Cryptography
Cryptography is the mathematical basis of all cybersecurity. We can secure sensitive plaintext by encrypting it with different cryptographic schemes. This intro contains a brief overview of some common cryptographic schemes and terminology, as well as multiple links for further reading.
cipher: a cryptographic algorithm - turns plaintext into ciphertext
plaintext: a message that has not been encoded or encrypted in any way
ciphertext: an encrypted message, the output of a cipher
key: a sequence that is used to encrypt and decrypt plaintext and ciphertext
symmetric cipher: a cipher where the sender and receiver use the same secret key for encryption and decryption
stream cipher: a symmetric cipher that encrypts and decrypts each unit of data as soon as it is received
block cipher: a symmetric cipher that waits for a data block of a certain size before encrypting or decrypting
asymmetric cipher: a cipher where different keys are used for encryption and decryption
private key: the secret key used by a sender
public key: a key that is accessible by anyone
padding: adding random characters to a plaintext in order to increase length or entropy
hash: a cryptographic function that generates a unique output for every input
The three main principles of cryptography are C.I.A.:
Confidentiality: Messages cannot be read by anyone but the sender and recipient. If Alice sends a message to Bob, Charlie should not be able to intercept and read the message. A good way to measure confidentiality is that a ciphertext should be statistically indistinguishable from random noise.
Integrity: A ciphertext cannot be modified in transit without alerting the recipient. Common ways of ensuring integrity include hash algorithms (e.g., HMAC, SHA-256) and increasing the entropy of each bit (e.g., AES, RSA).
Availability: If data is unavailable, it isn't useful to anyone. Examples of availability attacks are DoS attacks and ransomware.
Additionally, note that obscurity does not mean security. Even if an attacker knows everything about a cryptosystem, it should be secure as long as the keys remain secret.
Encryption and encoding are similar terms that are often confused. Encryption turns text into ciphertext that cannot be decrypted without a key.
On the other hand, encoding changes the representation of text, and can be decoded without a key. Example: ASCII is an encoding system because it changes readable text to unreadable numbers, but it can be decoded by anyone.
A common example of a stream cipher is the Caesar cipher. As soon as you receive a letter of plaintext/ciphertext, it can immediately be encrypted/decrypted without knowledge of upcoming letters. One of the most used modern stream ciphers is ChaCha, which is based on Salsa20. Stream ciphers are less used
The most commonly used block cipher is AES (Advanced Encryption Standard). AES encrypts and decrypts messages in 16-byte blocks. If a message's length is not a multiple of 16 bytes, it must be padded to a multiple of 16. Some other useful block ciphers are Simon (optimized for hardware implementation) and Speck (optimized for software implementation).
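An added example, not part of the original page: the stream and block behaviour described in the two paragraphs above, in Python. The padding scheme shown is PKCS#7, which is an assumption because the page does not name one; the function names and sample inputs are constructed.

```python
from typing import Iterable, Iterator

BLOCK_SIZE = 16  # AES block size in bytes


def caesar_stream(letters: Iterable[str], shift: int) -> Iterator[str]:
    """Stream style: transform each letter the moment it arrives, no buffering."""
    for ch in letters:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            yield chr((ord(ch) - base + shift) % 26 + base)
        else:
            yield ch  # spaces and punctuation pass through unchanged


def pkcs7_pad(data: bytes) -> bytes:
    """Pad to a multiple of BLOCK_SIZE; every pad byte stores the pad length."""
    n = BLOCK_SIZE - len(data) % BLOCK_SIZE  # 1..16; aligned input gains a full block
    return data + bytes([n]) * n


def pkcs7_unpad(padded: bytes) -> bytes:
    """Remove padding, rejecting anything that is not well-formed PKCS#7."""
    if not padded or len(padded) % BLOCK_SIZE:
        raise ValueError("length is not a positive multiple of the block size")
    n = padded[-1]
    if not 1 <= n <= BLOCK_SIZE or padded[-n:] != bytes([n]) * n:
        raise ValueError("malformed padding")
    return padded[:-n]


def to_blocks(chunks: Iterable[bytes]) -> Iterator[bytes]:
    """Block style: hold input until 16 bytes are available, then pad the tail."""
    buf = b""
    for chunk in chunks:
        buf += chunk
        while len(buf) >= BLOCK_SIZE:
            yield buf[:BLOCK_SIZE]
            buf = buf[BLOCK_SIZE:]
    yield pkcs7_pad(buf)  # buf is 0..15 bytes here, so this is exactly one block


if __name__ == "__main__":
    print("".join(caesar_stream("Attack at dawn", 3)))           # constructed sample
    for block in to_blocks([b"attack at", b" dawn!", b" now"]):  # constructed sample
        print(block.hex())
```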
In asymmetric cryptography, a public-private key pair is generated. The private key is kept secret, while the public key is distributed freely. Any message encrypted with a public key can only be decrypted with the corresponding private key. Conversely, any message encrypted with a private key can only be decrypted with the corresponding public key.
The benefit of asymmetric cryptography is that keys do not need to be shared securely. In pure symmetric ciphers, keys have to be shared in plaintext. If anyone intercepts the key handoff, the communication channel is irrevocably compromised.
In asymmetric cryptography, the private key never needs to be transmitted, so it is much more difficult to gain access to it. However, asymmetric cryptography is usually much more computationally intensive than symmetric cryptography. Real world cryptosystems often use asymmetric ciphers to securely transmit symmetric keys before switching to symmetrically encrypted communication.
Asymmetric cryptography can also be used to authenticate messages. If Alice sends Bob a message encrypted with her private key, Bob can attempt to decrypt it using Alice's public key. If the message decrypts properly, then Bob knows that only Alice (with her private key) could have encrypted it.
Commonly used asymmetric ciphers include RSA, Diffie-Hellman, and Elliptic Curve Cryptography (ECC).
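The key-transport and authentication uses described above, as an added example that is not from the original page: Alice wraps a symmetric session key with Bob's public key and signs with her private key. It uses unpadded textbook RSA with constructed toy keys and a hash-based XOR keystream standing in for a real symmetric cipher; all names are hypothetical. Signing a hash of the message is the usual form of "encrypting with the private key".

```python
import hashlib
import secrets

E = 65537  # widely used RSA public exponent


def make_key(p, q):
    """Textbook RSA: return (modulus n, private exponent d) for primes p and q."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))


# Constructed toy keys from Mersenne primes so the arithmetic is easy to follow.
# Far too small and too structured for real use, which also needs OAEP/PSS padding.
ALICE_N, ALICE_D = make_key(2**31 - 1, 2**61 - 1)
BOB_N, BOB_D = make_key(2**89 - 1, 2**107 - 1)


def xor_stream(key, data):
    """Stand-in symmetric cipher (assumption): XOR data with a SHA-256 keystream."""
    kb = key.to_bytes(16, "big")
    stream = b"".join(hashlib.sha256(kb + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))


def digest(data, n):
    """Hash the data and reduce it into the RSA modulus range."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def alice_send(message, session_key):
    wrapped = pow(session_key, E, BOB_N)      # only Bob's private key can undo this
    body = xor_stream(session_key, message)   # bulk data uses the cheap symmetric cipher
    signature = pow(digest(body, ALICE_N), ALICE_D, ALICE_N)  # needs Alice's private key
    return wrapped, body, signature


def bob_receive(wrapped, body, signature):
    if pow(signature, E, ALICE_N) != digest(body, ALICE_N):   # Alice's public key
        raise ValueError("signature check failed: not from Alice, or altered in transit")
    session_key = pow(wrapped, BOB_D, BOB_N)  # recover the symmetric key
    return xor_stream(session_key, body)


if __name__ == "__main__":
    packet = alice_send(b"meet at nine", secrets.randbits(128))  # constructed message
    print(bob_receive(*packet))
```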
Many asymmetric ciphers (notably RSA, Diffie-Hellman, ECC) rely on the computational intensity of solving the discrete logarithm problem for security. In theory, quantum computers can quickly and easily solve the discrete logarithm problem. Although current quantum computers are not advanced enough to pose a threat, bad actors are recording and storing ciphertexts to crack once quantum computers advance significantly. As such, there is a lot of research in creating new asymmetric cryptosystems that do not rely on the discrete logarithm problem.
In actual CTF competitions, RSA and asymmetric cryptography are favored challenge types. In my experience, it's easier to write exploits into asymmetric cryptographic schemes, and it's also easier to host and solve. Nevertheless, it's still very valuable to understand symmetric algorithms and exploits. Symmetric algorithms are still common in CTFs, and they are extremely useful in industry, both in blue-team and red-team.
Many crypto problems are based on some hyper-specific attack or algorithm where experience is critical to begin exploitation. In these cases, Google is very useful. You can often find a Cryptography Stack Exchange post or a decades-old paper that describes the theory behind attacking a similar system.