Student Library

Cryptography Basics

7 min read

Part 1: Key Terms

This section is focused on defining key terms in cryptography

Cryptography, Cryptanalysis, and Cryptology

  • Cryptography: The art and science of hiding information. It focuses in creating methods to scramble information so that the intended recipient can only understand it.
  • Cryptanalysis: The opposite of cryptography; the art of science of decoding or reading hidden information. Cryptanalysts figure out how to read encrypted messages without having the key itself.
  • Cryptology: The umbrella term that covers both cryptography and cryptanalysis.

Plaintext, Ciphertext, Key, Algorithm

  • Plaintext
    • The original message before it was encrypted.
    • The information you want to keep secret.
    • Example: Meet me at the library at 3 pm.
  • Ciphertext
    • The scrambled, unreadable version of the message after it was encrypted.
    • Example: Xjhh gr dw wkh olexudub dw 3 sp
  • Key
    • A piece of hidden information used to encrypt or decrypt the message.
    • Analogous to a physical key of a lock.
    • The key allows you to unlock the ciphertext.
  • Algorithm:
    • The specific rules or steps used in the encryption and decryption process.
    • Analogous to the lock mechanism of a lock

Encryption, Decryption

  • Encryption: The process of converting a plaintext into a ciphertext using a key and an algorithm; the process of locking the message.
  • Decryption: The process of converting a ciphertext back into the plaintext using the correct key and the same algorithm; the process of unlocking the message.

Types of Cryptography

  • Symmetric-key cryptography
    • It uses the same key for encryption and decryption.
    • Analogous to the regular door lock (the same key locks and unlocks it).
    • Prone to the key distribution problem.
      • The problem goes, how do you and the recipient securely share the secret key in the first place?
    • Examples: Advanced Encryption Standard (AES)
  • Asymmetric-key cryptography (Public-key cryptography)
    • It uses two different keys, a public key and a private key.
    • The public key is shared with anyone and is used to encrypt messages
    • The private key is a secret key kept by the owner used to decrypt messages that were encrypted with a corresponding public key.
    • Examples: RSA algorithm
  • Hashing
    • A one-way process.
    • It takes an input and produces a fixed-size, unique fingerprint called a hash value (or a digest).
    • Unlike other types, you cannot get the original input back from the hash.
    • The same input always produces the same hash value.
    • Tiny changes in the input results in a different has.
    • It is computationally infeasible to find two different inputs that produce the same hash.
    • Often used in checking file integrity and in storing passwords.
    • Example: SHA-256

CIA Triad+

These outline the core goals of information security

  1. Confidentiality: Keeping information secret and only accessible to authorized individuals.
  2. Integrity: Ensure that information is accurate and has not been tampered with.
  3. Avaliability: Ensure that information and systems are accessible to authorized systems when they need them.
  4. Authenticity: Verifying the identity of the user or the origin of a message.
  5. Non-repudiation: Making sure that someone cannot deny that they performed an action.

Threat, Vulnerability, Risk, Attack

  • Threat: Anything that could potentially cause harm to a system or data.
  • Vulnerability: A weakness in the system that a threat could exploit.
  • Risk: The likelihood of a threat exploiting a vulnerability, and the potential impact of that happening.
  • Attack: The actual attempt to exploit a vulnerability.

Part 2: Historical Ciphers

This section explores the principles of classical ciphers.

Substitution Ciphers

Each letter of the plaintext is replaced with a different letter or symbol according to a specific rule.

  • Caesar Cipher
    • One of the most simplest substitution ciphers.
    • Each letter in the plaintext is shifted a fixed number of positions down the alphabet.
    • The key is the number of positions to shift.
  • Monoalphabetic Substitution Cipher
    • Instead of a simple shift, you create a random mapping of each letter of the alphabet to a different letter.
    • The key is the complete mapping or the substitution alphabet.
  • Polyalphabetic Substitution Cipher
    • Uses multiple substitution alphabets.
    • A keyword is used to determine which alphabet to use for each letter of the plaintext.
    • One good example is the Vigenère cipher.

Transposition Ciphers

The letters of the plaintext are rearranged and permuted according to a specific rule, but the letters themselves are not changed.

  • Rail Fence Cipher
    • The message is written in a zigzag pattern, using multiple rows.
  • Columnar Transposition Cipher
    • The plaintext is written in rows of a fixed length (determined by a keyword) then read out column by colum, with the columns being chosen in an order based on the keyword.

Reasons for Lack of Security

  1. Computers. What might have taken cryptanalysts days, months, or years to break can be done by a computer in seconds or minutes, with the added perk of cryptanalyst methods being automated
  2. Limited Key Space. Some ciphers have a relatively small number of possible keys, which a computer can simply try all of them quickly.
  3. Statistical Analysis. Methods that leverage statistics can reveal patterns in the ciphertext that betray the underlying plaintext.
  4. Known-plaintext Attacks. If an attacker might know or guess a small part of the plaintext, the process of breaking the cipher can be much easier.
  5. Lack of Diffusion and Confusion: These are the key properties of modern ciphers:
    • Diffusion: Changing a single bit in the plaintext should change many bits of the ciphertext; the spread of information throughout the ciphertext.
    • Confusion: The relationship between the key and the ciphertext should be as complex and nonlinear as possible.

Part 3: Basic Security Principles

This section focuses on common security principles.

  • Defense in Depth
    • It relies on multiple, overlapping security protocols to protect and secure information.
    • It is important as security measures are not always perfect and redundancy can provide protection even if one safety control fails.
      • Example: A sensitive database might have a:
        • firewall for network access control
        • intrusion detection/prevention systems for monitoring malicious activity.
        • strong authentication to verify user identities
        • encryption to protect data at rest and transit.
        • regular security audits and penetration tests.
  • Principle of Least Privilege (PoLP)
    • Users should be given only the minimum necessary access rights to perform their tasks.
    • Do not give someone more privileges than they absolutely need.
    • It is important as it reduces the potential damage from a successful attack.
  • Zero Trust (ZT)
    • “Never trust, always verify.”
    • It assumes that no user or device from inside or outside the network should be automatically trusted.
    • Every access request must be verified.
    • Here are some of its core principles:
      • Verify Explicitly: Authenticate and authorize every user, device, or application before granting access.
      • Assume Breach: Design your security as if an attacker is already inside your network.
      • Microsegmentation: Dividing security parameters for refined access control.
  • Security through Obscurity
    • Relying on the secrecy of the design or implementation of a system as the main method of security.
    • Generally bad as attackers will eventually discover the hidden details through reverse engineering or other techniques.
    • It also prevents the design up for scrutiny, which allows vulnerabilities less likely to be discovered and fixed.
  • Kerchoffs’ Principle
    • It states that a cryptographic system should be secure even if everyting about the system, except the key, is public knowledge.
    • This allows open design systems to be peer reviewed by cryptographers and security researchers.
    • Since a design is public, it also builds more trust.
    • This means that open design cryptographic systems are better than closed design systems

Graph View