Cryptography

Cryptography is a method of storing and transmitting data in a form that only those it is intended for can read and process. Cryptology is the study of cryptography and cryptanalysis, the science of studying and breaking the secrecy of encryption processes, reverse engineering algorithms, and things of this nature. Cryptography has been around for thousands of years. It started in the most basic form with substitution ciphers by the Jews, who simply reversed the alphabet, Caesar did a similar thing several hundred years later with a 3 letter shift, and even today, with the ROT13 encryption, a similar cipher is used by those on online forums to say something potentially offensive. More practical today are the mathematical algorithms used by programs and systems to communicate securely. These algorithms are generally known because the idea, following the Kerckhoffs Principle, is that with many people looking at is, fewer errors will be missed. The important part is the key. Keyspace refers to the range of values that can be used to construct a key. When someone refers to the strength of an algorithm, they are referring to the necessary processing power, resources, and time required to break the cryptosystem using a brute force attack.

There are many encryption methods. A one-time pad/Vernam cipher is considered to be a perfect encryption method if used properly; i.e. the pad is only used one time and is long enough to cover the entire message without repeating. Steganopraphy isn’t actually an encryption method, but more a means of security through obscurity. This is done by hiding messages in different types of media, such as pictures and music. It relies on the least significant bit, which is the smallest bit in any piece of information. It has very little to no impact on the media, so it is very hard to detect. Types of ciphers include substitution, which we’ve already discussed with the Jews, and transposition, which is where the bits or symbols are merely moved around.

Encryption is either performed using symmetric or asymmetric cryptography. Symmetric cryptography relies on both users to use the same key for encryption and decryption. The major problem with this is that it’s hard to keep up with all of the necessary keys. One exception of this is the use of a session key. It is symmetric cryptography that is only good for one use. After that the key is discarded and a new one assigned if the connection is needed again. Asymmetric cryptography uses two different keys, which are mathematically related. They rely on a public key to decipher privately encrypted information. On top of encryption, hashes are utilized to ensure message integrity. They ensure no unauthorized modifications were made, generally performed through a one-way hash. It assigns a hash value to the message, which is rehashed and compared to the initial value when received. Initialization Vectors, discussed in the WEP hack post, are random values that are used with algorithms to ensure patterns are not created during encryption. The idea is that two identical pieces of plaintext will not produce two identical pieces of ciphertext.

A few quick points about key management:

•  Should not be kept in clear text

• Processes should be automated

• Backup copies should be maintained

• Keys should be extremely random and long enough to not be brute forced

Two common security protocols are HTTP Secure, which is HPPT running over Secure Sockets Layer (SSL), and S-HTTP. HTTP Secure uses public key encryption and provides data encryption, server authentications, message integrity, and operational client authentication. S-HTTP performs similar functions, except it deals with messages, as opposed to the entire channel.

Some attacks to keep in mind include Cipher only attacks, which obtain cipher text and try to get the key by comparing multiple examples. It is hard to do successfully due to the limited information provided, but it is easy to obtain text through sniffing. Known plaintext attacks take ciphertext and compare it to pieces of known plaintext, such as greetings and salutation in combination with reverse-engineering and brute force. Side-channel attacks watch identifiers such as power consumption, heat generation, and time to reverse-engineer the code. One other interesting attack is the replay attack, which was described in the WEP hack post. In this attack the hacker captures some type of data and resubmits it to try and obtain some desired outcome. The best way to fight this is to use time stamps and sequence numbers along with validation methods. These are just few of the many attacks against encryption seen all the time.