Encryption Terminology Primer for Web / Mobile / Server-side Software Developers (Part 1)
Cryptography and Encryption are among those critical topics, many Software Developers, touch on an as-is basis, to satisfy their implementation requirements. Moreover, many Software Developers use Cryptographic terms in an interchangeable way, leading to not so secure results in their Google based quests. In this context, the following is an attempt to present different Cryptography specific terminology, that covers about Cryptography, Encryption, Symmetric and Asymmetric Cryptographic Algorithms, Password Hashing etc…, along with some info about good practices, wherever applicable, in a developer to developer perspective, all with a hope to be useful, for entry to mid-level Software developers.
Encryption: It is a process in which, data is converted from a readable format to unreadable one, using a secret, so only intended user can reverse the process and read it.
Decryption: It is a process in which, unreadable encrypted data is converted back in to a readable format, using the same Secret / Corresponding Key, known as Decryption.
Plaintext: The Data in clear text, that is subjected to Encryption process is known as Plaintext.
Ciphertext: The Data, that is obtained as the result of a previous encryption operation, is known as Ciphertext.
Cipher: A Cipher is an Algorithm, that is used to Encrypt the given Plaintext and get Ciphertext as a result, and knowledge of algorithm name, along with the Secret / Corresponding Key is mandatory, whenever the User intends to convert Ciphertext back in to Plaintext. The term Cipher often represents both Encryption and Decryption operations, in both Symmetric Key and Asymmetric Key Cryptographic approaches.
Encryption Algorithm: This can be considered, an alias of Cipher.
Cryptanalysis: This is an approach wherein, Cryptographic Security Systems are studied to exploit the weaknesses, in the implementation, to thereby convert available Ciphertext in to corresponding Plaintext, without any firsthand knowledge of the plaintext source, security keys and about the utilized encryption algorithm in the process.
Cryptanalyst: Anyone who performs Cryptanalysis, is known as Cryptanalyst.
Cryptography: This is an approach wherein, sensitive information can be communicated on in secure channels, using encryption and related techniques in the process.
Cryptographer: Anyone who performs Cryptography, is known as Cryptographer.
Symmetric Key Cryptography: This is an approach wherein, a common cryptographic key is used by both parties, among whom, one uses it to encrypt the plaintext, while the other party uses it to decrypt the ciphertext.
Asymmetric Key Cryptography: This is an approach wherein, a key pair is generated among which, one key can be shared with general public, known as Public Key and the other key is kept secret, known as Private Key. The convention is to Encrypt Plaintext with the Public Key, so Ciphertext can be Decrypted only by the one who possesses the corresponding Private Key.
Symmetric Cryptography: This can be considered, an alias of Symmetric Key Cryptography.
Asymmetric Cryptography: This can be considered, an alias of Asymmetric Key Cryptography.
Secret Key Cryptography: This can be considered, an alias of Symmetric Key Cryptography.
Private Key Cryptography: This can be considered, an alias of Symmetric Key Cryptography.
Public Key Cryptography: This can be considered, an alias of Asymmetric Key Cryptography.
Integer Factorization: This is an approach in which, a Composite Number is written as a product of Smaller Integers. Even today, there are no efficient algorithms, in existence, that can handle Integer Factorization in a quicker and time bound way, for very large Prime Numbers.
Prime Factorization: This is an approach in which, a Composite Number is written specifically as a product of Smaller Prime Factors / Prime Numbers, also known as Prime factorization of the Composite Number.
Primality Test: This is an approach, to check, if the integer n, that is chosen for the test, is a Prime Number or not.
Trail Division: This is an approach wherein, an integer n, that has to be factored, can be systematically tested to see if, the integer n, is divisible by any smaller number that is greater than 1, while excluding multiples of all previously failed divisors / factors, in the loop. The Trail Division can be considered as the simplest form of Primality test.
Integer Factorization Cryptography: This is one of the approaches of implementing Asymmetric Key Cryptography, whose strength is assumed to be based on the practical difficulty of the factorization of the product of two large prime numbers (also known as factoring problem). The advantage with this is, it is more resistant to Quantum Computing, when compared to Elliptic Curve Crytography, all attributed to larger modulus and corresponding larger Public Key.
Elliptic Curve Cryptography: This is among the later created approaches of implementing Asymmetric Key Cryptography, whose strength is assumed to be based on the practical difficulty of finding the discrete logarithm, of a random elliptic curve element, w.r.t., a publicly known base point (also known as elliptic curve discrete logarithm problem). The advantage with this is, it can give same level of security, that Integer Factorization Cryptography provides, with a smaller Public Key.
Symmetric Cipher: The Encryption Algorithm that facilitates both Encryption and Decryption activities, using a Single Cryptographic Key, as per the Symmetric Key Cryptography concept, is known as Symmetric Cipher.
Asymmetric Cipher: The Encryption Algorithm that facilitates Encryption using a Public Key and Decryption using a Private Key, as per the Asymmetric Key Cryptography concept, is known as Asymmetric Cipher.
Symmetric Key Algorithms: This can be considered, an alias of Symmetric Cipher.
Asymmetric Key Algorithms: This can be considered, an alias of Asymmetric Cipher.
Secret Key Encryption: A Single Cryptographic Key is used to Encrypt the Plaintext and Decrypt the Ciphertext, in according to Symmetric Key Cryptographic principles, known as Secret Key Encryption.
Secret Key Cipher: This can be considered, an alias of Symmetric Cipher.
Public and Private Keys: As per Asymmetric Key Cryptographic principles, every Asymmetric Cipher utilizes a mathematically related Keypair wherein, the two Cryptographic Keys are not identical and the Key that can be made available to everyone, and is used for Encryption activity, is known as Public Key, while the other Key, that is kept Secret, and that is subsequently used for Decryption activity, is known as Private Key.
Self Signed Certificates: A Self-Signed Certificate is a Digital Certificate, that is generated when the Public Key of a Keypair, is signed by the Private Key of the same.
The ownership details that are entered during the Keypair creation, w.r.t. the Individual / Organization, is not vetted by any trusted third party Certificate Authority, which is the reason why it got it’s name as a Self Signed Certificate. In general, Web Browsers raise an alert when a website is opened with HTTPS Protocol, but when it does not use SSL certificate, from a trusted Certificate Authority.
Certificate Authority: Any Organization that issues Digital Certificates, by certifying the Ownership of submitted Public Key, to the Named Subject (i.e., Individual / Organization), using validation options like Domain Control validation (DCV), by verifying the Domain Name Ownership and Extended Validation (EV), by verifying corresponding Individual / Organization identifying documentation, with / without optional financial warranties and assurances, is known as a Certificate Authority.
Certification Authority: This can be considered, an alias of Certificate Authority.
Deterministic Algorithm: With Deterministic Algorithm, the output will be same, for a given input, irrespective of when it is executed.
Non-deterministic Algorithm: With Non-deterministic Algorithm, the output differs, every time the input is subjected to the process. Some of the possibilities to inculcate randomness is with the usage of a random value, Unix timestamp etc…
Deterministic Encryption: This is an approach wherein, encryption happens by following deterministic algorithms and thereby, same Ciphertext is produced, for a given Plaintext & Key input, even in separate execution attempts.
Non-deterministic Encryption: This is an approach wherein, encryption happens by following non-deterministic algorithms and thereby, different Ciphertext is produced, for a given Plaintext & Key input, in every separate execution attempt.
Probabilistic Encryption: This can be considered, an alias of Non-deterministic Encryption.
Block Cipher: Any Cipher, that follows Deterministic Encryption and Symmetric Key Cryptographic principles, when performing encryption / decryption operations (wherein all operations happen on a fixed length groups of bits, known as Blocks, and each block is assumed to be of 64 bit length in general, with few algorithms taking exceptions), is known as a Block Cipher. Example: AES, Blowfish etc…
The length of Output always matches the length of Input, irrespective of whether the particular operation is to convert Plaintext in to Ciphertext or vice versa.
Stream Cipher: This is an approach, that follows Symmetric Key Cryptographic principles wherein, Plaintext is combined with Pseudo-random Key stream, to form Ciphertext, one bit at a time, known as a Stream Cipher. Example: Salsa20, Chacha20 etc…
The Ciphertext is Secure, as long as the Keys are unique and are generated using a Cryptographic Hash function or with a CSPRNG (Cryptographically Secure Pseudo-random Number Generator). In general, Stream Ciphers operate on 1 Byte at a time.
Cryptosystem: This is a suite of Cryptographic Algorithms (Key Generation, Encryption, Decryption) that are needed to implement a particular security service, and the end result is Data Confidentiality / Data Privacy. The term Cryptosystem is explicitly used whenever Key Generation, Encryption and Decryption operations, are expected in the chosen Encryption Algorithm and this is generally expected in Asymmetric Key Cryptography approach. Examples include: RSA Encryption, Curve25519 etc…
Entropy (randomness): This is the randomness, that is collected at operating system / application level, for use be it in User land Cryptographic Applications (Cryptographic nonce / IV etc), or anywhere else, random data is a requirement. This randomness can be derived from fan noise / hard drive etc and when it comes to Linux, special files in the operating system like /dev/random and /dev/urandom are popular in the sense, they can be used for regular random requirements and cryptographically secure nonce requirements appropriately.
Key Generation: This is the process of Generating Keys for Cryptographic Applications, be it a Single Key, for Symmetric Key Cryptographic Systems (that uses Encryption Algorithms like AES, Blowfish etc) or a Keypair, for Asymmetric Key Cryptographic Systems (that uses Encryption Algorithms like RSA, Curve25519 etc), known as Key Generation.
Key Length: The number of bits, that a Cryptographic key comprises of, is known as Key length. This can also be referred to as Key Size as well.
The recommended Key Length with Symmetric Key Cryptographic Algorithms is 128 bit (AES) and above while for Asymmetric Key Cryptographic Algorithms are 2048 bit (RSA). Being one of the popular Web browers, the recent attempt on behalf of Google Chrome browser to flag all 1024 bit Key length based Root Certificates of Certificate Authorities, forced many Webmasters to start using SSL Certificates, that are issued by Certificate Authorities whose 2048 bit Root certificates are well propagated in popular browsers, and as a healthy consequence, this increased the security baseline to a new minimum, that forced many Certificate Authorities (with 1024 bit Root Certificates) to either propagate new 2048 bit Root Certificates quickly or for time being, partner with other complying Certificate Authorities, to continue serving their customer base, in the process.
Padding: This is an approach in which, the input data, that may or may not be a multiple of the encryption algorithm’s block size, is extended, to make it comply with the chosen encryption algorithm’s block size, and this process is known as Padding.
Symmetric Padding: Many Block Ciphers require the given Plaintext input, to be multiples the Symmetric Algorithm’s Block Size and in this context, the particular block, that does not comply, will be extended with additional data, and this process is known as Symmetric Padding.
OAEP Padding: OAEP Padding is the abbreviated form of Optimal Asymmetric Encryption Padding, is a padding scheme, that is regularly used in Asymmetric key Cryptographic Algorithms, that too specifically with the RSA Encryption Algorithm. Among the available padding schemes, OAEP is the only Padding Scheme, that is currently Secure, for RSA Encryption, against Chosen Ciphertext Attack.
This is the Part 1 of Encryption terminology primer, for Software Developers, who implement Web Applications, Mobile Applications and Server-side Software. A document, developer to developer perspective.
Note: More Cryptographic terminology will be presented soon, in Part 2 of this document.
P.S. This article was originally posted on Linkedin Pulse on August 28, 2018. https://www.linkedin.com/pulse/encryption-terminology-primer-web-mobile-server-side-part-dendukuri/