I know a little about cryptography and related practices (encryption & decryption, hashing, encoding & decoding). However, my knowledge is limited to how to use certain libraries in certain programming languages (AES in PHP and JavaScript, Bouncy Castle in Java, pycryptodome in Python and system.security.cryptography in C#), without actually knowing what's going on under the hood. (One of the hallmarks of a good API is that a developer need not know the implementation details in order to use it.) That's served me well enough in the past, since most users don't care about how their data is secured, as long as it is (and I'm persnickety about going above the minimum requirements). Be that as it may, I feel that I should know a lot more about cryptography if I am going to focus on blockchain and cryptocurrency development (both because it's one of my interests and will be a valuable skill to keep me relevant in the age of Web 3.0). With that in mind, I decided to read Cryptography for Dummies, since the "For Dummies" books are my go-to launching point for almost any subject. After that, I will likely need something more in depth.
"I don't want to remember nothing. Nothing! You understand?"
— Cypher; The Matrix
Important Note: This is a "learn and earn" deal: You learn, you like it, you tip me and I earn. Let's get started, shall we? Computer says "yes".
Part 1: The Basics
"Little did I realise that in our efforts to make it easy for computers to share stuff, it would make it easy for other people to see all of our personal stuff, too. [...] The Internet is truly the Global Village . . . a village where everyone can see what you do and hear what you say. The good news is that you can use cryptography to protect yourself from the eavesdroppers and Peeping Toms of the village.
— Chey Cobb, author of Cryptography for Dummies
Did you know that, by default, almost anyone can read your email (not just the intended recipient)? It's one of the failings of how E-mail came into existence. How do you think Google builds a profile of you and tailors its advertising? That's part of the reason why I pay Protonmail for their email service (which includes PGP). It's not perfect (PGP doesn't encrypt or obfuscate metadata and there are alternatives), but it's better than no security at all.
"Not only can cryptography scramble your files, but it can also be used to prove who you are (and maybe who you aren't!). Cryptography can be used to alert you if the contents of a file have been changed, attest to the identity of the person who sent you a message, keep online communications safe and secure, and, of course, hide important data."
— Ibid.
Yes, folks, that's right! While cryptography can hide the contents of your communications and interactions, it doesn't necessarily hide your identity (although it can be made to through things like tunnels and VPNs; more on that later).
There's an inaccurate perception that cryptography is for shady individuals involved in espionage, terrorist and other nefarious activities. Maybe that idea came about around the time of the Cold War between the USA and then USSR, but it has no place in the modern world. Cryptography is for everyone and valuing one's privacy doesn't automatically make one suspicious or a criminal. (Don't believe everything your government tells you, otherwise you'll be subject to FUD and will have a tough time in the cryptosphere.)
In order to both hide/scramble data and reveal it again, there has to be a formula (a set of instructions to follow). In advanced mathematics (and computer science, of which cryptography is a branch), this is known as an algorithm. In the case of cryptography, the algorithm specifies both how to encrypt (scramble) and decrypt (restore) the data. (Don't confuse this process with hashing, since hashing is only concerned with the scrambling part, not the recovery of the original data.)
To give an example of this process, consider the "rotate-13" algorithm (which shouldn't be used for anything other than illustration, since it isn't secure):
1. Rotate the letters A-Z (case-insensitive) by thirteen places.
The above is the extent of the instructions for the "rotate-13" (often shortened to "rot13") algorithm. As you can see, it is extremely simple, to the point of uselessness. Here's an example implementation in Python (don't worry if you don't know Python; it's fairly easy to understand if you read the explanatory comments):
from string import maketrans
# characters in the cypher
rot13trans = maketrans('ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz', 'NOPQRSTUVWXYZABCDEFGHIJKLMnopqrstuvwxyzabcdefghijklm')
def rot13(text): # Function to translate plain text
# Find the characters in the text (in the first string) and replace them with the substitution characters (in the second string) in the rot13trans mapping
rotated = text.translate(rot13trans)
return rotated
def main():
txt = "ROT13 Algorithm Example" # text to encrypt
encrypted = rot13(txt) # get and store the encrypted text
decrypted = rot13(encrypted) # decryption is done by simply rotating the encrypted string
print(encrypted) # output the encrypted text
if __name__ == "__main__":
main() # execute the algorithm
If the text "DUCK" is entered, the output "QHPX" should bed returned (and vice versa). It is this very simplicity that makes it easy to decrypt the encrypted text and makes the algorithm insecure.
If you want to learn Python (particularly if you've never written a program before), I recommend Beginning Programming with Python for Dummies. Otherwise, there's Learning Python by Mark Lutz (for existing developers). If you are familiar with Python, you might be interested in Tutorials Point's Cryptography with Python tutorial or looking for a pycryptodome tutorial (not pycrypto, which is outdated).
Encryption algorithms used in the real world, such as Advanced Encryption Standard (AES) are complex and the code for their algorithms fills many pages. The reason for this is that the complexity makes it hard to decrypt/decipher the encrypted text if one doesn't know the formula's steps. (There's no point in encrypting a message meant to remain secret if unauthorised/unintended people can read it.) For this reason, most algorithms are mind-numbingly complex/complicated mathematical equations to anyone who isn't a Maths geek. The good news is that, just as you don't need to be a motor mechanic in order to drive a car, you don't need to be a Maths genius in order to use cryptography, so long as you keep up with the recommendations of the cryptography community. At the time I write this, AES and Secure Hash Algorithm (SHA) versions 2 and 3 are in vogue.
"... there's way too much information to decode the Matrix. You get used to it, though. Your brain does the translating. I don't even see the code."
— Cypher; The Matrix
There are a number of cryptography algorithms in existence. This is for two reasons:
1. the older ones (such as DES and SHA1) have flaws, which are corrected/improved upon in later versions.
2. Different algorithms have different use cases, depending on ease of use and speed. (In crypto, slower is often better, since it can limit how quickly a cracker discovers the original message's plain text.)
Basic Terms
Like many fields (and subsections of computer science, such as software development), cryptography has jargon. In order to not get lost, here are some basic terms:
- Encrypt: Scramble data to make it unrecognisable (also known as munging)
- Decrypt: Unscramble the encrypted (scrambled) data to return it to the original form
- Mung: Mash until no good (although this implies, perhaps incorrectly, not being able to recover the original in any sense)
- Plaintext: Another term for the original data (usually provided that it is readable/printable text)
- Cipher/Cypher: Another word for the algorithm used
- Ciphertext/Cyphertext: Another word for the result of encryption. (This may include the result of passing binary data through some form of encoding, which makes it presentable in readable/printable form.)
- Key: A complex and unique sequence of alphanumeric characters, produced by the algorithm, which allows for encrypting and decrypting data.
- Salt: Used in hashing, this is a special key that ensures the same plaintext will *always* result in the same hash (scrambled output). This is useful for comparing hashes, since comparing plaintext and getting a match should be impossible. (Never encrypt/decrypt passwords; always hash them.)
Note: The key difference between encryption and hashing is that a hash is not intended to be decrypted/deciphered. In the encryption/decryption method, being able to decrypt the data is just as important as being able to encrypt it. However, some hash algorithms (such as MD5 and SHA1) have been found to be insecure, making the plaintext version discoverable. In fact, there are a number of tools for cracking weak hashes generated with certain algorithms (or common combinations thereof). Two of the more popular ones are hashcat and John the Ripper. I use hashcat to test my own implementations.
Cryptography is nothing new. It dates back to Greek and Roman times. (Julius Cæsar used a method that is known as the Cæsar Cypher. It uses Rot18.) It just took them a lot longer to do than it does with computers (which really got going with World Wars I and II, in which the allies put effort into cracking secret messages sent by the Germans.)
Keys are vital to modern cryptography. They are used to both lock (encrypt) and unlock (decrypt) the messages that two or more parties exchange. (In the case of PGP, a public key encrypts the message, while the private key decrypts it. Multiple senders can have the public key, but only one recipient has the private key.) The finer details of keys will be covered at a later point.
What Makes a Cipher?
The first ciphers (such as rot13 and rot18) were really primitive and easy to crack. They have improved with time and technology. Ciphers can be placed in one or more categories, depending on their characteristics:
- Concealment ciphers have been used to hide a message in plain sight. They usually consist of a passage of text (often from a book or letter), with the key being some pattern of extracting the details (such as "every third letter after full stop").
- Substitution ciphers replace one byte or character with another. (These are commonly used in modern cryptography.) Rot13 is a substitution cipher. The Enigma machine used by the Germans in WWII used multiple substitutions.
- Transportation ciphers change the order of the characters/letters of the original message. Such messages are usually written in a series of columns and rows in a grid. The rail fence cipher (used in the American Civil War) is a transportation cipher. The Vigenère cipher is both a polyalphabetic (multiple-substitution) and transportation cipher.
That's probably enough information for one post. Here endeth the first lesson. There's a whole lot more to come.
Thumbnail image: Photo of Hieroglyphs by Rachel Claire on Pexels