Week 10: Cryptography 101

February 25, 2022

Intro to Crypto

Definitions

encryption: process of modifying a message or informationto prevent authorized access; plaintext to ciphertext w/ key

encoding: digital to binary; publicly available schemes for different circumstances

cypher: method of designing secret or hidden messages

Binary Encoding

8 bits = 1 byte
1 byte: 00000000 to 11111111
each byte can represent a number called a decimal

ASCII Encoding

convert decimal numbers to text encoding
Example: 84 = T, 118 = v, etc

Hex Encoding

numeric system made up of 16 symbols of A-F and 0-9
example: 52 = R, 7A = z

Octal Encoding

digits zero through seven.
octal value 042 represents the decimal 34.

https://www.rapidtables.com/

Goals of Cryptography

PAIN Model: Privacy, Authentication, Integrity, Non-Repudiation

privacy at rest & in motions
authentication: confirm the identities of the sender and receiver of data
integrity: not altering message
non-repudiation: cannot change history

Cryptography Cyphers

Stream cipher: algorithmn applied one bit (char) at a time

enigma
caesar cypher: shifting letters a set of number of positions from the original letter

Block cipher: applied in blocks of characters

transposition cypher: break input message into equal-sized blocks, rearrange letters of each block

OpenSSL: generate a random key and IV (init vector) to encrypt/decrypt terminal commands

create the key and initialization vector (IV) aka randomness
openssl enc -pbkdf2 -nosalt -aes-256-cbc -k mypassword -P > key_and_IV
enc stands for encryption.
-pbkdf2 specifies the encryption key type.
-nosalt specifies that salting will not be applied.
(Salting, which will be covered in more depth later, adds a random value.)
-aes-256-cbc is the name of the cipher used.
-k PASSWORD creates a key, with the password mypassword.
-P > key_and_IV prints out the key and IV to a file called key_and_IV.
For example:
key=89E01536AC207279409D4DE1E5253E01F4A1769E696DB0D6062CA9B8F56767C8 iv =EE99333010B23C01E6364E035E97275C

decrypt
openssl enc -pbkdf2 -nosalt -aes-256-cbc -in plainmessage.txt.enc -d -base64 -K 89E01536AC207279409D4DE1E5253E01F4A1769E696DB0D6062CA9B8F56767C8 -iv EE99333010B23C01E6364E035E97275C

The syntax is the same as the encryption except for -d

Modern Cryptography

key space = 2^bit size

key space: the possible range of numbers that can be used as a key for the encryption algo that is defined by the number of binary bits used in the key called bit size

Symmetric Key algos: single shared key

DES Data Encryption Standard – 56-bit from 70s
3DES
AES Advanced Encryption Standard: 128, 192, 256-bits

Issues with SKE

offline exchange: you have to somehow exchange key yo
key management when too many

Asymmetric Key Encryptions

two-key pair: public & private
RSA from 70s = factorization of the product of two prime numbers to deliver encryption of 1024-bits and up to 2048-bit key length

GPG: GNU Privacy Guard

CLI tool to simplify creation, encryption, decryption of asymmetric key cryptography
see day 2

Hashing: SHA, SHA2, MD, LM, NTLM

irreversible/ one way
fixed lengths
used to store passwords verified against hash
see day 2

Encryption

bitlocker for Windows – symmetric disk encryption
Filevault for mac
S/MIME and PGP for emails
SSL Secure Socket Layer for web = public key cryp

Stenagraphy: hidden messages within files, images, or videos

SSL Certificates: X.509 is standard

data files that use public key cryp to secure connections between browser and web server
certificate authority (CA) to issue
__ Steps to Issue SSL Cert__
(1) company documents to validate application authentic
(2) unique IP address
(3) CSR Certificate Signing Request: a block of encrypted data that is created on the web server where the SSL cert will be installed
when generating CSR, public key is sent to CA, private is on web server

root store: per-established list of trusted CAs for browsers;
– root cert authorities top of trust chain, typically not org that issue SSL cert
– intermediate cert authirities – issue cert, report to root auth

Steps to Access Web Traffic:
(1) access a secure website, browser asks for cert details
(2) server responds with copy of SSL cert and public key
(3) browser validates cert by checking expiry and root CA
(4) browser uses servers public key to create, encrypt and send a session key
(5) server decrypts key, sends acknowledge, starts an encrypted session
(6) secure web traffic begins w/ session key

Crytographic Attacks

Statistical Attack: exploits weakness in crypto algo by attemoting to determine in “random” values produced are actually predictable
– mitigation: be sure algos use random values

Brute Force Attack: no shit

Birthday/Collision/Hashing Collusion Attack: exploit probability that two separate plaintexts that use the same hash algo will product the same ciphertext
– based on probability theory called Birthday Paradox: for any given number of people, there will always be two that share a bday
– mitigation: stronger hashing algo limit possibilities

Frequency Analysis for cracking substitution algos
– analyze most frequently used letters and infer
– mitigation: use a stronger encryption

Replay Attacks: attacker intercepts an encrypted message and replays it to the receiving party to get access, i.e. signal for garage door
– mitigation: add an expiration time for data so it cant be used later