Research Assessment #4

Date: 10/10/2019

Subject: Cryptography - What is it and how does it work?

MLA Citation:
Agius, Chris. “Cryptography-What Is It and How Does It Work?” Medium, Noteworthy - The
Journal Blog, 17 May 2019,
blog.usejournal.com/cryptography-what-is-it-and-how-does-it-work-2a21a730d694.

Analysis:

My previous three research assessments were focused on the overview of Cybersecurity

and the basic types of attacks that can affect a computer. While researching those topics helped
me understand the significance of the field by understanding the true magnitude of the cyber
attacks, it is definitely not enough to be proficient in Cybersecurity. For that reason, I decided to
delve into one of the more technical aspects of the study and research articles about
cryptography. As I browsed through many articles, I eventually found this website, and it really
helped me understand not only what cryptography is, but also how it operates in simple terms.

Right off the bat, this article addresses an extremely common misconception. By
analyzing the word cryptography, the article mentions that although cryptography is primarily
used as a digital term that relates to computers, it also applies to any form of communication that
attempts to hide, or encrypt the data from outsiders. In fact, according to the website, “the
earliest known use of cryptography is found in non-standard hieroglyphs carved into the wall of
a tomb from the Old Kingdom of Egypt circa 1900 BCE”. When I first read through this section,
I was really surprised as it really changed my way of thinking about cryptography; it started to
make me recollect all the times when I would try to make symbols to communicate with my
friends so that others would not understand. Unknowingly, I had started using cryptographic
techniques since the start of my childhood, which is fascinating!

Later on, after describing the meaning of cryptography and explaining how it supports the
CIA triad (Confidentiality, Integrity, and Availability), the article delves further into the details
of how it relates to cybersecurity. For instance, it starts to talk about two different types of
encryption: symmetric and asymmetric encryption. Fundamentally, symmetric encryption is a
process in which the same key is used to both encrypt and decrypt data, whereas in asymmetric
encryption, different keys are used. This essentially means that asymmetric encryption is more
secure as it is more difficult for potential hackers to obtain the public and private keys. While
what I mentioned seems really simple, it is only a brief overview of the encryption types and
there are many more complexities that I need to learn in the future. Before reading this article, I
had heard the names of these two main types of encryption, but until now, I had never known
some of the specificities and their usefulness.

Moreover, I finally learned through this article how I could combine my programming
skills and my basic Cybersecurity skills to secure a particular software. For instance, this website
shows several different snippets of code that utilize the symmetric/asymmetric encryption
algorithms into the rest of the software. Although these snippets show code that is programmed
in the language Ruby (which I am unfamiliar with), I could learn the new syntax, use my Java
programming skills, and apply the same coding fundamentals in the future. Although there are
still several statements that I didn’t fully understand in this article, I understood the main
functions and characteristics of each concept that they mentioned.

Towards the latter part of the article, hash functions and digital signatures are discussed
with several details. These topics were not fully foreign to me because I had reviewed them last
year when preparing for my BPA (Business Professionals of America) Computer Security Event.
More specifically, I knew that the hash functions are primarily used to conceal the data that is
being transmitted using certain encryption algorithms, but I did not know of any specific types of
algorithms until I read the article. Additionally, I knew that digital certificates signify the
secureness of a certain website on the browser but I did not know that the Certificate Authority
(CA) has to issue the digital certificate, which has a certain expiry date. Once again, this article
includes several other snippets of Ruby code that shows how programming and information
security could be combined to enhance a system’s credibility.

To summarize, by reading this article, I delved into the more technical aspects of
Cybersecurity and learned a lot more about how I could use my background programing
knowledge and incorporate it into information security. Moreover, while I had heard of several
of the concepts that were mentioned in the article beforehand, I hardly knew how any of them
were implemented and how they could be beneficial. To top it off, I have enriched myself greatly
by reading this article and enhanced my confidence to talk to Cybersecurity professionals during
interviews since I have a much deeper understanding of my topic than I did at the beginning of
this school year. I also have been able to note down several of the portions of the article that I did
not fully understand so that I could ask my potential Cybersecurity mentor in the near future.

**Annotated article is below (following page)

 Cryptography—What Is It and
How Does It Work?
A High-Level Overview With Examples Using Ruby +
OpenSSL This is especially helpful to me since it shows how my knowledge of
programming could help me in Cybersecurity - I might just have to learn Ruby +
OpenSSL in my future

Cryptography—Not Just a Digital

Thing
As defined by Bruce Schneier in his book Applied Cryptography, “The art and science of
keeping messages secure is cryptography […].” Cryptography, while now considered
fundamental in our digital lives, is not specifically related to computing. This completely
changed my way of thinking about this topic. I originally thought that it was only related
to computers, but as I started to think about the meaning of the word, I realized that it
only means to hide something, which can be done in the physical world as well. It has
existed in various forms for millennia. From Wikipedia’s article on the history of
cryptography:

The earliest known use of cryptography is found in non-standard hieroglyphs carved into
the wall of a tomb from the Old Kingdom of Egypt circa 1900 BCE. This is really cool! Until
now, I had not thought of cryptography in this way. These are not thought to be serious
attempts at secret communications, however, but rather to have been attempts at mystery,
intrigue, or even amusement for literate onlookers. These are examples of still other uses of
cryptography, or of something that looks (impressively if misleadingly) like it. Some clay
tablets from Mesopotamia somewhat later are clearly meant to protect information — one
dated near 1500 BCE was found to encrypt a craftsman’s recipe for pottery glaze,
presumably commercially valuable. Later still, Hebrew scholars made use of simple
monoalphabetic substitution ciphers (such as the Atbash cipher) beginning perhaps around
500 to 600 BCE. In India around 400 BCE to 200 CE, Mlecchita vikalpa or the art of
understanding writing in cypher, and the writing of words in a peculiar way was documented
in the Kama Sutra for the purpose of communication between lovers. This was also likely a
simple substitution cipher. Parts of the Egyptian demotic Greek Magical Papyri were
written in a cypher script.

You have probably seen simple examples of cryptography before. A Caesar cipher, or
shift cipher, is commonly used in children’s games Upon reflection of my early
childhood, my friends and I used to do something similar in which we would talk in a
“code language” so that others won’t understand what we are saying. It is interesting to
see that I have been learning about cryptography since that early age! which involve
decoding a secret message. ROT13 is an extremely common type of shift cipher in which
the alphabet is rotated by 13 steps, as illustrated below:
ROT13 in action. (Wikimedia Commons)

It’s easy to see that this kind of cipher provides no real security, but it’s a simple and fun
illustration of the general idea behind cryptography. I used to solve puzzles like this
wherein I translate symbols to actual letters. I really enjoyed it back then, and seeing
this in the present really motivates me.

Nowadays when we talk about cryptography, we usually talk about it in the context of
technology. How is personal and financial information safely transmitted (known as
protecting data in transit) on the Web, say, when we make a purchase or look at our
bank accounts? How can data safely be stored (known as protecting data at rest) so
that someone couldn’t just open up a computer, pop out the hard drive, and have a field
day with the information on it?
Some Definitions and a Quick Cybersecurity Primer

In cybersecurity, there are a number of things we are concerned with when it comes to
data. These include confidentiality, integrity, availability, and non-repudiation.
I had learned about these topics last year when I was preparing for a Computer Security
Event. Also known as the CIA triad, these concepts describe the fundamental purpose of
Cybersecurity.

Confidentiality means that our data cannot be accessed/read by unauthorized users.

Integrity means that our data gets to us 100% intact, and has not been modified,
whether by a malicious actor, data loss, or otherwise.

Availability means that our data is accessible when needed.

Non-repudiation means that if Bob sends some data to Mary, he should not be able to
claim later on that he was not, in fact, the sender of that information. In other words,
there is some way to determine that no one other than Bob could have sent the data.
This is definitely a very valuable process - I am curious to see how exactly this works.

Cryptography doesn’t do much for us in the way of availability, but we will look at the
various forms of digital cryptography and how they can help us achieve the other three
goals listed above. When we talk about digital cryptography, we are usually referring to
one of the following:

1. Symmetric encryption
2. Asymmetric encryption
3. Hash functions
 4. Digital signatures

I will expand on each of these below. All code examples are adapted from Jesus
Castello’s awesome post on SitePoint, Exploring Cryptography Fundamentals in Ruby,
as well as official Ruby documentation. Also keep in mind that these examples are
meant to illustrate the concepts, not to provide best practices for data security.

For all the examples, you should have Ruby installed, as well as the ‘openssl’ and ‘pry’
gems.

Symmetric Encryption

Okay, before we dive into this: what exactly do we mean by ‘encryption’? Encryption and
decryption are typically used to mean enciphering and deciphering, respectively; to put
it simply, encrypting a message means making it unreadable to unauthorized parties
using a cipher (the specific method for doing so). Do the unauthorized parties
essentially just include anyone other than the sender and receiver? Also, how can these
unauthorized parties intercept the data between the sender and receiver? Decrypting the
message means reversing the process and making the data readable once more.

In order to properly encrypt and decrypt our data, we need both the data and a key
(which determines the output of our cipher). What exactly is a key? I don’t fully
understand, so I will take note of this and ask my potential mentor.

With symmetric encryption, the key used to encrypt and decrypt data is the same. Let’s
take a string and encrypt it using Ruby and OpenSSL:
Note that I am doing this destructively (reassigning the variable which contained our
original string) in order to demonstrate that we are indeed encrypting and decrypting.
Now let’s pop into our Pry console: I do not understand the given code as I am proficient
in Java and not Ruby

Notice that our data_to_encrypt variable, which was initially set to ‘now you can
read me!’, is now a bunch of unreadable garbage. Let’s reverse the process, using the key
we initially saved in the key variable.
As we can see, using the same key we set for encryption, we get back our original string.
What happens if someone gains access to that key - will the information then be
vulnerable to exploitation?

Asymmetric Encryption

The problem with symmetric encryption is this: What if I need to send data securely in a
hostile environment, such as the Internet? If asymmetric encryption is done when
transmitting data over the internet, what is symmetric encryption used for?If the same
key is used to encrypt and decrypt data, then I would first need to send you the
decryption key to establish a secure connection. But that means I’m sending the key over
an insecure connection to start with, meaning the key can be intercepted and used by a
third party! How do we get around this? Enter asymmetric encryption.

I haven’t really studied the mathematics of asymmetric encryption, and it would be

beyond the scope of this blog post anyway, but I can give you a general idea. To use an
asymmetric cipher, you need to generate two keys which are mathematically related.
One key is your private key, which only you should have access to, and your public key,
which (as its name suggests) can be shared publicly with anyone.

So, you request a secure connection to a server, the server sends its public key, the client
generates a key for a symmetric cipher and encrypts it with the server’s public key, the
server decrypts the message containing the symmetric key using its private key, and now
that both parties have the symmetric key, a secure connection can be established using
symmetric encryption. Essentially, these paragraphs detail the background process of
asymmetric encryption and explain how it more secure than symmetric encryption

But wait! Now we have another problem. How do I know that the server’s public key is
legitimate, i.e. belongs to that server!? In general, there are a couple of ways to deal with
this issue, but the most common method (and the one used on the web) is by using
Public Key Infrastructure (PKI). In the case of websites, there is a Certificate Authority
that has a directory of all websites to which it has issued certificates, as well as their
public keys. When you connect to a website, its public key is first verified with the
Certificate Authority.

Let’s bring back our string to encrypt from the last section, and generate a
public/private key pair:

Now let’s get into our Pry console and work on our string:
First, notice that our key and our public key are separate objects with different object
IDs. Using#public_encrypt, we can encrypt our string using our public key. Again,
note the nonsensical output that we’ve put in our data_to_encrypt variable. Now
let’s decrypt the data using our private key. Wow, this snippet of code seems really
complex! I definitely do not understand it so I might need to do more research about
this in the future when I must implement encryption in my programs

Ta-da!

Using #private_decrypt, we were able to get back the original message using NOT
the public key which with which we originally encrypted the message, but its related
private key. The same works in reverse, though we would not want to do this in
practice—if we encrypt with our private key, anyone who has our public key will be able
to view the message. Ok, so basically, to practice asymmetric encryption, it is
recommended to encrypt with the public key and decrypt with the private key since no
one else will then be able to see the data.(Thanks to Michael Hansen for pointing this
out in his response!)