Cryptography remains cryptic and complex because most people don’t have the time or the desire to become a cryptography expert. But a high-level understanding of applied cryptography and cryptanalysis is valuable to developers and hackers alike. Understanding when, why and how cryptography should be used in different contexts is important to ensure that the software is actually receiving the desired level of protection. And the ability to recognize misuse of cryptography can be useful for a hacker trying to determine whether encrypted data can be broken with ease or is beyond their capabilities.
Fundamentals of cryptography
Before digging into the details of how cryptography is used and can be broken, it’s important to understand the basic principles of cryptography, the types of cryptographic algorithms and how they can be used. Symmetric and asymmetric encryption algorithms perform similar actions, but they have their own advantages and disadvantages. Hash functions, on the other hand, may look similar (and are cryptographic algorithms), but they work differently and are used for different purposes. Most cryptographic algorithms have libraries that make them plug-and-play; however, this is of limited utility if you don’t know which one is right for the job.
Modern applications of cryptography
Cryptography is used every day at the core of a variety of technologies and some of the largest applications in the modern world, including: Public Key Infrastructure (PKI) is the backbone of many modern uses of encryption. Digitally signed email and websites that have URLs that begin with HTTPS come with digital certificates that are used to verify the website or the email sender’s identification. Certificates are hard to fake, because PKI creates a chain of trust that makes certificate verification possible. SSL and TLS are the protocols that encrypt most data flowing over the network. Early internet protocols had no protections for authentication or confidentiality. Through a combination of asymmetric and symmetric cryptography, SSL and TLS verify the identity of the server to the client and protect communications against eavesdroppers. Virtual Private Networks (VPNs) help protect communication between a client and a server as it flows over a public network. This is accomplished by setting up an encrypted “tunnel” that protects traffic from eavesdroppers. However, not all VPN protocols are created equal and VPNs do not always promise full confidentiality. Secure credential management is essential to protecting the authentication information that websites and applications use to verify user identities. While best practices exist for doing this, recent research about credential security on content management systems (CMS) and a recent Facebook password scandal demonstrate how easy it is to mess up. Full-disk encryption is designed to protect data security on lost, stolen or discarded electronic devices. These systems make effective use of symmetric cryptography to accomplish this, but their protection can be bypassed in some cases. Blockchain technology is often oversold, but the technology has promise. Blockchain is designed to use cryptographic algorithms to replace trust in centralized organizations. As a result, it makes heavy use of asymmetric cryptography and hash functions to accomplish these goals. These are some of the biggest applications of cryptography but there are many more. Understanding how cryptography can be used is helpful in understanding how it should be used and how things can go wrong.
Basics of applied cryptanalysis
Most modern cryptanalytic techniques require complicated math and they’re generally useless if a developer has done their job well. If a cryptographic algorithm is broken by an attack then it is officially deprecated, so any use of “strong” cryptography isn’t worth trying to crack. However, people don’t always use “strong” cryptography. In malware, it’s not uncommon to see encoding algorithms like Base64 or URL encoding used instead of an encryption algorithm. While these algorithms are similar to encryption algorithms in that they obfuscate data, they’re trivially breakable. Not all encryption algorithms are created equal either. Some “modern” algorithms like MD5 and SHA-1 are considered “broken” and shouldn’t be used. Others, like weak XOR encryption and ROT-13, were never secure and can easily be broken with frequency analysis. Basic applied cryptanalysis requires the ability to identify obfuscated data and to determine if it can be easily decoded. In many cases, the algorithm in use can be easily identified. Depending on the result, the analyst can quickly decode the data or move on to softer targets.
Conclusion
Most developers and hackers don’t need to be cryptography experts to be effective. A little bit of cryptography knowledge can go a long way, though. The fragility of cryptographic algorithms means that even small mistakes can render them completely ineffective and vulnerable to attack. Understanding the most common types of mistakes and how to detect them can help developers to avoid them and hackers to exploit them.
Sources
Pass the salt! Popular CMSs aren’t securing passwords properly, Naked Security Facebook Stored Hundreds of Millions of User Passwords in Plain Text for Years, Krebs on Security Frequency Analysis, Learn Cryptography