In the upcoming section of this course, we will discuss what cryptography is and how it is used for security. This is a good opportunity to also introduce the concepts of authentication, authorization, and non-repudiation that complement the CIA (Confidentiality, Integrity, Availability) triad for information security.
Why Learn about Cryptography?
Cryptography is used almost everywhere online. In fact, you even used it to communicate with this website — the
https that comes before many domain names indicate that encryption is being used to exchange data between your browser and the server. That data could be your login credentials, whether you have visited this site already, your device type, or sensitive personal information. This is ALL data you want to keep private! We also pay attention to how cryptography is leveraged by hackers to lock systems.
You’ll learn some basics about encryption and hashing.
Authentication, Authorization, Non-Repudiation
According to CISA,
Authentication and authorization go hand in hand. Users must be authenticated before carrying out the activity they are authorized to perform. Security is strong when the means of authentication cannot later be refuted—the user cannot later deny that [they] performed the activity. This is known as non-repudiation.
Practical Cryptography: Encryption
How do we use encryption to send and store data securely?
Cryptography is the science of hiding data and making it available again. In cryptography, hiding data is called encryption and unhiding it is called decryption. When data is securely exchanged, it is first encrypted by the sender, and then decrypted by the receiver using a special key.
One of the earliest well-known instances of cryptography was the use of coded messages between Julius Caesar and his military generals during Roman times. This is called the “Caesar cipher”. To use it first draw the alphabet in a circle like this:
If our key was the number “3”, we would take every letter of the message and rotate it (move it) three places to the right, so the letter “A” would become “D”. Using this method, the word “Hello” would become “Khoor”.
This is actually a very simple form of encryption, and as long as the person who receives your message knows that you used “3” as the “key” to encrypt your message, they can decrypt it as well.
How Do Computers Encrypt?
The Caesar cipher above is easily readable by a human. But how do computers, that interpret everything as binary
1s, encrypt and decrypt? The answer is the XOR operation, a key component of many complex algorithms used today, such as AES, the encryption algorithm used by the US government to protect classified information.
What is XOR? XOR is an operation that compares two bits and returns True (
1) if only one of the bits is
1, and returns False (
0), if the bits are the same value (both
0’s or both
XOR gives the same string back if you perform XOR on it twice. For example, if you XOR
1100 with the key
1001, it returns
0101, and if you XOR
0101 with the same key,
1001, you get
1100 again. This may seem confusing to you, a human, but this is how computers… compute!
XOR encryption takes advantage of this reflexive property, so whatever key we XOR with a binary sequence to encrypt it, we can use that same key to decrypt the sequence. XOR is the foundation of all the common encryption methods!
The following is a secret message that was XOR-encrypted with the key
cybersecurity. Try to decrypt it using this XOR Decryptor!
Types of Encryption
There are two main types of encryption: symmetric and asymmetric.
- Symmetric encryption uses the same key to both encrypt and decrypt data.
- Asymmetric encryption uses two different keys to encrypt and decrypt data.
Both of the examples we looked at, Caesar Cipher and basic XOR encryption, used the same key to encrypt and decrypt our data.
Symmetric encryption is the fastest way to encrypt data, and the most common for sending large chunks of data, however, it has one major vulnerability: if you send someone your key, then it’s in a form that any other person can read. That means your data is vulnerable to being stolen.
Asymmetric encryption differs from symmetric encryption in one way: Instead of one key, you have a key pair. A key pair is made up of a public key and a private key.
- The public key can be given to anyone and is only used to encrypt data.
- The private key is kept secret and is only used to decrypt data.
What’s the use of having two keys? Having two keys mean you are the only person who ever has access to the private key used to decrypt data, so it is impossible for someone to intercept and read your messages.
For example, if you want to receive an encrypted message from someone, you would first generate a key pair and give them the public key. Then, they would write a message and encrypt it using the public key you gave them. Finally, they would send you the message and you would decrypt it with your private key. You never share your private key with anyone, including the recipient, so it never has a chance to be stolen. Having two keys makes sure you are the only person who can decrypt and read those messages since you are the only one with the private key.
If you wanted to send a message back to the original sender they would generate a key pair as well, provide you with their public key, and you would repeat the process.
Asymmetric encryption is the most secure way to transmit data; however, it is slower and more complex than symmetric encryption. Therefore, it is primarily used to exchange smaller pieces of data.
There are a wide variety of asymmetric encryption algorithms. The most common is RSA, which is based on the factoring of prime numbers, and is functionally unbreakable if a large enough key is used (although quantum computing could change this). Another asymmetric approach is Elliptical Curve Cryptography (ECC).Multiple choice
How does symmetric encryption differ from asymmetric encryption?
Symmetric encryption is used for letters and numbers; asymmetric encryption is used for binary.
Symmetric encryption uses public key pairs; asymmetric encryption uses private key pairs.
Symmetric encryption encrypts and decrypts with the same key; asymmetric encryption uses a public/private key pair.
Symmetric encryption is used to receive data; asymmetric encryption is used to send data.
Conclusion & Further Reading
Encryption is used everywhere! Think this topic is fascinating and want to explore more? You can read up on what it takes to become a professional cryptographer!
- If you are running a UNIX based operating system such as Mac or Linux you can run basic encryption algorithms such as “Rot13” with a single command. Windows operating systems do not come preinstalled with an equivalent command; however, you can encrypt and decrypt messages with letter rotation by using the rot13 website.
- If you are interested in how cryptography can be used in programming, you can build your own Caesar Cipher program with Codecademy’s projects in Swift or Python
Practical Cryptography: Hashing
Learn about hashing and its practical applications!
In addition to using cryptography to keep things secret, you can also use cryptography to make sure your data matches what you expect. This is where hashing comes in.
Unlike the methods we’ve already looked at, which are designed to both encrypt and decrypt data, hashing is different. Hashing does not encrypt data. Instead, hashing is a one-way process that takes a piece of data of any size and uses a mathematical function to represent that data with a unique hash value of a fixed size. You cannot compute the original data from its hash.
Because each hash should be unique, hashing allows us to see if changes have been made to documents. For example, when you make edits to a file on Github, GitHub hashes the file to see whether you made any changes. Similarly, if you wanted to know whether a website had changed, you could download the CSS and HTML files, hash them, and then see if you get the same value when you hash them later. If the value is different the second time, something on the website changed. No matter how large or complex your file is, hashing provides a fast, reliable way to compare files and verify their authenticity.
Ideally, hash functions always generate unique values for different inputs. When they don’t it’s called a hash collision. While it’s hypothetically possible to encounter a hash collision with nearly any hashing algorithm, with modern algorithms like SHA-256, it would take so long to result in a collision that it’s functionally impossible. Earlier hashing algorithms, like MD5 and SHA-1, are more likely to result in hash collisions.Multiple choice
What is it called when two different inputs generate the exact same hash?
This is not possible.
Hash CollisionMultiple choice
Which of the following hashing algorithms is the most secure?
All of these algorithms are equally secure
It’s easy to get the hash value of some types data. If you are on a Unix-based operating system, open your terminal and type:
echo "Hello World" | shasum -a 256
That will give you the SHA-256 hash of the string “Hello World”. Try changing the string slightly, and you’ll see that the resulting hash changes as well.
Windows does not have a built-in function to generate hashes of Strings (although you can use Get-FileHash in Powershell to hash files), but you can easily get the SHA-256 hash of a string online.
Using Hashes to Protect Data
Hashes are widely used in order to store passwords in online databases. If passwords are stored in plaintext and a database is breached, so are all of the passwords! However, if they are stored as hash values, even if someone hacks into a website’s database, only the password hashes are exposed. For example, if your password for a website is:
But that website is storing it as a SHA-256 hash, even if someone hacked into that website, all they would see is the hash value.
Remember, an attacker has no way of “decrypting” a hash value to get the original value.
Attackers can still come up with a list of common passwords, generate hashes, and find which lines in the database match those hashes. Rainbow tables, massive tables of common passwords and password-hash combinations, speed up that process even more. However, It is practically impossible for an attacker to guess and match the hash of a complex password!
Organizations can further protect hashed information by using something called a salt. A salt is a secret random string that is combined with a password prior to hashing specifically to defend against the use of rainbow tables.Multiple choice
Why are passwords stored as hash values?
Hashes protect passwords against rainbow tables.
Hashes are easier to store in a database than plaintext password strings.
Hashes protect passwords in case a database is breached.
Hashes take less memory to store than plaintext password strings.Multiple choice
Which of the following is NOT a use of hashing?
Encrypting and decrypting messages
Verifying file integrity
Comparing malware samples
Storing passwords in a database
Hashing is a key application of cryptography! A cybersecurity professional uses hashing algorithms to compare files big and small, as well as to protect data.
Cryptography is a dynamic field, with new algorithms being invented, tested, and solved all the time, it is also an essential part of keeping up information security. You will continue to see the applications as you learn more about cybersecurity!