A 5-Minute Refresher to Cryptography

 (featuring Alice and Bob)

by Rajvi Shroff

It’s an age-old question. Alice wants to send a message to Bob. But how can Alice send it to Bob without Eve, the snoopy eavesdropper, looking into their conversations or perhaps even tampering with them? Cryptography is the answer, and in this article we’ll have a quick refresher on how cryptography underpins the virtual world.

Overview: Where and How Cryptography is used

Cryptography was and is everywhere – in history and in the present. What began as Caesar Cipher evolved into the Vigenère Cipher, and now includes Public-Key Cryptography and more.

Cryptography techniques can be broken down into two: symmetric and asymmetric algorithms. Cryptography plays a role in all aspects of our digital life, from the password hashing and salts used to sign into accounts, the HTTPS and TLS/SSL encryption used on websites while we surf online, the encryption and decryption associated with openPGP and S/MIME while we check our emails, or even end-to-end encryption when sending text messages. Our main goals involve confidentiality, integrity, and authenticity (the “A” here is different from CIA Triad). Confidentiality would mean that only the people who are supposed to be reading your message can read it, whereas integrity of the message indicates that the message hasn’t been tampered with. Authenticity, on the other hand, is the notion that the sender of the message shown to the recipient isn’t different from the original sender.

(A)Symmetric

As cryptography has advanced, concepts such as SSL certificates and checksums have come into play. For this, let’s turn to symmetric and asymmetric encryption, the two possible kinds of encryption.

Symmetric Key Encryption

A key is a string of random characters used to alter data.

This kind of encryption uses one key for both processes, encryption and decryption. In this technique, the encryption process is very fast. However the drawback is that symmetric key encryption only provides confidentiality. Examples of encryption algorithms include AES and DES.

Asymmetric Key Encryption

This kind of encryption instead uses 2 keys, one is private and another is public. It is safer compared to symmetric encryption though the encryption process takes time. The majority of our modern cryptography system is based on asymmetric key encryption. For example, we have the RSA, Diffie-Hellman, DSA, and ECC.

Public Key Infrastructure (PKI)

This is a kind of a Two Key Asymmetric Cryptosystem. Cryptosystem is what the encryption algorithms typically entails; components include the encryption and decryption algorithms,

encryption and decryption keys, and plaintext and ciphertext. The cryptosystem uses both a public and a private key. How does the PKI ensure the principles of confidentiality, integrity, and authenticity?

Let’s take a look:

Confidentiality – All transactions remain private because of how encryption works in this framework

Integrity – PKI ensures that alteration can be detected hence a breach can be detected

Authenticity – PKI is what enables digital certificates, which in turn help us ensure authenticity.

Cryptographic hashes and Applications

Let’s look at another common scenario: downloading online files. How can you make sure that the file you’re downloading is legitimate, and in fact not a piece of malware? Hashes are  one-way cryptographic algorithms which map plaintext into ciphertext. Hashing is meant to verify that a piece of data hasn’t been altered and is authentic. Hashing is also sometimes referred to as “one-way encryption” as it’s supposed to only encrypt and is not meant to be easily reversed.

When used, it will produce a unique value based on the input. If the input changes even slightly, the hash produced will also change. Its applications include checking file and software integrity, password hashing and more.

Hash applications in file integrity checks

For example, a hash (checksum) is used to verify the integrity of the download. Checksums are a sequence of numbers and letters which are generated by algorithms. One of the most popular algorithms to generate these is the SHA-256, a hashing algorithm from the “Secure Hash Algorithm” family. The checksum will be given from the download source, and after downloading the document locally, the hash of the download file can also be generated and compared against the source. If the hash is not the same, then it is a cause of concern, as it is evidence of tampering.

Hash applications in password hashing

Another use of hashing is in password hashing.

Salting is a concept associated with passwords and their hashes. The process goes like this: the salt and hashing algorithm are added to the password which yields the hashed salted password. Usually this is stored in a database along with the salt. The salt can be appended either at the beginning or the end of the password, though the salting happens before the hashing.

When a user attempts to access their account, the password they enter is hashed and then checked with the hash stored in the internal file system, and both must match for a successful log-in. The site stores the passwords for all users in a database. If the site is being secure about it, instead of the passwords being stored in plaintext (so if anyone malicious accesses the database they would have easy read access), the passwords will be salted and hashed and then stored. This is sometimes the cause of breaches where hackers gain access to systems because of passwords only being stored in plaintext such as the Evite breach in 2019.

Diffie-Hellman Key Exchange

The Diffie-Hellman protocol is for sharing keys, instead of exchanging information. Its usage spans from SSL encryption to SSH (secure shell protocol) to PKI. It relies on the complexity of the discrete logarithm problem. The sophistication of the key exchange lies in the fact that Alice and Bob can share a secret key over a medium that is inherently insecure and susceptible to Eve listening in, and the key allows future communications between Alice and Bob to be encrypted.

RSA Algorithm

The RSA (Rivest–Shamir–Adleman) algorithm is an asymmetric key encryption that is based on the idea that factoring large prime numbers is cumbersome and time-consuming. RSA is a modern algorithm currently used in digital certificates such as SSL and in digital signatures.

Cryptography and Everyday Cybersecurity

Cryptography makes the world go round – literally! It’s a fundamental part of our digital world, without which we could not stay connected to each other and access the wealth of resources on the internet.

About the Author

Rajvi Shroff is an award-winning woman in cybersecurity, reporter for Cyber Defense Magazine and is a first year college student majoring in computer science. She is a 4-time CTF national winner and 2-time National Cyber Scholar with Honors in national cybersecurity competitions, including Girls Go Cyberstart and CyberStart America, having placed in the top 34 in the US. She is a cybersecurity public speaker, and has spoken at various SANS conferences and for the Linux Foundation about technologies such as quantum computers and topics such as cryptography, including keynoting at the SANS Pen Test Hackfest Summit. She has the GIAC GSEC and GIAC GFACT cybersecurity certifications and was invited to and is currently on the GIAC Advisory Board for scoring higher than 90% on the GSEC certification. She is the founder of Cyber Student Crew (previously Project Cyber), a global platform for cybersecurity-minded teens to write articles about digital security. She also served on the Youth Advisory Board for KQED, a public media broadcasting organization affiliated with NPR, where she co-produced a live radio talk show segment on cybersecurity to increase public awareness, for KQED Forum. For her efforts in cybersecurity she was named one of the 2023 Aspirations in Computing National Award Winners by NCWIT, the National Center for Women & Information Technology.

Rajvi can be reached online at https://www.linkedin.com/in/rajvi-khanjan-shroff-791007261 or via email  at [email protected]