Jan 26, 2018
updated at: May 28, 2019
Cryptography is the practice and study of techniques for secure communication in the presence of third-parties.
Encryption is the process of encoding messages or information in such a way that only some parties can read it.
An algorithm for performing encryption or decryption.
Device designed to generate a sequence of numbers or symbols that doesn't use any pattern.
A parameter that determines the functional output of a cipher.
A 1-way cryptographic conversion function which is considered practically impossible to invert.
The output of a hash function.
Algorithm that uses the same key for both encryption of plain text and decryption of cipher text.
Algorithm that uses a different key for both encryption of plain text and decryption of cipher text.
A table of precomputed hashes that are unsalted.
A cipher (pronounced SAI-fuhr) is any method of encrypting text. It is also sometimes used to refer to the encrypted text message itself although here the term ciphertext is preferred.
Plain text -> Ciphertext Ciphertext -> Plain text
An example of ROT13, this is developed in Ancient Rome.
$ cat crypto.txt zl anzr vf fronfgvnna $ cat crypto.txt | tr "a-z" "n-za-m" my name is sebastiaan
Rijndael (AES), Serpent, Twofish, RC6, MARS.
128,192,256 bit keys.
A hash function is any function that can be used to map data of arbitrary size to data of fixed size
Message -> (Message) Digest
An example of sha512.
$ echo -n "secret" | openssl dgst -sha512 (stdin)= bd2b1aaf7ef4f09be9f52ce2d8d599674d81aa9d6a4421696dc4d9 \ 3dd0619d682ce56b4d64a9ef097761ced99e0f67265b5f76085e5b0ee7ca4696b2ad6fe2b2
MD5, SHA-1, SHA-2, SHA-3
These are hash functions with a user-provided key. It is an indication that the message came from the intended origin. The key itself is not in hash.
Message + Key -> (Message) Digest
An example of HMAC.
<?php string hash_hmac ( string $algo , string $data , string $key [, bool $raw_output = false ] ); echo hash_hmac('sha256', 'message.', 'secret'); ?>
MD5, SHA-1, SHA-2, SHA-3
Generating a key from password or phrase, converts into salt, iterations, specific output size which can be used for a cipher (needs to be specific for example: 128 bits for a AES 128, because it will only take 128 sized bits).
Message + Salt + Iterations -> (Message) Digest
An example of PBKDF2.
<?php $password = "password"; $iterations = 1000; /* * Generate a random IV using mcrypt_create_iv(), * openssl_random_pseudo_bytes() or another suitable source of randomness */ $salt = mcrypt_create_iv(16, MCRYPT_DEV_URANDOM); $hash = hash_pbkdf2("sha256", $password, $salt, $iterations, 20); echo $hash; ?>
Generates secret key common to both parties. It will generate a base, prime numbers and a public key. These three will be send to an other party, he will mix the public key with his private key (which every party has) to generate a shared key, after that he will send his public key to the original sender and the original sender will mix that public key with his private key. Key agreement schemes are used in wps, ssl/tls, ssh, vpn
Generate keys send public key -> other client mix public key with private key = shared key
An example of ssh.
$ ssh-keygen $ ssh-copy-id email@example.com
Multiple layers of encryption sounds like an utopia, but it isn't in fact this entire idea has been studied for quite a while under the heading of combiners. These deal with combining crytposystems in a secure way , such that the combination remains secure even if some of the underlying schemes are broken. You need to ask yourself if it's worth to go with multiple layers of encryption.
RNG is almost everywhere, in games, gambling, cryptography, security, and so on. But how to decide how random random is. There are 2 methods to generate random numbers:
To generate true random numbers, the computer needs a true source of entropy, this entropy will gather from physical phenomenons that takes place outside of a computer. The entropy could for example rely on atmospheric noise, thermal noise, and other external electromagnetic and quantum phenomena or simply use the exact time you press keys on your keyboard as a source of unpredictable data.
An example of a TRNG is https://www.random.org/ , they offer free true random number generators, their randomness comes from atmospheric noise.
Pseudorandom numbers are an alternative to “true” random numbers. A computer could use a seed value and an algorithm to generate numbers that appear to be random, but that are in fact predictable. The computer doesn’t gather any random data from the environment. But you can also mix TRNG with PRNG the outcome will be a PRNG but more reliable and more random. Almost everything on a computer that wants to generate numbers is PRNG, it's just a question about the randomness and the predictability.
/dev/random TRNG mix with PRNG, the outcome blocks depends on the available entropy from the system. /dev/random is almost as good as TRNG. /dev/random has a very high randomness and very low predictability.
Generates randomness from the available entropy in blocks:
$ cat /dev/random | tr -dc 'a-fA-F0-9' | fold -w 20 | head -n 1
dev/urandom is almost the same as /dev/random except the output stream is permanent, which means more PRNG.
$ cat /dev/urandom | tr -dc 'a-fA-F0-9' | fold -w 20 | head -n 1
See the amount of entropy available:
$ cat /proc/sys/kernel/random/entropy_avail
How to test the predictability and the randomness of a list with random characters in it (how random is random, it will always be questionable):