Integrity in cryptography

This article is an addon to my earlier articles “Explain Cryptography as I’m 5” & “Confidentiality in cryptography” that explains the complete high-level picture of network security in web applications using cryptography. In this article let’s discuss the details on how to achieve integrity for the data that’s exchanged between the sender and receiver typically a client and a web server. Just to quickly recap Integrity deals with ensuring whether the data was tampered with during the process of information exchange or not.

Asymmetric Key encryption:

As we already know from the previous article asymmetric key encryption works using 2 different keys i.e., public key & private key.

There are 2 interesting properties of the public-private key pair:

• If the message is encrypted with a public key then only its corresponding private key can decrypt the generated ciphertext.
• If the message is encrypted with a private key then only its corresponding public key can decrypt the generated ciphertext.

Let me explain why those 2 properties are important that no one speaks about. *Really important, pay attention*. The 2nd property fits the puzzle piece for How to achieve integrity. You ask how? Simple, whenever the sender wants to send a message to the receiver, he sends a digital signature along with the data, which is verified by the receiver.

Image Credits: https://3.bp.blogspot.com/-8k0StDssrJc/W2m7wcw7DFI/AAAAAAAADXA/VZ_HWKRG-TUtzZMUNNpgD_pU9GPhmRKDACLcBGAs/w1200-h630-p-k-no-nu/digital_signature.jpg

Digital Signature: In simple terms, a digital signature is nothing but an encrypted version of the original data’s hash.

Explanation of preceding diagram: Sender sends the digital signature along with the data and the receiver upon receiving it decrypts the digital signature using the public key of the sender to get the hash, and compares it with the hash of the data(plaintext) received.

Let us understand why we do this and why it makes sense. Our end goal with Integrity is to ensure that the data has not been modified. We learned about hash functions in our earlier article about Confidentiality (if you didn’t, I highly recommend you to check it out to have a clear understanding). We could leverage this and use it to our advantage. The only thing stopping us from using hash functions is, what if someone changed data along with its hash that’s sent along. But since we know asymmetric key encryption what if we can encrypt this hash using the sender’s private key. Then anyone with the sender’s public key can verify that it's been encrypted by the sender and thereby verify its legitimacy. If we are not able to decrypt it using the public key of the sender that basically means the data has been modified. And that’s what digital signatures are. Woohoo!

Image Credits: https://louwrentius.com/static/images/maninthemiddleattack.png

Even though we achieved Confidentiality & Integrity, we are still having an issue i.e., Man in the middle attack. In such attacks, some malicious actor pretends to be the server we want to talk to and sniffs/modifies the entire message(data + digital signature). The missing puzzle piece i.e., Authenticity deals with this problem. Check out the next article in the series to understand the solution to this problem and How authenticity can be achieved.