Confidentiality in cryptography

This article is an addon to my previous article that explains the complete high-level overview of network security in web applications using cryptography. In this article let's discuss the details on how to achieve confidentiality for the data that’s exchanged between the sender and receiver typically a client & a web server. Encryption and Hashing are ways to achieve data confidentiality.

Encryption:

In simple terms, encryption is the process of converting the data from plain text into a format that only the sender and receiver can understand. The data/message that’s encrypted is also known as ciphertext.

Image Credits: https://ecomputernotes.com/images/Data-Encryption.jpg

Encryption is done using encryption algorithms. An encryption algorithm is basically a sequence of steps that are performed on the plain text to get the ciphertext. Similarly, decryption is the process of converting ciphertext to plain text. The process of encryption is done using Keys which is technically a sequence of characters.

Types of encryption:

Encryption can be done in 2 ways.

1. Symmetric Key encryption
2. Asymmetric Key encryption (a.k.a. Public Key encryption)

1. Encryption using Symmetric Key:

Image Credits: https://www.researchgate.net/profile/Muhammad-Javed-78/publication/4365726/figure/fig2/AS:670041485889559@1536761747773/Symmetric-Key-Encryption.png

In symmetric-key encryption, the process of encryption at the sender side & decryption at the receiver side is performed using the same key that’s share b/w the sender & receiver. To explain this concept in simple terms, let us construct our own encryption algorithm.

Example: Let's say our plain text that the client wants to send to the webserver is as “Hi Server. My password is I_AM_A_PROGRAMMER”.

Note: Let's assume the client and web server agree on using our algorithm to encrypt and decrypt the message.

Encryption algorithm usage: For every character in the message we replace the character with the kth(let's take k=1 for this example) next character and wrapped around a circle(i.e., for character ‘z’ the next character would be ‘a’). Let’s give it an apt name “THE INCREMENTAL ALGORITHM” (TIA).

Decryption algorithm usage: For every character in the message we replace the character with the kth(as mentioned earlier k=1) previous character and wrapped around a circle(i.e., for the character ‘a’ the previous character would be ‘z’).

Using this algorithm on the plain text given above would give “Ij_Tfswfs. Nz qbttxpse jt J_BN_B_QSPHSBNNFS” which would be sent to the server. The server would then use the decryption algorithm to decrypt the ciphertext back to the plain text i.e., “Hi Server. My password is I_AM_A_PROGRAMMER”.

This is not a very strong encryption algorithm as attackers could easily reverse engineer the algorithm.

The key in this algorithm is ‘k’ which we considered to be 1 in this example. Technically it can be any value that’s shared between sender & receiver.

Note: There is a small problem that’s left out in this article i.e., how to securely exchange the symmetric key between both parties(client & server). There is a commonly used algorithm that works using Asymmetric Key encryption known as Diffie-Hellman key exchange. That is a really simple and interesting algorithm that is widely adopted and used. I would highly recommend reading this article to understand it and most importantly remember it with ease.

2. Encryption using Asymmetric Keys:

Image Credits: https://blog.systoolsgroup.com/wp-content/uploads/2013/12/Asymmetric-encryption.png

As the name suggests, in this type of encryption we have 2 different keys with different purposes. There is a public key that can be shared with anyone on the internet, and there is a private key that is only known to the party that generated it. For our example, the client & server generate their own public and private key pairs i.e., Client generates its own public key which it can share with anyone, and its own private key which it keeps confidential & similarly server generates its own public and private keys. Both keys are 50% powerful.

Note: Using the same key(either public/private) to encrypt & decrypt doesn’t work in Asymmetric key encryption.

Example: An analogy I like to use to explain Asymmetric key encryption and the concept of public and private keys is. Think of a Facebook account, everyone who wants to communicate with their friends, family or anyone on the internet will have to create a Facebook account. With the account we get 2 things, a username & a password. If someone wants to communicate with you on Facebook we give them our username so that they can send us messages. We know that the messages can only be read by us because only we have the password for our account. Similarly, if we want to send messages to someone we get their username and send messages.

Hashing

In simple terms, hashing is the process of converting data using hash functions.

Image Credits: https://networkencyclopedia.com/wp-content/uploads/2019/08/hashing-algorithm.png

Properties of hash functions:

1. Same input gives same output everytime.
2. No matter the input size we get a fixed output size.
3. Even if the input is changed just by a single character, the output becomes totally unpredictable.
4. This process is irreversible i.e., there is no way to get the Plain text back from the Hashed text

There are a lot of industry-wide popular strong encryption & hashing algorithms that are widely used such as RSA, AES, MD5, etc. These algorithms are proven to be resistant to malicious attacks and are hard/impossible to decrypt. Using 1 of the above types of encryption/hashing we can achieve confidentiality which is the main motto of this article. In the next articles, we will discuss how to achieve integrity and authenticity.