A Crash Course in Cryptography

A Crash Course in Cryptography

There are many fascinating topics in the universe of Information Security, but if I had to place one above all others (this being a purely personal opinion), Cryptography would occupy the highest level.

This topic has its deepest roots in pure mathematics, but now touches many areas of technology in the daily lives of thousands of people… so much so that in many cases its presence is taken for granted. It is present on multiple levels and is the key that guards our electronic secrets.

But…What is cryptography?

Symmetric and Asymmetric Cryptography

Cryptography is a method to encode content in a format that is impossible to read for those who are not authorized to do so. It is composed of a series of technologies that, together, keep data safe. The term encryption is roughly synonymous with cryptography.

The original text, which is readable by anyone, is called clear text or plain text. Encryption produces encrypted text.

When using unprotected connections, without a proper encryption protocol, it is relatively easy for a snooper to steal personal information by seeing data in transit in the clear. For instance, if you sit in a café and send email over a connection that is not protected by cryptography, the person on a computer at another table could pick up your traffic and ready your email.

We can categorize the various types of cryptography as either symmetric or asymmetric.

Symmetric cryptography uses the same, single secret key to encrypt the clear information and to decrypt it. If the text is being transmitted between people both the sender and the receiver use the same key.

In practice, the sender encrypts the message with a secret key, then transmits the message through a communication channel. The recipient receives the message and decrypts it with the secret key. The recipient normally receives the key from the sender through a predefined, safe transmission channel–not the same channel used for the message, because by definition that channel is assumed to be viewable by attackers.

The keys represent a shared secret between the parties, which can be used to maintain a private link of information.

Symmetric cryptography is relatively simple (although the mathematics used to create the key is very sophisticated), easy to implement, and has good overall performance.

Among the algorithms that support symmetric cryptography we find:

  • DES
  • 3DES
  • AES

Among these, AES is currently the most modern and robust, and is commonly used for very sensitive information, even by government bodies.

Asymmetric cryptography, also known as public key cryptography, encrypts and decrypts data using two distinct keys. These two keys are named the «public key» and the «private key.» The public key can be distributed wherever the sender wants a message to be readable, whereas the private key must be kept, of course, secret.

If either of the two keys encrypts the message, it can be decrypted only with the other key.

Asymmetric cryptography is significantly slower than its symmetric counterpart, because the keys are longer and the related calculations to be performed are much more complex.

The exceptionally long length of the keys in use makes it practically impossible to derive private keys from the associated public keys, even though they are mathematically linked by the calculation that produced them both.

Because the public key can be safely transmitted over a channel where attackers can grab it, asymmetric cryptography is often used to exchange the secret key used later for symmetric cryptography.

Some of the algorithms that support asymmetric cryptography are:

  • El Gamal
  • Diffie Hellman
  • RSA

RSA, given its ease of use and its intrinsic robustness, which stems from computational entropy, is the preferred algorithm for encrypting and signing messages.

Public Key Infrastructure (PKI)

Asymmetric keys introduce another fundamental infrastructural concept in the matter of encryption: Public Key Infrastructure (PKI).

PKI is a sequence of processes and tools that allow authoritative third parties «in trust» to determine the identity of a user and to verify that a public key legitimately belongs to that user.

The impetus behind PKI is that, when users make initial contact online—such as by logging into a retail web site—they don’t know whether they are reaching the real person or company they want. A malicious “man in the middle” attacker could claim to be a major retail site, and an encryption key by itself cannot guarantee that the legitimate site is the one sending the key.

To provide the trust necessary for Internet communication among parties who don’t previously know each other, PKI registers identity of at least one party.

Identities are defined in a digital public key certificate with a standard called X.509.
A site called a Certification Authority (CA), which is recognized and trusted by both side, creates digital certificates that securely tie sites to their public keys. Web users generally trust CAs because the CAs’ identities are hardcoded into the user’s browser.

The implementation of PKI can be found, for example, in contexts such as:

  • Certificates for websites
  • Private networks and VPNs
  • Cloud applications and services
  • Email security
  • User and device authentication
  • Signing of documents and messages

Uses for Cryptography

You should now have a rough idea of cryptography and its value. Here we’ll look at different contexts for using cryptography:

  • Email
  • Web browsing
  • Data storage

Email

The main email encryption protocols are S/MIME and PGP/MIME.

S/MIME, which stands for Secure/Multipurpose Internet Mail Extensions, is integrated into most devices and uses a centralized CA to determine the encryption algorithm and keys to be used. S/MIME is primarily used in large Web-based email platforms.

PGP/MIME, which stands for Pretty Good Privacy/Multipurpose Internet Mail Extensions uses a decentralized authority model. In contrast to S/MIME, key management is not governed by a CA, but is more the responsibility of the user. Users rely on a «web of trust» to establish the authenticity of the user on the other side of the communication.This protocol depends on of third-party encryption software.

PGP/MIME is proprietary. A free re-implementation, GnuPG (also called GPG), performs the same task without major differences.

Web browsing

A user establishes an encrypted connection to a website by entering or clicking on a URL starting with HTTPS instead of HTTP. HTTPS is a hypertext transmission protocol that additionally is secure because all traffic sent over the Internet is encrypted. Therefore, when a connection is based on HTTPS, privacy and integrity of data are guaranteed.

HTTPS is the successor to HTTP, which transmits date in plain text and has been gradually deprecated (except for a few rare use cases).

The HTTPS protocol integrates HTTP with the TLS cryptographic protocol (a successor to another protocol for web encryption, SSL), adding a valid digital certificate. SSL and TLS are essentially the same protocol that has evolved over time, with TLS being the most modern format and now in version 1.3.

Browsers that send and receive data over secure HTTPS often display a green lock.

Data storage

Data can be encrypted at multiple levels: not just in transmission when email or the Web are used, but also locally on storage devices such as hard drives, USB drives,and tape drives.

The use of storage-side or file-side encryption greatly offsets the risk of data loss. Like encryption used on the network, storage-side encryption is a very powerful tool that protects all data on every device, regardless of the type of physical media, interface, or data privacy class.
Storage-side encryption is a great way to ensure data security, especially if the device is stolen.

Linux users can keep data safe through Linux Unified Key Setup (LUKS). It employs a brute force encryption algorithm and totally secures data if a strong password is used. LUKS is currently in version 2.

Newer Linux distributions also offer full disk encryption (FDE) at the end of operating system installation, setting a strong password to control access to the contents of the disk. But be careful and don’t forget your password: When data is encrypted on the disk using full disk encryption, if the password is lost the data inside will be very difficult to recover.

Absolute security is a pipe dream, but to paraphrase J. W. von Goethe, «He who wants to take sure steps must walk slowly.»

 

<< Read the previous part of this series | Read the next part of this series >>

 

If you want to learn more about cybersecurity and how to protect your data and reputation, take a look at Linux Professional Institute Security Essentials.

About Simone Bertulli:

Simone "Simo" Bertulli is a Cyber Security Expert and a Linux Enterprise Specialist; he started working on Linux systems since 2012, then extending his interest to the whole open source world, also creating a community in the Italian reality. Discovering the potential of open source software and the new opportunities they can create in the workplace is a stimulus for this passion, which brings with it the sustainability of technical solutions and professional skills. In the Cyber Security field he works in a SOC and has collaborated with the Packt publisher on the technical reviews of some video courses about blue team activities. In his spare time he takes technical certifications on various IT topics ("never stop learning" is his motto) and he likes to experiment with new technologies about security and virtualization for SOHO & Enterprise environments.

Deja una respuesta

Tu dirección de correo electrónico no será publicada. Los campos obligatorios están marcados con *