In this post, we will take a look at some essential concepts of cryptography such as encryption, decryption, symmetric and asymmetric encryption, hashing and etc.
This is a series blog posts that explores the core concepts in modern cryptography:
Cryptography Basics - Part I: Encryption and Hashing
Cryptography Basics - Part II: Digital Signature and Digital Certificates
Cryptography Basics - Part III: CA, PKI and TLS
Cryptography is the practice of securing communication from unauthorized access or manipulation, typically by converting plaintext (unencrypted) information into a coded form called cipher-text (encrypted) using mathematical algorithms and techniques. The primary goal of cryptography is to provide confidentiality, integrity, authentication, and non-repudiation to data being transmitted over a communication channel or stored in a digital form. These concepts are achieved through various cryptographic techniques, including encryption, decryption, digital signatures, and hash functions.
Cryptography has been long. The oldest application of cryptography is military secrets protection. One of the best know cipher is the Caesar Cipher, attributed to Julius Caesar. It is used to send confidential information to his commanders and soldiers in the field.
A massive use of cryptography in the modern world is on the Internet. HTTPS use cryptographic ciphers to protect information flowing between client and servers. Passwords are stored in encrypted format to protect from hackers. Other sensitive commercial information are encrypted to avoid disclosing to public.
1. Encryption and Decryption
Cryptography is achieved by converting data into a different form called cipher-text or code which is often incomprehensible. This process is called encryption. The reverse process, which converts cipher-text into original data, is called decryption.
To perform encryption and decryption, we will need Algorithm and Keys. The algorithm here can be considered as a mathematical procedure needed to convert data into cipher-text or recover from it. The key here is a piece of information used with algorithm to fulfill that process.
Encryption VS Encoding
You probably have heard about encoding, which is a different process from encryption. The purpose of encoding is to transform data so that it can be properly stored or consumed by a different type of system.
For example, a message encoded by Morse Code does not have privacy protection, as anyone knows the Morse code standard can understand it; yet, the encoded message can be transferred from one place to another through telecommunication.
On the other hand, encryption is to transform data in order to keep it secret from others.
2. Key Length and Encryption Strength
The strength of encryption is related to the difficulty of discovering the key, which in turn depends on both the cipher and the length of the key. Key length is measured in bits.
Generally speaking, longer keys provide stronger encryption. Then the question comes: should we always use a very long key? A longer key may be stronger for encryption; yet, it will also require more calculation during encrypting and decrypting. Thus, a proper key length helps finding a balance between encryption strength and its operability.
Furthermore, different algorithms have different compute procedures. Given the same key length, different algorithms will have different encryption strength. In other words, to achieve the same level of encryption strength, different algorithms might need to use different key lengths.
3. Symmetric Key Encryption
Symmetric Key Encryption is a type of encryption where only one key is used to both encrypt and decrypt data. This is in contrast to Asymmetric Key Encryption, where two different keys are used: one for encryption and the other for decryption. The entities communicating via symmetric encryption must exchange the key in a secretive way.
The secret key being used can be a specific password/code or just a random string. Besides the secret key, an encrypting algorithm is needed as well. This algorithmic procedure includes ways of both encryption and decryption.
Some examples of symmetric encryption algorithms include:
AES (Advanced Encryption Standard), this is the most popular one used today
DES (Data Encryption Standard)
IDEA (International Data Encryption Algorithm)
Blowfish (Drop-in replacement for DES or IDEA)
RC4 (Rivest Cipher 4)
RC5 (Rivest Cipher 5)
RC6 (Rivest Cipher 6)
AES, DES, IDEA, Blowfish, RC5 and RC6 are block ciphers. RC4 is stream ciphers.
Block cipher uses block algorithm, where original data is divided into blocks and encrypted with the secret key. During the encrypting process, data will be held in memory before the entire encryption process is done.
Stream cipher uses stream algorithm, where data is encrypted as streams instead of blocks being retained in system memory.
AES is the symmetric encryption choice for most applications today. It is very widely used, mostly with 128-bit or 256-bit keys. 256-bit keys are considered strong enough to protect military top-secret data.
4. Asymmetric Key Encryption
Asymmetric key encryption, also known as Public-Key Encryption, uses a pair of keys (Public Key and Private Key) for encryption/decryption in contrast to just one key in Symmetric Key encryption.
A public key is a key used by any person to encrypt a message so that it can only be decrypted by the intended recipient with the related private key. An encrypted message with a public key can Only be decrypted by the related private key when the pair of keys were initiated. A private key is usually held by the key initiator and is kept from public.
Public key is usually published online for users to download. In this case, when a user wants to send an encrypted message to a recipient, he can download the public key and encrypt the message with it and then send the encrypted message to the recipient. As the encrypted message can only be decrypted by the related private key, which is held by the recipient. The information contained will be protected from external access.
On the other hand, if a private key holder encrypts the message with the private key, any user with a public key can decrypt it. A scenario for this use case is to authenticate the message is really sent by the private key holder.
As the one-way nature of the encryption function, a sender is unable to read the message of another sender, even though they have the same public key. In other words, a public key cannot decrypt a message which is encrypted by that public key.
Asymmetric Key Encryption is widely used today and many protocols rely on it, such as TLS (Transport Layer Security) and SSL (Secure Sockets Layer, NOT used anymore today) which makes HTTPS possible. The encryption process is also used when a secure network connection needs to be established. Besides, Asymmetric Encryption can also be used to authenticate data using digital signatures.
RSA (Rivest-Shamir-Adleman) Algorithm is usually used for Asymmetric encryption and it has become pretty much an industry standard, which also offers choices of key size and digest algorithm.
5. Symmetric VS Asymmetric Encryption
Asymmetric encryption was developed to replace Symmetric encryption in some scenarios, as Symmetric encryption has an inconvenient drawback – the need to share the symmetric key between sender and receiver.
For example, suppose we have a service provider who is also a message receiver. He will be communicating with various service users. Specifically, those users will be sending messages to the receiver and those messages need to be encrypted.
In this case, using Symmetric Key encryption requires that key to be shared among users. This is not a secure way to do it. If one user compromises the key, the encryption could be compromised. As more users are starting to use the service, risk of compromising the key will increase as well. Furthermore, if a user who possesses the symmetric key is a hacker and intercepts the encrypted message, he will be able to decrypt the message as well.
On the other hand, a lot of times, it is not practical for service provider to use different symmetric keys for different users, e.g. 1000 users will result in 1000 different keys, and that would be difficult to manage.
Asymmetric encryption resolves this issue. First, a public key is published to all the users, any user can download the public key, so there is no such thing as ‘compromising the public key’. Second, when a user encrypts a message using the public key, it can’t be decrypted with that public key. In other words, other users possessing this public key can’t decrypt the message. Only the private key holder can decrypt the message. Third, regarding user scaling, since the public key is already published, increasing user number is not an issue.
As Asymmetric encryption involves two keys, the processing time is increased. That is, Asymmetric encryption usually takes longer time than Symmetric encryption.
Factor | Symmetric Encryption | Asymmetric Encryption |
---|---|---|
Number of Keys | One Key | Two Keys - Public and Private Keys |
Complexity | Simple technique as only one key is used to carry out both operations | Contribution from separate keys for encryption and decryption makes it a fairly more complex process |
Swiftness of Execution | Fast | Relatively slow |
Algorithms | AES | RSA |
6. Hashing
Hashing in the cryptographic context usually refers to the process of generating a fixed-size output from an input of variable size. This is done via the use of hash functions, which are mathematical algorithms.
Hashing is a one-way method. In other words, an input value through a hash function will generate a hashed string, but the hashed string can’t be reversed to recover the original input value. This is different from Symmetric/Asymmetric encryption and is designed on purpose.
Besides one-way feature, there are two important features regarding hashing:
Whether it’s a giant file or a small amount of input, the output hash string is fixed length
Even if it is a huge file, a tiny change will result in a very different hash string
Here are some examples:
Adding a dot to “hello world” string will result in a very different string. The hash string of a downloaded Ubuntu ISO file is still 64 characters.
Seeing those features of hashing, now the question becomes where we should use hashing. While Symmetric/Asymmetric encryption is to protect the information from being accessed from others, the purpose of hashing is to verify the integrity of the data received.
For example, when a user receives a data pack from a sender, how does he know the received data is not missing fragments or tampered?
To help with that, the sender can generate a hashed value of the data and send both data and generated hash string to the receiver. Once the receiver receives the data and hashed value, the receiver can do the same as what the sender has done – generate the hashed value from the original data and then compared the two hashed strings. If the data received has changed, the newly generated hash string will be different from the original hash string, and hence the receiver knows the data is missing fragments or tampered. He can then inform the sender and find another way to send the data.
Real world applications
Some examples of real world applications for hashing:
Password Verification – Storing password in a plain text is insecure, so nearly all passwords are stored as hashes. When a user input a password, it is hashed and the result is compared to the stored hash value to authenticate the user.
Signature Generation and Verification – Verifying signatures is a process to verify the authenticity of a digital document or message. A valid digital signature gives its receiver strong proof that the message was created by a known sender and that message was not altered in transit. We will look at digital signature and verification later.
Verify File and Message Integrity – Hashes can be used to make sure messages and files transmitted from sender to receiver are not tampered with during transit. This practice builds a “chain of trust”.
7. Sum Up
In this post, we started with the basic concepts of encryption and decryption. Then we looked at symmetric encryption and asymmetric encryption, the two most popular encryption types nowadays. Then we listed out their pros and cons. After that, we took a peek at hashing as well.
We will continue our exploration in Cryptography Basics - Part II.