What is Cryptography? Why do we need it?
Throughout history, people have encrypted data using various encryption methods. They stored/sent the encrypted version of the data. Thus, encrypted data could only be read by people who could decrypt it. What this means is that if you don’t have the right key, you can’t decrypt it.
Encryption, and the exposure of encrypted information, is very important. It can even have a decisive influence on the outcome of a war. A recent example is the Enigma encryption machine used by Germany during World War II to encrypt and decrypt military messages. Enigma had a significant effect on Germany gaining the upper hand. Alan Turing, a British mathematician, computer scientist, and cryptologist, deciphered the Nazis’ encrypted messages. He played a major role in changing the course of the war. Nazi Germany also used a cipher machine named Lorenz SZ 40/42, which had stronger encryption methods. Colossus computers developed by the Allies deciphered these ciphers, which brought defeat to the Nazis.
Encryption isn’t just necessary for messaging in wars, of course. We use cryptography everywhere in our daily life. For example, online shopping transactions, banking transactions, e-mail and message exchange, and communication between the wireless modem and the devices we connect to it are all encrypted.
It would not be wrong to say that if all cryptographic functions stopped working for a day, life would stop. Bank transactions would not take place, internet traffic would stop and mobile phones would no longer work. All of our important information would be exposed, and it would do great harm to all of us. Cryptography is a basic way of preventing this from happening.
In today’s modern communication, as in the past, there is a need for cryptography since privacy is at stake. One of the best-known methods in history is the Caesar Cipher, used by Julius Caesar (100–44 BC).
Caesar used this encryption method to communicate with Cicero when he conquered Europe. Each letter in the message was shifted 3 steps to the right in the alphabet to obtain the ciphertext. In the decoding process, each letter was shifted 3 steps to the left.
In the example in the figure, the key is 19 and each letter is shifted forward 19 for encryption.
No matter how simple this system was, nobody encrypted their messages that way. Anyone who intercepted these messages (possibly by hijacking the courier) thought it was garbage or some other language. As time went on, this and similar encryption methods were broken by methods such as letter frequency (density) analysis and lost their credibility.
The encryption method regarded as theoretically the safest is the One Time Pad. It requires an identical large set of keys on the receiver and sender. The key is XORed with the text to be encrypted to obtain the ciphertext.
For example, when we are going to send an encrypted message, we choose a key equal to the length of our clear text from the set of keys and tell the other party which key in the set we chose. The selected key is used once and discarded. Thus, even if we send the same message, the ciphertext changes because the message will be encrypted with a different key. This can never be broken.
A printed one time password booklet can be seen in the image above.
However, one of the problems here is the need, each time, for a key as long as the text to be encrypted. Another is how to securely transmit keys to the other party. In addition, the sent keys must be kept securely. Although it was used in the past, it has no place in today’s practice.
Today we use more complex algorithms, such as AES-256, which try to provide a high level of privacy. These algorithms are publicly available and full details of how they work are available on the internet. Some people think of this as a vulnerability, because according to them, for true privacy, both the algorithm and the key must be secret. A larger group believes that making a system public helps strengthen algorithms.
Kerckhoffs’s principle says that stronger security is achieved when the algorithm protecting the data is publicly known, because that way, cryptanalysts can find vulnerabilities that need patching and ultimately make the algorithm stronger.
If you hide the algorithm from the public, you have complete secrecy at first because no one knows how to start cracking the code, but a hacker could still get hold of this algorithm and find a vulnerability.
The basic principle of a modern cryptographic system is that we rely on the secrecy of the keys, not the secrecy of the algorithm used. A modern encryption system has four main purposes.
• Confidentiality: Only authorized persons should be able to access the information.
• Integrity: Information should not be changed during storage or transport; any changes should be detectable.
• Authentication: Both the sender and receiver must be identified and then authorized before any information can be exchanged.
• Non-repudiation: A mechanism that proves that the sender did indeed send this message and the receiver actually received it. This ensures the “digital” legitimacy and traceability of a transaction.
Performing encryption and decryption requires confidential information such as algorithms and keys. The science of cryptology is divided into cryptography and cryptanalysis.
Cryptography deals with converting (encrypting) data into a different format that is unintelligible (often called ciphertext). Cryptanalysis, on the other hand, deals with revealing encrypted data and finding the secret key. Methods used in cryptanalysis include trying all passwords, shrinking the key space, replay (repetition), monitoring traffic, and exploiting algorithm weaknesses.
To briefly talk about some of these methods: we need up to 10,000 different attempts to crack a 4-digit password. This is called a brute force attack. Another example is shrinking the key space.
Another is the known plaintext attack: if we have a ciphertext and the plaintext of this ciphertext, we can find the key from them. We can then expose all the data encrypted with the same key.
Changing the ciphertext by intervening (the man in the middle) is one of the dangerous attacks. The goal here is not to decipher the entire ciphertext or to obtain the key, but to change the value by intervening in the ciphertext. For example, if there is an order to send 1 million TL in a bank transfer, which is sent in encrypted form, the attacker changes some bit values in the encrypted text to send 5 million TL. Although it is difficult, this is one of the attack types.
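Why encryption alone does not give integrity, and how an authentication tag detects the change described above. This is an added example, not part of the original article; the order text, the offset of the amount and the function names are constructed, and a plain XOR cipher with a random key stands in for the bank's encryption.

```python
import hashlib
import hmac
import secrets

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def xor_cipher(key: bytes, data: bytes) -> bytes:
    """XOR encryption with a key as long as the data; the same call decrypts."""
    if len(key) != len(data):
        raise ValueError("key must be exactly as long as the data")
    return xor_bytes(key, data)

def alter_in_transit(ciphertext: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Modify the ciphertext without the key: XORing old^new into it
    turns `old` into `new` once the receiver decrypts."""
    delta = xor_bytes(old, new)
    patched = xor_bytes(ciphertext[offset:offset + len(delta)], delta)
    return ciphertext[:offset] + patched + ciphertext[offset + len(delta):]

def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt, then append an HMAC-SHA256 tag computed over the ciphertext."""
    ciphertext = xor_cipher(enc_key, plaintext)
    tag = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()
    return ciphertext + tag

def unseal(enc_key: bytes, mac_key: bytes, message: bytes) -> bytes:
    """Check the tag before decrypting; reject anything that was modified."""
    ciphertext, tag = message[:-32], message[-32:]
    expected = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: message was modified")
    return xor_cipher(enc_key, ciphertext)

ORDER = b"TRANSFER 1000000 TL"  # constructed sample order
AMOUNT_OFFSET = 9               # position of the leading digit in ORDER

if __name__ == "__main__":
    enc_key = secrets.token_bytes(len(ORDER))
    mac_key = secrets.token_bytes(32)
    changed = alter_in_transit(xor_cipher(enc_key, ORDER), AMOUNT_OFFSET, b"1", b"5")
    print(xor_cipher(enc_key, changed))  # receiver decrypts a different amount
    sealed = alter_in_transit(seal(enc_key, mac_key, ORDER), AMOUNT_OFFSET, b"1", b"5")
    try:
        unseal(enc_key, mac_key, sealed)
    except ValueError as err:
        print(err)
```

Modern authenticated modes such as AES-GCM combine both steps, so the receiver never acts on a ciphertext that fails the check.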
An example of a replay (repeat) attack is cards that can be loaded with money and do not have an ID. In the past, such cards were used by soldiers or by students on campuses. You load money on the card; when you want to buy something, you have the card read and the relevant amount is deducted from it. The reader checks only the balance on the card and there are no other controls. In this case, if you copy a card full of money as it is, you will have a new card loaded with money, since there is no control other than the balance.
Cryptography can be divided into three groups as symmetric encryption, asymmetric encryption and hash functions.
Symmetric encryption
Symmetric key encryption (also known as private key encryption) uses the same key to encrypt and decrypt data. It is primarily used for privacy and confidentiality. The key we use to lock and unlock the door of the house is the same, and this example is often used to describe the symmetrical key. Data encryption keys used today work with bits, not letters.
Examples of symmetric encryption are AES-256, Triple-DES, or Blowfish. Here each algorithm runs its own complex mathematical tasks with a provided key to both encrypt and decrypt the message.
Symmetric encryption is a good encryption method for bulk data (e.g. hard drives or unused data), but there are some flaws:
Exchange of keys between parties creates a problem in symmetric encryption. If the key is not sent securely, an attacker could attempt to obtain the plaintext key with a “man-in-the-middle” attack. Keys must be exchanged securely.
As mentioned above, encryption algorithms with symmetric keys use the same secret key for encryption and decryption, so that the “receiver” of a message can compose it, claiming that the “sender” sent it, and it may be impossible to determine who is telling the truth.
Symmetric ciphers are divided into block ciphers and stream ciphers.
In a block cipher, the text to be encrypted is divided into blocks of the size, in bits, required by the encryption type. Each block goes through some operations with the symmetric encryption key, and ciphertext of the same length as the input block is obtained. The same operations are repeated until all plaintext is encrypted. Data Encryption Standard (DES) (NIST FIPS PUB 46) and Advanced Encryption Standard (AES) (NIST FIPS PUB 197) are two popular encryption types, but there are many other types of symmetric block ciphers. After about 30 years of use, DES was broken due to its small key size. AES, the winner of one of the symmetric encryption competitions and launched in 2001, is one of the most popular encryption algorithms today and is used in many applications, including the WhatsApp application and Wi-Fi systems.
In stream encryption, the key is first expanded by some method to the size of the text to be encrypted, and then the text and the expanded key are combined with a bitwise XOR operation. Thus, the ciphertext is obtained. Generated keys should not be interrelated and keys should be unpredictable. The NIST SP 800-22 tests are used for this. Using the same key for two or more messages can reveal the hidden text. RC4 stream encryption is used in applications such as WEP, WPA, Microsoft Office XP. RC4 encryption is considered insecure today.
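The use-once rule of the one-time pad key set described earlier, and what goes wrong when an XOR key is reused (the known plaintext case), as an added example that is not part of the original article. The `PadBook` class, its method names and the sample messages are constructed for illustration.

```python
import secrets

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class PadBook:
    """A numbered set of random keys shared by sender and receiver.
    Each key (page) is handed out once and then destroyed."""

    def __init__(self, pages):
        self._pages = dict(pages)

    @classmethod
    def generate(cls, count: int, page_size: int) -> "PadBook":
        return cls({i: secrets.token_bytes(page_size) for i in range(count)})

    def copy(self) -> "PadBook":
        """The identical book held by the other party."""
        return PadBook(self._pages)

    def take(self, index: int, length: int) -> bytes:
        page = self._pages.get(index)
        if page is None:
            raise KeyError(f"page {index} was already used or never existed")
        if length > len(page):
            raise ValueError("message is longer than the key")
        del self._pages[index]  # used once, then discarded
        return page[:length]

    def encrypt(self, index: int, plaintext: bytes):
        """Return the page number (sent in the clear) and the ciphertext."""
        return index, xor_bytes(plaintext, self.take(index, len(plaintext)))

    def decrypt(self, index: int, ciphertext: bytes) -> bytes:
        return xor_bytes(ciphertext, self.take(index, len(ciphertext)))

def recover_second_message(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """If one key encrypted both messages, c1 XOR c2 == p1 XOR p2: the key
    cancels out, so one known plaintext exposes the other message."""
    return xor_bytes(xor_bytes(c1, c2), known_p1)

if __name__ == "__main__":
    sender = PadBook.generate(count=4, page_size=32)
    receiver = sender.copy()
    page, ciphertext = sender.encrypt(0, b"ATTACK AT DAWN")
    print(receiver.decrypt(page, ciphertext))
    reused = secrets.token_bytes(14)  # the mistake: one key, two messages
    c1 = xor_bytes(b"ATTACK AT DAWN", reused)
    c2 = xor_bytes(b"RETREAT AT SIX", reused)
    print(recover_second_message(c1, c2, b"ATTACK AT DAWN"))
```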
Asymmetric encryption
Asymmetric encryption algorithms use different keys for encryption and decryption. They are primarily used for authentication, non-repudiation, and key exchange. Also, it is computationally infeasible to determine the decryption (“private”) key from the encryption (“public”) key. For example, someone who wants to send me an encrypted message encrypts the message with the key that I have publicly provided. After the encryption process, even the sender cannot open this message anymore. The message can only be opened with the private key.
In asymmetric encryption, the public key is already public, so it is not necessary to keep it secret. Asymmetric keys are much better at securing the information transmitted during communication. Asymmetric encryption is used in daily communication channels, mostly over the internet. One of the popular asymmetric key encryption algorithms is RSA.
Hash Functions
A hash function uses a mathematical transformation to irreversibly “encrypt” information and provides a digital fingerprint. It is primarily used for message integrity. No key is used in this algorithm. A fixed-length hash value is calculated based on the plaintext, making it impossible to revert from the hashed value to the plaintext. Many operating systems use hash functions to encrypt passwords.
For example, the password we use to log in to a Gmail account is kept encrypted with a hash on Google servers. Thus, someone who reaches the password database cannot reach our plaintext password, but only the data encrypted with the hash. Since the hash structure is irreversible, our plaintext password is not revealed.
In some applications, salt or pepper is added to the plain text to make the hash information more complex. For example, if some users choose the same password, the same hash information will be obtained, but if salt is added, the hash output will be different. In this case, the salt information used for each user must also be stored.
However, there is a catch here. A hash algorithm applied to a fixed text always gives the same result. So if we set our password as Pass1234qw, its MD5 hash will always be 9dab3f356bf53e3ce3f86f54f4dfffa4.
The so-called Rainbow Tables are tables that contain the most commonly used passwords and their hash values. These tables can contain billions of passwords and hashes. They reduce the work a brute force attack has to do, so the attack takes much less time than expected to succeed. Therefore, it is necessary to stay away from the most frequently used and generally preferred passwords. For example, values such as country name, province name, district name, name, surname, football team, date of birth, current year, car brand, company name, 123456, qwerty, etc. should not be included in the password.
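Unsalted hashing next to salted, peppered password storage, as an added example that is not part of the original article. PBKDF2-HMAC-SHA256, the iteration count, the record layout and the function names are assumptions chosen for illustration, and the plain dictionary is a simplified stand-in for a rainbow table.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 200_000  # assumed work factor; raise it as far as login latency allows

def unsalted_md5(password: str) -> str:
    """The weak scheme from the text: same password, same digest, for every user."""
    return hashlib.md5(password.encode()).hexdigest()

def precomputed_table(common_passwords):
    """Digest -> password map, built once and reused against any leaked database."""
    return {unsalted_md5(p): p for p in common_passwords}

def derive(password: str, salt: bytes, iterations: int, pepper: bytes) -> bytes:
    secret = password.encode()
    if pepper:
        # Pepper: a server-side secret stored outside the password database.
        secret = hmac.new(pepper, secret, hashlib.sha256).digest()
    return hashlib.pbkdf2_hmac("sha256", secret, salt, iterations)

def hash_password(password: str, pepper: bytes = b"") -> dict:
    """Create the record to store; the salt is random per user and kept with it."""
    salt = secrets.token_bytes(16)
    digest = derive(password, salt, ITERATIONS, pepper)
    return {"salt": salt.hex(), "iterations": ITERATIONS, "digest": digest.hex()}

def verify_password(password: str, record: dict, pepper: bytes = b"") -> bool:
    salt = bytes.fromhex(record["salt"])
    candidate = derive(password, salt, record["iterations"], pepper)
    return hmac.compare_digest(candidate, bytes.fromhex(record["digest"]))

if __name__ == "__main__":
    table = precomputed_table(["123456", "qwerty", "Pass1234qw"])  # constructed list
    leaked = unsalted_md5("qwerty")
    print("unsalted digest found in table:", table.get(leaked))
    alice, bob = hash_password("qwerty"), hash_password("qwerty")
    print("same password, different records:", alice["digest"] != bob["digest"])
    print("table lookup on salted record:", table.get(alice["digest"]))
    print("login check:", verify_password("qwerty", alice))
```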
Encoding and Decoding
Encoding is the process of converting data from one format to another so that it can be used in different systems and environments. Media files such as audio and video use encoding to reduce their file size. Every audio and video file format has an encoder-decoder program that is used to encode it to the appropriate format and then decode it for playback. For example, encoding is required to convert .mp4 to .avi, .flv to .mp3, etc. Someone who encodes the data can reverse it using the same algorithm. No keys are used in encoding and encoding is not used for privacy. The reverse of the operation is called decoding.
Public Key Infrastructure (PKI)
We talked about public key and private key in asymmetric encryption. Here is a problem and its solution. Since my public key is public, how will others know that it really belongs to me? Can someone else post a public key on my behalf as if it were coming from me? The X.509 standard addresses this. A service that we can think of as a notary issues a digital certificate. This confirms that the public key really belongs to me. Certificates contain some information such as the issuing body, the lifetime of the certificate, its subject, public key information, and the digital signature of the certificate issuing organization.
The Certificate Authority (CA), the organization that approves the certificate, performs operations such as certificate creation, key generation, certificate revocation, and backup and recovery of keys.
The verification that I am really me is done by the Registration Authority (RA), which is responsible for validating the certificate issuing body.
So how does the process work? The requester creates a Certificate Signing Request (CSR) file on his/her side. Creating this file is an easy process. This file contains information such as domain name, institution name, relevant e-mail address, and the public key that will be included in the certificate. The created file is sent to the institution that will issue the certificate, and the institution may request other documents if necessary. If everything is ok, the institution that will issue the certificate signs the submitted CSR, creates a certificate file and makes it available to the requester.
A self-signed certificate, on the other hand, is a structure in which we are the ones who request the certificate and also the ones who approve and issue it. However, this setup only works internally because the certificate was not issued by a trusted authority.
Many applications use a combination of asymmetric and symmetric encryption. The most well-known examples are TLS and SSL protocols.
Conclusion
Today, data storage and transmission is child’s play and not a day goes by without doing one of them. We connect to the Internet, use mobile phones, computers, tablets, smart watches, USB memory sticks, messaging applications, social media applications, shop and many more. Cryptology is in the middle of all these processes.
Without exception, we have to know more about the science of cryptology that we live with every day. Using an incomplete or misconfigured, insecure, outdated system puts our data at risk, which we do not want to be exposed or corrupted. Therefore, we should try to understand cryptology better, be aware of the capabilities of the systems we use and take the necessary precautions.
Do you think we should pay more attention to cryptology?
References
https://pdfdergi.com/12673/kriptoloji-nedir-neden-ihtiyac-duyariz/
https://theworld.com/~cme/html/timeline.html
https://www.linkedin.com/pulse/kriptolojinin-tarih%25C3%25A7esi-nihal-kindap/
https://csrc.nist.gov/CSRC/media/Publications/fips/46/archive/1977-01-15/documents/NBS.FIPS.46.pdf
https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.197.pdf
https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-22r1a.pdf
https://devnot.com/2020/kullanici-parola-guvenligi-icin-hashing-ve-salting-kullanimi/
https://www.encryptionconsulting.com/education-center/what-is-cryptography/
https://www.garykessler.net/library/crypto.html