Cryptography Overview

Understanding the Need for and Uses of Cryptography

Gregory M. Kapfhammer

September 9, 2024

Getting Started in Computer Security

Learn the Lingo

Abbreviations

  • AAA
  • CIA
  • PDR

Concepts

  • Authentication
  • Authorization
  • Cryptography

Think Like a Hacker

Implementation

  • Look for vulnerabilities
  • Try to exploit them
  • Identify weakest links

Prevention

  • Use secure coding practices
  • Leverage security tools
  • Rethink everything!

What is a technology practice that you need to rethink from the perspective of computer security? Why? Next?

What is cryptography?

  • Establishes secure and confidential communication channels
  • Supports creation of digital signatures
  • Allows us to support the “AAA principles”:
    • Authentication
    • Authorization
    • Accounting
  • Ensures that attackers cannot “listen in” to communication
  • Ensures non-repudiation of digital communication

Important Insight: cryptography is one of the key building blocks of computer security!

Key Reminder: it is deceptively difficult to deploy cryptographic algorithms correctly!

Admonition: avoid the temptation to “roll your own” cryptography algorithms! Problems!

When do you use cryptography?

  • Commit data to a GitHub repository
  • Access a website using HTTPS
  • Use a password manager
  • Send a message in a chat app

Cryptography Terms

  • Plaintext: the original message
  • Ciphertext: the encrypted message
  • Cipher: the algorithm used to encrypt the message
  • Key: the secret used to encrypt the message
    • Symmetric Key: the same key to encrypt and decrypt
    • Asymmetric Key: different keys to encrypt and decrypt

Key Questions: What are the trade-offs between different types of keys? Ways to balance security, privacy, and performance? How?

Trapdoor Functions

  • One-way function: easy to compute, hard to invert
  • Examples: RSA, Diffie-Hellman, Digital Signatures
  • Insights about the RSA algorithm:
    • Easy to multiply two large prime numbers
      • Exponentiation
      • Multiplication
      • Modular arithmetic
    • Hard to factor the product of two large prime numbers
    • Encryption is “easy” and decryption is “hard” without the private key
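
The two directions of the RSA trapdoor, as an added example that is not part of the original slides: textbook RSA without padding, using only the Python standard library. The primes 1009 and 1013 and the message 4242 are constructed toy values, small enough that the "hard" factoring step finishes instantly, which is why real keys use much larger primes.

```python
"""Textbook RSA with toy primes (constructed values, no padding)."""
from math import gcd, isqrt


def make_keypair(p: int, q: int, e: int = 65537):
    """Easy direction: multiply two primes and derive both exponents."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p - 1) * (q - 1)")
    d = pow(e, -1, phi)  # private exponent: modular inverse of e
    return (n, e), (n, d)


def encrypt(message: int, public) -> int:
    n, e = public
    if not 0 <= message < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(message, e, n)  # modular exponentiation


def decrypt(ciphertext: int, private) -> int:
    n, d = private
    return pow(ciphertext, d, n)


def factor(n: int):
    """Hard direction: trial division, feasible only because n is tiny."""
    for candidate in range(3, isqrt(n) + 1, 2):
        if n % candidate == 0:
            return candidate, n // candidate
    raise ValueError("no odd factor found")


def private_from_public(public):
    """Whoever factors n can rebuild the private key from the public one."""
    n, e = public
    p, q = factor(n)
    return make_keypair(p, q, e)[1]


if __name__ == "__main__":
    public, private = make_keypair(1009, 1013)  # constructed toy primes
    print(decrypt(encrypt(4242, public), private))  # round trip
    print(private_from_public(public) == private)   # toy modulus is factored
```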

Cryptographic Hash Functions

  • Input: any length of data
  • Output: fixed length of data
  • Example: SHA-256, SHA-512, MD5
  • Insights about the SHA-256 algorithm:
    • Fixed length output
    • Deterministic
    • Fast computation
    • Designed by NSA
    • Cannot generate input from output!

Symmetric Encryption

  • Single key used for encryption and decryption
  • Examples: AES, DES, 3DES
  • Insights about the AES algorithm:
    • Block-based cipher
    • Key sizes of 128, 192, or 256 bits
    • Performs multiple rounds of encryption
    • Designed by Joan Daemen and Vincent Rijmen
  • Wait, how do you exchange the key securely?

Asymmetric Encryption

  • Public key used for encryption
  • Private key used for decryption
  • Steps for receiving an encrypted message:
    • Generate a public/private key pair
    • Publish the public key to a key server
    • Friend encrypts message with public key
    • You decrypt the message with the private key
  • Important trade-off: slower than symmetric encryption!

Stream and Block Ciphers

  • Stream Cipher: encrypts one byte at a time
  • Block Cipher: encrypts a block of bytes
  • Example: AES is a block cipher!
  • Modes of operation for block ciphers:
    • ECB: Electronic Codebook
    • CBC: Cipher Block Chaining
    • CFB: Cipher Feedback
    • OFB: Output Feedback
    • CTR: Counter
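
What the choice of mode changes, as an added example that is not part of the original slides: the same AES key encrypts a repetitive plaintext under ECB and under CTR, and the code counts distinct 16-byte blocks. It assumes the `cryptography` package is installed; the plaintext is constructed sample data.

```python
"""AES-ECB vs AES-CTR on a repetitive plaintext (constructed sample data)."""
import os

from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

BLOCK = 16  # AES block size in bytes


def encrypt(mode, key: bytes, plaintext: bytes) -> bytes:
    """Encrypt with AES under the given mode object (no padding applied)."""
    encryptor = Cipher(algorithms.AES(key), mode).encryptor()
    return encryptor.update(plaintext) + encryptor.finalize()


def distinct_blocks(data: bytes) -> int:
    """Number of different 16-byte blocks in data."""
    return len({data[i:i + BLOCK] for i in range(0, len(data), BLOCK)})


def compare_modes():
    """Return distinct-block counts for (plaintext, ECB, CTR)."""
    key = os.urandom(32)  # random 256-bit key
    # Four identical 16-byte blocks followed by one different block.
    plaintext = b"TRANSFER $100.00" * 4 + b"TRANSFER $999.00"
    ecb = encrypt(modes.ECB(), key, plaintext)
    ctr = encrypt(modes.CTR(os.urandom(16)), key, plaintext)
    return distinct_blocks(plaintext), distinct_blocks(ecb), distinct_blocks(ctr)


if __name__ == "__main__":
    print(compare_modes())
```

ECB repeats a ciphertext block wherever the plaintext block repeats, so the structure of the message stays visible, while CTR hides it. Neither mode detects tampering on its own; Fernet adds an HMAC for that.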

Combining Cryptography Algorithms

  • A virtual private network (VPN) works like this:
    • Use asymmetric encryption to exchange symmetric key
    • Use symmetric encryption for data transmission
  • Important Insights:
    • Fast because it mostly uses symmetric encryption
    • Using multiple algorithms can maintain/increase security
    • Yet, only as secure as the weakest link!
  • Whenever possible, limit manual human intervention in a secure process to avoid unexpected mistakes!

Case Study: Let’s Encrypt

  • Goal: Always encrypt packets sent to a web site!
  • Problem: How to make HTTPS more accessible?
  • Solution: Automated certificate authority system
  • Insights about the Let’s Encrypt system:
    • Uses the Automated Certificate Management Environment (ACME) protocol
    • Provides free SSL/TLS certificates
    • Automates the certificate renewal process
    • Requires a web server to support HTTPS

Cool, Let’s Encrypt is open source and free and supported by Netlify!

  • How do you get a certificate for your web site?
    • Customer generates a certificate signing request (CSR)
    • Customer sends CSR to Let’s Encrypt
    • Let’s Encrypt verifies the CSR
    • Let’s Encrypt issues a certificate
    • Customer installs the certificate on their web server
    • Direct integration with systems like Netlify
  • Reference: Let’s Encrypt: How it Works

Applications of Cryptography

  • Blockchain technology
  • Secure messaging apps
  • Secure payment systems
  • Hardware security modules
  • Trusted platform modules

Key Insight: Cryptographic algorithms underpin many of the applications that we use on a daily basis! Let’s try to program them for better understanding! Start by revisiting basics from last week!

Security Synapses

  • Use cryptography.fernet to encrypt a string and record
    • Automatically generate a symmetric key
    • Encrypted string generated by encrypt_string
  • Use recorded details to decrypt the string and display it
    • Define the encrypted_data byte-encoded string
    • Define the key as a byte-encoded string
  • Confirm that decrypted string matches the original one
  • Variables are shared across programming environments!

Revisiting Symmetric Encryption

Revisiting Symmetric Decryption

Recap on Symmetric Encryption

  • Key Benefit: symmetric encryption is fast and secure
  • Important Reminder: always securely exchange the key!
  • Review Questions:
    • What does a Fernet key look like?
    • What are the requirements for a Fernet key?
    • What if the Fernet key does not match?
    • What is the purpose of the b prefix?
    • How can you securely exchange the key’s contents?
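
The Fernet steps from the Security Synapses slide and the first three review questions above, as an added example that is not the course's own code. `encrypt_string` and `encrypted_data` are the names used on the slide; `decrypt_string`, `describe_key`, `key_is_accepted` and `tampered` are hypothetical helpers, and the `cryptography` package is assumed to be installed.

```python
"""Fernet round trip following the Security Synapses steps (added example)."""
import base64

from cryptography.fernet import Fernet, InvalidToken


def encrypt_string(text: str):
    """Generate a fresh symmetric key and return (key, encrypted_data)."""
    key = Fernet.generate_key()
    encrypted_data = Fernet(key).encrypt(text.encode("utf-8"))
    return key, encrypted_data


def decrypt_string(key: bytes, encrypted_data: bytes):
    """Return the plaintext, or None when the key or the token is wrong."""
    try:
        return Fernet(key).decrypt(encrypted_data).decode("utf-8")
    except InvalidToken:
        return None


def describe_key(key: bytes):
    """A Fernet key is URL-safe base64 text that decodes to 32 bytes."""
    return len(key), len(base64.urlsafe_b64decode(key))


def key_is_accepted(candidate: bytes) -> bool:
    """Fernet rejects anything that is not 32 base64-encoded bytes."""
    try:
        Fernet(candidate)
        return True
    except ValueError:
        return False


def tampered(encrypted_data: bytes) -> bytes:
    """Flip one bit inside the token to exercise the integrity check."""
    raw = bytearray(base64.urlsafe_b64decode(encrypted_data))
    raw[20] ^= 0x01
    return base64.urlsafe_b64encode(bytes(raw))


if __name__ == "__main__":
    key, encrypted_data = encrypt_string("Security Synapses")
    print(key, encrypted_data)  # both are byte strings, hence the b prefix
    print(decrypt_string(key, encrypted_data))
```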

Revisiting Content Hashing

Exploring Asymmetric Encryption

Exploring Asymmetric Decryption

  • You must correctly define ciphertext_input_asym!
  • The ciphertext must have the correct length and format

Recap on Asymmetric Encryption

  • Key Benefit: supports secure key exchange
  • Important Reminder: securely store the private key!
  • Review Questions:
    • What does an rsa private key look like?
    • How does key_size affect the rsa algorithm?
    • What is the purpose of padding.PKCS1v15()?
    • What if the rsa keys are used incorrectly?
    • How can you combine symmetric and asymmetric encryption?
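
One way to combine the two, matching the VPN pattern in Combining Cryptography Algorithms and the last review question above; this is an added example, not the course's own code. It assumes the `cryptography` package, the function names are hypothetical, and it uses OAEP padding rather than the `padding.PKCS1v15()` named on the slide, since OAEP is the padding recommended for new RSA encryption.

```python
"""Hybrid encryption: RSA wraps a Fernet key, Fernet protects the data."""
from cryptography.fernet import Fernet
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa

# Swapped-in padding: OAEP with SHA-256 instead of PKCS1v15.
OAEP = padding.OAEP(
    mgf=padding.MGF1(algorithm=hashes.SHA256()),
    algorithm=hashes.SHA256(),
    label=None,
)


def generate_recipient_key(key_size: int = 2048):
    """Create the recipient's RSA private key (the public key derives from it)."""
    return rsa.generate_private_key(public_exponent=65537, key_size=key_size)


def seal(public_key, message: bytes):
    """Sender side: needs only the recipient's public key."""
    session_key = Fernet.generate_key()                  # fresh symmetric key
    wrapped_key = public_key.encrypt(session_key, OAEP)  # slow, small input
    token = Fernet(session_key).encrypt(message)         # fast, any length
    return wrapped_key, token


def open_sealed(private_key, wrapped_key: bytes, token: bytes) -> bytes:
    """Recipient side: unwrap the session key, then decrypt the data."""
    session_key = private_key.decrypt(wrapped_key, OAEP)
    return Fernet(session_key).decrypt(token)


def max_rsa_plaintext(key_size: int) -> int:
    """Largest message, in bytes, that RSA-OAEP with SHA-256 encrypts directly."""
    return key_size // 8 - 2 * hashes.SHA256.digest_size - 2


if __name__ == "__main__":
    recipient = generate_recipient_key()
    wrapped_key, token = seal(recipient.public_key(), b"x" * 1000)
    print(len(wrapped_key), max_rsa_plaintext(2048))
    print(open_sealed(recipient, wrapped_key, token) == b"x" * 1000)
```

A 2048-bit key can encrypt at most 190 bytes directly under this padding, so RSA carries only the 44-byte session key while Fernet carries the 1000-byte message.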

Wrapping Up on Encryption

Key Concepts

Types of Encryption

  • Symmetric
  • Asymmetric
  • Hashing

Important Terms

  • Plaintext
  • Ciphertext
  • Key

Best Practices

Implementation

  • Use established libraries
  • Securely manage keys
  • Understand the trade-offs

Prevention

  • No “rolling your own”
  • Update and patch packages
  • Encrypt sensitive data