Cryptography Basics

Question 1

Cryptography or cryptology

Answer 1

is the practice and study of techniques for secure
communication in the presence of third parties called adversaries. More generally,
cryptography is about constructing and analyzing protocols that prevent third
parties or the public from reading private messages; various aspects
in information security such as data confidentiality, data integrity, authentication,
and non-repudiation, are central to modern cryptography.
Corey Says:
The transformation of data into a format that is unreadable or unusable
one except the intended target.

Question 2

Encoding

Answer 2

Not a cryptography topic by default
Encoding is simply the transformation of data
om one format to another.
o Different categories of cryptography fall into
different forms of encoding data with the goal
hide information.

Question 3

Steganography

Answer 3

Hiding a message in plain sight.
The plain text acts as the Cipher Text
Hi, Elaines Looking Playful!
Hi, Elaines Looking Playful!

Question 4

Encryption

Answer 4

Hiding a message using the power of Math.
Used for communication between parties where secrecy
is of the utmost importance.
The hidden message, cipher, should be able to be shown
to anyone without revealing the actual encryption.
Encryption is a reversible process

Question 5

Encryption

Answer 5

• plaintext
• scheme
• ciphertext

Question 6

Types of Encryption

Answer 6

1. Symmetric Encryption: Both Parties have
   a copy of the same Icey
   
   2. Asymmetric (Public) Key Encryption:
      There is one key for locking the safe and
      one key for opening it.

Question 7

Hashing

Answer 7

o Hiding a message using the power of Math.
o Used for storage or verification of data
o Finding a particular hash should tell you nothing
about the original data.
o Hashing is an irreversible process

Question 8

GOOD HASH KEY FUNCTION

Answer 8

Should be slow
Ultimately, this will hurt would-be attackers more than it will hurt you.
Should have a low collision frequency
Fewest possible duplicates. Or else two inputs could be indistinguishable.

Question 9

Plaintext

Answer 9

—An unencrypted message (in the clear)

Question 10

Ciphertext

Answer 10

An encrypted message

Question 11

Cipher

Answer 11

The algorithm used to encrypt and/or decrypt

Question 12

Cryptanalysis

Answer 12

—The art of cracking encryption
—Researchers are constantly trying to find weaknesses in ciphers
• A mathematically flawed cipher is bad for everyone

Question 13

Cryptographic keys

Answer 13

• Keys 
—Add the key to the cypher to encrypt 
— Larger keys are generally more secure 
• Some encryption methods 
use one key 
—Some use more than one key 
—Every method is a bit different

Question 14

Confusion

Answer 14

• Encryption is based on 
confusion and diffusion 
—You need both 
• Confusion 
—The encrypted data is 
drastically different than the plaintext 
—The process should be non-linear, 
with no discernible patterns

Question 15

Diffusion

Answer 15

• Change one character of the input, and many characters change of the output

Question 16

Security through obscurity

Answer 16

• Security should exist, even if
the attacker knows everything about the system
—Secrecy of the design shouldn’t be the main method of security
—Encryption key would be the only unknown
• Substitution Cipher (Caesar cipher)
—Substitute one letter with another
-ROT13 - “URYYB” is “HELLO”
• If you know how the “security” is designed,
you can circumvent it
—SSID broadcast suppression, MAC filtering
—Security through obscurity

Question 17

Random numbers

Answer 17

• Cryptography relies on randomness
—Used to generate keys, salt hashes, and much more
• Random number generation
—It’s very difficult to create true randomness with a program
—Usually includes some type of natural input
—Mouse movements, atmospheric noise, lava lamp
• Pseudo-randomness doesn’t rely
on the natural world
—Approximate true randomness
—Based on a starting seed

Question 18

App development and cryptography

Answer 18

• Developers don’t need to be cryptographers
—They write to an API (application programming interface)
—Crypto modules
•The API library does all of the heavy lifting
—Send plaintext into the box, get ciphertext back
—No extra programming required
•The Windows software library is the
Cryptographic Service Provider (CSP)
—The Microsoft CryptoAPl is the bridge
between the application and the CSP

Question 19

Symmetric encryption

Answer 19

•A single, shared key 
— Encrypt with the key 
— Decrypt with the same key 
Esc to exit full screen 
—If it gets out, you'll need another key 
• Secret key algorithm 
—A shared secret 
• Doesn't scale very well 
—Can be challenging to distribute 
• Very fast to use 
— Less overhead than asymmetric encryption 
—Often combined with asymmetric encryption

Question 20

Asymmetric encryption

Answer 20

• Public key cryptography
—Two (or more) mathematically related keys
• Private key
—Keep this private
• Public key
—Anyone can see this key
—Give it away
•The private key is the only key that can decrypt
data encrypted with the public key
—You can’t derive the private key from the public key

Question 21

The key pair

Answer 21

• Asymmetric encryption 
— Public Key Cryptography 
• Key generation 
—Build both the public and private key 
at the same time 
— Lots of randomization 
—Large prime numbers 
—Lots and lots of math 
• Everyone can have the public key 
—Only Alice has the private key

Question 22

Symmetric key from asymmetric keys

Answer 22

• Use public and private key cryptography
to create a symmetric key
—Math is powerful

Question 23

Elliptic curve cryptography (ECC)

Answer 23

• Asymmetric encryption 
—Need large integers composed of 
two or more large prime factors 
• Instead of numbers, 
use curves! 
—Uses smaller keys than 
non-ECC asymmetric encryption 
—Smaller storage and 
transmission requirements 
— Perfect for mobile devices

Question 24

Hashes

Answer 24

• Represent data as a short string of text
—A message digest
• One-way trip
— Impossible to recover the original message from the digest
— Used to store passwords / confidentiality
• Verify a downloaded document is the same as the original
— Integrity
• Can be a digital signature
—Authentication, non-repudiation, and integrity
• Will not have a collision (hopefully)
— Different messages will not have the same hash

Question 25

A hash example

Answer 25

• SHA256 hash 
— 256 bits / 64 hexadecimal characters 
• My name is Professor Messer. 
-SHA256 hash: 
19da9a2e26f3bff67f0522f962851c42542b8659333ac53397c8d65aa7a3f871 
• My name is Professor Messer! 
-SHA256 hash: 
54381cae1eea10892d81c8688d06d1928b4ee8495061a792864f83092b033aea 

19da9a2e26f3bff67f0522f962851c42542b8659333ac53397c8d65aa7a3f871
54381cae1eea10892d81c8688d06d1928b4ee8495061a792864f83092b033aea

Question 26

Collision

Answer 26

• Hash functions 
—Take an input of any size 
—Create a fixed size string 
—Message digest, checksum 
•The hash should be unique 
—Different inputs should 
never create the same hash 
—If they do, it's a collision 
• MD5 has a collision problem 
—Found in 1996 
—Don't use MD5 
MD5 hash:  79054025255fb1a26e4bc422aef54eb4

Question 27

Practical hashing

Answer 27

• Verify a downloaded file
—Hashes may be provided on the download site
—Compare the downloaded file hash with the posted hash value
E47df00b078b5f9daed0871f0e90d33faf906ba5d5f13b4b02b98351a819e3a7.iso
63177ed9a01f2116671655bf06266e5d *ubuntu-17.10-beta2-server-i386.iso
• Password storage
—Instead of storing the pa sword, store a salted hash
—Compare hashes during t e authentication process
—Nobody ever knows your actual password

Question 28

Digital signatures

Answer 28

• Prove the message was not changed 
— Integrity 
• Prove the source of the message 
— Authentication 
• Make sure the signature isn't fake 
— Non-repudiation 
• Sign with the private key 
—The message doesn't need to be encrypted 
— Nobody else can sign this (obviously) 
• Verify with the public key 
—Any change in the message will invalidate the signature

Question 29

Cryptographic nonce

Answer 29

• Arbitrary number
—Used once
—”For the nonce” - For the time being
•A random or pseudo-random number
—Something that can’t be reasonably guessed
—Can also be a counter
• Use a nonce during the login process
—Server gives you a nonce
—Calculate your password hash using the nonce
—Each password hash sent to the host
will be different, so a replay won’t work

Question 30

Initialization Vectors

Answer 30

•A type of nonce
—Used for randomizing an encryption scheme
—The more random the better
• Used in encryption ciphers, WEP, and older SSL implementations

Question 31

Salt

Answer 31

• A nonce most commonly associated 
with password randomization 
—Make the password hash unpredictable 
• Password storage should always be salted 
—Each user gets a different salt 
• If the password database is breached, 
you can't correlate any passwords 
—Even users with the same password 
have different hashes stored

Question 32

The strength of encryption

Answer 32

• Strong cryptography vs. weak cryptography
—It’s all relative
• Practically everything can be brute forced
—Try every possible key
• Strong algorithms have been around for a while
—That’s part of the reason that they are strong
—Wired Equivalent Privacy (WEP) had design flaws
• Strong algorithms
—PGP (Pretty Good Privacy), AES (Advanced Encryption Standard)
• Weak algorithms
— WEP (design flaw), DES (Data Encryption Standard - 56-bit keys)

Question 33

Give weak keys a workout

Answer 33

•A weak key is a weak key
—By itself, it’s not very secure
• Make a weak key stronger by performing multiple processes
—Hash a password. Hash the hash of the password. And continue…
— Key stretching, key strengthening
• Brute force attacks would require reversing each of those hashes
—The attacker has to spend much more time, even though the key is small

Question 34

Cryptographic keys

Answer 34

•There’s very little that isn’t known
about the cryptographic process
—The algorithm is usually a known entity
—The only thing you don’t know is the key
•The key determines the output
—Encrypted data
—Hash value
—Digital signature
• Keep your key private!
—It’s the only thing protecting your data

Question 35

Key strength’

Answer 35

• Larger keys tend to be more secure
— Prevent brute-force attacks
—Attackers can try every possible key combination
• Symmetric encryption
— 128-bit or larger symmetric keys are common
—These numbers get larger as time goes on
• Asymmetric encryption
—Complex calculations of prime numbers
— Larger keys than symmetric encryption
—Common to see key lengths of 3,072 bits or larger

Question 36

Key exchange

Answer 36

•A logistical challenge
—How do you transfer an encryption key
across an insecure medium
without having an encryption key?
• Out-of-band key exchange
—Don’t send the symmetric key over the ‘net
—Telephone, courier, in-person, etc.
• In-band key exchange
—It’s on the network
—Protect the key with additional encryption
—Use asymmetric encryption to deliver a symmetric key

Question 37

Real-time encryption/decryption

Answer 37

•There’s a need for fast security
—Without compromising the security part
• Share a symmetric session key using
asymmetric encryption
—Client encrypts a random (symmetric) key with a server’s public key
—The server decrypts this shared key and uses it to encrypt data
—This is the session key
• Implement session keys carefully
—Need to be changed often (ephemeral keys)
—Need to be unpredictable

Question 38

Finding the balance

Answer 38

• Low power devices 
—Mobile devices, portable systems 
—Smaller symmetric key sizes 
— Use elliptic curve cryptography (ECC) for asymmetric encryption 
• Low latency 
— Fast computation time 
—Symmetric encryption, smaller key sizes 
• High resiliency 
— Larger key sizes 
—Encryption algorithm quality 
—Hashing provides data integrity

Question 39

Use cases

Answer 39

• Confidentiality
—Secrecy and privacy
—Encryption (file-level, drive-level, email)
• Integrity
—Prevent modification of data
—Validate the contents with hashes
—File downloads, password storage
• Obfuscation
—Modern malware
—Encrypted data hides the active malware code
—Decryption occurs during execution
• Authentication
—Password hashing
—Protect the original password
—Add salts to randomize the stored password hash
• Non-Repudiation
—Confirm the authenticity of data
—Digital signature provides both integrity and non-repudiation
• Resource vs. security constraints
—An ongoing battle
— Browser support vs. supported encryption
—VPN software support vs. supported algorithms