Advanced Cryptography - Total Guide
Hello people, again. I wrote my last post about crypto about 10 months ago; now I will introduce something that is not fresh for the science, but fresh for the people who want to learn. In my https://null-byte.wonderhowto.com/forum/cryptography-0161538/ post on crypto concepts there are just the basics; today we will look at wider concepts like symmetric crypto, public key cryptography, hashing, keys, etc.
- From the science's point of view, cryptography is a child of cryptology.
Cryptology is divided into:
- Cryptography - the science whose one purpose is to protect information from prying eyes.
- Cryptanalysis - this child of cryptology attempts to beat cryptography by breaking its strong ciphers: analysing its algorithms and keys and finding the original plaintext behind the ciphers.
- Basic cryptography is a science with two general goals:
- Confidentiality - it ciphers plaintext so that only the appropriate people can see the real words behind the scrambled text; we achieve this goal with encryption.
- Integrity - crypto attempts to give us assurance that data in transit, or data at rest, has not been modified; we achieve this goal with digital signatures.
- Cryptography is divided into:
- Symmetric Cryptography - this branch of the science is simple: every message encrypted with one key can only be decrypted with that same key. You use symmetric cryptography in your house: only one key locks and unlocks the door.
Symmetric crypto encrypts data in two ways:
1. Stream ciphers - data is encrypted bit by bit.
2. Block ciphers - data is divided into 64- or 128-bit blocks, and then each block is encrypted.
- Some of the symmetric algorithms:
- AES, DES, 3DES, BLOWFISH, TWOFISH, RC4
- The next part of the text is based on symmetric concepts; now we will examine all of the components.
- Plaintext (text that is not ciphered)
- Algorithm (the mathematical formula that defines what will be done with the plaintext; we can think of the algorithm as a door lock)
- Key - back to the algorithm: it is always the same (there are many on the internet, but one algorithm never changes). I said we can think of the algorithm as a door lock, so the key shows the door lock how to be locked.
- Entropy - cryptography's goal is to take maximal randomization of numbers. A computer is a deterministic machine that accepts some known input from us as users (manipulators) and derives something else based on it, so we can summarize that there is nothing random, because we know the input. Entropy defines the maximal vagueness, or randomization, of the possible bits in one string.
Putting it all together: let's take a look at one example that will clarify some things.
If I want to encrypt a message, first I need to write the message - this is the plaintext. Next I want to encrypt it with my software, and I choose one of the publicly available algorithms. Next I need a key; a key is a random string of bits of a specific length. Now it's time to present the key space concept; if you're not familiar with the binary system, google it and take some time to study that topic.
Key space - I said every key has a specific length, so if one key has a length of 128 bits, the key space is every possible combination in the range of 128 bits. In this specific example, all possible combinations in the range of 128 bits = 2 to the power (exponent) of 128 = 3.402823669×10^38... wow, that is a huge number.
The last thing mentioned is entropy, or what we call vagueness. I said before that in computing we don't have anything random, because we use known input and the computer generates output based on it.
When we generate a key, it's best for it to be totally random, so we need a solution, and we have it.
Initialization Vector - IV - in this phase we have to produce something random that will derive a random number for us. In the science under the hood there is an algorithm that produces a "random" key for us; in more sophisticated software we need to make some movement like mouse gestures, or open some program on the PC, which will derive a random number based on the time when we did that, or on metrics.
The IV is a number that is combined with our key to produce something really random, or in some instances the IV is just prepended to the key.
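To make the stream cipher, key space and IV ideas above concrete, here is an added example (not code from the original post): a toy stream cipher whose keystream is HMAC-SHA256 over IV||counter, a teaching construction I chose for the illustration rather than a standard cipher. It shows that the same key and message give different ciphertext under a fresh IV, and identical ciphertext when the IV is reused.

```python
import hashlib
import hmac
import os


def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Pseudo-random bytes derived from key and IV: HMAC-SHA256 over IV||counter,
    i.e. a counter-mode keystream (a teaching construction, not a standard cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, iv + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def stream_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Stream cipher: XOR every byte of the data with the keystream.
    Decryption is the same call, because (p ^ k) ^ k == p."""
    return bytes(p ^ k for p, k in zip(data, keystream(key, iv, len(data))))


def demo() -> dict:
    key = os.urandom(16)                      # 128-bit key: a key space of 2**128 values
    msg = b"transfer 100 to Bob"              # constructed sample message
    iv_a, iv_b = os.urandom(16), os.urandom(16)
    c_a = stream_encrypt(key, iv_a, msg)
    c_b = stream_encrypt(key, iv_b, msg)      # same key and message, fresh IV
    c_again = stream_encrypt(key, iv_a, msg)  # same key and message, IV reused
    return {
        "roundtrip": stream_encrypt(key, iv_a, c_a) == msg,
        "fresh_iv_hides_repeat": c_a != c_b,       # an observer cannot tell the messages are equal
        "reused_iv_leaks_repeat": c_a == c_again,  # identical ciphertext reveals the repeated message
        "key_space": 2 ** (len(key) * 8),
    }
```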
- Okay, this is a lot of info, but I'm here to provide knowledge. Now let's take a look at some problems with symmetric crypto.
- Alice wants to send Bob a message; she generates a key and encrypts the message with it. Consider the next situation: how can Alice send Bob, over the internet, the symmetric key he needs to decrypt the message? From the angle of an attacker, if he can sniff the traffic, he can also sniff that key, and our crypto system is broken because there is no more confidentiality: a 3rd party has access to data that is dedicated only to Alice and Bob.
- To solve this problem, we need to examine Asymmetric Cryptography.
- Asymmetric crypto is more complex and uses multiple keys for encryption and decryption. Some basics:
- Every user has a key pair that consists of a PUBLIC and a PRIVATE key.
- These two keys are in a mathematical relationship, so the law of the science says:
- Everything encrypted with the PUBLIC key can only be decrypted with the PRIVATE key
- Everything encrypted with the PRIVATE key can only be decrypted with the PUBLIC key
- Public keys need to be published to a public directory or address book; private keys need to stay secret.
- Example: Alice generates a pair of keys, publishes her public key on the internet and saves her private key in a secure place.
Bob wants to send a message to Alice; he uses her public key to encrypt the message, and now Alice can decrypt the message with her private key.
This concept solves the problem of key exchange, but asymmetric crypto is much more resource intensive than symmetric crypto.
Asymmetric crypto requires the use of PKI - Public Key Infrastructure, which issues certificates.
- A certificate is a digital document that has embedded in it the name of the certificate holder, the public key, a serial number, an expiration date, etc.
- INTERNET BASED INFORMATION EXCHANGE
- You may be wondering how we encrypt information on the internet; the answer is simple: we use SSL or TLS encryption. These two work in conjunction with the HTTPS protocol to encrypt traffic; basically SSL or TLS is just a certificate issued by a trusted party like VeriSign.
If I host a website that provides bank services, I need to give my clients assurance that their information will stay confidential, so I need some solution.
The first step is shopping: I buy one certificate from a trusted source and embed it in my website.
When a client accesses my website, my server sends the client my certificate. The client now produces a symmetric key that will be used for all encryption in this particular session, encrypts it with the public key from my cert, and sends it to my server. The server decrypts it with my private key and the negotiation is done: we both know the symmetric key that will be used to encrypt all data.
- Up to this point we looked at encryption, which addresses only confidentiality; now it's time to take a look at integrity.
- We achieve integrity with hashing.
- A hash is a simple mathematical function that is applied to some information (a file, for example) to produce one fixed number. Okay, let's take a simple example: I have file1 and I run some math function against it that derives one fixed number like 123, and that's all.
While the file is not changed, the number the hash produces will not change, but if one bit of the file changes, the hash will be something totally different.
A hash is not a reversible function; in other words, I know that the hash of the file is 123, but if I know only the hash, I don't know what information produced that hash, so a hash is also called a one-way function.
- Alice sends a message to Bob, and sends the hash (fixed number) of the message to Bob; Bob generates the hash, and if that number is the same as the number received from Alice, the message has not been changed.
- Let's assume some problems: if an attacker can intercept the message and change it, Bob's hash will not be the same as Alice's, but if the attacker has the ability to change the message, why could he not change the hash too?
- This problem is solved with HMAC - Hash-Based Message Authentication Code.
- Alice and Bob know a symmetric key. Alice wants to send a message to Bob; she derives a hash and encrypts it with the symmetric key that is known only to her and Bob, and sends it to Bob. Bob decrypts the hash and compares it with the hash he derives.
- From the angle of an attacker, if he intercepts the message and changes both the message and the hash, he doesn't know the secret key, so the final recipient will always know that the message has been changed, because the hash will never match.
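The hashing and HMAC flow above, as an added example in Python (not from the original post, using the standard library's hashlib and hmac, with constructed messages and a constructed shared key): a plain hash changes completely on a one-bit change, but a plain hash sent next to the message can be replaced along with it, whereas a keyed HMAC tag cannot be forged without the shared key.

```python
import hashlib
import hmac

SHARED_KEY = b"constructed-secret-known-only-to-alice-and-bob"


def file_hash(data: bytes) -> str:
    """Plain SHA-256: detects changes, but involves no secret."""
    return hashlib.sha256(data).hexdigest()


def message_mac(key: bytes, data: bytes) -> str:
    """HMAC-SHA256: a hash that also depends on the shared secret key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_mac(key: bytes, data: bytes, tag: str) -> bool:
    """Constant-time comparison, so timing does not reveal how much of the tag matched."""
    return hmac.compare_digest(message_mac(key, data), tag)


def flip_one_bit(data: bytes) -> bytes:
    """Flip the lowest bit of the first byte: the smallest possible change to a file."""
    return bytes([data[0] ^ 0x01]) + data[1:]


def demo() -> dict:
    original, tampered = b"pay Bob 100", b"pay Eve 100"   # constructed messages

    # Plain hash sent next to the message: whoever can rewrite the message can
    # recompute the hash as well, so Bob's check passes on the tampered pair.
    received_msg, received_hash = tampered, file_hash(tampered)  # attacker replaced both
    bob_check_plain = file_hash(received_msg) == received_hash   # passes: Bob cannot tell

    # HMAC: the message can be rewritten, but no valid tag exists without the key.
    tag = message_mac(SHARED_KEY, original)
    forged_tag = message_mac(b"attacker-guessed-key", tampered)
    return {
        "one_bit_changes_hash": file_hash(flip_one_bit(original)) != file_hash(original),
        "plain_hash_fooled": bob_check_plain,
        "hmac_accepts_genuine": verify_mac(SHARED_KEY, original, tag),
        "hmac_rejects_new_tag": not verify_mac(SHARED_KEY, tampered, forged_tag),
        "hmac_rejects_old_tag": not verify_mac(SHARED_KEY, tampered, tag),
    }
```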
- Passwords Demystified - Many systems store only hashes of passwords, so when a user wants to authenticate, he enters the password, the client-side application hashes that password and sends it to the system, and the system compares it with the stored hash; if it matches, the user is granted the appropriate permissions and access.
- We see one problem: if an attacker sniffs that hash, he can easily replay it and impersonate the legitimate user; most modern systems use timestamps to prevent replay attacks.
- At this point, if I know only the hash and I can't replay it, I want to know the input that derives that hash.
- BIRTHDAY PARADOX - If we call 23 random persons from the town, there is a 50% probability that two persons have their birthday on the same day of the year. Based on this paradox, an attacker will try to produce an input that derives the same hash as the original input.
At this point, if we have two different inputs that derive the same hash, we have a collision. Modern systems use salting techniques, something like an IV, to add randomization to the original hash; this prevents collisions.
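An added example (not from the original post) for the password and birthday passages: the birthday calculation generalised to any number of draws from any space (365 days, or 2**bits for a hash output), and password storage with a random per-user salt plus iterated hashing (PBKDF2-HMAC-SHA256 from the standard library), showing why two users with the same password no longer share a stored hash. Passwords and salts are constructed.

```python
import hashlib
import hmac
import os


def birthday_collision_probability(samples: int, space: int = 365) -> float:
    """Probability that at least two of `samples` random draws from `space` values collide.
    space=365 is the 23-people birthday case; for a hash output it is 2**bits."""
    no_collision = 1.0
    for i in range(samples):
        no_collision *= (space - i) / space
    return 1.0 - no_collision


def hash_unsalted(password: str) -> str:
    """What the post describes first: two users with the same password get the same stored hash."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_salted(password: str, salt: bytes = b"", iterations: int = 100_000) -> str:
    """Random per-user salt plus iterated hashing (PBKDF2-HMAC-SHA256); stored as salt$hash."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt.hex() + "$" + digest.hex()


def check_salted(password: str, stored: str, iterations: int = 100_000) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), iterations)
    return hmac.compare_digest(digest.hex(), digest_hex)


def demo() -> dict:
    pw = "Winter2024"                      # constructed: two users chose the same password
    stored_a, stored_b = hash_salted(pw), hash_salted(pw)
    return {
        "birthday_23": round(birthday_collision_probability(23), 3),   # 0.507
        "unsalted_equal": hash_unsalted(pw) == hash_unsalted(pw),      # identical: one crack hits both
        "salted_differ": stored_a != stored_b,                         # salt makes each record unique
        "login_ok": check_salted(pw, stored_a),
        "wrong_password_rejected": not check_salted("winter2024", stored_a),
    }
```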
- Digital Signatures - This branch of crypto addresses integrity and non-repudiation; for digital signatures we use asymmetric crypto.
- If Alice sends a message to Bob, Bob needs assurance that the message originally came from Alice; cryptography at this point presents digital signatures. In the real world, if we sign a document it can't be changed and there is just one original; in cryptography there is much more under the hood. Consider one example:
- Alice creates a message and creates a hash of the message; after that, Alice encrypts that hash with her private key. Back to the basics: Alice is the only person who has her private key, so everything encrypted with her private key was derived by Alice's hand. She sends the message to Bob; Bob uses Alice's public key to decrypt the hash, derives his own and compares them. This gives Bob assurance that the message originally came from Alice and has not been changed.
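An added example (not from the original post) that serves three passages at once: the Bob-to-Alice public key encryption, the session-key exchange in the HTTPS walkthrough, and this signature flow. It uses textbook RSA with tiny primes constructed for illustration (real keys use primes of 1024+ bits and padding around the math), so the public/private relationship the post states can be seen directly: one modular exponentiation applies a key, and applying the other key of the pair undoes it.

```python
import hashlib

def next_prime(n: int) -> int:
    """Smallest prime >= n by trial division; fine for the toy sizes used here."""
    while any(n % i == 0 for i in range(2, int(n ** 0.5) + 1)):
        n += 1
    return n

def make_keypair():
    """Toy RSA key pair from primes near 10**6, constructed for illustration only.
    Real keys use primes of 1024+ bits plus padding (OAEP/PSS) around this math."""
    p = next_prime(10 ** 6)
    q = next_prime(p + 1)
    n, phi = p * q, (p - 1) * (q - 1)
    e = 65537                    # public exponent
    d = pow(e, -1, phi)          # private exponent: e*d == 1 (mod phi); needs Python 3.8+
    return (e, n), (d, n)        # (public key, private key)

def apply_key(key, x: int) -> int:
    """One modular exponentiation. Applying the public key and then the private key
    (or the reverse) gives x back, which is the relationship the post describes."""
    exponent, n = key
    return pow(x, exponent, n)

def digest(msg: bytes, n: int) -> int:
    """SHA-256 of the message, reduced so the value fits under the toy modulus."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign(private, msg: bytes) -> int:
    """Signature = the message hash 'encrypted' with the private key."""
    return apply_key(private, digest(msg, private[1]))

def verify(public, msg: bytes, sig: int) -> bool:
    """'Decrypt' the signature with the public key and compare with a fresh hash."""
    return apply_key(public, sig) == digest(msg, public[1])

def demo() -> dict:
    alice_pub, alice_priv = make_keypair()
    session_key = 0xC0FFEE42                      # constructed session key, as in the HTTPS walkthrough
    c = apply_key(alice_pub, session_key)         # Bob (or the client) encrypts with Alice's public key
    sig = sign(alice_priv, b"pay Bob 100")        # only the holder of Alice's private key can make this
    return {
        "key_exchange_ok": apply_key(alice_priv, c) == session_key,
        "signature_ok": verify(alice_pub, b"pay Bob 100", sig),
        "tamper_detected": not verify(alice_pub, b"pay Eve 100", sig),
    }
```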
This post is already so long; I will maybe create one more to add some knowledge.
PS: Sorry for the grammar errors, because English is not my native language. Best regards!