What I learned about cryptography in 3 weeks
Nathanael Demacon

Publish Date: Nov 4 '18

It's been 3 weeks since I started developing WarShield, a file encryption CLI, so I wanted to tell you everything important I know today about cryptography.


Keys (passwords) in cryptography

If you want to encrypt your data, it's good to be able to decrypt it too: that's why you use a key, more commonly called a password.

Keys in cryptography are grouped in two categories:

  • Symmetric-key cryptography
  • Public-key cryptography, also called asymmetric-key cryptography

Symmetric-key cryptography algorithms use only one key to encrypt and decrypt a value, unlike public-key cryptography algorithms, which use a "public key" to encrypt and a "private key" to decrypt.

Encryption types (from https://ssl2buy.com)
Image credits: SSL2Buy

Those keys must be exactly the length required by the encryption algorithm. For instance, an algorithm like AES-256-GCM requires a 128 bit key (32 characters), GCM being the "mode of operation" that defines how the algorithm works and provides additional information such as authenticity.

But don't worry, you don't need to have 32-character passwords, even though that would be secure. You can (and must) hash your keys to get a secure key of the right size.


Random and authenticity

If you encrypt multiple values with the same key, the outputs would leak some information about your key, which you don't want for security reasons. A great way to secure your encrypted values is to make them fully random. That is where the Initialization Vector comes in.

Initialization Vector (IV)

This technique is basically a way to mix your key with another value, best being a random value.

Its size depends on the mode of operation of the chosen encryption algorithm, and it must be supplied manually. It's not generated by the algorithm.
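
The key and IV handling described above, as an added example that is not part of the original post and is not WarShield's code. It uses Node.js's built-in crypto module and derives the 32-byte key with scrypt, a password-based key derivation function used here in place of a plain hash; the function names and the salt | iv | tag | ciphertext layout are assumptions of this example.

```javascript
// Added example: password -> key -> AES-256-GCM with a fresh random IV.
const crypto = require('node:crypto');

const SALT_LEN = 16; // random salt for key derivation (choice of this example)
const IV_LEN = 12;   // 96-bit IV, the size recommended for GCM
const TAG_LEN = 16;  // GCM authentication tag length

// Stretch a password of any length into the 32-byte key AES-256 expects.
function deriveKey(password, salt) {
  return crypto.scryptSync(password, salt, 32);
}

// Output layout (an assumption of this example): salt | iv | tag | ciphertext
function encrypt(password, plaintext) {
  const salt = crypto.randomBytes(SALT_LEN);
  const iv = crypto.randomBytes(IV_LEN); // new IV for every encryption
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(password, salt), iv);
  const body = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([salt, iv, cipher.getAuthTag(), body]);
}

function decrypt(password, blob) {
  if (blob.length < SALT_LEN + IV_LEN + TAG_LEN) throw new Error('blob too short');
  // The salt and IV are not secret: they are read back in the clear.
  const salt = blob.subarray(0, SALT_LEN);
  const iv = blob.subarray(SALT_LEN, SALT_LEN + IV_LEN);
  const tag = blob.subarray(SALT_LEN + IV_LEN, SALT_LEN + IV_LEN + TAG_LEN);
  const body = blob.subarray(SALT_LEN + IV_LEN + TAG_LEN);
  const decipher = crypto.createDecipheriv('aes-256-gcm', deriveKey(password, salt), iv);
  decipher.setAuthTag(tag);
  // final() throws if the password is wrong or any byte was modified.
  return Buffer.concat([decipher.update(body), decipher.final()]);
}

// Returns true when decryption is refused (wrong password or tampering).
function isRejected(password, blob) {
  try { decrypt(password, blob); return false; } catch { return true; }
}
```

Encrypting the same plaintext twice with the same password gives two different outputs, because the salt and IV are regenerated on every call.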

Authentication and integrity

Maybe you've heard of the MD5 algorithm being used to check that a downloaded file contains all the expected data? Well, that's called integrity. It ensures that your data is exactly what you expect.

Authentication involves integrity and makes sure that your data has been encrypted by a specific entity (for instance, a computer). It's a way to ensure the non-repudiation of data; put plainly, it means being sure that the data hasn't been falsified. An authentication value is called a tag or a MAC (Message Authentication Code).

The most used integrity algorithms are SHA1 and MD5. For authentication algorithms it's HMAC, checksum and CMAC. There are a bunch of other algorithms, but these are the main ones.

MAC
Image credits: Wikipedia
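
The difference between an integrity check and an authentication tag, as an added example that is not part of the original post. It uses Node.js's built-in crypto module with SHA-256 and HMAC-SHA-256 rather than the MD5 and SHA1 named above; the function names and sample data are constructed for illustration.

```javascript
// Added example: integrity (hash) versus authentication (HMAC).
const crypto = require('node:crypto');

// Integrity only: no secret is involved, so anyone can compute this value.
function digest(data) {
  return crypto.createHash('sha256').update(data).digest();
}

// Authentication: only a holder of `key` can compute a valid tag.
function mac(key, data) {
  return crypto.createHmac('sha256', key).update(data).digest();
}

// Constant-time comparison, so timing does not reveal how many bytes matched.
function sameBytes(a, b) {
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}

// Constructed scenario: data is published next to a check value, and someone
// without the key later replaces both the data and the check value.
function compareChecks() {
  const key = crypto.randomBytes(32); // secret shared by sender and receiver
  const original = Buffer.from('backup.tar contents v1'); // constructed sample
  const replaced = Buffer.from('backup.tar contents v2'); // constructed sample

  const publishedDigest = digest(original);
  const publishedTag = mac(key, original);

  // The digest can be recomputed by anyone. The tag cannot, so the only
  // substitute available without the key is something keyless.
  const replacedDigest = digest(replaced);
  const replacedTag = digest(replaced);

  return {
    // Both checks notice data that changed under the original check value.
    digestCatchesCorruption: !sameBytes(digest(replaced), publishedDigest),
    tagCatchesCorruption: !sameBytes(mac(key, replaced), publishedTag),
    // Only the MAC still fails once the check value is replaced as well.
    digestAcceptsReplacedPair: sameBytes(digest(replaced), replacedDigest),
    tagAcceptsReplacedPair: sameBytes(mac(key, replaced), replacedTag),
  };
}
```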


And... That's it! There is nothing more to say about the basics of cryptography. Sure, I could talk about different encryption algorithms, but I find it useless in this case.

I will learn more and more about cryptography, improve my projects and maybe my own security. I hope you learned something about cryptography too 😄

Comments 18 total

  • Ben Halpern, Nov 4, 2018

    Thanks for sharing your learnings, keep up the great work

    • Nathanael Demacon, Nov 5, 2018

      Thanks, the community helps me a lot to improve myself! Hope that people like my posts as I like to make them!

  • Willem Odendaal, Nov 5, 2018

    I've always wondered about the IV. Since it's random, you probably store it along with your encrypted data (but as an unencrypted value). Am I right? Is it the same thing as a "salt"?

    • Nathanael Demacon, Nov 5, 2018

      It's literally the same thing as a salt, it's mixed with the key like you mix some cheeses to make a fondue

  • Vishwas Mahadev, Nov 5, 2018

    Thanks for sharing! Informative😀

  • Paul Siorai Waldorf, Nov 5, 2018

    Excellent write up!

    So now I'm curious about something. Did you happen to come across the proposed RSA alternatives for asymmetrical key pairs that use things like EC25519 in order to move away from NSA created standards? If so, what was your take?

    • Nathanael Demacon, Nov 5, 2018

      ECC curves are far from what I know at this time. If your question was about how not to use NSA standards (like AES), I would use something like 3DES, former competitor of AES before AES was declared as the US government's standard.

  • eLabFTW, Nov 5, 2018

    Your last paragraph on Authenticity sounds wrong and misleading. You're putting everything in the same bag. It would have been better to explain what HMAC is instead of comparing it to md5 which is a hashing function and provides absolutely no authenticity, only integrity.

    • Nathanael Demacon, Nov 5, 2018

      You're right, I somehow poorly formulated the paragraph, it needs a rework :)

    • Nathanael Demacon, Nov 6, 2018

      Rework finished, hope that you will enjoy it!

  • I'm Luis! \^-^/, Nov 5, 2018

    "This technique is basically a way to mix your key with another value, best being a random value."

    Is this what you call a salt ??

    • Nathanael Demacon, Nov 5, 2018

      It's theoretically the same thing as a salt, a salt is mostly used in hashing, where it will be appended to the original value then hashed. An IV is XORed with a value (here a key)

  • Fleshwound⚡, Nov 9, 2018

    I would like to see use case examples with scripts #showusthescripts!

    • Nathanael Demacon, Nov 10, 2018

      It's hard to show proper code of how cryptography works. You can't show code in an essay because your readers could not understand the programming language you use.

      It's more like an explanation than a demonstration.

      • Fleshwound⚡, Nov 11, 2018

        I understand, I'm just a snippet snob I guess lol

  • Leviathan Jeanis, Dec 1, 2018

    Just a small point, but encryption and ciphers are two different things. A cipher consists of nothing more than a character (or byte) map from one alphabet to another.

    Beyond that, nice work!

    • Nathanael Demacon, Dec 1, 2018

      I'll note that! I'm not a native English speaker. In French, the word "crypting" doesn't really have the purpose of transforming a text to a ciphertext, there's a website dedicated to this word because of bad uses.

      Thank you for telling me that, I won't make this error anymore!

      (post fixed)

  • Alimam Miya, Dec 9, 2020

    I describe What is Cryptography in an easy way
