Unit III Overview: Introduction to Cryptography
Cryptography is the science of securing information through mathematical transformations. It is the most fundamental technical tool in cyber security, providing the basis for secure communication, data protection, authentication, and digital trust. The word derives from Greek: kryptos (hidden) + graphia (writing).
Unit III covers cryptographic foundations (this lesson), symmetric cryptography (DES, AES), asymmetric cryptography (RSA, digital signatures), and their application to securing web and email systems.
---
Core Cryptographic Concepts
| Term | Definition | Example | Key Fact | Notation |
|---|---|---|---|---|
| Plaintext | Original readable message | "Transfer $1000 to account 12345" | Input to encryption | P or M |
| Ciphertext | Encrypted, unreadable output | "X7kP2qR#9mL..." | Transmitted over insecure channel | C |
| Encryption | Process of converting plaintext to ciphertext | AES encryption of a file | Requires algorithm + key | E(K, P) = C |
| Decryption | Process of converting ciphertext to plaintext | AES decryption of a file | Reverse of encryption | D(K, C) = P |
| Key | Secret value used in encryption/decryption | 256-bit random string | Security depends entirely on key secrecy | K |
| Algorithm/Cipher | Mathematical function for encryption | AES, RSA, ChaCha20 | Should be public (Kerckhoffs's principle) | — |
| Cryptanalysis | Science of breaking cryptographic systems | Differential cryptanalysis | Studies algorithm weaknesses | — |
---
Types of Cryptography
Cryptography is broadly classified into three types based on key usage:
| Type | Keys Used | Speed | Use Case | Key Challenge | Examples |
|---|---|---|---|---|---|
| Symmetric | Same key for encrypt + decrypt | Very Fast | Bulk data encryption | Secure key distribution | AES, DES, 3DES, RC4 |
| Asymmetric | Different keys (public + private) | Slow | Key exchange, digital signatures | Key pair generation | RSA, ECC, DSA |
| Hash Functions | No key (one-way function) | Extremely Fast | Integrity verification, password storage | Collision resistance | SHA-256, SHA-3, MD5 (broken) |
Hybrid Cryptography combines symmetric and asymmetric:
- Alice and Bob use asymmetric (RSA) to securely exchange a symmetric session key
- They then use symmetric (AES) to encrypt bulk data with that session key
- This is how HTTPS/TLS works in practice
---
User Authentication Methods
Authentication verifies that a user is who they claim to be. There are four authentication factors:
| Factor | Category | Examples | Strength | Vulnerabilities |
|---|---|---|---|---|
| Password / PIN | Something you know | Text password, security question | Low–Medium | Phishing, cracking, reuse |
| Hardware Token / Smart Card | Something you have | RSA SecurID, YubiKey, CAC card | High | Theft, loss |
| Biometrics | Something you are | Fingerprint, facial recognition, iris | High | Spoofing (fake fingerprint), cannot be changed if compromised |
| Location / Behavior | Somewhere you are / Something you do | GPS location, typing cadence, keystroke dynamics | Medium | VPN bypasses location |
Multi-Factor Authentication (MFA) combines two or more factors. The strongest form is FIDO2/WebAuthn with hardware security keys (YubiKey) — completely phishing-resistant.
---
Password Authentication in Depth
Password storage is critical — never store plaintext passwords:
| Storage Method | How It Works | Cracking Resistance | Modern Use | Status |
|---|---|---|---|---|
| Plaintext | Password stored as-is | None | Never use | Insecure (forbidden) |
| MD5 hash | MD5(password) stored | Very Low — GPU can test 10 billion/sec | Legacy systems | Broken (avoid) |
| SHA-1 hash | SHA1(password) stored | Low — GPU test 4 billion/sec | Deprecated systems | Broken (avoid) |
| Salted SHA-256 | SHA256(salt + password) | Medium — defeats rainbow tables | Some systems | Acceptable (not recommended) |
| bcrypt | Adaptive cost function, built-in salt | High — designed to be slow | Most web apps | Recommended |
| Argon2id | Memory-hard, adaptive cost | Very High — winner of Password Hashing Competition | Modern systems | Gold standard |
---
Message Authentication
Message Authentication ensures:
- The message has not been altered in transit (integrity)
- The message came from the claimed sender (authenticity)
Tools for message authentication:
- MAC (Message Authentication Code): A cryptographic checksum using a shared secret key. Both parties share a secret key; only they can generate and verify the MAC. Algorithm: HMAC-SHA256.
- Digital Signature: Uses asymmetric cryptography. Sender signs with private key; anyone can verify with public key. Provides authentication + non-repudiation.
- Hash Functions: MD5, SHA-256 — verify integrity (content has not changed) but not authenticity (anyone can compute a hash).
Exam Tip: Know the three services provided by cryptographic systems: Confidentiality (encryption hides content), Integrity (hashing detects tampering), Authentication/Non-repudiation (digital signatures prove origin). Also know: symmetric = fast + same key; asymmetric = slow + different keys; hash = one-way, no key.
---
Study Deep: Cryptographic Foundations
- Kerckhoffs's Principle — security through obscurity fails: Auguste Kerckhoffs stated in 1883 that a cryptographic system should be secure even if everything about the system, except the key, is public knowledge. This means: publish your algorithm, keep only the key secret. This enables public scrutiny and builds trust. Security through obscurity (hiding the algorithm itself) has repeatedly failed historically.
- The key length determines security: For symmetric encryption, key length determines brute-force resistance. 56-bit DES can be broken in hours. 128-bit AES would take longer than the age of the universe with current technology. For asymmetric (RSA), 2048-bit is the current minimum; 4096-bit is recommended for long-term security. Key length must increase over time as computing power grows.
- Quantum computing threatens current cryptography: Current RSA and ECC asymmetric algorithms can theoretically be broken by quantum computers running Shor's algorithm. NIST completed post-quantum cryptography standardization in 2024, selecting CRYSTALS-Kyber (key encapsulation) and CRYSTALS-Dilithium (digital signatures) as the new standards.
- Hash collisions break trust: A hash collision is when two different inputs produce the same hash output. MD5 collision attacks were demonstrated in 2004 (Wang and Yu). SHA-1 was publicly broken in 2017 (Google's SHAttered attack). This is why moving to SHA-256 (SHA-2 family) or SHA-3 is critical for integrity checking.
- One-Time Pad is theoretically unbreakable: The only cryptographic system proven mathematically unbreakable is the One-Time Pad (OTP) — where a truly random key as long as the message is used once and destroyed. It is used for diplomatic hotlines between nations. Practical limitations: key distribution is impossibly difficult at scale. The "red telephone" between US and USSR used OTP-based encryption.