Let's Talk Crypto

Cryptography is a big part of today's information security, so it is important to know at least the basics. Let's begin with some terms and their definitions.

One must remember that any security mechanism is only as secure as its weakest link. While cryptography is the basis of many security systems, it does not provide a solution to all security problems. Cryptography is only as reliable as its implementation and usage. The strongest crypto solutions have fallen in the past due to poor implementations. What this means is that you should never try to invent your own cryptographic system unless you have mastered the science of Mathematics, Cryptography, and Computers. A more in-depth analysis of crypto and security pitfalls can be found at Bruce Schneier's Cryptogram blog. I am a strong believer in two principles:

There are two types of cryptographic algorithms:

Aside from confidentiality, there is another use for Cryptography.

Hashing algorithms are used to validate message integrity. These algorithms were designed only to validate message integrity, not to provide confidentiality. Hence, one cannot use hashing algorithms to encrypt a message. In fact, a hash (the result of applying a hashing algorithm to data) shall never be reversible. That is, one shall not be able to take a hash and reverse it to reveal the original message. The way hashing works is that you apply a hashing algorithm to a message or file to compute its hash. A hash value is solely dependent on the data. Hence, if even a single bit of the data changes, the hash value will change. Also, for the same message or file, there shall be only one hash. When two distinct pieces of data, messages, or files have the same hash value, it is called a collision. Collisions render a message integrity mechanism insecure. Examples of hashing algorithms include MD5, SHA1, SHA256, and SHA512. MD5 is broken due to collisions and shall not be used. SHA1, in my opinion, is pretty close to its death.

Here is a fun example to demonstrate hashing.

The SHA256 sum (hash) of the word GeekMemos is 2f7038693a8f559afacf8ddeb1a261fa69af6db6ea60496ab30c337aaf0778a6.
The SHA256 sum (hash) of the word GeekMeemo is c95cf448105666e1a01174bcfd2336d7d2e0ff304a599807743e218df1403ff3.
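The same property used for an integrity check, as an added example that is not part of the original post: a file is hashed in chunks, compared against a published SHA256 digest, and then re-checked after a single bit is flipped. The sample data, the flipped bit position, and all function names are constructed for illustration.

```python
import hashlib
import hmac
import io


def sha256_stream(stream, chunk_size=65536):
    """Hash a binary stream in chunks so a large file never sits in memory."""
    digest = hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        digest.update(chunk)
    return digest.hexdigest()


def verify(stream, published_hex):
    """Return True only if the stream hashes to the published digest."""
    actual = sha256_stream(stream)
    # Constant-time comparison; normalise case/whitespace of the published value.
    return hmac.compare_digest(actual, published_hex.strip().lower())


def flip_bit(data, bit_index):
    """Return a copy of data with exactly one bit inverted."""
    out = bytearray(data)
    out[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(out)


def differing_bits(hex_a, hex_b):
    """Count how many of the 256 digest bits differ between two hashes."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def demo():
    # Constructed sample "file": the word from the post, repeated.
    original = b"GeekMemos\n" * 1000
    published = sha256_stream(io.BytesIO(original))
    tampered = flip_bit(original, 4242)  # one bit changed in the middle
    return {
        "original_ok": verify(io.BytesIO(original), published),
        "tampered_ok": verify(io.BytesIO(tampered), published),
        "bits_changed": differing_bits(
            published, sha256_stream(io.BytesIO(tampered))),
    }


if __name__ == "__main__":
    print(demo())
```

A one-bit change in the input typically alters about half of the 256 output bits, which is why the tampered copy fails verification outright rather than producing a "close" digest.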

Key size is important. Longer and more random keys can mitigate brute force attacks. Many key generation systems use randomness from the environment, such as the weather at the time of key creation, movement of the computer mouse, temperature of the processor, noise, or a combination of the aforementioned. The AES symmetric key encryption algorithm offers 128-, 192- or 256-bit keys. The asymmetric encryption implementation of PGP (using the RSA or DSA algorithm) offers 512-, 2048-, and 4096-bit keys. Generally, a 128-bit key for AES or a 2048-bit key for RSA is safe to use. While longer keys provide more deterrence against brute force attacks, they do tend to be resource hungry.

That is it for our crypto talk today. Want to learn more? Check out Coursera's course on Cryptography, a graduate-level book on Cryptography, and an educational tool to learn Cryptography and Cryptanalysis.

The author would love to hear your comments. Let us discuss on Twitter @hashtaginfosec.