
What is Cryptography?
Wikipedia defines cryptography as “the practice and study of secure communication techniques.” In cyberspace, we are primarily concerned with encrypting data to make it incomprehensible to everyone except its intended recipients (confidentiality) (3). Encryption requires a cipher (algorithm) and a secret key, which is required to decrypt the encrypted data.
The process can be diagrammed as such:
Decrypting is the opposite:
Cryptography in History
A very early example of cryptography is what is known as the Caesar Cipher, used by Julius Caesar to encrypt military and political secrets. The Caesar cipher took letters of the alphabet and shifted them a certain number of positions. The key to decrypt was the “size of the shift” (2). By modern standards, this was very simplistic, but it worked well enough at the time.
Mary, Queen of Scots used a similar cipher in her plot against Elizabeth I. Unfortunately for Mary, Elizabeth’s intelligence agents were able to crack the cipher, and Mary was captured and executed.
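The shift cipher described above, as an added example that is not part of the original post: it encrypts a constructed sample message and then shows why the scheme is weak by modern standards, since the whole key space is only 26 shifts. The function names and the sample message are assumptions made for illustration.

```python
import string

ALPHABET = string.ascii_uppercase  # the key is a shift of 0..25 positions


def caesar(text: str, shift: int) -> str:
    """Shift every letter by `shift` positions; other characters pass through."""
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)


def decrypt(ciphertext: str, shift: int) -> str:
    """Decryption is the same shift in the opposite direction."""
    return caesar(ciphertext, -shift)


def all_candidates(ciphertext: str) -> dict:
    """The entire key space: 26 shifts, which is under 5 bits of key."""
    return {k: decrypt(ciphertext, k) for k in range(26)}


def shifts_matching(ciphertext: str, expected_word: str) -> list:
    """Shifts whose decryption contains a word the reader expects to see."""
    return [k for k, text in all_candidates(ciphertext).items()
            if expected_word.upper() in text]


# Constructed sample message, not taken from any historical source.
PLAINTEXT = "ATTACK AT DAWN"
CIPHERTEXT = caesar(PLAINTEXT, 3)

if __name__ == "__main__":
    print(CIPHERTEXT)                           # the encrypted message
    print(shifts_matching(CIPHERTEXT, "dawn"))  # shifts that yield readable text
```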
Modern Cryptographic Methods
Modern cryptography is divided into two methodologies. The first is known as symmetric cryptography. In symmetric cryptography, both the sending and receiving parties have the same key, which is used to encrypt and then decrypt the ciphertext. The biggest challenge with this method is how to send the key. If someone can intercept the key, they can decrypt the text. There has to be a pre-shared key, or the key has to be sent encrypted with the data. In-band key exchange is when the key is shared with the data. Out-of-band key exchange means another, separate communication method is used.
Examples of symmetric encryption
- Data Encryption Standard (DES): Used a 56-bit key to encrypt data. Not considered secure by newer standards.
- Blowfish: An algorithm with 1- to 448-bit encryption.
- Triple DES (3DES): Uses 168-bit encryption and improves upon DES.
- Advanced Encryption Standard (AES): Replaced 3DES, and uses 128-, 192-, or 256-bit encryption. AES is considered unbreakable.
All of the above are considered block ciphers. In a block cipher, data is encrypted in a block of x size until all data is encrypted. Alternatively, a stream cipher encrypts data one bit at a time. Rivest Cipher 4 (RC4) is an example of a stream cipher.
The other main cryptographic method is known as asymmetric encryption. In this methodology, two separate keys are generated: one public, one private. The sender encrypts the data with the receiver’s public key. The receiver has a private key, known only to them, used to decrypt the data. Examples include:
- Rivest Shamir Adleman (RSA): Used for both signing and encryption.
- Diffie-Hellman: Actually a key-exchange protocol.
- Elliptic Curve: Used for signing messages, based on Diffie-Hellman.
Ensuring the Integrity of Data
When we send data, is there a way to ensure the data hasn’t been tampered with in some way? There is, and it is done by hashing. A hash is a one-way transformation that is generated when a hash algorithm is applied to a piece of data. It works because no two chunks of data generate the same hash value. If one byte of data is changed, ideally a completely different hash is generated. A common use of hashing would be using MD5 or SHA-1 to verify the integrity of a downloaded program. More secure versions of SHA, SHA-256 and SHA-512, are much less susceptible to attacks (1).
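The download check described above, as an added example that is not part of the original post: it hashes a file in chunks with SHA-256, compares the result with a published digest, and counts how many output bits change when a single input byte is altered. The sample data, the published digest and the function names are constructed for illustration.

```python
import hashlib
import hmac
import io


def sha256_stream(stream, chunk_size: int = 65536) -> str:
    """Hash a file-like object in chunks so large downloads need not fit in memory."""
    h = hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()


def verify_download(stream, published_hex: str) -> bool:
    """Compare the computed digest with the publisher's value.

    The published value is normalised (whitespace, case) before comparison;
    compare_digest does not reveal where the first mismatch occurs.
    """
    actual = sha256_stream(stream)
    return hmac.compare_digest(actual, published_hex.strip().lower())


def differing_bits(a: bytes, b: bytes) -> int:
    """Count the output bits that differ between SHA-256(a) and SHA-256(b)."""
    da = int.from_bytes(hashlib.sha256(a).digest(), "big")
    db = int.from_bytes(hashlib.sha256(b).digest(), "big")
    return bin(da ^ db).count("1")


# Constructed sample data standing in for a downloaded installer.
ORIGINAL = b"example-installer v1.0\n" * 1000
TAMPERED = ORIGINAL[:-2] + b"1\n"  # one byte changed: the final "0" becomes "1"
PUBLISHED = hashlib.sha256(ORIGINAL).hexdigest()  # stands in for the vendor's posted digest

if __name__ == "__main__":
    print(verify_download(io.BytesIO(ORIGINAL), PUBLISHED))   # unmodified file
    print(verify_download(io.BytesIO(TAMPERED), PUBLISHED))   # altered file
    print(differing_bits(ORIGINAL, TAMPERED), "of 256 output bits differ")
```

The check only detects tampering if the published digest is obtained from a source an attacker could not also alter.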
Public Key Infrastructure
Public Key Infrastructure (PKI) is a term used to describe the infrastructure in which public and private keys are managed. PKI is based on the use of certificates. Glen E. Clarke describes a certificate as “an electronic file that is used to store the public key (and sometimes the private key) and associates the public key with an entity such as a person or company” (1).
There are many types of certificates, but the most well-known are the certificates stored on web servers that tell your browser you have accessed a legitimate site. If you want to see the certificates stored on Firefox, go to Settings -> Privacy and Security -> Certificates -> View Certificates.
The idea of certificates begs the question: who issues the certificate? You could make your own self-signed certificate, which is fine for a network that never accesses the internet, but for a web server, you need a certificate issued by a Certificate Authority (CA). The first certificate is signed and issued by the Root CA. Intermediate CAs issue certificates to users.
Another example of a methodology that uses PKI is Pretty Good Privacy (PGP) and Gnu Privacy Guard (GPG). PGP and GPG are used, among other things, to encrypt emails. Like other forms of asymmetric cryptography, PGP and GPG require the generation of a public and private key pair. Thunderbird by Mozilla is an email client that has the ability to generate key pairs for PGP.
Other Uses of Cryptography
From a security standpoint, there are two other very important uses of cryptography:
- SSL/TLS: Secure Sockets Layer, and its successor Transport Layer Security, are used to encrypt web traffic. When you use HTTPS instead of HTTP, you are using SSL/TLS.
- WEP, WPA, and WPA2: Used to secure the connection to your router. When available, always use WPA2. WEP is trivial to hack, and WPA2 has an advantage over WPA in that it uses AES encryption.
Conclusion
This has been a very high-level introduction to cryptography, aimed primarily at the novice. An in-depth cryptography text makes for some very difficult reading, to say the least. Hopefully, though, this post can give you a place to start in your study of cryptography.
Sources and Additional Reading
1. Clarke, Glen E. CompTIA Security+ Certification Study Guide, 3rd Edition. 2018, McGraw-Hill.
2. Martin, Keith. Cryptography: The Key to Digital Security, How It Works, and Why It Matters. 2020, Norton.
3. Aumasson, Jean-Philippe. Serious Cryptography: A Practical Introduction to Modern Encryption. 2018, No Starch Press.
4. CompTIA Security+ Certification (SY0-501): The Total Course. Mike Meyers, Total Seminars.