RITx: Cybersecurity Fundamentals, Unit 3 — Course notes

Cryptography & Digital Certificate

Xavier Briand
Feb 6 · 3 min read

Definitions

Cryptography: Writing or reading secret messages or codes. Practice and study of secret code.
Cryptoanalysis: analysis and cracking of codes
Cryptology: synonym of cryptography. Can also be an umbrella term for cryptography and cryptoanalysis.

Encryption

Encryption is used to protect the confidentiality of our data while it’s being transmitted and stored.

A cryptosystem should be secure even if everything about the system, except the key, is public knowledge
Kerckhoffs’ principle

Relying on the secrecy of the design is called security through obscurity.

It is easier to switch keys than algorithm in case one is compromised. Switching keys over time intervals can also be implemented for risk mitigation.

Encryption types

Symmetric encryption

Only use one key for encryption and decryption.
It is very fast but has a key distribution security problem.

Data Encryption Standard (DES), Triple DES (TDES, 3DES) and Rivest Cipher 4 (RC4 , ARCFOUR) (eg. WEP, WPA) are old symmetric encryption algorithm.

Advanced Encryption Standard (AES, Rijndael) is a NIST, NSA approved, symmetric encryption algorithm widely used today.
It’s used by archiving and compression tools (eg. 7z, RAR, WinZio), file systems and disk encryption (eg. NTFS, FileVault), signal protocol (eg. WhatsApp, Facebook Messenger), WPA2, IPSec, GPG.

Asymmetric encryption

Uses two keys: a public key and a private key. Doesn’t have key distribution problem. Much slower than symmetric encryption.

Encryption: plaintext + public/private key → ciphertext
Decryption: ciphertext + private/public key → plaintext

Public key cryptography — Diffie-Hellman Key Exchange (full version) — YoutTube

Rivest-Shamir-Adleman (RSA) is the most widely used asymmetric encryption algorithm (eg. SSL/TLS).

Hashing

Hashing algorithms are use to ensure data integrity. They are one way functions meaning going from cipher text to plaintext is not possible. It should also be computationally infeasible to find two distinct plaintext which hash to the same value, aka collision resistance.

Variable size input, fixed size output (called digest).

MD5 (Message Digest algorithm) and SHA-1 (Secure Hash Algorithms) are old hashing algorithm, collisions have been produced.

SHA-2s (eg. SHA-256, SHA-512) and SHA-3s are fast hashing algorithms.

For password hashing, slower hashing algorithms are required to prevent brute force attacks. Example are: PBKDF2 (Password-Based Key Derivation Function 2), bcrypt, scrypt and Argon2.

Digital Certificate and Certificate Authority (CA)

Are trusted third party, to encrypt communication between two other parties.

Issue public key certificate/digital certificate/identity certificate. Certificates are electronic document used to prove the ownership of a public key.
The commonly used standard X.509 dictates that the certificate must include a unique id, information about the public key, information about the owner (the subject), a validity period, and the digital signature (or fingerprint) of the issuer.

The CA hash the owner’s public key and then encrypt it with its own private key. This ciphertext, the digital certificate’s signature, is one part of the digital certificate.
When a client visits the owner’s website, it downloads its certificate, decrypts its signature with the issuer’s (the CA) public key (stored locally), hash the certificate’s public key and compare this hash with the decrypted signature. If it’s a match and the client trusts the CA, we can trust that the public key.

Then, the certificate’s public key is used to encrypt a pseudo-randomly key generated by the client. The server then decrypt the key with the certificate owner’s private key. Now, both client and server have the same key, and can use it to securely communicate over a public network using a fast symmetric encryption algorithm.


My journey into Cybersecurity

My experience trailblazing the practice of Cybersecurity

Xavier Briand

Written by

50% solution finder at @ExperiencePoint / 50% endurance cyclist. Will train for food and burn it for adventures.

My journey into Cybersecurity

My experience trailblazing the practice of Cybersecurity

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade