Security Interview Prep

Cryptography

Symmetric Encryption

Symmetric encryption uses one key for both encryption and decryption. The sender and receiver must both have access to this shared secret key.

Key Features:

  • One key: The same key is used to encrypt and decrypt data.
  • Fast and efficient: Because the algorithm is less complex, symmetric encryption is faster and more efficient, making it suitable for encrypting large amounts of data.
  • Key management: A major challenge is securely sharing the key between parties. If the key is intercepted or leaked, the encrypted data can be compromised.

Algorithms:

  • AES (Advanced Encryption Standard): The most widely used symmetric encryption standard today. It supports key sizes of 128, 192, or 256 bits.
  • DES (Data Encryption Standard): An older encryption method, now considered insecure due to its short key length (56 bits).
  • 3DES (Triple DES): An enhancement of DES, applying DES encryption three times to each block of data.

Use Cases:

  • Data at Rest: Symmetric encryption is ideal for encrypting large amounts of stored data, like files or databases, because of its speed.
  • VPNs (Virtual Private Networks): Often use symmetric encryption (like AES) to secure data transmitted over the network.
  • TLS/SSL: After establishing a secure session, symmetric encryption is typically used to encrypt data exchanged over HTTPS connections.

Example Workflow:

  • Alice and Bob share a secret key.
  • Alice encrypts a message with the secret key and sends it to Bob.
  • Bob uses the same secret key to decrypt the message.

If an attacker obtains the key, they can decrypt all the messages.

Asymmetric Encryption

Asymmetric encryption uses two keys: a public key and a private key. The public key is used for encryption, while the private key is used for decryption. The keys are mathematically related, but it is computationally infeasible to derive the private key from the public key.

Key Features:

  • Two keys: The public key is used to encrypt data, and the private key is used to decrypt it.
  • Slower: Asymmetric encryption algorithms are computationally more complex and slower than symmetric encryption. This is why they are usually used for encrypting small amounts of data (e.g., keys, rather than large files).
  • Secure key exchange: No need to securely share a secret key in advance, as the public key can be shared openly, and only the holder of the private key can decrypt the messages.

Algorithms:

  • RSA: The most commonly used asymmetric encryption algorithm. It relies on the difficulty of factoring the product of two large prime numbers.
  • Elliptic Curve Cryptography (ECC): A more efficient alternative to RSA, providing the same level of security with smaller key sizes.
  • Diffie-Hellman (DH): A key exchange algorithm that allows two parties to generate a shared secret over an insecure channel.

Use Cases:

  • Digital Signatures: Asymmetric encryption allows the creation of digital signatures, ensuring both the authenticity and integrity of a message.
  • Key Exchange: Used to securely exchange the symmetric key (e.g., in SSL/TLS).
  • Email Encryption: Protocols like PGP (Pretty Good Privacy) use asymmetric encryption to secure email communication.

Example Workflow:

  • Alice generates a public key and a private key.
  • Alice shares her public key with Bob, who uses it to encrypt a message.
  • Only Alice, with her private key, can decrypt the message.

Even if an attacker intercepts the encrypted message, they cannot decrypt it without the private key.

Key Differences:

Feature | Symmetric Encryption | Asymmetric Encryption
Key Usage | One key for both encryption and decryption | Public key for encryption, private key for decryption
Speed | Fast and efficient for large data | Slower, better for small amounts of data
Security | Secure as long as the key is kept private | More secure, as the private key is never shared
Key Management | Securely sharing the key is a challenge | Public key can be shared openly
Common Algorithms | AES, DES, 3DES | RSA, ECC, Diffie-Hellman
Main Use | Encrypting large amounts of data | Secure key exchange, digital signatures, email encryption

Combining Symmetric and Asymmetric (Hybrid Encryption):

In practice, symmetric and asymmetric encryption are often used together in hybrid encryption systems. For example:

  • SSL/TLS (used in HTTPS): Asymmetric encryption (RSA or ECC) is used to securely exchange a symmetric key (like an AES key). Once the symmetric key is exchanged, symmetric encryption is used for the rest of the session to encrypt and decrypt the bulk of the data.

Summary:

  • Symmetric encryption is faster but requires a secure key exchange process.
  • Asymmetric encryption is slower but provides better security for key exchange and digital signatures.
  • In real-world systems, both are often used together for optimal security and performance.

DES Encryption

  • Data Encryption Standard → Feistel function is used for this → 16 rounds
  • Uses a key size of only 56 bits.
  • Supports the same modes as AES. Again, ECB mode is insecure here too.
  • Before delving into DES, you need to know what a Feistel cipher is.

  • Triple DES Encryption: DES Encryption(key1) → DES Decryption(Key2) → DES Encryption(Key3)

  • Why is DES vulnerable?

    • The 56-bit key is small, which makes brute-force attacks feasible.
    • It operates on 64-bit blocks; as the same key is used, it can be susceptible to collisions.
    • If 2DES is used, it is vulnerable to a meet-in-the-middle attack.

AES Encryption

Modes of operation

  1. ECB (Electronic Codebook mode): In ECB mode, each block of plaintext is encrypted independently using the same key. It’s a simple method where “identical plaintext blocks result in identical ciphertext blocks”, which sums up why this mode is vulnerable.

  2. CBC (Cipher Block Chaining Mode): CBC mode improves security by chaining blocks together. Each plaintext block is XORed with the previous ciphertext block before encryption, so the encryption of each block depends on the previous one.

  • GCM mode is secure too.
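
The Feistel structure from the DES notes and the ECB/CBC behaviour described above, shown together as an added example (not code from the original page). It is a toy 16-round Feistel cipher on 64-bit blocks whose round function is truncated HMAC-SHA256, a stand-in and not the real DES F-function; the key and plaintext are constructed samples.

```python
import hashlib
import hmac
import os

BLOCK, ROUNDS = 8, 16   # 64-bit blocks and 16 rounds, the same shape as DES

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _round_fn(half: bytes, key: bytes, rnd: int) -> bytes:
    # Stand-in round function (truncated HMAC-SHA256), NOT the DES F-function.
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:4]

def feistel_block(block: bytes, key: bytes, decrypt: bool = False) -> bytes:
    left, right = block[:4], block[4:]
    order = reversed(range(ROUNDS)) if decrypt else range(ROUNDS)
    for rnd in order:
        # Each round: swap halves and XOR one half with F(other half, round key).
        left, right = right, _xor(left, _round_fn(right, key, rnd))
    # Undoing the last swap lets decryption reuse the same network, rounds reversed.
    return right + left

def _blocks(data: bytes) -> list:
    if len(data) % BLOCK:
        raise ValueError("input must be a multiple of 8 bytes (padding omitted)")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(pt: bytes, key: bytes) -> bytes:
    return b"".join(feistel_block(b, key) for b in _blocks(pt))

def cbc_encrypt(pt: bytes, key: bytes, iv: bytes) -> bytes:
    out, prev = [], iv
    for b in _blocks(pt):
        prev = feistel_block(_xor(b, prev), key)   # chain in previous ciphertext
        out.append(prev)
    return b"".join(out)

def repeated_blocks(ct: bytes) -> int:
    blocks = _blocks(ct)
    return len(blocks) - len(set(blocks))   # > 0 means plaintext repetition leaks

KEY = b"constructed-demo-key"        # constructed sample key
PT = b"PAY 100$" * 3 + b"PAY 999$"   # constructed: three identical blocks

if __name__ == "__main__":
    print("ECB repeats:", repeated_blocks(ecb_encrypt(PT, KEY)))
    print("CBC repeats:", repeated_blocks(cbc_encrypt(PT, KEY, os.urandom(BLOCK))))
```
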

RSA Encryption

  • Choose large prime numbers. Also, don’t pick e=3, as it makes the encryption vulnerable.


Diffie Hellman Key exchange

  • p is a large prime number, g is a base and smaller than p. Both p and g are publicly shared.
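
The exchange built on these public parameters, written out as an added example (not from the original page). The values of `P` and `G` are constructed toy parameters, and hashing the shared secret into a 256-bit key is an assumption about how the result would be used.

```python
import hashlib
import secrets

# Constructed toy parameters: p is the Mersenne prime 2**127 - 1, far too small
# for real use (deployments use standardized groups of 2048 bits or more).
P = 2**127 - 1
G = 3

def keypair():
    private = secrets.randbelow(P - 3) + 2   # secret exponent in [2, P-2]
    return private, pow(G, private, P)       # public value g^a mod p

def shared_key(own_private: int, peer_public: int) -> bytes:
    # Reject degenerate public values (0, 1, p-1, ...) that would force a
    # predictable shared secret.
    if not 2 <= peer_public <= P - 2:
        raise ValueError("invalid peer public value")
    secret = pow(peer_public, own_private, P)   # (g^b)^a == (g^a)^b mod p
    # Hash the group element into a 256-bit symmetric key.
    return hashlib.sha256(secret.to_bytes(16, "big")).digest()

def exchange():
    a_priv, a_pub = keypair()   # Alice
    b_priv, b_pub = keypair()   # Bob
    # Only a_pub and b_pub cross the insecure channel; the private
    # exponents never leave their owners.
    return shared_key(a_priv, b_pub), shared_key(b_priv, a_pub)

if __name__ == "__main__":
    alice_key, bob_key = exchange()
    print("keys match:", alice_key == bob_key)
```
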


Digital Signatures

  • Sender sends both the encrypted message and the above.
  • The receiver gets both. They can decrypt the hash with the sender’s public key and compare it against the hash of the received message to check whether there has been any data tampering.

Hashing

  • One-way, unlike encryption and decryption. Mainly used for data integrity.
  • Collision → the possibility that two messages produce the same hash when passed to a hashing algorithm.
  • The birthday paradox shows how likely it is for multiple people in a room to share the same birthday.
  • MD5 algorithm → 128-bit output
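
The collision and birthday-paradox bullets above, worked through as an added example (not from the original page). It truncates SHA-256 to a short output to model a small hash; the 24-bit size and the `message-N` inputs are constructed for the demonstration.

```python
import hashlib
from itertools import count

def birthday_probability(people: int, days: int = 365) -> float:
    # P(at least two share a birthday) = 1 - (365/365)(364/365)...
    p_unique = 1.0
    for k in range(people):
        p_unique *= (days - k) / days
    return 1.0 - p_unique

def truncated_hash(msg: bytes, bits: int) -> int:
    # Keep only the top `bits` bits of SHA-256 to model a short hash output.
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") >> (256 - bits)

def find_collision(bits: int):
    # Hash distinct constructed messages until two share a truncated digest.
    seen = {}
    for attempts in count(1):
        msg = b"message-%d" % attempts
        h = truncated_hash(msg, bits)
        if h in seen:
            return seen[h], msg, attempts
        seen[h] = msg

if __name__ == "__main__":
    print("23 people:", round(birthday_probability(23), 3))
    m1, m2, tries = find_collision(24)
    print(f"24-bit collision after {tries} hashes; output space is {2**24}")
```

A collision appears after roughly 2^(n/2) hashes rather than 2^n, which is why a 128-bit digest offers only about 64 bits of collision resistance.
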

  • Message Authentication code(MAC)

  • PGP → Pretty Good Privacy
    • This is same as asymmetric encryption,


How PKI Works (Step-by-Step):

  1. Key Pair Generation:
    • A user or organization generates a pair of cryptographic keys: a public key and a private key. The private key is kept secret, while the public key is intended to be shared.
  2. Certificate Request:
    • The user generates a Certificate Signing Request (CSR) that includes the public key and identity information (e.g., organization name, domain name).
    • The CSR is sent to a Certificate Authority (CA) to request a digital certificate.
  3. Identity Verification:
    • The Registration Authority (RA) or CA verifies the identity of the user requesting the certificate. This can involve checking company documentation, personal identification, or other methods of validation.
  4. Issuance of the Certificate:
    • After verification, the CA signs the digital certificate using its private key, binding the user’s identity to the public key. The certificate includes the public key, the owner’s details, the CA’s signature, and an expiration date.
  5. Distribution of the Public Key:
    • The public key certificate is made available (often shared on a public key server or provided via a website), so others can use the public key to verify signatures or encrypt data that only the owner of the private key can decrypt.
  6. Certificate Validation:
    • When someone receives a certificate, they verify that it was issued by a trusted CA by checking the CA’s digital signature on the certificate.
    • If the certificate is valid (and not revoked), they can use the public key to verify signatures or encrypt communications.
  7. Revocation:
    • If the private key associated with a certificate is compromised or the owner’s identity is no longer trusted, the CA adds the certificate to a Certificate Revocation List (CRL), or an Online Certificate Status Protocol (OCSP) server, allowing others to check the status of the certificate.

Certificate chain

  • Leaf Certificate:
    • When you visit a website that uses SSL/TLS, the web server sends its leaf certificate to your browser. This certificate is issued by an intermediate CA.
  • Intermediate Certificates:
    • The browser checks the issuer of the end-entity certificate to see if it is trusted. Since the end-entity certificate is usually issued by an intermediate CA, the browser will need the intermediate certificate(s) to verify the authenticity of the end-entity certificate.
    • The intermediate certificate is signed by another intermediate CA or the root CA.
  • Root Certificate:
    • Finally, the intermediate certificate is signed by the root certificate, which is already trusted by your browser or operating system. This is because the root certificates from well-known CAs (e.g., DigiCert, GlobalSign) are pre-installed in most systems and browsers.
    • Once the browser verifies the root certificate, it trusts the entire chain of certificates.

Browsers and operating systems have trusted certificate stores, which contain root certificates from the most trusted CAs.
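
The hash-then-sign check from the Digital Signatures notes and the leaf → intermediate → root walk described above, combined in one added example (not from the original page). It uses textbook RSA with toy keys built from Mersenne primes and a simplified certificate record; the names, key sizes and certificate fields are all constructed, and real certificates are X.509 with padded signatures.

```python
import hashlib

E = 65537  # public exponent

def toy_key(a: int, b: int) -> dict:
    # Constructed toy RSA key from two Mersenne primes (2**a - 1, 2**b - 1).
    # Textbook RSA without padding: fine for illustration, never for real use.
    p, q = 2**a - 1, 2**b - 1
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}

def _digest(msg: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign(msg: bytes, key: dict) -> int:
    return pow(_digest(msg, key["n"]), key["d"], key["n"])   # private-key operation

def verify(msg: bytes, sig: int, n: int) -> bool:
    return pow(sig, E, n) == _digest(msg, n)                 # public-key operation

def _tbs(cert: dict) -> bytes:
    # The "to be signed" fields: identity, public key and issuer name.
    return f'{cert["subject"]}|{cert["n"]}|{cert["issuer"]}'.encode()

def issue(subject: str, subject_n: int, issuer: str, issuer_key: dict) -> dict:
    cert = {"subject": subject, "n": subject_n, "issuer": issuer}
    cert["sig"] = sign(_tbs(cert), issuer_key)               # CA binds identity to key
    return cert

def validate_chain(chain: list, trust_store: dict, revoked=()) -> bool:
    # chain is ordered [leaf, intermediate(s)..., root].
    if any(c["subject"] in revoked for c in chain):
        return False
    for cert, parent in zip(chain, chain[1:]):
        if cert["issuer"] != parent["subject"]:
            return False
        if not verify(_tbs(cert), cert["sig"], parent["n"]):
            return False
    root = chain[-1]   # trusted only because its key is already in the local store
    return trust_store.get(root["subject"]) == root["n"]

ROOT_KEY, INTER_KEY, LEAF_KEY = toy_key(521, 607), toy_key(107, 127), toy_key(61, 89)
ROOT = issue("Demo Root CA", ROOT_KEY["n"], "Demo Root CA", ROOT_KEY)
INTER = issue("Demo Intermediate CA", INTER_KEY["n"], "Demo Root CA", ROOT_KEY)
LEAF = issue("www.example.test", LEAF_KEY["n"], "Demo Intermediate CA", INTER_KEY)
TRUST_STORE = {"Demo Root CA": ROOT_KEY["n"]}

if __name__ == "__main__":
    print("valid chain:", validate_chain([LEAF, INTER, ROOT], TRUST_STORE))
    altered = dict(LEAF, subject="other.example.test")
    print("altered leaf:", validate_chain([altered, INTER, ROOT], TRUST_STORE))
```
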