Today we invite you to a comprehensive and in-depth series on cryptography. We'll try to explain this subject from the beginning, so that both IT professionals can gain something from our articles, as well as people without experience in the field. Enjoy reading!
Cryptography, Cryptology - Why?
In the 1970s, cryptology was a science mainly understood by people associated with the military or universities. Today, everyone unknowingly uses it, and the market often implements cryptographic solutions to create secure IT products. The concept of encryption and decryption itself dates back to ancient times.
The goal of solutions proposed by cryptography is, among other things, to enable the secure transmission of messages through an insecure communication channel, like the Internet, or the secure storage of data in a file.
What Problems Does Cryptography Seek to Solve?
First, let's look at the problems that can arise with classical message transmission using postal mail. In our assessment, these are the fundamental threats an average recipient might face when wanting to securely deliver a message to someone:
- The sent message must be unreadable to anyone intercepting the letter. If someone opens the letter, the message they find should be a jumble of unintelligible characters that cannot be restored to the original content without knowledge of a certain key.
- The message cannot be changed, and we must be certain it hasn't. If the letter contained certain strikethroughs, corrections with a pen, we might suspect that the message has been modified.
- The identity of the sender and/or recipient must be known.
- Identity must be confirmable.
- The exchange of keys used for encrypting letters can happen through an insecure medium (mail, courier delivering the message).
Although the last two points may seem somewhat abstract when applied to letters, we need to adopt such a perspective to understand the cryptographic processes that occur in computers/Internet. These requirements in cryptography have their counterparts and are illustrated through requirements for transmitted data. It looks as follows:
- Confidentiality: Information should only be accessible to the intended recipient, and no other person should be able to obtain it.
- Integrity: Information must not be modified during storage or transmission between sender and intended recipient.
- Authentication: The identities of the sender and/or recipient are verified.
- Non-repudiation: The sender of the message cannot deny sending a specific piece of information.
The above requirements are a more formalized version of those presented in the previous listing. However, they are not one-to-one mappings but rather comparisons intended to build a certain intuition for the user. In general, we will fulfill the above requirements using concepts such as hash functions, symmetric cryptography, asymmetric cryptography, digital signatures, certificates, and passwords.
But actually, why these abstract concepts?
In order to achieve a specific effect and level of security, we will blend various cryptographic techniques to attain the desired outcome. The desired outcome depends on the specific requirements of a given system. However, there are many situations that are quite repetitive, and through which each of us goes unconsciously every day while using a computer. Examples of cryptography applications include scenarios like:
- User-provided passwords, which we'll use to authenticate them on our website.
- Storing passwords in a database as a hash.
- To prove that a specific document comes from a certain user, we'll need to use both a digital signature mechanism and a certificate.
- When connecting to a server, we might need to use the SSH protocol, which leverages mechanisms like challenge-response or the Diffie-Hellman key exchange protocol.
- A user's web browser interacting with an online store receives a certificate that the website/server uses to confirm it's a legitimate, verified store, not a scam. Simultaneously, the user provides a login and password to prove ownership of their account.
These are just some examples of how we use cryptography in modern-day computing. In our series, we'll attempt to cover as many cryptographic mechanisms as possible, showing their contemporary applications and implementations in a simple and clear manner.
Definitions - Encryption vs. Encoding
Starting the conversation about cryptography, we can't avoid introducing certain concepts that we will use throughout this series?
Plaintext, Cleartext - The message to be hidden.
Ciphertext, Cryptogram - The encrypted plaintext.
Encryption is a frequently encountered process in the field of cryptography and general cybersecurity. It's an operation through which human-readable text (plaintext) is transformed into an encrypted form (ciphertext) through a series of operations and substitutions. Encrypted text cannot be read or decrypted without the appropriate encryption key.
Encoding is the process of transforming the structure of text presentation, achieved by applying a known and reversible set of substitutions. This process does not rely on the use of a key, and therefore, encoded text can be decoded, provided that the applied encoding is known. An example of a simple encoding in computer technologies is Base64. Encoding does not provide any protection, as it is known, reversible, and does not involve the use of a key (a key is not used in the encoding process).
Decryption is the reverse operation of encryption, which means converting a ciphertext back to plaintext.
Encrypting/decrypting algorithm, also known as a cipher, is a set of rules and steps used for encrypting/decrypting information.
Encrypting/decrypting key, usually kept secret, is required to process ciphertext into plaintext using an algorithm.
If you would like to delve into the definitions in more detail, we recommend the following article from geeks4geeks.
Other concepts often confused with encryption or other cryptographic terms are:
Steganography is the practice of embedding information within another message or physical object in such a way that the presence of the information is not obvious upon human inspection. Steganography attempts to hide the fact of communication, in contrast to encryption. In a computer context, the message is hidden within another file, message, image, or video. In the classical understanding of steganography, no keys are used.
Hashing is the process of mathematically transforming arbitrarily long data (such as a file or text) into a fixed-length string, e.g., 256 bits, known as a "digest." It is generated using a special mathematical function called a hash function or hashing algorithm. The key feature of this function is that even a tiny change in the input data results in a substantial and unpredictable change in the resulting digest, meaning that if we modify the input text by just one letter, our hash result will completely change.
Understanding the basic concepts, goals, and principles of cryptography is crucial to grasp its deeper secrets and more abstract notions. We'll discuss passwords and hashing functions in more detail next week, so make sure you have a good understanding of this topic. We also encourage you to explore the sources we've used ourselves. Until next time!
- Nowoczesna kryptografia - Jean-Philippe Aumasson