# Cryptography

## The first cipher we’ll look at today is named after one famous early adopter: Julius Caesar. Attempts at cracking codes and ciphers are also nearly as old: the Vigenère cipher, which is at least 500 years old, was first cracked in 1863.

## Encryption

**Encryption** is the process of encoding information to keep it private. **Cryptography** is the practice or study of encryption techniques.

`encrypt(P) = C`

decrypt(C) = P

## Types of Encryption

- Simple Ciphers
- Symmetric-Key Algorithms
- Public-Key Cryptography
- Cryptographic Hash Algorithms
- Used as Checksums
- Used for Password Hashing

## Simple Ciphers

One of the simplest types of encryption is the Shift Cipher. The Shift Cipher is also called the “Caesar Cipher”, because Julius Caesar liked to use it for his personal correspondence. The most popular shift cipher is ROT13 (“ROT” = “rotates”). It shifts letters 13 positions. It is popular because 13 is half of the 26 letter alphabet.

PHP has a built in functio for ROT13 called

`str_rot13()`

.

## Substitution Cipher

A shift cipher is actually a primitive version of a Substitution Alphabet Cipher. A substitution cipher uses a translation map for characters. Each character in the text gets translated into another character. The substitution could be into letters, or into numbers or symbols. Substitution ciphers are easy to use, but also easy to decrypt.

In PHP, the function

`strtr()`

(short for "string translate") allows mapping one set of characters to another set.

## Symmetric Key Algorithms

A Symmetric-Key Algorithm uses a string of data to encrypt and decrypt information. This string of data acts like a real-world key which can lock and unlock a door. In fact, it is often called a “key” or a “password”. With symmetric-key algorithms, the same key is used for encrypting and for decrypting (that is what makes it “symmetric”).

There are three algorithms which are notable for their resistance to decryption and their wide-spread usage.

- The Data Encryption Standard (DES) algorithm now considered insecure. Modern computers can decrypt a DES encrypted message in less than a day.
- The Advanced Encryption Standard (AES) algorithm: It is also known as “Rijndael”. AES has not yet been broken is still considered strong enough to encrypt U.S. classified data.
- The Blowfish algorithm: It has not yet been broken, even though a few technical and theoretical weaknesses have been identified. It is also widely used in many encryption software products.

## Public Key Cryptography

Public-Key Cryptography is the common name for Asymmetric-Key Algorithms. Where symmetric-key algorithms used a single key for encrypting and decrypting, asymmetric-key algorithms use a pair of keys.

The reason it is called “Public-Key Cryptography” is because each person will share one of their keys widely (“public key”) so that anyone can use it. Then they will keep the other key private (“private key”) so that only they can use it.

Asymmetric algorithms take a relatively long time compared to symmetric algorithms, and they are limited in the amount of data which can be encrypted (for a 2048-bit RSA key it is 245 bytes/characters). For this reason, public-key cryptography is often used to send messages, such as to share a symmetric encryption key.

## Cryptographic Hash Algorithms

Cryptographic Hash Algorithms are one-way algorithms which are used when data does not need to be decrypted. Because there will be no decryption, there is no need for a key.

There are many hash algorithms but four stand out as popular choices.

- CRC32 (“Cyclic Redundancy Check”) returns a 32-bit integer hash.
- MD5 is a popular hash function. (“MD” = “Message Digest”). It returns a 128-bit hexadecimal string which is 32 characters long.
- SHA-1 is a hash function designed by the N.S.A. (“SHA” = “Secure Hash Algorithm”). It returns a 160-bit hexadecimal string which is 40 characters long.
- bcrypt is a hash algorithm which is based on the Blowfish Symmetric-Key Algorithm. Unlike Blowfish, bcrypt is a one-way hash and offers no decryption. It returns a 184-bit base-64 encoded string which is 31 characters long.

# Checksums

A checksum is the value returned from a one-way hash algorithms. The sender sends the checksum of data, then sends the data. The receiver can verify that received data is complete and accurate by deriving the checksum. There are three PHP functions which are suitable for checksums: `crc32()`

, `md5()`

, `sha1()`

.

The Git Version Control System uses SHA-1 checksums on the contents of all change commits.

# Password Hashing

Passwords should **NEVER** be stored in plain text. This is one of the worst security sins possible. Attackers can steal them through techniques like SQL Injection.

- One-way encryption algorithms are better for passwords than two-way encryption algorithms. They cannot be decrypted — not by an attacker, not by staff, not even by administrators.
- A slower algorithm provides a defense against rapid-fire password attempts in a Brute Force Attack.
**bcrypt**is a popular and secure choice for hashing passwords. It is based on Blowfish, but because it performs one-way encryption, it is more secure.- bcrypt also uses [salts|Salts] when hashing. Using a salt when hashing passwords is the best defense against the use of Rainbow Tables.