting one key with another.
- Message Authentication Code (MAC): Used with an algorithm and a password to produce an authentication value that can be validated by the receiver to ensure the message has not been altered.
- Hash MAC (HMAC): The same as MAC, but applied to hashes.
- Public-key encryption (PKE): Another name for asymmetric encryption.
- Key-Derivation Functions (KDFs): Functions that can derive a key to another key, which can be chained.
- RSA: Asymmetric encryption algorithm that generates key pairs.
- AES: Symmetric encryption algorithm (also known as Rijndael).
- MD5, SHA, Argon2, PBKDF2, Blake2: Hashing algorithms.
Conclusion
A lot of content and a lot to see, right? You don't need to memorize all these names; save this page in your favorites and refer to it whenever you want! I hope you enjoyed the journey so far! Stay with me because there's much more to come!
Share with your friends if you liked it and follow me on my social media; if you have any questions, just send me a message there!