- Introduction
- Symmetric Encryption
- Asymmetric Encryption
- Diffie-Hellman Key Exchange
- Hashing
- PKI and SSL/TLS
- Authenticating with Passwords
-
Caesar cipher - substitution cipher which shifts the letters by a fixed number of places to the left/right; can use a key between 1 and 25.
-
Transposition cipher - encrypts the message by changing order of the letters.
-
We can use resources such as quipquip to decrypt simple substitution ciphers.
1. You have received the following encrypted message:
“Xjnvw lc sluxjmw jsqm wjpmcqbg jg wqcxqmnvw; xjzjmmjd lc wjpm sluxjmw jsqm bqccqm zqy.” Zlwvzjxj Zpcvcol
You can guess that it is a quote. Who said it? - Miyamoto Musashi-
Terminology:
- Cryptographic algorithm/cipher - defines encryption/decryption processes
- Key - algorithm needs a key to convert plaintext into ciphertext and vice versa
- Plaintext - original message to be encrypted
- Ciphertext - message in encrypted form
-
Symmetric encryption algorithm uses the same key for encryption/decryption.
-
Block cipher encryption algorithm converts input plaintext into blocks, and encrypts each block.
-
Stream cipher encryption algorithm encrypts the plaintext byte by byte.
-
Programs used for symmetric encryption:
- GNU Privacy Guard:
gpg --version #check supported ciphers gpg --symmetric --cipher-algo CIPHERNAME message.txt #encrypt file in binary openPGP format #output saved as message.txt.gpg gpg --armor --symmetric --cipher-algo CIPHERNAME message.txt #encrypt file in ASCII armored output gpg --output original.txt --decrypt message.gpg #decrypt file
- OpenSSL Project:
openssl aes-256-cbc -e -in message.txt -out encrypted_message #encrypt file openssl aes-256-cbc -d -in encrypted_message -out original_message.txt #decrypt file openssl aes-256-cbc -pbkdf2 -iter 10000 -e -in message.txt -out encrypted_message #encrypt using PBKDF2 with 10000 iterations openssl aes-256-cbc -pbkdf2 -iter 10000 -d -in encrypted_message -out original_message.txt #decrypt in similar way
1. Decrypt the file quote01 encrypted (using AES256) with the key s!kR3T55 using gpg. What is the third word in the file? - waste
2. Decrypt the file quote02 encrypted (using AES256-CBC) with the key s!kR3T55 using openssl. What is the third word in the file? - science
3. Decrypt the file quote03 encrypted (using CAMELLIA256) with the key s!kR3T55 using gpg. What is the third word in the file? - understand-
In asymmetric encryption algorithm, we would generate a key pair (public key and private key) - public key can be public, but private key should be saved securely.
-
RSA:
openssl genrsa -out private-key.pem 2048
#generates RSA private key of size 2048 bits
openssl rsa -in private-key.pem -pubout -out public-key.pem
#generates public key
openssl rsa -in private-key.pem -text -noout
#shows RSA variables for p,q,N,e,d
#if we have recipient's public key, we can encrypt
openssl pkeyutl -encrypt -in plaintext.txt -out ciphertext -inkey public-key.pem -pubin
#recipient can decrypt it
openssl pkeyutl -decrypt -in ciphertext -inkey private-key.pem -out decrypted.txt1. What is the first word of the original plaintext? - Perception
2. What is the last byte of p? - e7
3. What is the last byte of q? - 27- Diffie-Hellman - asymmetric encryption algorithm; allows the exchange of a secret over a public channel.
openssl dhparam -out dhparams.pem 2048
#generate DH parameters
openssl dhparam -in dhparams.pem -text -noout
#view parameters1. A set of Diffie-Hellman parameters can be found in the file dhparam.pem. What is the size of the prime number in bits? - 4096
2. What is the prime number’s last byte? - 4f-
Cryptographic hash function - algorithm that takes data as input and returns a fixed size value (message digest or checksum) as output.
-
Hashing is used in storing passwords and detecting modifications.
-
HMAC (hash-based message authentication code) - message authentication code (MAC) that uses a cryptographic key and hash function.
-
HMAC needs a secret key, inner pad and outer pad:
hmac256 s!Kr37 message.txt
#calculate HMAC using key
sha256hmac message.txt --key s!Kr37
#HMAC using sha256hmac with key, same output1. What is the SHA256 checksum of the file order.json? - 2c34b68669427d15f76a1c06ab941e3e6038dacdfb9209455c87519a3ef2c660
2. Open the file order.json and change the amount from 1000 to 9000. What is the new SHA256 checksum? - 11faeec5edc2a2bad82ab116bbe4df0f4bc6edd96adac7150bb4e6364a238466
3. Using SHA256 and the key 3RfDFz82, what is the HMAC of order.txt? - c7e4de386a09ef970300243a70a444ee2a4ca62413aeaeb7097d43d2c5fac89f-
Key exchanges such as the Diffie-Hellman key exchange are not immune to MITM attacks.
-
PKI (Public Key Infrastructure) is ensured in websites, where an encrypted connection is secured over HTTPS with a valid cert.
-
For a certificate to get signed by a certificate authority, we need to:
-
Generate CSR (Certificate Signing Request) - create cert and send public key to be signed by a third party.
-
Send CSR to CA (Certificate Authority) - trusted CA signs the certificate.
-
openssl req -new -nodes -newkey rsa:4096 -keyout key.pem -out cert.csr
#generate cert signing request
#-nodes to save private key without passphrase
openssl req -x509 -newkey -nodes rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 365
#generate self-signed cert
#-x509 indicates self-signed instead of CSR
openssl x509 -in cert.pem -text
#view cert- Once the client (browser) receives a signed cert it trusts, the SSL/TLS handshake takes place; purpose is to agree on ciphers and secret key.
1. What is the size of the public key in bits? - 4096
2. Till which year is this certificate valid? - 2039-
Rainbow tables - contain lists of passwords along with their hash values.
-
Salt - a random value that can be appended to passwords before hashing it.
-
We can also store passwords by using key derivation functions such as PBKDF2 (Password-Based Key Derivation Function 2) to make it more secure.
1. You were auditing a system when you discovered that the MD5 hash of the admin password is 3fc0a7acf087f549ac2b266baf94b8b1. What is the original password? - qwerty123