Cyber Security Part 9: Fundamentals of Cryptography

#cyber security part9 Cryptography Basics Cryptography Basics for the Aspiring Hacker As hackers, we are often faced with the hurdle of cryptography and encryption. Every cyber security engineer worth their pocket protector understands that encryption make the hacker/attacker's task much more difficult. In some cases it may be useful to the hacker, to hide actions and messages. Many applications and protocols use encryption to maintain confidentiality and integrity of data. To be able to crack passwords and encrypted protocols such as SSL and wireless, you need to have at least a basic familiarity with the concepts and terminology of cryptography and encryption. ​ To many new hackers, all the concepts and terminology of cryptography can be a bit overwhelming and opaque. To start, cryptography is the science and art of hiding messages so that they are confidential, then "unhiding" them so that only the intended recipient can read them. Basically, we can say that cryptography is the science of secret messaging. ​ With this brief overview for the newcomer, I hope to lift the fog that shrouds this subject and shed a tiny bit of light on cryptography. I intend this simply to be a quick and cursory overview of cryptography for the novice hacker, not a treatise on the algorithms and mathematics of encryption. I'll try to familiarize you with the basic terminology and concepts so that when you read about hashing, wireless cracking, or password cracking and the encryption technologies are mentioned, you have some grasp of what is being addressed. ​ Don't get me wrong, I don't intend to make you a cryptographer here (that would take years), but simply to help familiarize the beginner with the terms and concepts of cryptography so as to help you become a credible hacker. I will attempt to use as much plain English to describe these technologies as possible, but like everything in IT, there is a very specialized language for cryptography and encryption. Terms like cipher, plaintext, ciphertext, keyspace, block size, and collisions can make studying cryptography a bit confusing and overwhelming to the beginner. I will use the term "collision," as there really is no other word in plain English that can replace it. ​ Let's get started by breaking encryption into several categories. ​ Types of Cryptography ​ There are several ways to categorize encryption, but for our purposes here, I have broken them down into four main areas (I'm sure cryptographers will disagree with this classification system, but so be it). ​ Symmetric Encryption Asymmetric Encryption Hashes Wireless ​ Symmetric cryptography is very fast, so it is well-suited for bulk storage or streaming applications. The drawback to symmetric cryptography is what is called the key exchange. If both ends need the same key, they need to use a third channel to exchange the key and therein lies the weakness. If there are two people who want to encrypt their communication and they are 12,000 miles apart, how do they exchange the key? This key exchange then is fraught with the all the problems of the confidentiality of the medium they choose, whether it be telephone, mail, email, face-to-face, etc. The key exchange can be intercepted and render the confidentiality of the encryption moot. Some of the common symmetric algorithms that you should be familiar with are: DES - This was one of the original and oldest encryption schemes developed by IBM. It was found to be flawed and breakable and was used in the original hashing system of LANMAN hashes in early (pre-2000) Windows systems. 3DES - This encryption algorithm was developed in response to the flaws in DES. 3DES applies the DES algorithm three times (hence the name "triple DES") making it slightly more secure than DES. AES - Advanced Encryption Standard is not a encryption algorithm but rather a standard developed by National Institute for Standards and Technology (NIST). Presently, it is considered the strongest encryption, uses a 128-, 196-, or 256-bit key and is occupied by the Rijndael algorithm since 2001. It's used in WPA2, SSL/TLS, and many other protocols where confidentiality and speed is important. RC4 - This is a streaming (it encrypts each bit or byte rather than a block of information) cipher and developed by Ronald Rivest of RSA fame. Used in VoIP and WEP. Blowfish - The first of Bruce Schneier's encryption algorithms. It uses a variable key length and is very secure. It is not patented, so anyone can use it without license. Twofish - A stronger version of Blowfish using a 128- or 256-bit key and was strong contender for AES. Used in Cryptcat and OpenPGP, among other places. It also is in the public domain without a patent