overview edit doc new doc remove

Jan 26, 2018

updated at: May 28, 2019




Cryptography is the practice and study of techniques for secure communication in the presence of third-parties.


Encryption is the process of encoding messages or information in such a way that only some parties can read it.


An algorithm for performing encryption or decryption.


Device designed to generate a sequence of numbers or symbols that doesn't use any pattern.


A parameter that determines the functional output of a cipher.

Hash (function)

A 1-way cryptographic conversion function which is considered practically impossible to invert.


The output of a hash function.

Symmetric encryption algorithm

Algorithm that uses the same key for both encryption of plain text and decryption of cipher text.

Asymmetric encryption algorithm

Algorithm that uses a different key for both encryption of plain text and decryption of cipher text.


A table of precomputed hashes that are unsalted.



A cipher (pronounced SAI-fuhr) is any method of encrypting text. It is also sometimes used to refer to the encrypted text message itself although here the term ciphertext is preferred.

Algorithm explained:

Plain text -> Ciphertext
Ciphertext -> Plain text

An example of ROT13, this is developed in Ancient Rome.

$ cat crypto.txt
zl anzr vf fronfgvnna

$ cat crypto.txt | tr "a-z" "n-za-m"
my name is sebastiaan


Rijndael (AES), Serpent, Twofish, RC6, MARS.

128,192,256 bit keys.

Hash functions

A hash function is any function that can be used to map data of arbitrary size to data of fixed size

Algorithm explained:

Message -> (Message) Digest

An example of sha512.

$ echo -n "secret" | openssl dgst -sha512

(stdin)= bd2b1aaf7ef4f09be9f52ce2d8d599674d81aa9d6a4421696dc4d9 \


MD5, SHA-1, SHA-2, SHA-3


Hash-based message authentication codes

These are hash functions with a user-provided key. It is an indication that the message came from the intended origin. The key itself is not in hash.

Algorithm explained:

Message + Key -> (Message) Digest

An example of HMAC.


  string hash_hmac ( 

    string $algo , 
    string $data , 
    string $key [, bool $raw_output = false ] 


  echo hash_hmac('sha256', 'message.', 'secret');



MD5, SHA-1, SHA-2, SHA-3


Password-based key derivation functions

Generating a key from password or phrase, converts into salt, iterations, specific output size which can be used for a cipher (needs to be specific for example: 128 bits for a AES 128, because it will only take 128 sized bits).

Algorithm explained:

Message + Salt + Iterations -> (Message) Digest

An example of PBKDF2.


  $password = "password";
  $iterations = 1000;

  *  Generate a random IV using mcrypt_create_iv(),
  *  openssl_random_pseudo_bytes() or another suitable source of randomness

  $salt = mcrypt_create_iv(16, MCRYPT_DEV_URANDOM);

  $hash = hash_pbkdf2("sha256", $password, $salt, $iterations, 20);
  echo $hash;





Key agreement schemes

Generates secret key common to both parties. It will generate a base, prime numbers and a public key. These three will be send to an other party, he will mix the public key with his private key (which every party has) to generate a shared key, after that he will send his public key to the original sender and the original sender will mix that public key with his private key. Key agreement schemes are used in wps, ssl/tls, ssh, vpn

Algorithm explained:

Generate keys
send public key -> other client
mix public key with  private key = shared key

An example of ssh.

$ ssh-keygen
$ ssh-copy-id hostname@




Multiple layers of encryption

Multiple layers of encryption sounds like an utopia, but it isn't in fact this entire idea has been studied for quite a while under the heading of combiners. These deal with combining crytposystems in a secure way , such that the combination remains secure even if some of the underlying schemes are broken. You need to ask yourself if it's worth to go with multiple layers of encryption.

Random number generating

RNG is almost everywhere, in games, gambling, cryptography, security, and so on. But how to decide how random random is. There are 2 methods to generate random numbers:

True random number generating

To generate true random numbers, the computer needs a true source of entropy, this entropy will gather from physical phenomenons that takes place outside of a computer. The entropy could for example rely on atmospheric noise, thermal noise, and other external electromagnetic and quantum phenomena or simply use the exact time you press keys on your keyboard as a source of unpredictable data.

An example of a TRNG is https://www.random.org/ , they offer free true random number generators, their randomness comes from atmospheric noise.

Pseudorandom number generating

Pseudorandom numbers are an alternative to “true” random numbers. A computer could use a seed value and an algorithm to generate numbers that appear to be random, but that are in fact predictable. The computer doesn’t gather any random data from the environment. But you can also mix TRNG with PRNG the outcome will be a PRNG but more reliable and more random. Almost everything on a computer that wants to generate numbers is PRNG, it's just a question about the randomness and the predictability.

Examples of PRNG

/dev/random TRNG mix with PRNG, the outcome blocks depends on the available entropy from the system. /dev/random is almost as good as TRNG. /dev/random has a very high randomness and very low predictability.

Generates randomness from the available entropy in blocks:

$ cat /dev/random | tr -dc 'a-fA-F0-9' | fold -w 20 | head -n 1

dev/urandom is almost the same as /dev/random except the output stream is permanent, which means more PRNG.

$ cat /dev/urandom | tr -dc 'a-fA-F0-9' | fold -w 20 | head -n 1

See the amount of entropy available:

$ cat /proc/sys/kernel/random/entropy_avail

Testing RNG

How to test the predictability and the randomness of a list with random characters in it (how random is random, it will always be questionable):