What is Cryptography?
Cryptography is a method to secure communication from unauthorized party.
Cryptography allows the following 3 goals to be achieved:
Cryptography protects the secrecy of information. Even if the transmission or storage medium has been compromised, the encrypted information will be render useless to unauthorized person.
Cryptography ensures the information has not been tampered with using hashing method.
Cryptography ensures the information sent is from intended and not fake sender. This done using digital certificate, digital signature and Public Key Infrastructure (PKI).
Cryptography can be further divided into:
- Symmetric (or Secret Key) Cryptography
- Asymmetric (or Public Key) Cryptography
What is Symmetric Cryptography?
In symmetric cryptography, both sender and receiver uses the same secret key to encrypt and decrypt a message.
Some of the algorithms includes Blowfish, AES, RC4, DES, RC5, and RC6. The most widely used symmetric algorithm is AES-128, AES-192, and AES-256. All AES algorithms uses the block size of 128-bit but different size of key lengths (128, 192, 256).
What is Asymmetric Cryptography?
Asymmetric cryptography uses a key pairs – public and private key. It works in a way, message encrypted with either public or private key can only be decrypted using the other key of the pair. That is public key to encrypt, private key to decrypt and private key to encrypt, public key to decrypt. Public keys are disseminated in public network whereas private keys are only known to the owners. This key pair cryptography differs from symmetric cryptography which uses one secret key.
Some of the algortihms includes RSA, ELC, Diffie-Helman key exchange, etc.
Asymmetric Cryptography has 2 usages, data encryption and digital signature.
For data encryption, a sender encryptes an information with receiver’s public key. The message can only be decrypted using receiver’s private key which is only known to the receiver.
Encrypting a Message
- Sender encrypts a document with one time symmetric key. This is typically AES or DES Session Key.
- Sender encrypts the symmetric key with receiver’s public key
- Sender sends both encrypted document and key.
Decrypting a Message
- Receiver decrypts the session key using own private key.
- Receiver uses decrypted session key to decrypt the message.
Digital Signature is simply encryption of hash of a message using private key
Performing a Digital Signature
- Sender hashes the original message.
- Sender ciphers the hashed message with own private key to produce a signature.
- Sender sends the original message together with signature.
Verifying a Digital Signature
- Receiver uses the sender public key to decrypt the signature. The outcome is the hashed message.
- Receiver hashes the original message.
- Receiver compares the hashes from step 1 and 2.
What is hashing?
Hashing converts input data to output random data of fixed size (digest). This is a one way function, hence the original input data cannot be derive dfrom the output. One usage of hashing is instead of storing password in clear text, we store the hashed password. Even if the hashed passwords were to be compromised, the nature of hashing makes it difficult to retrieve the clear password.
Some of the commonly used hashing algorithms include MD5, SHA-1, bcrypt, Whirlpool, SHA-2 and SHA-3.
Enhance hash flavor with Salt and Pepper?
Even hashing can be cracked if one build a rainbow table. This is because the hashes generated for the same input will always be the same. Hence we can generate a list of hashes on several possible passwords which we call rainbow table. All we need is access to stored hashed password and find a match in rainbow table to get the corresponding clear password.
Salt is a random string that is added into the clear password before being hashed altogether. The salt can then be stored (either in clear or encrypted) together with hashed password in the database. Even if the attacker obtains the hashed password together with salt, the exisiting rainbow table will be render useless, as they have to regenerate a new one with added salt (well, provided they know at which position in the clear password to add the salt).
Pepper works in quite similar fashion as salt that is random string being added to clear password before being hashed. The difference is the pepper is not store at all. Hence, when users tries to login, their password will be hashed with cycles of known possible peppers in effort to find a match.
What is Public Key Infrastructure (PKI)?
PKI is a framework that uses public key cryptography to provide authentication and confidentiality.
It has 2 cores concepts which are data encryption and digital signature which has been covered previously.
Public key are usually stored in a form of digital certificate which follows the X.509 standard. This certificate is issued, distributed and revoked by Certificate Authority (CA). These are often trusted third party organization such as DigiCert and VeriSign.
So here is the overall flow.
- Sender requests for receiver’s digital certificate from CA.
- Sender extracts the public key from receiver’s digital certificate and uses it to encrypt the message and sends it.
- Receiver decrypts the message using own private key.
PKI is used in Hypertext Transfer Protocol Secure (HTTPS). HTTPS uses Transport Layer Security (TLS) or Secure Socket Layer (SSL) to ensure secure communication between client-server or server-server.
So imagine you are going to checkout your cart at ecommerce website.
- Before you key in sensitive information such as credit card details, your web browser requests a SSL certificate from ecommerce website (server).
- The browser receives the SSL certificate and checks if it was issued any trusted CA. It also extracts the server public key from certificate.
- Once the browser determines the certificate is trustable, it sends a message to server.
- The server digitally signed acknowledgement to start SSL encrypted session.
- You proceed to send your information which is then encrypted with ecommerce’s (server) public key.
- Server then decrypts the message with its own private key and complete the purchase.