Cryptography

How Is Cryptography Used In Applications?

December 1, 2020 by Srinivas

Introduction

Cryptography is used in software to protect the data from adversaries. The key principles of cryptography is to provide confidentiality, integrity and authenticity to the data. In the next few articles, we will discuss how cryptography can go wrong when used in our applications and how such errors may be exploited. To begin with, this article outlines some fundamental cryptography concepts followed by how cryptography is used in applications.

What is cryptography?

Cryptography is associated with the process of converting plain text into cipher text, which is unintelligible and vice-versa. It provides secure communication in the presence of adversaries. Encryption is the process of transforming plain text data into encrypted text using an algorithm and a key. Decryption is the process of transforming encrypted data into plain text data using an algorithm and a key. 

A well secured application or system should provide assurances such as confidentiality, integrity, and availability of data along with authenticity and non-repudiation. Confidentiality refers to protecting information from being accessed by unauthorized parties. Integrity refers to protecting information from being tampered and authenticity refers to identifying the owner of the information. Availability is to ensure that the system is available at any given time as intended. Non repudiation refers to the ability to ensure that a party cannot deny that they were the originator of the message.

Encoding vs Encryption vs Hashing

Encoding is the process of converting data from one form to another. Encoding and encryption are often misunderstood and it should be remembered that encoding does not guarantee confidentiality, integrity and authenticity. HTML encoding, URL encoding, Base64 encoding, Base64url encoding are some examples of encoding.

Encryption is the process of transforming plain text to cipher text using an algorithm and key. Encryption guarantees confidentiality. The cipher text can be transformed to plain text only if the same algorithm and key that are used for encryption. RC4, DES, AES, RSA are some examples of encryption algorithms.

Hashing is a process, which takes input and produces a fixed length output. This is an irreversible process and thus it is not possible to determine the original data by just having the output. One of the key properties of hashing is that no two different inputs can have the same hash and thus this process can also be used to verify the data such as user passwords. MD5, SHA1, SHA256, SHA512, Bcrypt are some examples of hashing algorithms.

Symmetric and Asymmetric key encryption

Encryption is again categorized as symmetric and asymmetric. Symmetric encryption uses a single shared key for both encryption and decryption. Asymmetric encryption uses two keys – public key and private key. Usually the data is encrypted using the public key and the cipher text is decrypted using the private key. DES and AES are some examples of symmetric key encryption algorithms and RSA is an example of asymmetric key encryption.

How is cryptography used in applications?

Now that we established some foundational knowledge of cryptography related concepts, let us understand how cryptography is used in applications.

Transport Layer Security

We commonly see the scheme https:// in urls we browse on the web. This scheme means that the information being sent over the network is protected using SSL/TLS. Transport Layer Security(TLS) is a way to ensure that the communications between the browser and the server are protected and cannot be seen by unauthorized parties. This process uses both symmetric key and asymmetric key encryption. During the initial handshake between the client and server, asymmetric key encryption is used to share the symmetric key, which will then be used for actually encrypting and decrypting the communications.

Storing sensitive data at rest

When applications keep sensitive data at rest, it is a common practice to use hashing and/or encryption depending on the type of data the application is dealing with.When the application is dealing with data that is required to be available in clear text, encryption is used. Credit card numbers and user’s personal data are some examples of such data. If the application is dealing with data such as passwords, hashing is used as the user passwords are not meant to be read by anyone except for the user himself. Additionally, hashing can be used to verify the password without knowing the original password of the user.

End to end encryption

Many modern applications employ end to end encryption on top of transport layer security used to data in transit. This is rather commonly seen in banking based mobile applications, where asymmetric key encryption is initially used to transfer the shared key and then symmetric key encryption being used for actual data encryption and decryption. 

Frameworks

Many frameworks, which provide security related functions make use of cryptography. Let us consider a framework using which we can implement JSON Web Tokens(JWT) in our application. JSON Web Tokens are implemented using HS256 and RS256 algorithms and thus the use of cryptography is inherent in such frameworks.

Custom Application features

It is also possible that developers are tasked to develop some features in their applications using some cryptography related concepts. Examples include encrypting a file before storing it on the disk. This feature clearly requires a key to be stored along with the encrypted content to be able to decrypt the files at a later point of time.

Conclusion

In this article, we discussed how cryptography is used in applications. It is clear that we interact with applications leveraging cryptography in our daily life and modern day applications surely deal with cryptography in one way or the other. Use of SSL became a common practice in almost all the applications running on the internet. In the next few articles, we will discuss how cryptography can go wrong when used incorrectly in applications. 

 

Sources

  1. https://csrc.nist.gov/csrc/media/publications/sp/800-175b/archive/2016-03-11/documents/sp800-175b-draft.pdf
  2. https://auth0.com/blog/how-secure-are-encryption-hashing-encoding-and-obfuscation/
  3. https://www.synopsys.com/glossary/what-is-cryptography.html
  4. https://owasp.org/www-project-mobile-top-10/2016-risks/m5-insufficient-cryptography
Posted: December 1, 2020
Articles Author
Srinivas
View Profile

Srinivas is an Information Security professional with 4 years of industry experience in Web, Mobile and Infrastructure Penetration Testing. He is currently a security researcher at Infosec Institute Inc. He holds Offensive Security Certified Professional(OSCP) Certification. He blogs atwww.androidpentesting.com. Email: srini0x00@gmail.com

Leave a Reply

Your email address will not be published. Required fields are marked *