Valentin Dupas

💡 If this is the first course you read from me, please read this small thing first: about my courses

🔐 Cryptography

Cryptography is the practice of turning information into a shape that is unreadable and back.

It's not a 100% correct definition, but let's work with it for now.

In Rome, do as the romans.

Let's say we're friends.

We want to pass messages in class, and we write embarrassing stuff in them. We can't stop people from reading a message as it passes from hand to hand, and a prof might intercept it too, but I've had a brilliant idea over the weekend. Here's how it goes.

My favorite number is 3 and yours is 7, and because we're friends, you're the only one who knows my number and I'm the only one who knows your number. When I'm writing a message for you I will offset all the letters in the alphabet by your number.

Here is an example, I want to just say "hi!" in the first message.

Your favorite number is 7. In the alphabet, seven letters after 'h' we find 'o', and seven letters after 'i' we find 'p'. So I'll send you the message 'op!', and to translate it back you'll take each letter and go back seven places in the alphabet. If you run past 'z' while counting forward, you wrap around to 'a' (so 't' shifted by 7 becomes 'a'), and the same in reverse.

Let's try with a longer message. What does this say?

svvr ha ovd zthya fvb hyl.

I don't even have to give you the answer; you'll know when you have it. You'll feel it click distinctly when you turn noise back into information.

And now, when we exchange messages, it'll be secure.

Vocabulary time!

How you turn the info into an unreadable version is the "cryptographic algorithm". For the rest of this writing I'll just write "algo".

3 and 7 are what we call "keys". You could call them "passwords" if you wanted, I don't really care.

Mirror mirror on the wall...

... True hope lies beyond the coast You're a damned kind can't you see That tomorrow bears insanity.

The algo we saw is called the Caesar cipher. It's a "symmetric" algorithm, because to decrypt a message you have to use the same key that was used to encrypt it.

We could summarize it like so:

encrypt(message, key) -> encrypted_message
decrypt(encrypted_message, key) -> message

And with an example:

encrypt("hi!", 7) -> "op!"
decrypt("op!", 7) -> "hi!"

That's it. That's what "symmetric algorithms" are.

The Caesar cipher is outdated (by two millennia, lmao!) and anyone can recover the original messages. The first reason is that there are only 25 possible keys (shifting by 26 brings you back to where you started), so an attacker can simply try all of them and keep the one that produces readable text.
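To make the "same key, both directions" point concrete, here is a small Python implementation of the Caesar cipher, an added example rather than code from the original page. It handles the wrap-around past 'z', leaves spaces and punctuation alone (as the 'op!' example does), and includes the attack described above: trying all 25 keys. The function names are my own.

```python
import string

ALPHABET = string.ascii_lowercase  # 26 letters; positions wrap around after 'z'


def caesar_encrypt(message: str, key: int) -> str:
    """Shift every lowercase letter forward by `key` places; other characters pass through."""
    out = []
    for ch in message:
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + key) % 26])
        else:
            out.append(ch)  # spaces and punctuation are left untouched
    return "".join(out)


def caesar_decrypt(ciphertext: str, key: int) -> str:
    """Same algorithm, same key, opposite direction: that is what 'symmetric' means."""
    return caesar_encrypt(ciphertext, -key)


def brute_force(ciphertext: str) -> dict:
    """Try every possible key. There are only 25, so this is instant; a human (or a
    dictionary check) then picks the candidate that reads as real text."""
    return {key: caesar_decrypt(ciphertext, key) for key in range(1, 26)}


if __name__ == "__main__":
    print(caesar_encrypt("hi!", 7))                               # op!
    print(caesar_decrypt("svvr ha ovd zthya fvb hyl.", 7))        # look at how smart you are.
    for key, candidate in brute_force("svvr ha ovd zthya fvb hyl.").items():
        print(key, candidate)                                     # key 7 stands out
```

Run it and look at the brute-force output: only one of the 25 lines is English, which is all the "cryptanalysis" this cipher requires.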

But a common, high-quality algo you may already be using is AES. 7-Zip uses it to password-protect archives, for example.

What you type into the "Enter password" field is the key (strictly speaking, the software stretches your password into a fixed-size AES key with a key-derivation function, but the idea is the same). Whoever wants to unzip that archive will have to enter the same password you used.

Ain't that enough?

"I mean, what more is there to say? AES can't reasonably be brute forced, I'll just have a password for each friend and we're good, nah?"

We can do better. We can send stuff to each other even if we've never talked before. For that, we'll have to learn what asymmetric algorithms are.

With an asymmetric algo I need two keys. I'll call them S and P. If I encrypt a message with one key, you'll have to use the other key to decrypt it.

So if I encrypt a message with my S key, then you'll just have to decrypt it with my P key.

We could summarize it like so:

encrypt(message, P_key) -> encrypted_message(with P)
encrypt(message, S_key) -> encrypted_message(with S)

decrypt(encrypted_message(with P), S_key) -> message
decrypt(encrypted_message(with S), P_key) -> message

decrypt(encrypted_message(with P), P_key) -> ❌
decrypt(encrypted_message(with S), S_key) -> ❌

At that point you may notice that I can give you only one of the two keys, and that's the point: S stands for Secret, and P stands for Public.

I can post my Public key on the internet for all to see! All the messages encrypted with my Public key can only be read by one person: me!

So I can just post my Public key online and you post yours. To send you something I encrypt my message with your public key and to reply you encrypt your response with my Public key.

One More Thing

You thought we were done with asymmetric algos‽ Hell nah.

We can do it the other way around! I can encrypt a message with my Secret key, which means that to be decrypted you'd use my Public key.

Why?? Anyone can do it??

That's the point. Anyone can do it, but my S key and my P key are linked. If you can decrypt a message using my Public key, then it was encrypted using my Secret key, and I'm the only one who has access to my Secret key... which means... that's proof the message comes from me. (In practice, software doesn't run the whole message through the Secret key; it signs a short fingerprint of the message, the "hash" we'll see in the next section, and the reader checks that signature against the message. The idea is the same.)

That is called "Signing" baby!!
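Here is an added Python example, not code from the original page, that shows the two uses of an asymmetric key pair described above (encrypt with P, decrypt with S; and sign with S, verify with P) with textbook RSA, the algorithm whose behaviour matches the P/S picture exactly. Key generation uses a Miller-Rabin primality test written here for the example; the function names are my own. This is a teaching toy: it has no padding, so it must not be used for real traffic, and real libraries sign a hash of the message under a padding scheme rather than the raw message.

```python
import secrets


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:  # write n - 1 as d * 2**r with d odd
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)  # random witness in [2, n - 2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # this witness proves n composite
    return True


def random_prime(bits: int) -> int:
    """Draw odd candidates with the top bit set until one passes the test."""
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate


def keygen(bits: int = 1024):
    """Return (P_key, S_key). Each key is a pair (n, exponent); n is shared."""
    e = 65537  # the usual public exponent
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    n = p * q
    d = pow(e, -1, phi)  # d is the modular inverse of e: e * d == 1 (mod phi)
    return (n, e), (n, d)


def _to_int(message: bytes, n: int) -> int:
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this key (toy code: no chunking)")
    return m


def _to_bytes(m: int) -> bytes:
    # Leading zero bytes of the original message are not preserved; fine for a toy.
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def encrypt(message: bytes, key) -> int:
    """m ** exponent mod n. With P_key this is encryption; with S_key it is signing."""
    n, exp = key
    return pow(_to_int(message, n), exp, n)


def decrypt(ciphertext: int, key) -> bytes:
    """Undo encrypt() using the *other* key of the pair; the same key gives garbage."""
    n, exp = key
    return _to_bytes(pow(ciphertext, exp, n))


def sign(message: bytes, S_key) -> int:
    return encrypt(message, S_key)


def verify(message: bytes, signature: int, P_key) -> bool:
    """Anyone holding P_key can check the signature; only S_key could have produced it."""
    return decrypt(signature, P_key) == message


if __name__ == "__main__":
    P, S = keygen(1024)
    c = encrypt(b"hi!", P)                    # encrypted with P ...
    print(decrypt(c, S))                      # ... readable only with S: b'hi!'
    print(decrypt(c, P) == b"hi!")            # wrong key: False
    sig = sign(b"meet at noon", S)
    print(verify(b"meet at noon", sig, P))    # True
    print(verify(b"meet at 1pm", sig, P))     # False: the message was tampered with
```

Note the symmetry in the code: `sign` is literally `encrypt` with the Secret key, and `verify` is `decrypt` with the Public key followed by a comparison, which is the "other way around" trick from the text.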

Can you guess what I'm thinking?

"is it Superman?"

Let's look at something else: "hashing algorithms". These are algorithms which don't need keys, and what they produce isn't meant to be decrypted. That is why we say that we "hash" things with them and not "encrypt".

What's the point?

There are three main points.

  1. You can hash a particular message any number of times; you'll always get the same hash every time.
  2. It doesn't matter if two messages are very similar: if they aren't straight up identical, the hashes will be wildly different.
  3. It doesn't work backwards: given only the hash, nobody can work out the message that produced it.

That enables a cool thing: we can prove that we think of the same thing without having to say it. If we end up with the same hash, then we entered the same thing into the algo. (Two different inputs giving the same hash, a "collision", is possible in theory since the hash has a fixed size, but a good algorithm makes one infeasible to find.)

Why would we care about that?

Let's say I run an e-commerce application. When you sign up I'll ask you for a password to protect your account, but what I'll store is the hash of your password. Because hashing algorithms don't work backwards, no employee of mine can steal your password by looking into the database.

When you want to log in I'll just ask for your password, hash it, and compare it to what I have stored. If it matches, you've given me the same message as when you signed up, which means the password is correct.

And because the output is wildly different even for similar inputs, I can't guess your password by hashing something and steering my inputs one change at a time toward the right hash. (What an attacker can do is hash millions of common passwords and look for a match in the stolen database, which is why real systems store passwords with a deliberately slow, salted password-hashing function rather than a plain fast hash.)
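Here is an added Python example (not code from the page) covering the three properties and the sign-up/login scenario above, using only the standard library's hashlib. SHA-256 shows determinism and the "wildly different output" property; the password part uses PBKDF2 with a per-user random salt and a high iteration count, one of the deliberately slow, salted functions that turn a password into a key. The function names, the stored record layout and the iteration count are my choices; PBKDF2 is also roughly what an archive tool does to the password you type before using it as an AES key.

```python
import hashlib
import hmac
import os


def sha256_hex(data: bytes) -> str:
    """Property 1: the same input always gives the same 256-bit hash."""
    return hashlib.sha256(data).hexdigest()


def differing_bits(a: bytes, b: bytes) -> int:
    """Property 2 (avalanche): how many of the 256 hash bits differ between two inputs.
    For two different inputs the answer is about 128, no matter how similar they are."""
    ha = int.from_bytes(hashlib.sha256(a).digest(), "big")
    hb = int.from_bytes(hashlib.sha256(b).digest(), "big")
    return bin(ha ^ hb).count("1")


# --- password storage (property 3: the hash cannot be turned back into the password) ---

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor; slow on purpose to blunt guessing


def register(password: str) -> dict:
    """What the server stores: a random salt and the slow, salted hash. Never the password.
    The salt makes identical passwords hash differently, so one precomputed table
    of common passwords can't be reused across users."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def login(record: dict, password: str) -> bool:
    """Re-hash the attempt with the stored salt and iteration count, then compare in
    constant time so timing doesn't leak how many leading bytes matched."""
    salt = bytes.fromhex(record["salt"])
    attempt = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, record["iterations"])
    return hmac.compare_digest(attempt, bytes.fromhex(record["hash"]))


if __name__ == "__main__":
    print(sha256_hex(b"hello"))                      # same value every run
    print(differing_bits(b"hello", b"hellp"))        # roughly half of 256 bits
    record = register("correct horse battery staple")
    print(record)                                    # salt + hash, no password
    print(login(record, "correct horse battery staple"))  # True
    print(login(record, "correct horse battery stapl"))   # False
```

Register the same password twice and the two records differ: the salts are random, so an attacker who cracks one user's hash has learned nothing about another user with the same password.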

End-to-end

not middle-out

End-to-end encryption just means that the message is encrypted as early as possible, ideally before it leaves the application you typed it in, and most importantly, before it goes out onto the internet.

And it is decrypted as late as possible, ideally right as you look at it.

Meaning that at no point in between, not on the network and not on the server that relays it, was it readable.