Cryptography For Software Engineers

Kamal Joshi

You pay by credit card in an unknown shop. How do you make sure your card is not copied?

You type your password into google.com and press send. How do you know that no one other than Google's servers can read your password?

You are reading something on public Wi-Fi. How do you make sure no one knows what you are reading?

You send a private message to your friend on WhatsApp. How do you make sure no one else can read that message?

All of the above things are possible through the magic of cryptography.

Software engineering is about designing systems and building applications. We often think that cryptography is a lot of math, so it must be really hard. That is partly true, but the good news is that you don't have to know any math or the details of any cryptographic algorithm in order to use them. In fact, you can be relatively good at building a secure system without knowing most of the details of any of the cryptographic algorithms. Just remembering the properties of these algorithms is enough.

Alright, so let's learn some of the concepts first.

Cryptographic hash function

  • It is deterministic, so the same message always results in the same hash
  • It is quick to compute the hash value for any given message
  • It is infeasible to generate a message from its hash value except by trying all possible messages
  • A small change to a message should change the hash value so extensively that the new hash value appears uncorrelated with the old hash value
  • It is infeasible to find two different messages with the same hash value
  • Implementation — SHA-128 and SHA-256

Asymmetric encryption

  • Two separate keys are used, known as the public key and the private key
  • One key is used for encryption and the other key is used for decryption
  • Can be used for transferring keys and digital signatures
  • Relatively slower than symmetric encryption
  • Also known as public key cryptography
  • Implementation — RSA

Symmetric encryption

  • Uses only one key to encrypt and decrypt the message
  • After encryption, the output should look completely random, and anyone without the key should not be able to extract any information from the encrypted text
  • Implementation — AES
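The hash-function properties listed above can be checked directly with SHA-256. This is an added example, not code from the original article; the sample message, the 4-digit PIN and the helper names are constructed for illustration.

```python
import hashlib

def sha256_int(msg: bytes) -> int:
    """SHA-256 digest of msg as a 256-bit integer."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")

def flip_bit(msg: bytes, i: int) -> bytes:
    """Return a copy of msg with input bit i inverted."""
    out = bytearray(msg)
    out[i // 8] ^= 1 << (i % 8)
    return bytes(out)

def avalanche(msg: bytes) -> float:
    """Average number of digest bits (out of 256) that change
    when exactly one bit of the input is flipped."""
    base = sha256_int(msg)
    nbits = len(msg) * 8
    changed = sum(bin(base ^ sha256_int(flip_bit(msg, i))).count("1")
                  for i in range(nbits))
    return changed / nbits

def search_preimage(target_hex: str, candidates):
    """The only generic way back from a hash: try every candidate message."""
    for c in candidates:
        if hashlib.sha256(c.encode()).hexdigest() == target_hex:
            return c
    return None

MESSAGE = b"pay 10 EUR to Alice"                 # constructed sample input
PIN_HASH = hashlib.sha256(b"4821").hexdigest()   # constructed 4-digit secret
FOUR_DIGIT_PINS = [f"{n:04d}" for n in range(10_000)]

if __name__ == "__main__":
    # Deterministic: hashing the same message twice gives the same value.
    print(sha256_int(MESSAGE) == sha256_int(MESSAGE))
    # A one-bit change flips about half of the 256 output bits.
    print(round(avalanche(MESSAGE), 1))
    # "Trying all possible messages" is cheap when only 10,000 are possible.
    print(search_preimage(PIN_HASH, FOUR_DIGIT_PINS))
```

The last call is the practical caveat behind the third property: a hash hides a message only when the set of possible messages is too large to enumerate.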

And that’s it. Almost everything in crypto is built on top of these concepts. Once you internalize them, you can use them to reason about secure systems, anticipate how something might work, and solve problems of your own. It’s truly magical, and surprisingly few software engineers understand these concepts and use them when required. You can become one of those few people. These concepts are like first principles when reasoning about any system that uses cryptography.

Okay, let’s try to find answers to the above questions now. Try to think of the solutions based on the above concepts before you see the answers.

You are paying by credit card in an unknown shop. How do you make sure your card is not copied?

All smart cards, including credit cards, use some version of asymmetric encryption (RSA). Smart card login is a two-step authentication mechanism that uses a hardware device to store a user’s public key credentials, and a Personal Identification Number (PIN) as the secret key to authenticate the user to the smart card. The smart card includes a built-in microprocessor, operating system, and memory for storing personal information securely. A smart card offers tamper-resistant storage for the user’s private key, which can only be accessed by entering a secret Personal Identification Number (PIN), and cryptographic support for operations such as digital signatures and key exchange.

The PIN is only used to authenticate the user to the smart card, and it is never sent over the network, unlike shared-secret login, where information derived from the user’s password is transmitted over the network. Once authenticated, the user’s public key is retrieved from the card by the Security Subsystem and verified to make sure it is valid and that a trusted party issued it.

You type your password into google.com and press send. How do you know that no one other than Google's servers can read your password?

You are reading something on public Wi-Fi. How do you make sure no one knows what you are reading?

Both of these are possible by using HTTPS combined with a trusted third party. Usually, this is achieved with digital certificates, and these certificates are trusted by your browser. Digital certificates are nothing but a public key with some metadata.
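The certificate idea described above (a public key plus metadata, vouched for by a trusted third party) can be sketched with a hash and an asymmetric signature. This is an added example, not code from the original article: the certificate fields, the site name and the toy-sized textbook RSA key built from two Mersenne primes are assumptions chosen so it runs with the standard library only; real certificates use X.509 with padded signatures and much larger keys.

```python
import hashlib
import json

# Toy key pair for a hypothetical certificate authority (CA).
P, Q = 2**61 - 1, 2**89 - 1                  # two known Mersenne primes
CA_N, CA_E = P * Q, 65537                    # CA public key, shipped with the browser
CA_D = pow(CA_E, -1, (P - 1) * (Q - 1))      # CA private key, never leaves the CA

def cert_digest(cert: dict) -> int:
    """Hash the certificate in a canonical form, reduced to fit the toy modulus."""
    body = json.dumps(cert, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(body).digest(), "big") % CA_N

def ca_sign(cert: dict) -> int:
    """CA side: sign the digest with the private key."""
    return pow(cert_digest(cert), CA_D, CA_N)

def browser_verify(cert: dict, signature: int) -> bool:
    """Browser side: check the signature using only the CA's public key."""
    return pow(signature, CA_E, CA_N) == cert_digest(cert)

# Constructed sample certificate: a site's public key plus some metadata.
SITE_CERT = {
    "subject": "shop.example",
    "not_after": "2030-01-01",
    "public_key": {"n": 3233, "e": 17},
}
SIGNATURE = ca_sign(SITE_CERT)

# The same certificate with a different public key swapped in.
FORGED_CERT = dict(SITE_CERT, public_key={"n": 2773, "e": 17})

if __name__ == "__main__":
    print(browser_verify(SITE_CERT, SIGNATURE))     # genuine certificate
    print(browser_verify(FORGED_CERT, SIGNATURE))   # altered key, old signature
```

The browser never needs the CA's private key: any change to the signed fields changes the hash, so the old signature no longer verifies.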

You send a private message to your friend on WhatsApp. How do you make sure no one else can read that message?

WhatsApp uses a combination of all of the above concepts. You can find more details about the protocol here (Signal protocol).

So many other systems are using the above concepts to solve different problems.

  • Git uses SHA-128 to version files and commits.
  • SSH
  • Disk encryption
  • Digital currency (Bitcoin)
  • Chrome and Firefox can sync and save all your bookmarks, browsing history and saved passwords without knowing about your data. Follow the link below to learn about it and enable it for your Chrome now. You really don’t want Google to know about all your saved passwords.

Google Chrome — Set or Change a Sync Passphrase

I hope you now know the basics and are excited to explore more. Cheers!

Posted by Web Monkey