Just some notes on encrypting, decrypting, hashing, and related use cases.
Encryption vs. Hashing
Encryption is when you want to scramble something (encrypt) for use later when you will unscramble (decrypt) it to read the original something. In other words, encryption is two way.
Hashing, on the other hand, is one way. You want to scramble something, but with the intention of only using the scrambled output. The output is always a fixed, known length regardless of the input size. Hash values are not strictly unique (there are far more possible inputs than outputs, so collisions must exist), but for a good hash function finding two inputs with the same output is infeasible.
The output of a hash function is called a digest, whereas the output of an encryption function is called ciphertext.
There are two main types of encryption: asymmetric and symmetric.
- Asymmetric - Public/private key encryption is the example of this. Keys come in pairs: what one key encrypts, only the other can decrypt. The encryption still goes two ways (both encrypt and decrypt), but you don’t use the same key to decrypt that you used to encrypt. This is the underlying model for key exchange and authentication in TLS and SSH, which then hand the actual traffic to a symmetric cipher.
- Symmetric - This is secret key encryption. One shared key is used to encrypt, and only that same key can be used to decrypt, so anyone holding it can read the data.
Most of the encryption actually applied to data in the field is symmetric; asymmetric encryption is much slower and is mainly used to exchange or wrap symmetric keys and to sign things. Regardless, there are several algorithms in use for both asymmetric and symmetric.
- AES - Advanced Encryption Standard. A standardized symmetric block cipher (FIPS 197) in use since 2001.
- RSA - Rivest Shamir Adleman. Named after its creators. This is a public key (asymmetric) algorithm that has been around since 1978 and is still in use today, for both encryption and signatures.
- ECC - Elliptic Curve Cryptography. A family of asymmetric algorithms (ECDH for key exchange, ECDSA and Ed25519 for signatures) that reach the same security level as RSA with much shorter keys.
- PGP - Pretty Good Privacy. Not one algorithm but a program and message format (standardized as OpenPGP) that combines hashing, symmetric and asymmetric encryption, and signatures. Often criticized for its long, unwieldy keys.
Advanced Encryption Standard
AES is not an implementation, per se, but a specification: any library that meets FIPS 197 is “AES”, and implementations differ in speed and side-channel resistance, not in their output. The cipher itself was originally known as Rijndael and was selected by NIST in a public competition.
What does vary is the mode of operation, which defines how the 16-byte block cipher is applied to a message of arbitrary length. The modes have different use cases and advantages/disadvantages. Here are some examples.
- ECB mode - each block is encrypted independently, so identical plaintext blocks give identical ciphertext blocks; it leaks structure and should not be used.
- CBC mode - each plaintext block is XORed with the previous ciphertext block before encryption, starting from an IV; confidentiality only.
- CTR mode - turns the block cipher into a keystream; parallelizable, but the nonce must never repeat under a key.
- GCM mode - CTR plus an authentication tag; the usual AEAD choice.
Authenticated Encryption with Associated Data.
As mentioned, AES has more than one mode of operation, and they have different use cases. While all of them guarantee confidentiality, not all of them guarantee integrity or authenticity. With AES in CBC mode, for example, an attacker can flip bits in the ciphertext and it will still decrypt without failing: the block holding the flipped bit turns to garbage, and the same bit is flipped in the following plaintext block, which is exactly what an attacker needs to change a field such as an amount or a recipient.
Authenticated Encryption with Associated Data (AEAD) provides that. An AEAD mode such as AES-GCM produces an authentication tag over the ciphertext, and decryption fails outright if the ciphertext or the tag was changed, so a man-in-the-middle cannot silently modify the encrypted payload. The “associated data” is extra plaintext (a header, a version, a recipient) that is not encrypted but is still covered by the tag, so it cannot be swapped either.
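The two points above (CBC decrypts tampered ciphertext without complaint; an authentication tag catches the tampering) in working code. This is an added example, not code from the original notes: since the standard library has no AES, it uses a toy 32-byte Feistel block cipher built from HMAC-SHA256 (a stand-in for AES, not secure for real use, but a genuine keyed permutation so CBC behaves exactly as described), then adds the classic encrypt-then-MAC construction with associated data. The key, message and field offsets are constructed for the demo.

```python
import hashlib
import hmac
import os

BLOCK = 32    # toy block size in bytes: two 16-byte Feistel halves (AES uses 16-byte blocks)
ROUNDS = 4
TAG_LEN = 32  # HMAC-SHA256 tag


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key: bytes, rnd: int, half: bytes) -> bytes:
    # Keyed round function: HMAC-SHA256 truncated to a half block.
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:BLOCK // 2]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    # Feistel network: invertible for any round function, so this is a keyed permutation.
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in range(ROUNDS):
        left, right = right, _xor(left, _round_fn(key, rnd, right))
    return left + right


def block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in reversed(range(ROUNDS)):
        left, right = _xor(right, _round_fn(key, rnd, left)), left
    return left + right


def _pad(data: bytes) -> bytes:  # PKCS#7
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def _unpad(data: bytes) -> bytes:
    if not data:
        raise ValueError("empty plaintext")
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def cbc_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Returns IV || C0 || C1 || ... with NO integrity protection."""
    prev = os.urandom(BLOCK)
    out = [prev]
    padded = _pad(plaintext)
    for i in range(0, len(padded), BLOCK):
        prev = block_encrypt(key, _xor(padded[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, blob: bytes) -> bytes:
    prev, out = blob[:BLOCK], []
    for i in range(BLOCK, len(blob), BLOCK):
        cur = blob[i:i + BLOCK]
        out.append(_xor(block_decrypt(key, cur), prev))  # P_i = D(C_i) XOR C_{i-1}
        prev = cur
    return _unpad(b"".join(out))


def _subkeys(master: bytes):
    # Separate encryption and authentication keys derived from one master key.
    return (hmac.new(master, b"enc", hashlib.sha256).digest(),
            hmac.new(master, b"mac", hashlib.sha256).digest())


def _tag(mac_key: bytes, associated_data: bytes, body: bytes) -> bytes:
    # Length-prefix the associated data so the (ad, body) boundary is unambiguous.
    msg = len(associated_data).to_bytes(8, "big") + associated_data + body
    return hmac.new(mac_key, msg, hashlib.sha256).digest()


def aead_encrypt(master: bytes, plaintext: bytes, associated_data: bytes) -> bytes:
    enc_key, mac_key = _subkeys(master)
    body = cbc_encrypt(enc_key, plaintext)
    return body + _tag(mac_key, associated_data, body)  # encrypt-then-MAC


def aead_decrypt(master: bytes, blob: bytes, associated_data: bytes) -> bytes:
    enc_key, mac_key = _subkeys(master)
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, _tag(mac_key, associated_data, body)):
        raise ValueError("authentication failed: ciphertext or associated data modified")
    return cbc_decrypt(enc_key, body)  # decrypt only after the tag checks out


def _flip(blob: bytes, index: int, delta: int) -> bytes:
    return blob[:index] + bytes([blob[index] ^ delta]) + blob[index + 1:]


def demo() -> dict:
    key = b"k" * 32                                      # constructed fixed key
    header = b"msgid=1;v=1".ljust(BLOCK, b".")          # plaintext block 0
    body = b"amount=0100;to=alice".ljust(BLOCK, b".")   # plaintext block 1
    plaintext = header + body + b"memo=lunch"            # block 2: memo plus padding
    ad = b"recipient=alice"

    # Target: first digit of the amount, plaintext offset BLOCK + 7. In CBC,
    # P1[j] = D(C1)[j] XOR C0[j], and C0[j] sits at the same offset in IV||C0||C1||...
    target, delta = BLOCK + 7, ord("0") ^ ord("9")

    tampered = cbc_decrypt(key, _flip(cbc_encrypt(key, plaintext), target, delta))
    sealed = aead_encrypt(key, plaintext, ad)

    def rejected(blob_, ad_):
        try:
            aead_decrypt(key, blob_, ad_)
            return False
        except ValueError:
            return True

    return {
        "tampered_body": tampered[BLOCK:2 * BLOCK],      # amount=9100;to=alice...
        "header_garbled": tampered[:BLOCK] != header,     # block 0 is now garbage
        "memo_intact": tampered[2 * BLOCK:] == b"memo=lunch",
        "aead_roundtrip": aead_decrypt(key, sealed, ad) == plaintext,
        "aead_rejects_bit_flip": rejected(_flip(sealed, target, delta), ad),
        "aead_rejects_ad_change": rejected(sealed, b"recipient=mallory"),
    }
```

Run `demo()`: plain CBC hands back a message whose amount now reads 9100 with no error at all, while the authenticated variant refuses both the flipped ciphertext and an unchanged ciphertext presented with different associated data. Real AEAD modes (AES-GCM, ChaCha20-Poly1305) fold the tag computation into the mode rather than bolting HMAC on afterwards, but the guarantee is the same one shown here.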
Encryption at rest vs. encryption in transport
Encryption at rest means your data is encrypted in its stored state. For example, all files on disk being encrypted, every record in your DB being encrypted, or everything in your S3 bucket being encrypted. It protects against someone walking off with the disk or the bucket, not against an attacker who compromises the application that holds the key.
Encryption in transport (also called in transit), in comparison, refers to encrypting a payload for the express purpose of sharing it between two end parties. For example, TLS encrypts all data in transport for HTTP traffic, giving us “HTTPS”. That’s a barbaric description of it, but basically that’s what it means.
As mentioned above, a hash function produces a digest. A digest is a short fixed-length value derived from some variable-length input. Cryptographic digests should exhibit collision-resistance, meaning that it’s hard to come up with two different inputs that have the same digest value.
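An added example (not part of the original notes) showing the two digest properties above concretely: SHA-256 always produces 32 bytes whatever the input size, and collision resistance depends on that length. To make a collision findable in a fraction of a second the digest is deliberately truncated to 24 bits; the birthday search below then needs only about 2^12 tries, which is the same attack that is hopeless against the full 256-bit digest. The input naming scheme is constructed for the demo.

```python
import hashlib
import math


def sha256_digest(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def truncated_digest(data: bytes, nbytes: int) -> bytes:
    # A deliberately short digest: the first nbytes of SHA-256.
    return sha256_digest(data)[:nbytes]


def expected_birthday_tries(nbits: int) -> float:
    # Expected number of random inputs before two share an nbits-bit digest.
    return math.sqrt(math.pi / 2 * 2 ** nbits)


def find_collision(nbytes: int, limit: int = 1_000_000):
    """Birthday search: hash distinct inputs until two share a truncated digest.
    Returns (input_a, input_b, shared_digest, tries) or None within the limit."""
    seen = {}
    for i in range(limit):
        msg = b"msg-%d" % i            # constructed inputs, all distinct
        d = truncated_digest(msg, nbytes)
        if d in seen:
            return seen[d], msg, d, i + 1
        seen[d] = msg
    return None


def demo() -> dict:
    # Fixed length: the empty input and a megabyte hash to the same digest size.
    sizes = {len(sha256_digest(b"")), len(sha256_digest(b"a" * 1_000_000))}
    a, b, d, tries = find_collision(3)   # 24-bit digest: collision in ~5000 tries
    return {
        "digest_sizes": sizes,                           # {32}
        "inputs": (a, b),
        "tries": tries,
        "truncated_match": truncated_digest(a, 3) == truncated_digest(b, 3) == d,
        "full_digests_differ": sha256_digest(a) != sha256_digest(b),
        "expected_24bit": expected_birthday_tries(24),    # ~5133
        "expected_256bit": expected_birthday_tries(256),  # ~4e38: never
    }
```

The two inputs found collide only on the truncated digest; their full SHA-256 digests still differ, which is why truncating a hash (or using a short one) quietly throws away the collision resistance the full length provides.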
Based on my notes from Crypto 101
- XOR - exclusive or. If exactly one of the two operands is true, the result is true; if both are true (or both false), the result is false. 1 ⊕ 1 = 0. XOR is its own inverse, (a ⊕ k) ⊕ k = a, which is why it is the workhorse of the one-time pad and of stream ciphers.
- One-Time Pad - The ultimate “perfectly secure” algorithm for encryption (ciphertext = plaintext ⊕ pad), but impractical because the pad must be truly random and as long as the message, and because the pad MUST only be used once: reusing it hands an attacker the XOR of the two plaintexts, and the secrecy is gone.
- Block Cipher - This is a general term for a keyed function on fixed-size blocks that 1. is a permutation for each key (i.e., it’s reversible, given the key) and 2. is efficient to compute in both directions. On its own it handles one block; a mode of operation extends it to whole messages.
- ciphertext - the encrypted output of encryption, the encrypted gobbledygook.
- iv - initialization vector. This should be unique every time you encrypt something, so that encrypting the same plaintext twice under the same key doesn’t produce the same ciphertext. CBC additionally needs the IV to be unpredictable; for CTR and GCM the nonce simply must never repeat under a given key, and a repeat is catastrophic.
- forward secrecy - like forward compatibility, but for secrets. If an encryption system has forward secrecy, a compromise of the long-term key pair doesn’t compromise any previously encrypted plaintext, because each session used a fresh ephemeral key (e.g. ephemeral Diffie-Hellman in TLS) that was discarded afterwards.
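The XOR and one-time pad items above, as an added example that is not from the original notes. It shows the two sides of the pad in working code: with a fresh random pad any ciphertext is consistent with any message of the same length (perfect secrecy), and as soon as the pad is reused the XOR of the two ciphertexts equals the XOR of the two plaintexts, so a known or guessed fragment of one message (a crib) reveals the other. The same failure is what a repeated IV or nonce causes in a stream or counter mode. Messages and crib are constructed for the demo.

```python
import os


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("operands must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def otp_encrypt(pad: bytes, message: bytes) -> bytes:
    # The pad must be truly random, at least as long as the message, and never reused.
    if len(pad) < len(message):
        raise ValueError("pad shorter than message")
    return xor_bytes(pad[:len(message)], message)


otp_decrypt = otp_encrypt  # XOR is its own inverse


def pad_that_explains(ciphertext: bytes, candidate_plaintext: bytes) -> bytes:
    """Perfect secrecy: for ANY candidate plaintext there is a pad turning this
    ciphertext into it, so the ciphertext alone says nothing about the message."""
    return xor_bytes(ciphertext, candidate_plaintext)


def two_time_pad_leak(c1: bytes, c2: bytes) -> bytes:
    """If one pad encrypted both messages, c1 XOR c2 == p1 XOR p2: the pad cancels."""
    return xor_bytes(c1, c2)


def crib_drag(leak: bytes, crib: bytes, offset: int) -> bytes:
    """Known (or guessed) bytes of one plaintext at `offset` reveal the other's."""
    return xor_bytes(leak[offset:offset + len(crib)], crib)


def demo() -> dict:
    p1 = b"transfer 100 to alice".ljust(24)      # constructed messages, same length
    p2 = b"transfer 999 to mallory".ljust(24)
    decoy = b"nothing to see here".ljust(24)
    pad = os.urandom(len(p1))
    c1 = otp_encrypt(pad, p1)
    c2 = otp_encrypt(pad, p2)                      # the mistake: pad reused
    leak = two_time_pad_leak(c1, c2)
    return {
        "roundtrip": otp_decrypt(pad, c1) == p1,
        # c1 is equally consistent with the decoy under some other pad
        "decoy_consistent": otp_decrypt(pad_that_explains(c1, decoy), c1) == decoy,
        "leak_is_p1_xor_p2": leak == xor_bytes(p1, p2),
        "recovered_p2": crib_drag(leak, p1, 0),          # full crib: all of p2
        "partial_crib": crib_drag(leak, b"transfer ", 0),  # guessed prefix: p2's prefix
    }
```

Note that `leak` is computed from the ciphertexts alone; the pad never appears on the attacker's side, which is the whole point of the "only once" rule.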