A very basic introduction to cryptography

It has got to the point where I want to start learning more about digital security, so lately I've started learning a bit about cryptography. Cryptography is described as the art of writing or solving codes. It is of course only one segment of the giant security pie, but without cryptography security systems would be a lot less... well... secure.

Cryptography can get extremely deep and complex, especially when you start looking into cryptology (the maths behind it), so, being my first dive into learning about crypto, this post will be more of an overview of the basic concepts. I am aiming to work through the Matasano crypto challenges, so hopefully there will be posts about more specific ways to decrypt cipher texts in blogs to come... and you will have a better idea as to what I am going on about.

What is Cryptography?

Cryptography is used to encrypt information. Once information is encrypted it is transformed into a scrambled up, unreadable format. The only way to unscramble it is to use a secret key. This is known as 'deciphering' or 'decrypting' a message.

Sometimes an attacker will manage to unscramble the encrypted message without the secret key. This is known as cryptanalysis or code breaking.

Here are the guarantees that cryptography makes when it comes to securing a communication:

Integrity - guarantees that a message hasn't been modified in a way it shouldn't have

Confidentiality - the message is kept secret

Authenticity - guarantees that a message comes from where it was supposed to

What is it used for?

Some modern day applications of cryptography include email encryption, hard drive encryption, encrypting mobile phone data, passwords for logging into sites, bank cards, electronic passports, online banking, GSM (mobile!) voice encryption and iTunes & Kindles (digital rights management stuff). As far as communications and data transfer are concerned it is pretty much everywhere, though the idea of cryptography has been around for a very long time - as far back as 2000 BC and hieroglyphics.

Symmetric encryption

Symmetric encryption is a subset of cryptography and is probably the most basic example to use for explaining how a message may be secured. Here a key is used to encrypt a message and then the same key is used to decrypt it at the other end. Here the encryption will only get you confidentiality and perhaps a weak guarantee about authentication.

Two people are communicating over a channel that may not be secure. They are called Alice and Bob. Examples of insecure channels could be GSM & wifi/internet which can be open channels. The attacker (Oscar) wants to listen in on Alice and Bob to find out some top secret information.

OSCAR! (attacking!!)

ALICE ------------------------------------> Insecure channel! -----------------------------------> BOB

-------- = top secret message (Not encrypted!)

Cryptography can be used to encrypt the message sent from Alice to Bob so that Oscar can only see random characters.

OSCAR!

(Can't understand the message and use for evil)

ALICE ------------------------------------> Insecure channel! -----------------------------------> BOB

(Encrypts) (Decrypts)

An encryption algorithm is used at Alice's end to generate the cipher text. Encryption algorithms are also referred to as ciphers, and the string of jumbled up characters they produce is known as 'cipher text'. Bob has a key which tells the decryption how to change the cipher text back into a message that makes sense. Bob's key needs to correspond to Alice's to unlock the message. A key is basically a parameter that defines what the output of the cipher will be: it tells the cipher how to change plain text into cipher text, and how to reverse that when the message is decrypted.
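The Alice, Bob and Oscar exchange above as an added example (not code from the original post), using AES-256-GCM from Ruby's standard OpenSSL library. The method names and the sample message are made up for illustration, and GCM is chosen here because it also lets Bob detect a modified message.

```ruby
require 'openssl'

# Alice: encrypt with the shared secret key. GCM mode also produces an
# authentication tag so that Bob can detect changes made on the channel.
def alice_encrypt(key, plaintext)
  cipher = OpenSSL::Cipher.new('aes-256-gcm')
  cipher.encrypt
  cipher.key = key
  iv = cipher.random_iv # fresh nonce for every message, sent in the clear
  ciphertext = cipher.update(plaintext) + cipher.final
  { iv: iv, ciphertext: ciphertext, tag: cipher.auth_tag }
end

# Bob: the same key reverses the transformation. Returns nil when the key
# is wrong or the message was altered in transit.
def bob_decrypt(key, message)
  cipher = OpenSSL::Cipher.new('aes-256-gcm')
  cipher.decrypt
  cipher.key = key
  cipher.iv = message[:iv]
  cipher.auth_tag = message[:tag]
  cipher.update(message[:ciphertext]) + cipher.final
rescue OpenSSL::Cipher::CipherError
  nil
end

# Constructed helper: flips one bit of the ciphertext to model a message
# that was modified on the insecure channel.
def flip_first_bit(message)
  bytes = message[:ciphertext].bytes
  bytes[0] ^= 0x01
  message.merge(ciphertext: bytes.pack('C*'))
end

shared_key = OpenSSL::Random.random_bytes(32) # 256-bit key Alice and Bob share
sent = alice_encrypt(shared_key, 'top secret message') # constructed sample
puts "Oscar sees:      #{sent[:ciphertext].unpack1('H*')}"
puts "Bob reads:       #{bob_decrypt(shared_key, sent)}"
puts "Wrong key gives: #{bob_decrypt(OpenSSL::Random.random_bytes(32), sent).inspect}"
puts "Tampered gives:  #{bob_decrypt(shared_key, flip_first_bit(sent)).inspect}"
```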

What are these encryption algorithms?

There are many well known encryption algorithms (some common examples being AES, DES, Blowfish... if you google you will find long lists). It is very unlikely that a programmer would ever need to write their own encryption algorithm; in fact, it is recommended that rather than trying to make your own, you use something that has been tried and tested for many years. This is basically because it is very difficult to create a secure encryption algorithm.

Until the 1970s people kept these algorithms secret (a long time to go down the path of secrecy considering crypto started way way back). It was then realised that this was a bad idea, and for an encryption algorithm to be truly secure it should be openly available to everyone... and still for no one to be able to decipher it. Everything is pretty open in cryptography, everything other than the actual keys generated, in the hope that people will try and break the codes. When they can't after years and years then the algorithm is proved to be pretty solid.

Cryptanalysis

Some cryptanalysis methods include brute force, pattern matching and social engineering. The brute force approach basically involves working out every possible key combination and trying each one out until the cipher text is deciphered. This generally takes ages and the algorithms are often future-proofed to ensure that even as machine speeds advance, the decipher key would still take forever to find. Pattern matching is a really basic way of me saying that mathematics and logic are used to find patterns in cipher text. Examples of this could be the probability of certain letters appearing in a sentence and using that logic to figure out which character they could have been replaced with, or patterns in what plain text generated hashes are known to represent. Social engineering involves physically going to a place where secret information is stored and obtaining it.
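Brute force and letter-frequency analysis combined, as an added example that is not from the original post. It uses a Caesar shift cipher (not mentioned in the post) as a toy cipher with only 26 keys; the frequency table is approximate and the sample sentence is constructed.

```ruby
# Approximate frequency (percent) of each letter in English text.
ENGLISH_FREQ = {
  'a' => 8.2, 'b' => 1.5, 'c' => 2.8, 'd' => 4.3, 'e' => 12.7, 'f' => 2.2,
  'g' => 2.0, 'h' => 6.1, 'i' => 7.0, 'j' => 0.15, 'k' => 0.77, 'l' => 4.0,
  'm' => 2.4, 'n' => 6.7, 'o' => 7.5, 'p' => 1.9, 'q' => 0.095, 'r' => 6.0,
  's' => 6.3, 't' => 9.1, 'u' => 2.8, 'v' => 0.98, 'w' => 2.4, 'x' => 0.15,
  'y' => 2.0, 'z' => 0.074
}.freeze

# Toy cipher: rotate every letter by `shift` places; the shift is the key.
def caesar_shift(text, shift)
  text.gsub(/[a-z]/) { |c| ((c.ord - 97 + shift) % 26 + 97).chr }
      .gsub(/[A-Z]/) { |c| ((c.ord - 65 + shift) % 26 + 65).chr }
end

# Chi-squared distance between the text's letter counts and English.
# Lower means the text looks more like English.
def english_score(text)
  letters = text.downcase.scan(/[a-z]/)
  return Float::INFINITY if letters.empty?

  counts = letters.each_with_object(Hash.new(0)) { |l, h| h[l] += 1 }
  ENGLISH_FREQ.sum do |letter, pct|
    expected = letters.size * pct / 100.0
    (counts[letter] - expected)**2 / expected
  end
end

# Brute force: try every key, keep the candidate that looks most English.
# Returns [key, plaintext].
def crack_caesar(ciphertext)
  (0...26).map { |key| [key, caesar_shift(ciphertext, -key)] }
          .min_by { |_key, candidate| english_score(candidate) }
end

# Constructed sample message, encrypted with key 7.
sample = 'Cryptography is used to encrypt information so that only ' \
         'someone holding the secret key can read the original message'
key, plaintext = crack_caesar(caesar_shift(sample, 7))
puts "key=#{key} plaintext=#{plaintext}"
# 26 keys fall instantly; AES-256 has 2**256 keys, which is why trying
# every key against a modern cipher is not practical.
```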

Encryption Gems in Ruby

Luckily we don't have to manually write out these algorithms to encrypt our code. Ruby gems (and of course libraries in other languages) allow us to easily insert the functionality into our own projects.

There are numerous Ruby gems that can be added to your codebase to secure data. A useful gem for password hashing is Bcrypt Ruby. Hashing is actually a different thing altogether to encryption. This is because hash functions are designed to be non-reversible and generate a fixed length signature that is always the same for the same input. There should never be an easy way to reverse a hash. Bcrypt is a really good thing to use because it means that a password can be easily hashed and this password hash can be stored in your database in a 'password digest' row. So a password could look something sort of like this in a database: "$2a$10$zbMs7mLoTF/4iz9FvBNgcONBwxsbdeIyYK8Ig.L8HQ3t..." which is way safer than storing the actual password string a user entered. You can then use a method called has_secure_password which will be able to validate the password a user enters with the password hash stored in the database using a password_confirmation field. This is the Railscast that I used to learn how to set that up: http://railscasts.com/episodes/270-authentication-in-rails-3-1
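What a stored password digest contains and how a login is checked against it, as an added example that is not from the original post or from the bcrypt gem. It uses PBKDF2 from Ruby's standard OpenSSL library as a stand-in for bcrypt so that it runs without extra gems; the method names and the digest layout are made up for illustration, in the same spirit as the `$2a$10$...` string above, where `2a` is the bcrypt version and `10` the cost.

```ruby
require 'openssl'

ITERATIONS = 100_000 # work factor; plays the role of bcrypt's cost

# Hash a password for storage. The random salt means two users with the
# same password get different digests; salt and cost are stored with it.
def hash_password(password, salt: OpenSSL::Random.random_bytes(16),
                  iterations: ITERATIONS)
  derived = OpenSSL::KDF.pbkdf2_hmac(password, salt: salt,
                                     iterations: iterations,
                                     length: 32, hash: 'sha256')
  ['pbkdf2-sha256', iterations, salt.unpack1('H*'),
   derived.unpack1('H*')].join('$')
end

# Compare two strings without stopping at the first differing byte.
def secure_equal?(left, right)
  return false unless left.bytesize == right.bytesize

  left.bytes.zip(right.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Check a login attempt: hash it again with the stored salt and cost and
# compare the result with what the database holds.
def verify_password(attempt, stored)
  _algorithm, iterations, salt_hex, _hash = stored.split('$')
  candidate = hash_password(attempt, salt: [salt_hex].pack('H*'),
                                     iterations: iterations.to_i)
  secure_equal?(candidate, stored)
end

stored = hash_password('correct horse') # constructed sample password
puts "stored digest: #{stored}"
puts "right password accepted: #{verify_password('correct horse', stored)}"
puts "wrong password accepted: #{verify_password('wrong guess', stored)}"
```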

So there you have the absolute basics of crypto. This seems like a really exciting, historically intriguing and very important area to explore within the realms of technology so I am looking forward to sharing more in this blog, the further I delve into it.