Cryptography: Writing or reading secret messages or codes. The practice and study of secret codes.
Cryptanalysis: Analysis and cracking of codes.
Cryptology: Synonym of cryptography. Can also be an umbrella term for cryptography and cryptanalysis.
Encryption is used to protect the confidentiality of our data while it’s being transmitted and stored.
A cryptosystem should be secure even if everything about the system, except the key, is public knowledge.
— Kerckhoffs’ principle
One ought to design systems under the assumption that the enemy will immediately gain full familiarity with them.
— Shannon’s maxim
Relying on the secrecy of the design is called security through obscurity.
It is easier to switch keys than algorithms if one is compromised. Rotating keys at regular intervals can also be implemented as a risk mitigation.
Symmetric encryption uses a single key for both encryption and decryption.
It is very fast but has a key distribution problem: the shared key itself must be delivered to the other party securely.
Advanced Encryption Standard (AES, Rijndael) is a NIST-standardized, NSA-approved symmetric encryption algorithm widely used today.
It’s used by archiving and compression tools (e.g. 7z, RAR, WinZip), file systems and disk encryption (e.g. NTFS, FileVault), the Signal protocol (e.g. WhatsApp, Facebook Messenger), WPA2, IPsec and GPG.
Asymmetric encryption uses two keys: a public key and a private key. It doesn’t have the key distribution problem, but is much slower than symmetric encryption.
Encryption: plaintext + public/private key → ciphertext
Decryption: ciphertext + private/public key → plaintext
Rivest-Shamir-Adleman (RSA) is the most widely used asymmetric encryption algorithm (e.g. SSL/TLS).
Hashing algorithms are used to ensure data integrity. They are one-way functions, meaning going from the digest back to the input is not possible. It should also be computationally infeasible to find two distinct inputs that hash to the same value (collision resistance).
Variable size input, fixed size output (called digest).
The SHA-2 family (e.g. SHA-256, SHA-512) and SHA-3 are fast hashing algorithms.
Digital Certificate and Certificate Authority (CA)
A CA is a trusted third party that lets two other parties set up encrypted communication.
It issues public key certificates (also called digital certificates or identity certificates): electronic documents used to prove the ownership of a public key.
The commonly used standard X.509 dictates that the certificate must include a unique ID, information about the public key, information about the owner (the subject), a validity period, and the digital signature (or fingerprint) of the issuer.
The CA hashes the owner’s public key and then encrypts the hash with its own private key. This ciphertext, the digital certificate’s signature, is one part of the digital certificate.
When a client visits the owner’s website, it downloads the certificate, decrypts its signature with the issuer’s (the CA’s) public key (stored locally), hashes the certificate’s public key and compares this hash with the decrypted signature. If they match and the client trusts the CA, the client can trust that public key.
Then the certificate’s public key is used to encrypt a pseudo-randomly generated key created by the client. The server decrypts it with the certificate owner’s private key. Now both client and server have the same key and can use it to communicate securely over a public network with a fast symmetric encryption algorithm.
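The issuance, verification and key-exchange steps of the three paragraphs above, as an added stdlib-only Python walk-through (not code from these notes or from any real CA): it assumes textbook RSA on fixed toy Mersenne primes with no padding, chosen for readability only, and also shows that a certificate whose public key was swapped after signing fails the client’s check.

```python
"""Toy walk-through of the certificate and key-exchange steps in these notes.
Textbook RSA on fixed Mersenne primes with no padding: an assumption made
for readability, not what a real CA or TLS stack uses. Stdlib only."""
import hashlib
import secrets

E = 65537
CA_PRIMES = (2**31 - 1, 2**61 - 1)      # constructed toy primes for the CA
SERVER_PRIMES = (2**61 - 1, 2**89 - 1)  # constructed toy primes for the site owner

def rsa_keypair(p, q, e=E):
    """Return ((n, e), (n, d)): the public key and the matching private key."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))

def hash_public_key(pub, n):
    """SHA-256 of the public key, reduced so the value fits below the modulus n."""
    digest = hashlib.sha256(repr(pub).encode()).digest()
    return int.from_bytes(digest, "big") % n

def ca_issue_certificate(owner_pub, ca_priv):
    """CA: hash the owner's public key, then 'encrypt' that hash with the CA private key."""
    n, d = ca_priv
    return {"owner_pub": owner_pub, "signature": pow(hash_public_key(owner_pub, n), d, n)}

def client_verify_certificate(cert, ca_pub):
    """Client: decrypt the signature with the CA public key and compare with a fresh hash."""
    n, e = ca_pub
    return pow(cert["signature"], e, n) == hash_public_key(cert["owner_pub"], n)

def handshake(cert, ca_pub, server_priv):
    """Returns (verified, client_key, server_key); keys are None if the check fails."""
    if not client_verify_certificate(cert, ca_pub):
        return False, None, None
    n, e = cert["owner_pub"]
    session_key = secrets.randbelow(n)  # client's pseudo-random key
    wrapped = pow(session_key, e, n)    # encrypted with the certificate's public key
    n_s, d_s = server_priv
    return True, session_key, pow(wrapped, d_s, n_s)  # server decrypts with its private key

def demo():
    """Honest flow succeeds; a certificate whose public key was swapped after signing fails."""
    ca_pub, ca_priv = rsa_keypair(*CA_PRIMES)
    server_pub, server_priv = rsa_keypair(*SERVER_PRIMES)
    cert = ca_issue_certificate(server_pub, ca_priv)
    ok, client_key, server_key = handshake(cert, ca_pub, server_priv)
    forged = dict(cert, owner_pub=rsa_keypair(2**89 - 1, 2**107 - 1)[0])
    return ok and client_key == server_key, client_verify_certificate(forged, ca_pub)
```

Both sides would next hash their copy of the shared integer into a fixed-size key for the symmetric cipher (e.g. AES) that carries the actual traffic.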