
What I learned about cryptography in 3 weeks

Nathanael Demacon (quantumsheep) ・ 2 min read

It's been 3 weeks since I started developing WarShield, a file encryption CLI, so I wanted to tell you everything important I know today about cryptography.


Keys (passwords) in cryptography

If you encrypt your data, you also need to be able to decrypt it: that's why you use a key, more commonly called a password.

Keys in cryptography are grouped in two categories:

  • Symmetric-key cryptography
  • Public-key cryptography, also called asymmetric-key cryptography

Symmetric-key cryptography algorithms use only one key to encrypt and decrypt a value, unlike public-key cryptography algorithms, which use a "public key" to encrypt and a "private key" to decrypt.

[Figure: Encryption types. Image credits: SSL2Buy (https://ssl2buy.com)]

Those keys must be exactly the length required by the encryption algorithm. For instance, an algorithm like AES-256-GCM requires a 128 bit key (32 characters), GCM being the "mode of operation" that defines how the algorithm works to provide additional information like authenticity.

But don't worry, you don't need 32-character passwords, even though they would be secure. You can (and must) hash your keys to provide a secure and well-sized key.


Random and authenticity

If you encrypt multiple values with the same key, the outputs would leak some information about your key, which you don't want for security reasons. A great way to secure your encrypted values is to make them fully random. That is what the Initialization Vector is for.

Initialization Vector (IV)

This technique is basically a way to mix your key with another value, best being a random value.

Its size depends on the mode of operation of the chosen encryption algorithm, and it must be given manually. It's not generated by the algorithm.
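
The pieces described so far fit together as follows. This is an added example, not WarShield's code: it hashes a password into a 32-byte key, encrypts with `aes-256-gcm` under a fresh random IV, and stores the IV and tag unencrypted next to the ciphertext. The choice of scrypt as the password hash, the 12-byte IV, the function names and the salt | IV | tag | ciphertext layout are assumptions made for the example.

```javascript
const crypto = require('crypto');

// Blob layout chosen for this example (an assumption, not a standard):
// salt (16 bytes) | iv (12 bytes) | tag (16 bytes) | ciphertext
const SALT_LEN = 16, IV_LEN = 12, TAG_LEN = 16, KEY_LEN = 32;

// Stretch a password of any length into the 32-byte key aes-256-gcm takes.
// The random salt makes the same password yield a different key per file.
function deriveKey(password, salt) {
  return crypto.scryptSync(password, salt, KEY_LEN);
}

function encrypt(password, plaintext) {
  const salt = crypto.randomBytes(SALT_LEN);
  const iv = crypto.randomBytes(IV_LEN); // supplied by the caller, fresh per message
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(password, salt), iv);
  const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  // Salt, IV and tag are not secret; they travel in the clear with the data.
  return Buffer.concat([salt, iv, cipher.getAuthTag(), ciphertext]);
}

function decrypt(password, blob) {
  if (blob.length < SALT_LEN + IV_LEN + TAG_LEN) throw new Error('blob too short');
  const salt = blob.subarray(0, SALT_LEN);
  const iv = blob.subarray(SALT_LEN, SALT_LEN + IV_LEN);
  const tag = blob.subarray(SALT_LEN + IV_LEN, SALT_LEN + IV_LEN + TAG_LEN);
  const ciphertext = blob.subarray(SALT_LEN + IV_LEN + TAG_LEN);
  const decipher = crypto.createDecipheriv('aes-256-gcm', deriveKey(password, salt), iv);
  decipher.setAuthTag(tag);
  // final() throws when the tag does not verify: wrong password or modified blob.
  return Buffer.concat([decipher.update(ciphertext), decipher.final()]);
}
```

Encrypting the same plaintext twice with the same password gives two different blobs, and changing any byte of a blob makes `decrypt` throw instead of returning altered data.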

Authentication and integrity

Maybe you have heard of using the MD5 algorithm to check that a downloaded file contains all the expected data? Well, that's called integrity. It ensures that your data is exactly what you expect.

Authentication involves integrity and makes sure that your data has been encrypted by a specific entity (for instance, a computer). It's a way to ensure the non-repudiation of data; put plainly, it means being sure that the data isn't falsified. An authentication value is called a Tag or a MAC (Message Authentication Code).

The most used integrity algorithms are SHA1 and MD5. For authentication, they are HMAC, checksum and CMAC. There are a bunch of other algorithms, but these are the main ones.
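
The difference between an integrity check and an authentication tag, as an added example that is not from the original post: a plain hash can be recomputed by whoever changes the data, while an HMAC tag cannot be produced without the key. SHA-256 stands in for MD5/SHA1 here, and the sample data, keys and function names are constructed for the example.

```javascript
const crypto = require('crypto');

// Integrity only: no secret is involved, so anyone can compute this value.
function digest(data) {
  return crypto.createHash('sha256').update(data).digest();
}

// Authentication: the tag depends on a key shared by sender and receiver.
function mac(key, data) {
  return crypto.createHmac('sha256', key).update(data).digest();
}

// Receiver-side checks.
function verifyDigest(data, check) {
  return digest(data).equals(check);
}
function verifyMac(key, data, tag) {
  const expected = mac(key, data);
  // timingSafeEqual compares in constant time and needs equal-length inputs.
  return tag.length === expected.length && crypto.timingSafeEqual(tag, expected);
}

// Constructed scenario: data is changed in transit by a party without the key.
function demo() {
  const key = crypto.randomBytes(32);          // known to sender and receiver only
  const otherKey = crypto.randomBytes(32);     // all that a party without the key has
  const original = Buffer.from('amount=10');   // constructed sample data
  const modified = Buffer.from('amount=9999');
  const originalTag = mac(key, original);
  return {
    // Modified data shipped with a freshly recomputed hash passes the check.
    hashAcceptsModified: verifyDigest(modified, digest(modified)),
    // Reusing the old tag, or tagging with a different key, both fail.
    macAcceptsOldTag: verifyMac(key, modified, originalTag),
    macAcceptsOtherKeyTag: verifyMac(key, modified, mac(otherKey, modified)),
    // Untouched data with its own tag still verifies.
    macAcceptsOriginal: verifyMac(key, original, originalTag),
  };
}
```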

[Figure: MAC. Image credits: Wikipedia]


And... that's it! There is nothing more to say about the basics of cryptography. Sure, I could talk about different encryption algorithms, but I find it useless in this case.

I will learn more and more about cryptography, improve my projects and maybe my own security. I hope you learned something about cryptography too 😄

Discussion

eLabFTW

Your last paragraph on Authenticity sounds wrong and misleading. You're putting everything in the same bag. It would have been better to explain what HMAC is instead of comparing it to md5 which is a hashing function and provides absolutely no authenticity, only integrity.

Nathanael Demacon Author

Rework finished, hope that you will enjoy it!

Nathanael Demacon Author

You're right, I somehow poorly formulated the paragraph, it needs a rework :)

Paul Siorai Waldorf

Excellent write up!

So now I'm curious about something. Did you happen to come across the proposed RSA alternatives for asymmetrical key pairs that use things like EC25519 in order to move away from NSA created standards? If so, what was your take?

Nathanael Demacon Author

ECC curves are far from what I know at this time. If your question was about how not to use NSA standards (like AES), I would use something like 3DES, former competitor of AES before AES was declared as the US government's standard.

Willem Odendaal

I've always wondered about the IV. Since it's random, you probably store it along with your encrypted data (but as an unencrypted value). Am I right? Is it the same thing as a "salt"?

Nathanael Demacon Author

It's literally the same thing as a salt, it's mixed with the key like you mix some cheeses to make a fondue

Leviathan Jeanis

Just a small point, but encryption and ciphers are two different things. A cipher consists of nothing more than a character (or byte) map from one alphabet to another.

Beyond that, nice work!

Nathanael Demacon Author

I'll note that! I'm not a native English speaker. In French, the word "crypting" doesn't really have the purpose of transforming a text to a ciphertext, there's a website dedicated to this word because of bad uses.

Thank you for telling me that, I won't make this error anymore!

(post fixed)

Ben Halpern

Thanks for sharing your learnings, keep up the great work

Nathanael Demacon Author

Thanks, the community helps me a lot to improve myself! Hope that people like my posts as I like to make them!

Vishwas Mahadev

Thanks for sharing! Informative😀

I'm Luis! \^-^/

"This technique is basically a way to mix your key with another value, best being a random value."

Is this what you call a salt ??

Nathanael Demacon Author

It's theoretically the same thing as a salt, a salt is mostly used in hashing, where it will be appended to the original value then hashed. An IV is XORed with a value (here a key)

Fleshwound⚡

I would like to see use case examples with scripts #showusthescripts!

Nathanael Demacon Author

It's hard to show proper code of how cryptography works. You can't show code in an essay because your readers could not understand the programming language you use.

It's more like an explanation than a demonstration.

Fleshwound⚡

I understand, I'm just a snippet snob I guess lol