Part 1: Cryptography Fundamentals
Defining Cryptography
Cryptography is all about protecting data, usually in the form of messages or files. It does this by taking data and transforming it into unreadable formats that we refer to as ciphertext. Ciphertext is a method of cryptography in which units of information, known as plaintext, are replaced by substitution as part of an algorithm. The only way to transform ciphertext back into readable data is with a special key, which only the sender and recipient of messages have access to. This process is called, obviously, encryption, and it’s the basis of how cryptography works.
Encryption Algorithms
There are only two types.
Symmetric cryptography is all about using the same key for both encryption and decryption. So, what we have is the sender and recipient, and they’re going to use the same key to encrypt the message they want to send back and forth. It’s very fast and very efficient. The drawback is that if you lose the key, you lose all access to the information that’s been encrypted.
Asymmetric cryptography. This is just about as opposite to symmetric cryptography as you can get. Rather than using one key to do both the encryption and decryption, it uses two keys, a public key and a private key. The first key, the public key, is a key that anybody can have access to. The second key, private, is meant to be only known by the owner. It should never be given to anybody else. The great thing about this is that if you want to use public keys to encrypt information, the only way to decrypt it is by using the corresponding private key.
So even if somebody were to intercept the message, they wouldn’t be able to do anything with it because they don’t have access to the private key. It doesn’t require a secure initial exchange of keys like symmetric cryptography does. Asymmetric also utilizes digital signatures.
When studying cryptographic algorithms, it’s important to know about the key ones, including DES, 3DES, AES, and other ciphers. DES, or Data Encryption Standard, was created by IBM in the 1970s. It uses a 64-bit block and a 56-bit key, which was found to be insecure after it was cracked in 1999. In response to this, 3DES was developed, which applies the DES algorithm three times with three different keys to improve security. The Advanced Encryption Standard (AES) is now widely used, especially by government agencies, to encrypt unclassified data. AES uses a 128-bit block size and key lengths of 128, 192, or 256 bits, making it efficient for both hardware and software.
Another group of algorithms is the Rivest ciphers, which include RC4, RC5, and RC6. RC4 is a stream cipher that has known weaknesses, particularly because it was used in WEP, which is easily hacked. RC5 and RC6 offer more flexibility with variable block sizes and rounds, making them more secure. [2] I also learned about the “fish” algorithms: Blowfish, Twofish, and Threefish. Blowfish, created in 1993, is a fast symmetric block cipher that uses a 64-bit block and allows variable key sizes. Twofish, introduced in 1998, encrypts data in 128-bit blocks and supports several key sizes, while Threefish, developed in 2008, is known for being both fast and secure. Lastly, Serpent and TEA (Tiny Encryption Algorithm) are also important. Serpent was a finalist in the AES competition and has a 128-bit block size, while TEA is designed for easy use and is fast but has some vulnerabilities. Overall, knowing the strengths and weaknesses of these algorithms is key to choosing the right one for secure data encryption in different situations.
When we talk about cryptography, it’s important to understand something called a message digest, or hash value. A message digest takes a piece of data and creates a unique fingerprint for it. This is super important for ensuring that the data hasn’t been changed. For example, when you download software, a hash value can help you confirm that the file is exactly what the developer intended and hasn’t been tampered with.
There are different types of message digests, like MD2, MD4, MD5, and MD6. MD5 is one of the most common ones; it produces a 128-bit hash from any size of data. It’s often used to check if files are intact or to securely store passwords. However, MD5 isn’t the safest option anymore, so newer algorithms like SHA-2 or SHA-3 are recommended.
SHA (Secure Hash Algorithm) has several versions, starting with SHA-1, which creates a 160-bit hash. SHA-1 is often used with security protocols like SSL for secure websites. However, SHA-0 was so flawed that it was never used. Then we got SHA-2, which is stronger and offers different sizes like SHA-256, and SHA-512.
SHA-3 is unique because it uses a different method called sponge construction. Instead of just changing the input into a hash, it absorbs the data and squeezes out the output, making it tougher against attacks.
Another important concept is CHAP (Challenge Handshake Authentication Protocol). It’s used in online connections to make sure the person on the other end is who they say they are. For instance, when you connect to a Wi-Fi network and enter a password, CHAP helps verify your identity. However, it requires both the client and server to know a shared secret, which can be a drawback.
EAP (Extensible Authentication Protocol) is another method that’s more secure than CHAP. It’s commonly used in Wi-Fi networks and supports different ways to prove your identity, like using one-time passwords or smart tokens. For example, when logging into a bank app, EAP can help keep your information safe by confirming it’s really you trying to access your account.
Cryptographic Hash Functions
A cryptographic hash function is a one-way process that takes data and converts it into a fixed-length string of characters, called a hash. Each time the same input is processed, it will always generate the same hash. However, you can’t easily reverse the hash to get the original data. Hash functions are important for ensuring data integrity and are commonly used in digital signatures and systems involving certificates.
I came across some interesting hash generator tools, like the MD6 Hash Generator and the All-Hash Generator. One tool that really caught my attention is HashMyFiles. It’s pretty cool because it lets me calculate the MD5 and SHA‑1 hashes for multiple files at once. I can even browse through my system files and copy the hash list to my clipboard or save it as a text file. This way, I can compare the hashes later to see if anything has changed.
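The same save-the-hashes-and-compare-later workflow, and the download check mentioned earlier, sketched with Python's standard library. This is an added example, not part of the original post or of HashMyFiles; it uses SHA-256 instead of MD5 or SHA-1, and the file names and contents are constructed samples.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

def file_digest(path, algorithm="sha256", chunk_size=65536):
    """Hash a file in chunks so large files never sit fully in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {str(p.relative_to(root)): file_digest(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare_baselines(old, new):
    """Report files added, removed or modified between two baselines."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(k for k in old.keys() & new.keys()
                           if not hmac.compare_digest(old[k], new[k])),
    }

def demo():
    """Constructed sample tree: take a baseline, change files, compare."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "installer.bin").write_bytes(b"release build 1.0")
        (root / "readme.txt").write_text("hello")
        before = build_baseline(root)

        # Simulate changes between the two hashing runs.
        (root / "installer.bin").write_bytes(b"release build 1.0 (altered)")
        (root / "readme.txt").unlink()
        (root / "extra.dll").write_bytes(b"\x00\x01")
        return compare_baselines(before, build_baseline(root))

if __name__ == "__main__":
    print(demo())
```

A baseline only helps if it is stored somewhere the files' modifier cannot also rewrite it.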
There are also plenty of tools available for mobile devices. For instance, I found BCTextEncoder, which allows me to type in regular text and encode it with a password. It then gives me the encrypted version of that text. I found a sample of this encoded text message, which was about a certain superhero. It’s pretty fascinating to see how these tools work. Let me show you a demo so you can see them in action!
Cryptographic Attacks:
Cryptographic attacks try to find weaknesses in encryption to break it. Some examples are [9]:
- Brute-force attacks: Trying every possible key combination until the correct one is found.
- Man-in-the-middle attacks: Intercepting messages between two people to steal or change information.
- Side-channel attacks: Exploiting flaws in how the encryption system is built to gather information about the encryption key.
To stop attacks on cryptography, we need a strong system. Here are some ways to do that [8]:
- Keep updating cryptographic algorithms and protocols so they don’t become outdated.
- Make sure data is properly encrypted so that if someone steals it, they can’t read it.
- Use strong and unique keys for encrypting data.
- Store the encryption keys in a safe place.
- Make sure the cryptographic system is set up the right way.
- Test the system regularly for weaknesses.
- Teach employees about cryptography attacks and how to avoid them.
Today’s cryptographic attacks are becoming more advanced, sometimes even getting past very strong defenses. Attackers can reverse-engineer hashed data and uncover sensitive information by exploiting weaknesses in outdated or weak hash algorithms. As more organizations use cryptography to protect their data and communications, it’s crucial to secure encryption keys properly. A single mistake can lead to legal issues, fines, damage to reputation, and loss of clients and investments. Attackers can use these weaknesses to bypass encryption, change data, or get unauthorized access. Some common weaknesses include:
- Weak keys
- Incorrect key usage
- Reusing keys
- Insider threats
- Not rotating keys
- Poor key storage
- Lack of resilience
- Weak encryption algorithms
- Moving keys insecurely
- No audit logs
- Incorrect implementation of cryptographic protocols
- Managing keys manually
Part 2: Advanced Cryptography and PKI
Public Key Infrastructure
PKI stands for Public Key Infrastructure. It’s a system that helps keep information safe when it’s sent over the internet. It combines hardware, software, rules, and processes to create, manage, and use digital certificates and public-key encryption. These certificates help identify users and make sure that communication over the internet is secure. [6]
Example: Websites that use HTTPS rely on PKI to make sure that your connection is secure and that you’re really connecting to the website you think you are.
In PKI, there are two keys: a public key that anyone can see and a private key that only the user has. This way, only the right people can read the information.
Here are some important parts of PKI:
- Certificate Authority (CA): This is the organization that issues and checks digital certificates.
- Digital Certificate: This is like a digital ID card that proves who you are online.
- Validation Authority (VA): This checks if the certificates are valid.
- Registration Authority (RA): This verifies the identity of the users before they get their certificates.
How It Works
Let’s imagine a user named Krish, who wants to send an email to JD. To ensure that this email is secure and can’t be read by anyone else, he needs to use some cryptographic keys. In this scenario, JD is part of a PKI system, which means he has both a public key and a private key. While these keys are usually managed by a validation authority (VA), we’ll simplify things by saying they’re associated directly with him.
Krish starts by requesting a copy of JD’s public key. He uses this key to encrypt the email because the public key can only encrypt data, not decrypt it. Even if someone like Oswald Cobblepot gets a hold of JD’s public key, it won’t help him read the email.
Once Krish sends the encrypted email to JD, JD uses his private key to decrypt and read the message. This same PKI system can be applied not just to emails but also to files and online transactions. For example, when I interact with my bank, I can download their public key to create a secure, encrypted session between us. Pretty neat, right? Now let’s talk about how trust plays a role in this process.
For another example, when you use an online banking app, PKI helps to keep your information secure. Your bank uses a digital certificate to show that it’s really them, and when you send your account information, it gets encrypted with a public key so that only the bank can read it. This way, your personal information stays private and safe!
Digital Certificates and Their Lifecycle
Digital certificates are like electronic ID cards used to verify the identity of people, devices, or organizations. Their lifecycle involves creation (issuing), distribution, use (authentication), renewal, and revocation (canceling them when they expire or are no longer valid).
Example: When you visit a website, your browser checks its digital certificate to make sure it’s trustworthy before allowing access.
A digital certificate is an electronic document that uses a digital signature to link a public key to an identity, like a person, organization, or device. Here’s what a digital certificate includes:
- Subject Name: The name of the person or entity that owns the certificate.
- Public Key: The public key that belongs to the entity.
- Issuer: The Certificate Authority (CA) that created the certificate.
- Validity Period: The dates when the certificate is valid (when it starts and ends).
- Serial Number: A unique number that identifies the certificate.
- Signature Algorithm: The method the CA used to sign the certificate.
- Digital Signature: The CA’s signature that proves the certificate is authentic.
In my study of Public Key Infrastructure (PKI), I’ve learned how it solves the problems of the web of trust by using certificate authorities (CAs). Instead of relying on direct trust between users, PKI depends on trusted centralized providers known as CAs. These authorities verify the identities of individuals and organizations and issue digital certificates, which confirm that a public key belongs to a specific entity.
To compare, getting a government ID, like a driver’s license, involves proving your identity at the Department of Motor Vehicles (DMV). You provide several forms of identification and proof of residence. Once verified, the DMV issues your driver’s license, a card that shows your identity.
Digital certificates work similarly. Instead of a DMV, you have a certificate authority, and instead of a driver’s license, you get a digital certificate. When you want a digital certificate, you approach a CA and prove your identity, which might involve verifying a domain name or providing physical ID. Once the CA confirms your identity, they receive your public key securely and create a digital certificate with your identity and public key, signing it digitally.
You can share your digital certificate with anyone for communication. Since it doesn’t contain sensitive information, there’s no worry about how you send it. The person receiving it just needs to check if the CA’s signature is valid. If it is, they can trust that the public key belongs to you and can securely send encrypted messages.
One concern is if someone else gets a copy of my digital certificate and pretends to be me. While this is possible, it’s not a big problem because the certificate is meant to be shared. The only thing they could do is encrypt messages with my public key. As long as I keep my private key secure, they can’t decrypt those messages, so my confidentiality is protected.
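The issue-then-verify steps described above, modelled in a few lines as an added example that is not part of the original post. It uses unpadded textbook RSA with a small constructed CA key purely to show the relationship between the CA's private and public keys; the subject name, issuer name, serial number and key strings are all constructed.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed CA key built from two Mersenne primes. Textbook RSA with no
# padding and a short modulus: a teaching model only, never a real scheme.
P, Q, E = 2**89 - 1, 2**127 - 1, 65537
CA_N = P * Q                              # CA public modulus
CA_D = pow(E, -1, (P - 1) * (Q - 1))      # CA private exponent (kept secret)

def tbs_digest(fields):
    """Hash the to-be-signed fields in canonical order, reduced mod CA_N."""
    blob = json.dumps(fields, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(blob).digest(), "big") % CA_N

def issue(subject, public_key, not_before, not_after, serial):
    """CA side: bind identity to public key, sign with the CA private key."""
    fields = {"subject": subject, "public_key": public_key,
              "issuer": "Example Teaching CA", "serial": serial,
              "not_before": not_before.isoformat(),
              "not_after": not_after.isoformat(),
              "signature_algorithm": "textbook-RSA-SHA256 (model)"}
    return {"fields": fields, "signature": pow(tbs_digest(fields), CA_D, CA_N)}

def verify(cert, now):
    """Relying party: needs only the CA public key (CA_N, E)."""
    fields = cert["fields"]
    if pow(cert["signature"], E, CA_N) != tbs_digest(fields):
        return "bad signature"
    start = datetime.fromisoformat(fields["not_before"])
    end = datetime.fromisoformat(fields["not_after"])
    if not start <= now <= end:
        return "outside validity period"
    return "ok"

def demo():
    utc = timezone.utc
    cert = issue("jd@example.test", "constructed-public-key-of-JD",
                 datetime(2024, 1, 1, tzinfo=utc),
                 datetime(2025, 1, 1, tzinfo=utc), serial=1001)
    # Same CA signature, but the public key field has been swapped.
    swapped = {"fields": dict(cert["fields"], public_key="some-other-key"),
               "signature": cert["signature"]}
    return (verify(cert, datetime(2024, 6, 1, tzinfo=utc)),
            verify(swapped, datetime(2024, 6, 1, tzinfo=utc)),
            verify(cert, datetime(2025, 6, 1, tzinfo=utc)))

if __name__ == "__main__":
    print(demo())
```

Copying the certificate unchanged still verifies, which is fine: it carries no secret, and changing any field invalidates the CA's signature.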
Source 1: https://cheapsslsecurity.com/blog/digital-signature-vs-digital-certificate-the-difference-explained/
Securing Data with Cryptographic Protocols
Cryptographic protocols like SSL/TLS, IPsec, and SSH keep data safe while it’s being sent over the internet. They ensure that no one can read or tamper with the data during transmission.
Example: When you shop online, SSL/TLS encrypts your credit card details, making sure they’re safe as they travel to the retailer.
[7] In past years I made an IPsec tunnel using Python. My project focuses on building a protocol similar to IPsec to protect the data exchanged between two hosts over a TCP tunnel. By encrypting the IP payload before sending it, I can stop anyone from intercepting or changing the data. I used Wireshark to analyze the packets and see how well the encryption works. My implementation includes both transport and tunnel modes of IPsec, which shows how putting the original packets inside new IP headers helps protect sensitive information. This project demonstrates how important cryptographic techniques are for keeping our online communications safe and secure. The project is uploaded to GitHub: https://github.com/Jadhusan24/Python-IPsecTunnel
Encryption/Decryption of IP Payload:
I focused on encrypting and decrypting the IP payload before sending it through a TCP tunnel. This is a fundamental aspect of cryptographic protocols, which aim to protect data confidentiality and integrity during transmission.
PKI in Cloud Environments
In the cloud, PKI helps protect data and ensures that only authorized users, devices, or services can access sensitive information. It is important for making sure cloud services like AWS or Azure meet security standards.[4]
Example: When companies store sensitive data in the cloud, PKI helps verify the identity of the users accessing that data, ensuring it’s secure and only available to authorized people.
Cloud PKI is a service model where a provider hosts and manages the infrastructure in the cloud, while the customer is in charge of the certificate authority (CA) and the PKI environment for creating and managing certificates.
On the other hand, self-managed PKI means that the organization handles everything themselves. This can be done either in a cloud environment or a traditional on-premises data center. With this approach, the organization is responsible for keeping the PKI infrastructure and operations running smoothly.
Part 4: References
[2] Alabdulrazzaq, Haneen & Alenezi, Mohammed. (2022). Performance Analysis and Evaluation of Cryptographic Algorithms: DES, 3DES, Blowfish, Twofish, and Threefish. International Journal of Communication Networks and Information Security. 14. 10.17762/ijcnis.v14i1.5262.
[4] Cloud-Based PKI Architecture | AWS | GCP | Microsoft Azure. 10 Oct. 2020, www.encryptionconsulting.com/cloud-based-public-key-infrastructure-architecture/.
[6] Stallings, W. (2017). Cryptography and Network Security: Principles and Practice, Seventh Edition, Global Edition. [online] Available at: https://www.cs.vsb.cz/ochodkova/courses/kpb/cryptography-and-network-security_-principles-and-practice-7th-global-edition.pdf.
[7] Jadhusan (2020). Implementation of IPsec Tunneling – Tech with JD. [online] Tech with JD. Available at: https://blog.jadhusan.com/ipsec-tunneling/ [Accessed 5 Oct. 2024].
[8] Packetlabs (2022). Cryptography Attacks: 6 Types & Prevention. [online] Packetlabs. Available at: https://www.packetlabs.net/posts/cryptography-attacks/.
[9] What Are Cryptographic Attacks? | Complete Guide of 2024. [online] GoAllSecure. Available at: https://www.goallsecure.com/blog/cryptographic-attacks-complete-guide/ [Accessed 5 Oct. 2024].