Introduction

What exactly is cryptography? How can one deploy it? For what purposes is it used? How can it be used to secure the confidential information and data of an organization? How can cryptography be used to secure the lines of network communications between a remote worker and the corporate servers?

These are all questions that a well-trained cryptographer can answer. They are well-versed in all aspects of this amazing part of cybersecurity, with everything from its deployment to how it can best be used to meet the security requirements of any organization.

In this article, we will examine the top thirty questions that can be asked of an experienced cryptographer, ranging from what it is all about to its commercial applications. These types of questions can be broken down into Level 1, Level 2 and Level 3 Questions. These questions can also be used in an interview situation when a business or a corporation wishes to hire a cryptographer, either on a full-time or contract basis.

Level 1 Questions

1. What is cryptography?

Cryptography is a specialized area of cybersecurity, but it has a broad array of applications that we will examine later. Kaspersky Lab has defined it as follows: “Cryptography is the study of secure communications techniques that allow only the sender and intended recipient of a message to view its contents. In addition, cryptography also covers the obfuscation of information in images using techniques such as microdots or merging.”

2. What exactly are encryption and decryption?

The terms “scrambling” and “descrambling” are commonly known. In terms of cryptography, scrambling and descrambling are also known as “encryption” and “decryption.”

For example: when the written message “I LOVE YOU” is scrambled by the sending party, it becomes what is known as the “encrypted message.” This means that the written message has been disguised in such a manner that it would be totally meaningless, or in the terms of cryptography, it would be undecipherable.

Encryption can also be described as the conversion of information from a readable state to apparent nonsense. When the receiving party receives this encrypted written message, it must be unscrambled into an understandable and comprehensible state of context. This process of unscrambling is also known as decryption.

3. What is plaintext or cleartext?

The decrypted message, when it is returned back into its plain or original state of context which is comprehensible and decipherable, is also known as cleartext or plaintext.

4. What is ciphertext?

When the message is encrypted into a state which is totally incomprehensible and undecipherable, this is known as the ciphertext. So, to illustrate all of this, with the previous example, when the sending party creates the written message of “I LOVE YOU”, this is the plaintext or the cleartext. Once this message is encrypted into the format of “UYO I VEOL” and while it is in transit, it becomes known as the ciphertext. Then, once the receiving party gets this ciphertext and then decrypts it into a comprehensible and understandable form of “I LOVE YOU,” this message then becomes the plaintext or the cleartext again.

5. How does the encryption process actually take place?

This is a question for which we will have more specific answers later on. But generally speaking, in its simplest form, the text or the written message is encrypted via a special mathematical formula. This formula is specifically known as the “encryption algorithm.” Because the ciphertext is now encrypted by this special mathematical algorithm, it would be rendered useless to a third party with malicious intent, because of its totally garbled nature.

6. What are the origins of cryptography?

For almost as long as people have been writing, people have wanted to protect what was written. According to some scholars, cryptography can be traced all the way back to 1900 BC, when the tomb of Khnumhotep II used unknown hieroglyphs to apparently mask the intent of a carved message. Other early messages include simple ciphers on Mesopotamian clay tablets and the Greek use of a “scytale,” a decoding stick, which would reveal a message when a strip of cloth with a cipher on it was wrapped around it.

7. What is the Caesar cipher?

In the Caesar methodology, each letter of the text or the written message is substituted with another letter of the alphabet which is so many spaces or letters later in the alphabet. This is probably the simplest form of encryption, because each letter in the plaintext message is literally substituted by another letter, thus forming the ciphertext. This methodology (which was said to be used by Julius Caesar) is probably the most-cited type of algorithm in academic literature.

8. What is the goal of cryptography?

Although the main purpose of cryptography appears to be making content and images undecipherable, the true goal of cryptography in an information technology context is to ensure the confidentiality and integrity of any information technology system. In other words, the content and images must remain private between the sending and the receiving parties; while they are in transit across the Internet, assurances must be provided that they will remain intact and not altered in any way.

9. Are there any other ciphers that are available, other than the Caesar cipher?

Yes, there are. As cryptography has evolved over time, so has the degree of sophistication of these other ciphers.

10. Just how important is the field of cryptography?

Cryptography is going to play a very large role in cybersecurity today and in the future. For example, it will be vital to encrypt all kinds and types of data, especially as it relates to a business or corporation and their customers.

Level 2 Questions

1. What is the difference between a private key and a public key?

As it was alluded to earlier, one of the main purposes of cryptography is to scramble forms of content and images into an undecipherable state. You may be wondering how this is all exactly done. The answer is that it primarily involves the use of a key. Traditionally, this is a private key. With this particular key, the sending party can encrypt the plaintext, and from there the content or image will be sent in its garbled state across the network medium to the receiving party. A private key is private to the sender or the receiver, while a public key may be available to a group.

2. What are symmetric and asymmetric key systems?

A symmetric key system uses only the private key, and the asymmetric key system makes use of both the public key and the private key. The latter is used primarily in what is known as a Public Key Infrastructure, or PKI for short. It will be discussed in more detail later on.

3. What kinds of threats exist for a cryptographic system?

There are three traditional types of attacks, and they are as follows:

  • Ciphertext-only attack: With this type of attack, only the ciphertext is known to the attacker. But if this particular individual is well-trained in statistics, then he or she can use various statistical techniques to break the ciphertext back into the plaintext
  • Known-plaintext attack: This occurs when the hacker knows some aspect of the letter pairings; thus, they can consequently crack the ciphertext back into the plaintext
  • Chosen-plaintext attack: With this type of attack, the hacker can choose the plaintext and view the encrypted output which is being transmitted across the network medium. From this, they can reverse-engineer it back into its ciphertext form in an attempt to figure out the specific encryption scheme
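
The Caesar cipher from Level 1 and the ciphertext-only attack above fit together in one added example (not part of the original article): a shift cipher has only 26 possible keys, so letter-frequency statistics alone recover the plaintext. The sample sentence and the approximate English frequency table are constructed for this illustration.

```python
import string
from collections import Counter

ALPHABET = string.ascii_uppercase

# Approximate relative frequency (percent) of the letters A..Z in English text.
ENGLISH_FREQ = dict(zip(ALPHABET, [
    8.2, 1.5, 2.8, 4.3, 12.7, 2.2, 2.0, 6.1, 7.0, 0.15, 0.8, 4.0, 2.4,
    6.7, 7.5, 1.9, 0.1, 6.0, 6.3, 9.1, 2.8, 1.0, 2.4, 0.15, 2.0, 0.07,
]))

# Constructed sample plaintext, long enough for the statistics to be reliable.
SAMPLE = ("MEET ME AT THE OLD BRIDGE AFTER SUNSET AND BRING THE SIGNED "
          "LETTERS WITH YOU SO THAT WE CAN SEND THEM TO THE OTHER SIDE")


def caesar(text: str, shift: int) -> str:
    """Shift every letter `shift` places; non-letters pass through unchanged."""
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)


def chi_squared(text: str) -> float:
    """Distance between the letter counts of `text` and typical English."""
    letters = [c for c in text if c in ALPHABET]
    if not letters:
        return float("inf")
    counts = Counter(letters)
    total = len(letters)
    score = 0.0
    for c in ALPHABET:
        expected = total * ENGLISH_FREQ[c] / 100
        score += (counts[c] - expected) ** 2 / expected
    return score


def break_caesar(ciphertext: str):
    """Ciphertext-only recovery: try all 26 shifts, keep the most English-like."""
    best = min(range(26), key=lambda s: chi_squared(caesar(ciphertext, -s)))
    return best, caesar(ciphertext, -best)


if __name__ == "__main__":
    secret = caesar(SAMPLE, 7)
    print(secret)
    print(break_caesar(secret))
```

Very short messages such as “I LOVE YOU” carry too few letters for the frequency score to be dependable; with only 26 candidates, reading all of them is enough.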

4. What is polyalphabetic encryption?

This was listed as a specific type of cipher earlier. A polyalphabetic cipher is simply a substitution cipher that uses multiple alphabets for substitution.

5. What is a block cipher?

With this method of transposition, the plaintext message is encrypted into its scrambled format by being broken up into blocks and encrypted block-by-block. Let us illustrate this with our example used before, but this time, let us assume a block of three characters, mathematically represented as 3 bits, or where k=3.

   Plaintext:            I LOVE YOU

   Plaintext Block:         ILO VEY OUX

   Ciphertext Block:        OLI YEV XUO

   Ciphertext:           OLIYEVXUO

6. What is cipher block chaining?

The initialization vectors are part of a larger process known as cipher block chaining, or CBC. Within this methodology, multiple loops of encryption are created in order to further totally scramble the ciphertext.

Here is how the process works:

  1. The Initialization Vector is created first
  2. Through a mathematical process known as XOR (which stands for exclusive OR and is used quite frequently to determine if the bits of two strings of data match or not), the first created Initialization Vector is XOR’d with the first block of ciphertext data
  3. The first chunk of data which has been XOR’d is further broken down by another layer of encryption
  4. This process is then continued until all of the blocks of ciphertext have been XOR’d and enveloped with another layer of encryption

This is how cipher block chaining gets its title. For instance, steps 1-4 create the first loop or chain; the second loop or chain is then next initiated, and so on, until the ciphertext has been fully analyzed and encrypted by this methodology.
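
An added example (not from the original article) of CBC in its standard form: each plaintext block is XORed with the previous ciphertext block, or with the Initialization Vector for the first block, and the result is then encrypted. The `toy_encrypt_block` Feistel cipher, the key and `SAMPLE` are constructed so the code runs with the standard library only; real systems use AES from a vetted library.

```python
import hashlib

BLOCK = 16  # bytes per block (same size as AES); the cipher below is a toy stand-in
SAMPLE = b"I LOVE YOU 12345" * 2  # constructed input: two identical 16-byte blocks

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _round(half: bytes, key: bytes, i: int) -> bytes:
    # Feistel round function: keyed hash truncated to half a block.
    return hashlib.sha256(key + bytes([i]) + half).digest()[: BLOCK // 2]

def toy_encrypt_block(block: bytes, key: bytes) -> bytes:
    left, right = block[: BLOCK // 2], block[BLOCK // 2:]
    for i in range(4):
        left, right = right, _xor(left, _round(right, key, i))
    return left + right

def toy_decrypt_block(block: bytes, key: bytes) -> bytes:
    left, right = block[: BLOCK // 2], block[BLOCK // 2:]
    for i in reversed(range(4)):
        left, right = _xor(right, _round(left, key, i)), left
    return left + right

def pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK  # PKCS#7: always adds 1..BLOCK bytes
    return data + bytes([n]) * n

def unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("invalid padding")
    return data[:-n]

def ecb_encrypt(plaintext: bytes, key: bytes) -> bytes:
    # No chaining: every block is encrypted on its own, shown for comparison.
    data = pad(plaintext)
    return b"".join(toy_encrypt_block(data[i:i + BLOCK], key)
                    for i in range(0, len(data), BLOCK))

def cbc_encrypt(plaintext: bytes, key: bytes, iv: bytes) -> bytes:
    data, prev, out = pad(plaintext), iv, b""
    for i in range(0, len(data), BLOCK):
        # XOR with the previous ciphertext block (the IV first), then encrypt.
        prev = toy_encrypt_block(_xor(data[i:i + BLOCK], prev), key)
        out += prev
    return out

def cbc_decrypt(ciphertext: bytes, key: bytes, iv: bytes) -> bytes:
    prev, out = iv, b""
    for i in range(0, len(ciphertext), BLOCK):
        block = ciphertext[i:i + BLOCK]
        out += _xor(toy_decrypt_block(block, key), prev)
        prev = block
    return unpad(out)

if __name__ == "__main__":
    key, iv = b"constructed demo key", bytes(BLOCK)
    print(ecb_encrypt(SAMPLE, key).hex())      # first two blocks repeat
    print(cbc_encrypt(SAMPLE, key, iv).hex())  # chaining hides the repetition
```

Without chaining, the two identical plaintext blocks produce identical ciphertext blocks; with CBC they differ, and a different Initialization Vector changes the whole ciphertext.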

7. What are the disadvantages of symmetric key cryptography?

Symmetric key cryptography suffers from three major vulnerabilities:

  1. Key storage and recovery
  2. Key distribution
  3. Open systems

As previously mentioned, symmetric cryptography requires the sharing of secret keys between the two parties (sending and receiving), which further requires the implicit trust that this key will not be shared with any other outside third party. The only way that any type of secrecy can be achieved in this regard would be to establish some sort of trusted channel. An option here would be the use of a so-called designated controller. But this carries third-party risks as well.

With regards to the second vulnerability, since there will be many more lines of communication between the sending and the receiving parties, the need to implement more controllers becomes totally unrealistic as well as unfeasible. Thus, the distribution of the private keys can become a virtual nightmare.

Finally, with the third vulnerability, private or symmetric cryptography works best only when it is used in a very closed or “sterile” environment, where there are at best only a few (or even just a handful) of sending and receiving parties. In other words, given the threat landscape today, it would be completely unrealistic to implement a symmetric cryptography system in an open environment.

8. How is a Key Distribution Center (KDC) used?

The Key Distribution Center consists of a database of all of the end users at the place of business or corporation and their respective passwords, as well as other trusted servers and computers along the network.

If an end user wishes to communicate with another end user on a different computer system, the sending party enters their password into the KDC using a specialized software called “Kerberos.” When the password is received by the KDC, the Kerberos then uses a special mathematical algorithm which adds the receiving party’s information and converts it over to a cryptographic key.

Once this encrypted key has been established, the KDC then sets up and establishes other keys for the encryption of the communication session between the sending and the receiving party. These other keys are also referred to as tickets. These tickets will actually expire at a predetermined point in time in order to prevent unauthorized use, and they would also be rendered useless if they are stolen, hijacked or intercepted by a third party.

9. What are the mathematical algorithms used in symmetric cryptography?

They are as follows:

  1. The Needham-Schroeder algorithm
  2. The Digital Encryption Standard algorithm (DES)
  3. The Triple Digit Encryption Standard algorithm (3DES)
  4. The International Data Encryption Algorithm (IDEA)
  5. The Advanced Encryption Standard algorithm (AES)

10. What is the hashing function?

The hashing function is a one-way mathematical function. This means that it can be used to encode data, but it cannot decode data. Its primary purpose is not to encrypt the ciphertext; rather, its primary purpose is to prove that the message in the ciphertext has not changed in any way, shape or form. This is also referred to as “message integrity.” If the mathematical function has changed in any way, the message has then changed.

Level 3 Questions

1. What is asymmetric key cryptography?

In the most simplistic terms, asymmetric cryptography can be likened to that of a safety deposit box at a local bank. In this example, there are normally two sets of keys used. One key is the one which the bank gives to you. This can be referred to as the public key, because it is used over and over again. The second key is the private key which the bank keeps in their possession at all times, and only the bank personnel know where it is kept.

The world of asymmetric cryptography is just like this example, though of course, it is much more complex than this in practice.

Let us refer to the public key as “pk” and the private key as “sk.” So, to represent both of these keys together, it would be mathematically demonstrated as (pk, sk). It is then the sending party which uses the public key (pk) to encrypt the message they wish to send to the receiving party, which then uses the private key (sk) to decrypt the ciphertext from the sending party.

2. What are the key differences between asymmetric and symmetric cryptography?

With symmetric cryptography, the complete secrecy of the key must be assured, whereas asymmetric cryptography requires only half of the secrecy, namely that of the private key (sk).

Secondly, symmetric cryptography utilizes the same secret key for the encryption and decryption of the ciphertext, but in asymmetric cryptography two different keys (namely the public and the private keys) are used for the encryption and the decryption of the ciphertext.

3. What are the disadvantages of asymmetric cryptography?

Despite the advantages that asymmetric cryptography has, it does possess one very serious disadvantage: When compared to symmetric cryptography, it is two to three times slower than symmetric cryptography. This is primarily because of the multiple parties and multiple keys which are involved.

4. What are the mathematical algorithms used in asymmetric cryptography?

There are three of them that are primarily used:

  1. The RSA algorithm
  2. The Diffie-Hellman algorithm
  3. The Elliptical Wave Theory algorithm

5. What is the Public Key Infrastructure (PKI)?

Since the public key has become so important in the encryption and the decryption of the ciphertext messages between the sending and receiving parties and given the nature of its public role in the overall communication process, great pains and extensive research have been taken to create an infrastructure which would make the process of creating and sending keys much more secure and robust.

In fact, this infrastructure is a very sophisticated form of asymmetric cryptography, and it is known as the “Public Key Infrastructure” or “PKI” for short. The basic premise of PKI is to help create, organize, store, distribute and maintain the public keys.

6. What are the specific components of the Public Key Infrastructure (PKI)?

The PKI consists of the following components:

  1. The Certificate Authority (CA): This is the party who issues the digital certificates
  2. The Digital Certificate: This serves to verify the identity of the certificate holder and is issued by the CA. These digital certificates are typically kept in the local computer of the employee, or even the central server at the place of business or organization
  3. The LDAP or X.500 Directories: These are the databases which collect and distribute the digital certificates from the CA
  4. The Registration Authority (RA): If the place of business or organization is very large (such as a multinational corporation), this entity usually handles and processes the requests for the required digital certificates and then transmits those requests to the CA to process and create the required digital certificates

7. What are the technical specifications of the Certificate Authority?

The Certificate Authority consists of the following technical specifications:

  1. The digital certificate version number
  2. The serial number
  3. The signature algorithm identifier
  4. The issuer name
  5. The validity period
  6. The public key
  7. The subject distinguished name
  8. The subject alternate name email
  9. The subject name URL

8. How does the Public Key Infrastructure (PKI) work?

At a macro level, this is how the Public Key Infrastructure (PKI) works:

  1. The request for the Digital Certificate is sent to the appropriate Certificate Authority (CA)
  2. After this request has been processed, the Digital Certificate is issued to the person who is requesting it
  3. The Digital Certificate then gets signed by confirming the actual identity of the person who is requesting it
  4. The Digital Certificate can now be used to encrypt the plaintext into the ciphertext which is sent from the sending party to the receiving party.

9. What is the LDAP protocol and how is it used in a Public Key Infrastructure (PKI)?

LDAP is an acronym which stands for Lightweight Directory Access Protocol. This is a database protocol used for the updating and searching of the directories which run over the TCP/IP network protocol (this is the network protocol which is primarily used by the PKI infrastructure).

It is the job of the LDAP server of the Public Key Infrastructure to contain information and data as it relates to the digital certificates and the public and the private key storage locations, as well as the matching public and private key labels.

The Certificate Authority uses a combination of the end user name and the matching tags to specifically locate the digital certificates on the LDAP server. From that point onwards, the LDAP server checks to see if the requested digital certificate is valid or not, and if it is valid, it then retrieves a digital certificate which can then be sent to the end user.

Although all digital certificates have a finite lifespan when they are first issued, they can also be revoked for any reason at any time by the Public Key Infrastructure Administrator.

10. What are the security vulnerabilities of hashing functions?

One major security vulnerability of using hashes is that they can be altered while they are en route. In other words, a cyber-attacker can intercept the ciphertext and its associated hash, alter both and create a brand-new ciphertext and hash.

As a result, the receiving party is fooled into believing that this new, altered ciphertext and new, altered hash are the original sent by the sending party while the cyber-attacker keeps the actual ciphertext and hash which was generated the first time around.

To fix this, the ciphertext is combined with a “secret key” at the point of origination first, then the hash is created. As a result, this hash will contain specific information and data about the secret itself. As a result, the receiving party can even be further convinced that the ciphertext they have received is the original one sent by the sending party.

This is so because even if the ciphertext, the hash and the associated secret key were to be intercepted, there is very little that a hacker can do to alter the ciphertext and its associated hash. This is because they have to have the information and data about the secret key, which is of course something they will never gain access to.
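
The difference between a plain hash and a hash bound to a secret key, as an added example that is not part of the original article. It uses HMAC-SHA256 from the Python standard library as the keyed construction (the article does not name one); the key and messages are constructed sample values.

```python
import hashlib
import hmac


def plain_hash(message: bytes) -> str:
    """Unkeyed hash: anyone who can change the message can recompute it."""
    return hashlib.sha256(message).hexdigest()


def keyed_hash(key: bytes, message: bytes) -> str:
    """HMAC-SHA256: producing a valid tag requires the shared secret key."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_plain(message: bytes, digest: str) -> bool:
    return hmac.compare_digest(plain_hash(message), digest)


def verify_keyed(key: bytes, message: bytes, tag: str) -> bool:
    # compare_digest runs in constant time, so the check itself does not
    # reveal how much of a wrong tag happened to match.
    return hmac.compare_digest(keyed_hash(key, message), tag)


def alter_in_transit(new_message: bytes):
    """Model of the alteration described above: the message is replaced and
    the unkeyed hash recomputed by a party that does not hold the key."""
    return new_message, plain_hash(new_message)


def demo() -> dict:
    key = b"constructed-shared-secret"    # constructed sample key
    original = b"ciphertext-from-sender"  # constructed sample message
    altered, altered_hash = alter_in_transit(b"ciphertext-after-alteration")
    return {
        # Receiver checks with a plain hash: both versions look valid.
        "plain_original_ok": verify_plain(original, plain_hash(original)),
        "plain_altered_ok": verify_plain(altered, altered_hash),
        # Receiver checks with the keyed hash: only the original verifies.
        "keyed_original_ok": verify_keyed(key, original, keyed_hash(key, original)),
        "keyed_altered_ok": verify_keyed(key, altered, altered_hash),
        # Reusing the sender's genuine tag on the altered message also fails.
        "keyed_reused_tag_ok": verify_keyed(key, altered, keyed_hash(key, original)),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```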

Conclusion

Overall, this article has examined some of the more challenging aspects of cryptography. An experienced cryptographer should be able to answer these, as well as the candidate who is applying for a cryptography position. In the case of the latter, a good candidate should be able to answer these questions to some degree of detail.

As a recruiter, it is imperative to put your cryptographer candidate to the test; after all, it will be your organization that will be relying upon him or her in order to fortify the lines of security at the endpoints and in the middle.

It is important to note that cryptography is heavily dependent upon the usage of mathematics; therefore, the cryptographer candidate should have a solid background in this area as well.

As a candidate, if you really want that cryptographer position, reviewing this article in depth will help you make it happen. And to get that extra edge, you can review more cryptography-based Q&As here.

Sources

  1. Cryptography Definition, Kaspersky Lab
  2. A Brief History of Cryptography, Red Hat
  3. Cryptography Interview Questions & Answers, All About Testing
  4. Fundamentals of Cryptography: Algorithms, and Security Services, Northeastern University
  5. Cryptographic algorithms, Bart Preneel
  6. William Stallings, Cryptography and Network Information, Prentice Hall
  7. Dorothy Denning, Cryptography and Data Security, Purdue University
  8. J.F. Kurose & K.W. Ross, “Computer Networking: A Top Down Approach,” Pearson Education Group, 2008 p. 683