Cryptography

Cryptography is a field of Computer Science focused on the use of mathematical and logical algorithms for protecting information.

Ancient origins of "message hiding"

Many years ago, more rudimentary techniques of concealing a message's contents or even its existence, were employed to ensure privacy, integrity and/or secrecy. For example, in ancient China (among other places certainly) shaving a messenger's head and writing a message, then letting them grow their hair to cover the message up, was common practice.

In Feudal Europe, one technique involved passing trivial messages using many different messengers over a period of time, but where each message contained only a small piece of another more important hidden message. After the final messenger arrived the other party would be able to build up the "clues" and form the actual significant message (for example, relating to battle plans, positions, conspirator meeting dates/times, etc). In this way, if a single one of the messengers were captured there would be no way for the captor to use the information they had to decypher the more important hidden message. One would have to capture many messengers at once and be clever enough to understand or discover the smaller pieces of the hidden message in order to compromise the communication.

The concept of Cyphering and Decyphering a message is at the core of Encryption.

Specifications

• Universally Unique IDentifier (UUID) URN namespace: https://datatracker.ietf.org/doc/html/rfc4122
• Globally Unique IDentifier (GUID): https://docs.microsoft.com/en-us/dotnet/api/system.guid?view=net-5.0
• Punycode -- Bootstring encoding of Unicodefor Internationalized Domain Names in Applications (IDNA): https://tools.ietf.org/html/rfc3492
• Internationalized Domain Names in Applications (IDNA) protocol: https://tools.ietf.org/html/rfc5891
• Web Cryptography API: https://www.w3.org/TR/WebCryptoAPI/ (part of HTML5 family of specifications)
• WebCrypto API -- Supported algorithms: https://developer.mozilla.org/en-US/docs/Web/API/Web_Crypto_API | Supported algorithms ( Web Crypto API is an interface allowing a script to use cryptographic primitives in order to build systems using cryptography)

^{[1] [2] [3]}

Approaches

Encryption

Encryption is the cyphering (process of rendering unreadable via mathematical models/functions) any form of information, and is most commonly used to conceal the contents of a message.

In electronic form, the practice gained widespread use during World Wars I & II by each side to protect their radio, telephone and other communications, but physical forms of encryption have been around almost as long as humans have been communicating.

Decryption

Decryption is the opposite of Encryption and is the mathematical or logical algorithm applied to retrieve the original information in its previous form, before the Encryption process.

Algorithms

Caesar Cyphers

Ceasar Cyphers were one of the earliest and most common ways to "scramble" a message. It is based on a simple concept creating an index in the alphabet rendering For example, using an index of "8" in the most basic form of a Caeasar Cypher, we add 8 to the beginning index of the alphabet, meaning we shift the whole alphabet left by 8 spots.

THE ENGLISH ALPHABET

a   b   c   d   e   f   g   h   i   j   k   l   m   n  o   p   q   r   s   t   u   v   w   x   y   z  

BECOMES:

i   j   k   l   m   n  o   p   q   r   s   t   u   v   w   x   y   z   a   b   c   d   e   f   g   h
^

Then the word:

s p o o n

Becomes:

a x w w v
         

If you don't know the index value it can be difficult to realize the scrambled word "axwwv" really meant "spoon", however, trained mathematicians and encryption engineers could easily recognize a Caesar Cypher and decypher the word spoon in a few seconds or less.

Thus, more complicated versions of Caesar Cyphers were created which vary both the starting index and middle index, for example, or perhaps, varies both the middle, end and start indexes while also reversing all letters in between.

These mechanisms can confuse a basic decyphering attempt, but again, specialists and professionals would be capable of decyphering such a message quite easily.

The real world applications of a Caesar Cypher was thus often combined with other tried and true methods of concealing a message, for example the previously mentioned methods for hiding it on a messenger, or, mixing it inside of many irrelevant messages which had to be re-assembled in order to decypher the full hidden message.

An example of this is shown below.

Sample Input

THIS
DAWN
THAT
THE
ZORRO
OTHER
AT
THING
#
BUUBDLA PSSPABUAEBXO

Sample Output

ATTACK ZORRO AT DAWN

^{[4] [5] [6]}

Diffie-Hellman

Diffie-Hellman Key Exchange is a method for securely exchanging public keys, without necessarily broadcasting their existence to the entire web.

^{[7] [8]}

RSA

In the digital world, eventually Caesar Cypher types of techniques for scrambling message contents simply became insufficient or impractical for maintaining the security of critical information.

For this reason, the US Department of Defense (among many other nations') began investing heavily in Encryption and information security. One of the major innovations of this research came from Ron Rivest, Adi Shamir, and Leonard Adleman (or RSA).

RSA involves a public key and a private key. The public key can be known to everyone and is used for encrypting messages. Messages encrypted with the public key can only be decrypted using the private key. The keys for the RSA algorithm are generated the following way:

1. Choose two distinct prime numbers p and q.
   • For security purposes, the integers p and q should be chosen uniformly at random and should be of similar bit-length. Prime integers can be efficiently found using a primality test.
2. Compute n = pq.
   • n is used as the Modular arithmetic|modulus for both the public and private keys
3. Compute the totient: φ(pq) = (p − 1)(q − 1).
4. Choose an integer e such that 1 < e < φ(pq), and e and φ(pq) share no divisors other than 1 (i.e. e and φ(pq) are coprime).
   • e is released as the public key exponent.
   • Choosing e having a short addition chain results in more efficient encryption. Small public exponents (such as e = 3) could potentially lead to greater security risks.^[9]
5. Determine d (using modular arithmetic) which satisfies the Modular arithmetic .
   • Stated differently, ed − 1 can be evenly divided by the totient (p − 1)(q − 1).
   • This is often computed using the extended Euclidean algorithm.
   • d is kept as the private key exponent.

The public key consists of the modulus n and the public (or encryption) exponent e. The private key consists of the modulus n and the private (or decryption) exponent d which must be kept secret. ^[10]

SHA256

• SHA1 vs SHA256: https://www.keycdn.com/support/sha1-vs-sha256

AES

Advanced Encryption Standard (AES).

• wikipedia: Advanced Encryption Standard (AES)

^[11]

ECDSA

• Elliptic Curve Digital Signature Algorithm (ECDSA)- Elliptic Curve Signatures: https://cryptobook.nakov.com/digital-signatures/ecdsa-sign-verify-messages

^[12]

Tools

• Overview of Cryptography Tools for Data Security: http://www.utdallas.edu/~muratk/courses/dbsec12f_files/crypto.pdf
• Cipher Tools: http://rumkin.com/tools/cipher/
• JavaScrypt -- Browser-Based Cryptography Tools: https://www.fourmilab.ch/javascrypt/
• Cryptography Explorer: http://facultyfp.salisbury.edu/despickler/personal/CryptographyExplorer.asp
• MD5 hash generator: http://www.miraclesalad.com/webtools/md5.php
• Ultimate ZIP Password Cracker: http://download.cnet.com/Ultimate-ZIP-Cracker/3000-2092_4-10040839.html
• Data (Storage) Eraser: http://download.cnet.com/Eraser/3000-2092_4-10231814.html (file shredder whhich removes sensitive data from your hard drive by overwriting it several times)
• WirelessKeyView: http://download.cnet.com/WirelessKeyView/3000-2092_4-10614187.html (crack your WI-FI and router passwords)
• Folder Lock: http://download.cnet.com/Folder-Lock/3000-2092_4-10063343.html (locks, hides, and password-protects files and folders on your PC)
• Sygate Personal Firewall: http://download.cnet.com/Sygate-Personal-Firewall/3000-2092_4-10049526.html (build a personal/home Firewall to protect your PC from hackers, Trojans, and malicious code intrusions)
• HotSpot Shield: http://download.cnet.com/hotspot-shield/ (unblock blocked sites, become anonymous online, and get protection from hackers on public WiFi)
• Windows Password Recovery Tool - ULTIMATE: http://download.cnet.com/Windows-Password-Recovery-Tool-Ultimate/3000-2092_4-10964595.html (reset or remove passwords without reinstalling or suffering a system lockout)

Resources

• CrypTool Portal: https://www.cryptool.org/en/
• crypto-js: https://code.google.com/archive/p/crypto-js/ (JavaScript implementations of standard & secure cryptographic algorithms)
• Encoding vs. Encryption vs. Hashing vs. Obfuscation: https://danielmiessler.com/study/encoding-encryption-hashing-obfuscation/#encoding
• Punycode.js converter: https://mths.be/punycode (robust Punycode converter that fully complies to RFC 3492 and RFC 5891)

Tutorials

• Introduction to Asymmetric Encryption for the Working Developer: https://www.geekabyte.io/2022/06/introduction-to-asymmetric-encryption.html
• Given final block not properly padded: https://stackoverflow.com/questions/8049872/given-final-block-not-properly-padded
• My caesar cipher program works but I need to be able to encrypt digits, spaces and special character: https://www.codeproject.com/Questions/1273329/My-caesar-cipher-program-works-but-I-need-to-be-ab
• Caesar Cipher with ASCIICharacters: https://stackoverflow.com/questions/47685789/caesar-cipher-with-ascii-characters
• Encoding, Encryption, and Hashing: https://auth0.com/blog/encoding-encryption-hashing/
• End-to-End Encrypted Chat with the Web Crypto API: https://getstream.io/blog/web-crypto-api-chat/
• Generating 2FA One-Time Passwords in JS Using Web Crypto API: https://webdesigntips.blog/web-design/javascript/generating-2fa-one-time-passwords-in-js-using-web-crypto-api/
• Introduction to Key Exchange for the Working Developer : https://www.geekabyte.io/2022/05/introduction-to-key-exchange-for.html
• AES-256 Encryption with Java and JCEKS: http://java.dzone.com/articles/aes-256-encryption-java-and
• RSA encryption/decryption in Java: https://www.javamex.com/tutorials/cryptography/rsa_encryption.shtml

^{[13] [14] [15]}

• Converting punycode with dash character to Unicode: https://stackoverflow.com/questions/183485/converting-punycode-with-dash-character-to-unicode/301287#301287

^[16]

• How To Generate SHA256 Hash in Java: https://www.quickprogrammingtips.com/java/how-to-generate-sha256-hash-in-java.html^[17]
• Java Hashing - From Overriding HashCode to Mutable Objects: https://dzone.com/articles/java-hashing
• Encryption, Part 2 -- Public Key/Private Key Encryption (assymetric): https://dzone.com/articles/encryption-part-2-public-key-private-key-encryptio
• What is end-to-end encryption and why it's such a confusing term: https://advancedweb.hu/what-is-end-to-end-encryption-and-why-its-such-a-confusing-term/
• Introduction to Cryptographic Hash Functions for the Working Developer : https://www.geekabyte.io/2021/10/introduction-to-cryptographic-hash.html
• Using a nonce with CSP: https://content-security-policy.com/nonce/
• How to generate a SHA256 and SHA512 hash from a String in Java http://oliviertech.com/java/generate-SHA256--SHA512-hash-from-a-String/
• Creating Hashes in Java (including Salting): https://reflectoring.io/creating-hashes-in-java/
• The Caesar Cipher in Java (and how to break it): https://www.baeldung.com/java-caesar-cipher

• Salted Password Hashing - Doing it Right: https://crackstation.net/hashing-security.htm
• Storing passwords securely (in MySQL): https://zinoui.com/blog/storing-passwords-securely^[18]
• How to use password salt the right way: https://security.stackexchange.com/questions/111893/how-to-use-password-salt-the-right-way
• How to securely hash passwords?: https://security.stackexchange.com/questions/211/how-to-securely-hash-passwords
• Best way to store passwords in MYSQL database: https://stackoverflow.com/questions/14798275/best-way-to-store-passwords-in-mysql-database
• Best way to store password in database: https://stackoverflow.com/questions/1054022/best-way-to-store-password-in-database

External Links

• wikipedia: Cryptographic nonce
• wikipedia: Cryptographic hash function
• wikipedia: PBKDF2
• wikipedia: Salt (cryptography)
• The History of Encryption: https://blog.scottlogic.com/2022/04/06/history-of-encryption.html
• Former Stasi Cryptographers Now Develop Technology for NATO: http://www.spiegel.de/international/germany/0,1518,719726,00.html
• After AES, NIST is Defining the Next Great Standard for Encryption with "Light-weight Cryptography: https://billatnapier.medium.com/after-aes-nist-is-defining-the-next-great-standard-for-encryption-light-weight-crypto-9a8b7e46bfad | VIDEO
• The Song Remains The Same -- We Can’t Confirm If The Data Was Encrypted Properly: https://medium.com/asecuritysite-when-bob-met-alice/the-song-remains-the-same-we-cant-confirm-if-the-data-was-encrypted-properly-74a0bb8086b1
• Cracking RSA: https://medium.com/asecuritysite-when-bob-met-alice/cracking-rsa-4086aa9c999f
• Sometimes It Feels Like Only Cyber Criminals Know How To Use Encryption Properly: https://medium.com/asecuritysite-when-bob-met-alice/sometimes-it-feels-like-only-cybercrimals-know-how-to-use-encryption-properly-3dcebcd39ddb (reference to using CryptoJS handy JavaScript encryption/decryption lib for both good & nefarious purposes)
• Investigating MD5 overheads: https://cl4es.github.io/2021/01/04/Investigating-MD5-Overheads.html
• RSA's 'Denial' Concerning $10 Million From The NSA To Promote Broken Crypto Not Really A Denial At All: https://www.techdirt.com/articles/20131222/23532125671/rsas-denial-concerning-10-million-nsa-to-promote-broken-crypto-not-really-denial-all.shtml

^{[19] [20] [21] [22] [23] [24]}

• NSA -- We've learned our lesson after foreign spies used one of our crypto backdoors – but we can't say how exactly: https://www.theregister.com/2020/10/28/nsa_backdoor_wyden/
• Of course NSA can crack crypto. Anyone can. The question is, how much?: https://arstechnica.com/information-technology/2013/09/of-course-nsa-can-crack-crypto-anyone-can-the-question-is-how-much/
• CIA controlled global encryption company for decades, says report: https://www.theguardian.com/us-news/2020/feb/11/crypto-ag-cia-bnd-germany-intelligence-report
• Switzerland investigating alleged CIA German front-company: https://wtop.com/europe/2020/02/switzerland-investigating-alleged-cia-german-front-company/
• CIA Secretly Owned Global Encryption Provider, Built Backdoors, Spied On 100+ Foreign Governments: Report: https://www.forbes.com/sites/daveywinder/2020/02/12/cia-secretly-bought-global-encryption-provider-built-backdoors-spied-on-100-foreign-governments/?sh=1b7ffa79580a
• SWITZERLAND IS HOME TO THE CIA (CENTRAL INTELLIGENCE AGENCY): https://blogfactory.co.uk/2017/08/17/switzerland-is-home-to-the-cia-central-intelligence-agency/
• Major cryptography blunder in Java enables “psychic paper” forgeries: https://arstechnica.com/information-technology/2022/04/major-crypto-blunder-in-java-enables-psychic-paper-forgeries/
• Oracle already wins 'crypto bug of the year' with Java digital signature bypass: https://www.theregister.com/2022/04/20/java_authentication_bug/
• Major Vulnerability May Bring Down Public Key Encryption: https://billatnapier.medium.com/major-vulnerability-may-bring-down-public-key-encryption-ad60c2055d8b
• At Davos, Crypto Is No Longer on the Outside: https://www.coindesk.com/policy/2022/05/23/at-davos-crypto-is-no-longer-on-the-outside/
• Crypto Security Debate Goes to Court: https://www.wsj.com/articles/the-crypto-security-debate-goes-to-court-11653518489
• Crypto Needs Urgent EU Rulebook to Protect Investors, Regulator Says: https://www.bloomberg.com/news/articles/2022-05-26/crypto-needs-urgent-eu-rulebook-to-protect-investors-esma-says

References

1. ↑ Update on Web Cryptography: https://webkit.org/blog/7790/update-on-web-cryptography/
2. ↑ The Web Crypto API: http://slides.com/katharinemoe/web-crypto
3. ↑ The History and Status of Web Crypto API (SLIDES, 2012): https://www.slideshare.net/Channy/the-history-and-status-of-web-crypto-api
4. ↑ Caesar Cypher: http://acm.uva.es/p/v5/554.html
5. ↑ wikipedia: Cesar cipher
6. ↑ wikipedia: Scytale
7. ↑ wikipedia: Diffie-Hellman
8. ↑ A Review of the Diffie-Hellman Algorithm: http://www.diffiehellman.com/
9. ↑ Twenty Years of attacks on the RSA Cryptosystem: http://crypto.stanford.edu/~dabo/abstracts/RSAattack-survey.html
10. ↑ wikipedia: RSA
11. ↑ AES Is Great... but wenNeed a fallback - meet ChaCha & Poly1305: https://medium.com/asecuritysite-when-bob-met-alice/aes-is-great-but-we-need-a-fall-back-meet-chacha-and-poly1305-76ee0ee61895
12. ↑ An Illustrated Guide to Elliptic Curve Cryptography Validation: https://research.nccgroup.com/2021/11/18/an-illustrated-guide-to-elliptic-curve-cryptography-validation/
13. ↑ Java - How to use PKCS#1 encoding for files: https://stackoverflow.com/questions/40352835/java-how-to-use-pkcs1-encoding-for-files
14. ↑ Breaking down RSA/ECB/OAEPWITHSHA-256ANDMGF1PADDING in Java: https://stackoverflow.com/questions/32161720/breaking-down-rsa-ecb-oaepwithsha-256andmgf1padding
15. ↑ Converting RSA keys into SubjectPublicKeyInfo Form from BigIntegers: https://stackoverflow.com/questions/18995687/converting-rsa-keys-into-subjectpublickeyinfo-form-from-bigintegers
16. ↑ Punycode.JS example: https://github.com/nodejs/node-v0.x-archive/blob/426298c8c1c0d5b5224ac3658c41e7c2a3fe9377/lib/punycode.js
17. ↑ SHA-256 & SHA3-256 Hashing in Java: https://www.baeldung.com/sha-256-hashing-java
18. ↑ Storing Passwords in MySQL: https://mysqldatabaseadministration.blogspot.com/2006/08/storing-passwords-in-mysql.html
19. ↑ NSA Paid RSA $10 Million to Use Flawed Security Standard: https://www.tomsguide.com/us/nsa-rsa-secret-deal,news-18020.html
20. ↑ Should I use RSA encryption since RSA is said to be broken by NSA?: https://crypto.stackexchange.com/questions/31904/should-i-use-rsa-encryption-since-rsa-is-said-to-be-broken-by-nsa
21. ↑ RSA attempts (and fails) to refute claims it helped NSA weaken encryption: https://grahamcluley.com/rsa-nsa-weaken-encryption/
22. ↑ No, RSA Is Not Broken: https://www.schneier.com/blog/archives/2021/03/no-rsa-is-not-broken.html
23. ↑ Did the NSA just crack RSA encryption?: https://www.dailydot.com/debug/nsa-rsa-encryption-crack-prime-numbers/
24. ↑ NSA Arranged Secret Contract With RSA, Security Industry Pioneer: https://www.huffpost.com/entry/nsa-rsa-contract_n_4482227

See Also

Security | Encryption | Decryption | Digital Signature | PGP | Cryptocurrency