Cryptography
Cryptography#
Cryptography is the science of protecting information by transforming it into an unreadable form (ciphertext) using algorithms and keys. Only parties holding the right key can decrypt it back into readable plaintext. It provides data confidentiality, integrity, authenticity, and non-repudiation, and underpins secure online transactions, communications, and data storage.
Encoding vs Encryption vs Hashing vs Obfuscation#
Encoding#
Encoding transforms data into another format using a scheme that is publicly available so that it can easily be reversed. It does not require a key as the only thing required to decode it is the algorithm that was used to encode it.
Examples: ASCII ↗, unicode ↗, URL Encoding, Base64 ↗
Encryption#
The purpose of encryption is to transform data in order to keep it secret from others, e.g. sending someone a secret letter that only they should be able to read, or securely sending a password over the Internet. Rather than focusing on usability, the goal is to ensure the data cannot be consumed by anyone other than the intended recipient(s).
Encryption transforms data into another format in such a way that only specific individual(s) can reverse the transformation. It uses a key, which is kept secret, in conjunction with the plaintext and the algorithm, in order to perform the encryption operation. As such, the ciphertext, algorithm, and key are all required to return to the plaintext.
Examples: AES ↗, Blowfish ↗, RSA ↗
Hashing#
Hashing is a process that takes input data of any length and produces a hash value, a fixed-size string, also referred to as a digest. For a secure hash function it is computationally infeasible to find two inputs with the same digest or to recover the input from its digest, and any change in the data, no matter how small, changes the digest unpredictably (on average about half of its bits). Hashing should not be confused with encryption or encoding: hashing is one-way and keyless, so there is nothing to reverse.
Examples: SHA-3 ↗, MD5 ↗, etc. MD5 (and SHA-1) are listed as historical examples only: practical collision attacks exist for both, so they must not be used where collision resistance matters. For storing passwords, use a deliberately slow, salted construction such as Argon2 or bcrypt rather than a plain digest.
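The three transformations side by side, as an added example that is not part of the original page. It uses only the Python standard library; because AES is not in the standard library, the encryption step uses a one-time pad (XOR with a random key as long as the message), a real cipher whose security rests entirely on the key. The sample message is constructed for the example.

```python
"""Added example (not part of the original page): encoding, encryption and
hashing side by side, using only the Python standard library.

Assumption: AES is not in the standard library, so the encryption step uses a
one-time pad (XOR with a random key as long as the message). It is a real
cipher whose security rests entirely on the key, which is the point here.
"""
import base64
import hashlib
import secrets
import urllib.parse


def encode_roundtrip(data: bytes) -> tuple[str, str, bytes]:
    """Encoding: a public scheme and no key, so anyone can reverse it."""
    b64 = base64.b64encode(data).decode("ascii")
    url = urllib.parse.quote(data)
    decoded = base64.b64decode(b64)       # no secret needed to get the input back
    return b64, url, decoded


def otp_keygen(length: int) -> bytes:
    """Fresh random key, one per message; never reuse it."""
    return secrets.token_bytes(length)


def otp_xor(key: bytes, data: bytes) -> bytes:
    """One-time pad: encryption and decryption are the same XOR.
    Without the exact key the output is indistinguishable from random noise."""
    if len(key) != len(data):
        raise ValueError("one-time pad key must be exactly as long as the message")
    return bytes(k ^ d for k, d in zip(key, data))


def sha256_hex(data: bytes) -> str:
    """Hashing: fixed-size digest, no key, no way back to the input."""
    return hashlib.sha256(data).hexdigest()


def hamming_bits(a: bytes, b: bytes) -> int:
    """Count of differing bits between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def avalanche(data: bytes) -> int:
    """Flip a single input bit and count how many of the 256 digest bits change.
    For a good hash roughly half of them (about 128) change."""
    flipped = bytes([data[0] ^ 0x01]) + data[1:]
    return hamming_bits(hashlib.sha256(data).digest(),
                        hashlib.sha256(flipped).digest())


if __name__ == "__main__":
    msg = b"hello world"   # constructed sample input
    b64, url, back = encode_roundtrip(msg)
    print("base64:", b64, "| url:", url, "| decoded:", back)

    key = otp_keygen(len(msg))
    ct = otp_xor(key, msg)
    print("ciphertext:", ct.hex())
    print("right key :", otp_xor(key, ct))
    print("wrong key :", otp_xor(otp_keygen(len(msg)), ct))

    print("sha256:", sha256_hex(msg))
    print("digest bits changed after a one-bit input flip:", avalanche(msg))
```

Running it shows the contrast directly: the Base64 and URL forms decode without any secret, the pad ciphertext decrypts only with the exact key (a different random key yields garbage), and a one-bit change to the hashed input flips about half of the digest bits with no way to recover the input from the digest.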
Obfuscation#
The purpose of obfuscation is to make something harder to understand, usually for the purposes of making it more difficult to attack or to copy.
- One common use is the obfuscation of source code so that a product is harder to replicate if it is reverse engineered.
- It’s important to note that obfuscation is not a strong control (like properly employed encryption) but rather an obstacle. Like encoding, it can often be reversed by applying the inverse of the technique that produced it; other times undoing it is simply a manual process that takes time to work through.
- Another key thing to realize about obfuscation is that there is a limitation to how obscure the code can become, depending on the content being obscured. If you are obscuring computer code, for example, the limitation is that the result must still be consumable by the computer or else the application will cease to function.
Examples: JavaScript Obfuscator ↗, ProGuard ↗
Obscurity is not security#
In cryptography a cipher is not considered secure because its design is hidden; it earns trust by surviving years of public analysis. Kerckhoffs’s principle ↗ states that a system should remain secure even when everything about it except the key is public knowledge. For example, every detail of how AES works is published and studied, and no practical attack on the full cipher is known.
Occasionally, organizations implement their own custom encryption algorithms and rely on keeping the design secret. There are many instances where such proprietary systems were broken soon after the design was reverse engineered or leaked.
A cryptographic system should not be considered secure if its security depends on keeping its design secret; the only thing that should need to stay secret is the key.
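What that failure looks like in practice, as an added example that is not part of the original page: a hypothetical product ships a "proprietary" cipher (repeating-key XOR with a key baked into the binary) and argues it is safe because nobody knows how it works. Once an analyst recovers the algorithm, a single known plaintext/ciphertext pair yields the key and every message ever sent through the product falls. The product, its key and all the messages are constructed for this example.

```python
"""Added example (not part of the original page): a hypothetical product ships
a 'secret' cipher (repeating-key XOR with a key baked into the binary) and
argues that it is safe because nobody knows how it works. Once an analyst
reverse-engineers the algorithm, a single known plaintext/ciphertext pair
recovers the key, and every message ever sent falls. The key and all
messages are constructed for this example.
"""

HARDCODED_KEY = b"s3cr3tK!"   # hypothetical: extracted from the product binary


def homebrew_encrypt(plaintext: bytes, key: bytes = HARDCODED_KEY) -> bytes:
    """The vendor's 'proprietary' cipher: XOR with the key repeated."""
    return bytes(p ^ key[i % len(key)] for i, p in enumerate(plaintext))


homebrew_decrypt = homebrew_encrypt   # XOR is its own inverse


def guess_key_length(known_plaintext: bytes, ciphertext: bytes, max_len: int = 64) -> int:
    """c = p XOR k, so p XOR c is the key stream; its smallest period is the
    key length. A period equal to the whole stream is not evidence, so the
    known plaintext must be longer than the key."""
    stream = bytes(p ^ c for p, c in zip(known_plaintext, ciphertext))
    for n in range(1, min(max_len, len(stream)) + 1):
        if n == len(stream):
            continue
        if all(stream[i] == stream[i % n] for i in range(len(stream))):
            return n
    raise ValueError("no period found in the key stream; obtain more known plaintext")


def recover_key(known_plaintext: bytes, ciphertext: bytes) -> bytes:
    """Known-plaintext attack: the first key_len bytes of p XOR c are the key."""
    key_len = guess_key_length(known_plaintext, ciphertext)
    return bytes(p ^ c for p, c in zip(known_plaintext[:key_len], ciphertext[:key_len]))


def break_all(known_plaintext: bytes, known_ciphertext: bytes,
              captured: list[bytes]) -> list[bytes]:
    """Recover the key from one pair, then decrypt every other captured message."""
    key = recover_key(known_plaintext, known_ciphertext)
    return [homebrew_decrypt(ct, key) for ct in captured]


# Constructed traffic: messages other users sent through the product.
VICTIM_MESSAGES = [
    b"Wire transfer approved, reference 4471-AB.",
    b"Reset token for alice@example.com is 9f31c2",
]


def demo() -> list[bytes]:
    captured = [homebrew_encrypt(m) for m in VICTIM_MESSAGES]
    # The analyst sends one message of their own through the product and
    # captures it on the wire: a chosen-plaintext pair, no secrets required.
    known_pt = b"Probe message chosen by the analyst, long enough to cover the key."
    known_ct = homebrew_encrypt(known_pt)
    return break_all(known_pt, known_ct, captured)


if __name__ == "__main__":
    for pt in demo():
        print(pt.decode())
```

The attack needs nothing that the vendor considered secret beyond the algorithm itself, and the algorithm is exactly what reverse engineering of a shipped product reveals. Compare the one-time pad above: its algorithm is also public, but recovering one message's key tells the attacker nothing about any other message, because the secret lives in a fresh key rather than in the design.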