Our society has become increasingly reliant on digital platforms and the world wide web to carry out economic transactions, communicate, exchange personal information, and interact socially; almost every aspect of our lives now unfolds in a digital medium. This global shift towards digitalization raises numerous questions about how we secure our information and communication channels, especially in vital areas such as healthcare, finance, government, defense, and business in general. Enter cryptography, the science of protecting information by transforming it into a secure format.
In the field of computer science, cryptography refers to the study and application of techniques based on mathematical concepts and rule-based calculations (algorithms) used to secure information and communication channels. In general, cryptography is used to protect data at rest or in transit and it involves the process of scrambling plaintext into ciphertext through a process called encryption, and then back into its original form through decryption.
Key concepts in cryptography
- Plaintext – commonly referred to as clear text, it represents ordinary, unencrypted text or information that can be read with the naked eye. With the advent of computing, the concept of plaintext has expanded beyond human-readable documents to encompass any data or file that is in a format that can be viewed or used without requiring decryption.
- Encryption – is the process of encoding plaintext into a format so that it can be read or used only by certain individuals, usually the recipient of the encrypted message. Encryption uses an algorithm to scramble or encrypt plaintext.
- Cipher – the algorithm used to encrypt/decrypt plaintext. Some cryptographic techniques rely on a cryptographic key to encrypt/decrypt plain text.
- Ciphertext – plaintext that has been encrypted through a cryptographic algorithm
- Decryption – the process of taking encoded or encrypted plaintext and converting it back to a form that can be understood by the user or the computer.
- Polymorphism – in the context of this article, polymorphism is a more advanced segment of cryptography that is used in encryption techniques. It is a cipher that changes itself after each use to produce a different output. This means that if you pass the same plaintext through this type of cipher, you will receive different outputs. As such, it is much harder to reverse engineer these types of ciphers, which makes them more resistant to tampering.
Brief history of cryptography
Although hidden from the view of most users, cryptography is considered a fundamental part of our digital lives, but it should be noted that cryptography has existed in various forms for millennia. The etymology of the word cryptography indicates that it is derived from the ancient Greek word “kryptos” which means hidden, secret, and “graphein”, to write.
Historical evidence places cryptography’s origins somewhere around 2000 B.C. in the Old Kingdom of Egypt, where archaeologists found a series of non-standard hieroglyphs carved in the wall of a tomb.
An early example of modern ciphers is the Caesar cipher created and used by Julius Caesar to secure messages. Although quite simple, the cipher was effective. It was a type of substitution cipher in which each character in a message was replaced by a character three positions ahead of it in the Roman alphabet. For example, if we take the word blockchain and pass it through the Caesar cipher, we will receive the output string EORFNFKDLQ.
Another example that predates the Caesar cipher is the Atbash Cipher, another type of substitution cipher that works by substituting each letter in the message by its exact opposite in the alphabet. For example, A becomes Z, B becomes Y, C becomes X, and so on.
All these examples suggest that encoding and decoding messages are practices deeply intertwined with the evolution of mankind, and as society has progressed, the techniques of ensuring secrecy have also evolved.
Modern cryptography covers a wide array of techniques and algorithms, each suited to a particular implementation. Regardless of the type of cryptography involved, it needs to ensure a series of primary functions:
- Confidentiality/Privacy – the information should only be understood by its intended recipient. Even if the data is hijacked by a malicious third party, cryptography is intended to act as a last line of defense that prevents access.
- Integrity – data cannot be altered in storage or in transit between the sender and recipient. The receiver should have guarantees that the data in question hasn’t been altered.
- Authentication – the sender and the receiver should be able to confirm each other’s identity
- Non-repudiation – a mechanism that proves that the sender was in fact the one who sent the message. The creator/sender of the message is unable to deny at a later stage that he sent the message.
- Key exchange – a mechanism through which the sender and receiver exchange cryptographic keys without compromising them.
Types of cryptographic algorithms
There are multiple ways to classify cryptographic algorithms. In this article, we will categorize them based on the number of cryptographic keys employed in encryption and decryption.
Secret key cryptography (SKC)
The fundamental theory behind SKC was published in 1949 by Claude Shannon of Bell Laboratories.
Also known as single key cryptography, it is a technique that uses a single cryptographic key for both encryption and decryption. The creator of the message uses the key to encrypt the plaintext into ciphertext and send it to the receiver who applies the same cryptographic key to decrypt the message, converting it back into plaintext. Because this method relies on a single key for both encryption and decryption, it is often referred to as symmetric encryption.
SKC requires both the sender and the receiver to use the same key which must be kept secret from anybody else (hence the name secret key cryptography). This is the biggest challenge to this approach – to find a mechanism to communicate the key to the intended receiver, without it being intercepted or compromised by a third party.
Popular SKC algorithms
- Data Encryption Standard (DES) – one of the oldest block ciphers that saw widespread use. It was developed in the 1970s by IBM and adopted by the National Bureau of Standards (now the National Institute of Standards and Technology). It is no longer considered secure due to its tiny key size of 56 bits (the longer the key size, the harder it is to perform a brute force attack – submit many passwords in the hope of eventually guessing correctly). In an attempt to extend the lifespan of DES, 3DES was created, a scheme where the input is first encrypted, then decrypted, then encrypted again. By applying the algorithm three times, the cipher becomes harder to attack through cryptanalysis, and the larger key makes brute force attacks impractical.
- Advanced Encryption Standard (AES) – selected through a public, peer-reviewed competition following an open call for proposals, AES was adopted in 2001 as the official successor of DES. At the moment of writing, there are no practical ways of attacking AES.
Public key cryptography (PKC)
Also known as asymmetric cryptography, PKC is widely regarded as one of the most important developments in cryptography. The modern iteration of PKC was published in 1976 by Stanford University professor Martin Hellman and graduate student Whitfield Diffie. In their paper, they outlined a two-key crypto system in which two parties could engage in secure communication over a non-secure communication channel, without needing to share a secret key.
Standard PKC makes use of a mathematically related key pair: one public that can be shared with anybody, and a private key that needs to be kept secret. Each user has a public and a private key. People who want to send you an encrypted message need to take your public key and use it to encrypt the plain text. Once the information is converted to ciphertext, it is impossible to decipher without your private key. The fact that the public key is made available to other people doesn’t represent a risk because it is impossible to reverse engineer the private key from the public one. Besides its primary role as an encryption algorithm, PKC is also used in key exchange algorithms, such as Diffie-Hellman, and in the creation of digital signatures.
The box analogy is a great way to understand the concept of PKC. Imagine a two-tiered box where items can be introduced only through the first compartment. The box in question has 2 separate keys, one for each compartment. The owner can give keys to the first compartment to all of his friends, in order to allow them to put items in the box. These keys are similar to the public key from asymmetric cryptography. Once an item is introduced in the first compartment, it passes through to the second one. But the second compartment can only be opened by the owner of the box with a special key. As you may have already assumed, that special key is represented by the private key from asymmetric cryptography.
RSA is the first and most common PKC implementation. It was named after the three MIT mathematicians who developed it – Ronald Rivest, Adi Shamir, and Leonard Adleman. RSA is still being used in numerous software products for key exchange mechanisms, digital signatures, and encryption.
Hash functions are one-way, deterministic encryption algorithms that take an input of indeterminate length and produce an output string of fixed length known as a hash value or hash digest. Hash functions do not use cryptographic keys. Once the hash digest of an input has been calculated, it is impossible to determine the original input based on the digest. Hash algorithms are typically used to provide a digital fingerprint of a file’s contents that helps ensure its integrity. Hash functions are also commonly employed by many operating systems to encrypt passwords.
Let’s use SHA-256, a hashing algorithm used in blockchain technology, as an example. If we pass the input blockchain through SHA-256 we will always receive the output hash ef7797e13d3a75526946a3bcf00daec9fc9c9c4d51ddc7cc5df888f74dd434d1. But if we slightly modify our input and pass Blockchain, the hash digest will be drastically different, 625da44e4eaf58d61cf048d168aa6f5e492dea166d8bb54ec06c30de07db57e1. In fact, if we pass the whole content of this article through SHA-256 we will receive a digest of 64 characters.
In order to be considered useful, a cryptographic hash function needs to have the following qualities:
- Each hash value has to be unique. It must be impossible* to produce the same hash value with different inputs
- Deterministic. The same input must always produce the same hash value
- The hash function needs to be quick to produce a hash value for any given input
- It must be impossible to determine the input based only on the hash value
- Even a slight change to the input must generate a completely different hash value.
* In theory, this is – in fact – incorrect. If we employ a hash function that generates a 128-bit hash digest, mathematically speaking we would only have 2^128 possible hash values. If we consider the fact that we have an infinite number of values at our disposal, 2 different inputs may produce the same hash digest. This is known as a hash collision. In practice, this is very difficult to achieve because hash algorithms are designed to work with a limited message size, which puts a cap on the number of possible inputs.
Another potential issue stems from the fact that an input always produces the same hash output. The amount of passwords that people actually use is very limited, and certain patterns emerge, especially when you consider the fact that many people use the same password on multiple systems or accounts. This has led to the creation of huge tables that map passwords to their hash values. These types of tables are known as rainbow tables.
The dangers of rainbow tables have been mitigated to a certain degree by a process called salting in which the password is mixed with a random value before hashing it. In a database system, the salt value is stored next to the password hash in the database. When a user authenticates using the password, he also combines the salt with the password, hashes it, and compares it against the stored hash.
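The effect of salting on two users who share a password, as an added example that is not part of the original article. The user names and password are constructed sample data, and the example goes one step beyond the text by using PBKDF2 (a salted, iterated hash from Python's standard library) instead of a single salted hash; the iteration count is an assumed sample value.

```python
import hashlib
import hmac
import os

# Constructed sample data: two users who happen to pick the same password.
SAMPLE_USERS = {"alice": "Summer2024!", "bob": "Summer2024!"}


def unsalted_hash(password: str) -> str:
    """Plain SHA-256: identical passwords always give identical digests,
    which is exactly what a precomputed lookup table relies on."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def new_record(password: str, iterations: int = 100_000) -> dict:
    """Build the row stored for a user: random salt, work factor, derived hash."""
    salt = os.urandom(16)  # unique per user, stored in the clear next to the hash
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}


def verify(password: str, record: dict) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(candidate, record["hash"])


def build_tables(users: dict) -> tuple:
    """Return (unsalted digests, salted records) for the same set of users."""
    unsalted = {name: unsalted_hash(pw) for name, pw in users.items()}
    salted = {name: new_record(pw) for name, pw in users.items()}
    return unsalted, salted


if __name__ == "__main__":
    unsalted, salted = build_tables(SAMPLE_USERS)
    # Same password, no salt: both rows expose the same digest.
    print("unsalted digests equal:", unsalted["alice"] == unsalted["bob"])
    # Same password, per-user salt: the stored hashes no longer match.
    print("salted hashes equal:   ", salted["alice"]["hash"] == salted["bob"]["hash"])
    print("correct password:      ", verify("Summer2024!", salted["alice"]))
    print("wrong password:        ", verify("summer2024!", salted["alice"]))
```

Because each record carries its own salt, a table precomputed for unsalted digests matches neither row, and the work has to be repeated per user.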
Why not use a single encryption technique for everything?
The answer is quite straightforward. Each technique is designed and optimized to fit a specific cryptographic application. For example, due to the sum of their characteristics, hash functions are ideal for ensuring data integrity, as even a minor change to the hash input will generate a radically different hash digest. Also, considering the fact that it is highly improbable for two hash inputs to produce the same hash value, data integrity is ensured to a sufficient degree.
What about public-key cryptography and secret key cryptography, why do we still use SKC? The most important reason for this is performance. Although more secure, public-key cryptography is slower. Also, secret key cryptography is suited for encrypting messages to provide privacy and confidentiality. On the other hand, asymmetric techniques are ideal for key exchange mechanisms, and an ideal method for ensuring non-repudiation and user authentication. However, a closer examination of practical cryptosystems reveals the fact that most of them are hybrid systems that combine the advantages of multiple techniques to ensure optimal performance.
A digital signature is a type of algorithm that combines public-key cryptography with a hashing function to create a mechanism that can verify the authenticity of digital messages or documents.
Digital signatures are composed of three algorithms:
- A key generation algorithm, which creates a private and public key.
- A signing algorithm that combines data and private key to make the digital signature.
- An algorithm that verifies signatures and determines whether the message is authentic or not based on the message, the public key, and signature.
They are instrumental in ensuring the authenticity of transactions, data transfers, software distribution, contract management, basically every process which may be susceptible to external tampering. Digital signatures utilize public-key cryptography, which means that data can be shared between users through the public key. Ownership of a digital signature is always linked to a certain user, as such, one can be sure that they are communicating with whom they intend to.
A digital signature is created by combining a user’s private key with the hash value of the message through the signing algorithm to create a value that can be later verified through a verification algorithm that uses the signer’s public key.
Because private keys are linked to individual users, this gives digital signatures a quality of non-repudiation, meaning that if something is digitally signed by a user, it can be legally binding and entirely associated with that person.
The main difference between digital signatures and asymmetric key encryption is that the signer’s private key is used to produce the message (signature), and the public key is used to interpret it. This is the opposite of how encryption and decryption work in asymmetric systems.
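The three algorithms listed above (key generation, signing, verification), as an added example that is not part of the original article. It uses textbook RSA without padding on constructed toy keys built from well-known Mersenne primes, so it shows the hash-then-sign flow only; the function names and key values are assumptions of this example, and real systems use a vetted library with a padded scheme.

```python
import hashlib

# Constructed toy key material: known Mersenne primes keep the arithmetic
# reproducible, but they are far too small and too structured for real use.
E = 65537


def generate_keypair(p: int = 2**127 - 1, q: int = 2**89 - 1) -> tuple:
    """Key generation: return (public_key, private_key), each (exponent, modulus)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(E, -1, phi)  # private exponent: inverse of E modulo phi (Python 3.8+)
    return (E, n), (d, n)


def digest_as_int(message: bytes, n: int) -> int:
    """Hash the message with SHA-256 and map the digest into the range [0, n)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, private_key: tuple) -> int:
    """Signing: combine the message hash with the private key."""
    d, n = private_key
    return pow(digest_as_int(message, n), d, n)


def verify(message: bytes, signature: int, public_key: tuple) -> bool:
    """Verification: needs only the message, the signature and the public key."""
    e, n = public_key
    return pow(signature, e, n) == digest_as_int(message, n)


if __name__ == "__main__":
    public_key, private_key = generate_keypair()
    other_public, _ = generate_keypair(2**107 - 1, 2**61 - 1)  # a different signer

    message = b"transfer 10 units to account 42"  # constructed sample message
    signature = sign(message, private_key)

    print("original message:  ", verify(message, signature, public_key))
    print("altered message:   ", verify(b"transfer 99 units to account 42",
                                        signature, public_key))
    print("altered signature: ", verify(message, signature + 1, public_key))
    print("wrong public key:  ", verify(message, signature, other_public))
```

Only the first check succeeds: changing the message, the signature, or the key used for verification makes the recomputed hash disagree with the value recovered from the signature.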
Modex BCDB comes with a plug-and-play approach to enhance the encryption of your data
Modex BCDB is a middleware software solution that can augment the security of existing software applications by combining complex cryptographic mechanisms and blockchain technology. By connecting an existing software application to a blockchain backend, Modex BCDB can ensure confidentiality, integrity, and availability of databases. Through Modex BCDB companies can move from a centralized model to a decentralized, distributed model, secured by complex encryption and hashing algorithms. In addition, the Modex solution comes with inbuilt customizable data access mechanisms and a separate blockchain authorization network that stores user credentials and passwords, to create an ecosystem inherently resistant to data loss.
Blockchain, an ideal framework that combines multiple cryptography techniques
Blockchain is a digital, distributed, and decentralized ledger of transactions which stores transaction data in structures called blocks. Each block contains transaction data and metadata (a set of data that provides information about the respective block). The advantage of this structure is that each block is constructed upon the previous block, in a chain-like structure (hence the name blockchain), by calculating the hash of the previous block and combining it with the hash of the second block of transactions. This complex design is what gives the data introduced in the blockchain its immutability and integrity. If a malicious actor attempts to alter the data from a block, every change will be immediately noticed by the system and every other network participant, because it will render all the following blocks invalid. These design choices make blockchain ideal for data storage because it is an append-only structure, which means that data can only be introduced into the system; it can never be completely deleted. Any changes made are stored further down the chain, but an admin can always see when the changes occurred, who made them, as well as the previous version of the data.
Data immutability enabler
Each year, companies spend billions of dollars on cybersecurity solutions to secure their data from external tampering. Besides cybersecurity measures, companies and enterprises rely on third-party auditing firms to guarantee that data is correct and resolve any eventual disputes. Although an efficient line of defense, auditing firms charge a significant fee for their services, but more importantly there is the question of who verifies the auditor. In the end, companies are still required to place their trust in an external party to whom they must give access to their data.
Blockchain provides a viable alternative to this model. By combining cryptography with hashing algorithms, blockchain ensures data immutability, a feature that brings unprecedented levels of trust to the data owned by enterprises. In turn, immutability provides data integrity which drastically simplifies audit processes, while providing proof to stakeholders that the information has not been altered.
In an enterprise context, data immutability significantly reduces overhead, streamlines operations, and unlocks new value:
- Data integrity is assured by blockchain’s architecture and data storing mechanism. Once data has been introduced in a blockchain network, it cannot be altered without compromising the entire data chain. Any data discrepancies are automatically detected by the system, which allows companies to pinpoint in real-time any tampering attempts.
- Streamlined auditing – as an append-only structure, blockchain provides an indisputable record history of all the data that has been introduced in the network.
- Enhanced efficiency – data immutability enables information traceability and record history which can unlock new business momentum and new opportunities in analytics
- Ideal settlement ecosystem – data traceability, immutability, integrity, and a complete record history can reduce costly business-related disputes from months and even years, to a couple of days
Complex data encryption mechanisms
Ensuring data security has become a primary interest for companies and enterprises, regardless of their business profile and sphere of activity. The most common method to ensure data protection is through encryption, a process through which information is transformed into ciphertext, an unintelligible block of text that can be decrypted only with the correct encryption key. For decades, data encryption has been an important line of defense in cybersecurity architecture because even if data is intercepted by malicious actors, a complex encryption algorithm can block attackers from deciphering the content of the information.
Although an invaluable tool, how encryption is applied to protect information usually determines the levels of data tamper resistance. The problem is that encryption is mostly used to protect data at rest or in transit, leaving it potentially vulnerable during processing. As encryption mechanisms have evolved, the range of attacks on data has also expanded, ranging from attacks focused on encryption keys, integrity or corruption attacks, ransomware, and data destruction attacks.
Modex BCDB enables companies to tap into the potential of blockchain technology to store their database entries into a secure tamper-proof blockchain ecosystem. The infrastructure of the BCDB system was designed with security in mind. As such, to supplement the security capabilities of a standard blockchain network, Modex BCDB comes with a default data encryption mechanism that removes the need for programmers to write new code to encrypt the data. To enhance user experience and add a layer of flexibility to the BCDB environment, users have the option to enable automatic encryption at the field level. As such, any new data inserts are automatically stored in an encrypted format.