I think it would be cool to share some common concepts about the Internet and your computer with you.
Not only do I think they are fun to learn, but you use these every day. In part 1 (this post) I would like to explain some cryptographic fundamentals.
We will work towards the concept of SSL certificates. They are grounded in integrity protection and digital signatures. Loosely defined, integrity means something is:
- Authentic (only from original/trusted sources)
- Indisputable (the person who sent the message cannot dispute this fact)
To understand this concept we first need to look at what a hash function is. Simply put, it is a mathematical function that always produces the same output based on an input.
It is 'deterministic'. More importantly, it is one way (cannot be reversed), has a fixed length output and changes atleast 50% when one part of the input is changed.
Example hashing algorithms are:
- MD5 (128 bit, very old, insecure)
- SHA1 (160 bit, insecure)
- SHA256, SHA512, etc.
- nonam -> 7245C94212D6C45B1A7F83C08C62F053
- noname -> 499DDAAD9DF107BF7107A3E2C0064800
You can see this often when you download a file from the Internet, it will include a hash for you to check against.
Message authentication code (authenticity)
How do we verify that the person who sends a message through the Internet is someone we expect it to be?
Lets go back to the hashing algorithm we just looked at. Anyone can generate a hash for a message. There is no way to verify this!
Now take a look at the following picture.
Generating an (unsafe) 'message authentication code' (MAC) is relatively simple:
- Create a hash of the text or document like before
- Encrypt this hash using a symmetric algorithm (AES, DES, 3DES, etc.)
What is the point of this? Well, since in theory only trusted parties have the preshared key, the message is 'authenticated' to be from a known source.
In addition to that, after decryption, the hash is compared to check whether the message was changed!
In practice, preshared keys are almost never used because of scalability issues and risk of compromise.
Note: if you want a proper and fast way of using MAC in practice than have a look at 'HMAC' for further reference.
Next up ...
Digital signatures. We didn't yet discuss how to make a message indisputable.
As you can imagine, everyone can create a hash of a message and all trusted parties can create a message authentication code.
Suppose we have 5 parties, how can we be sure that one of the messages is specifically from party C?
This is something we will explore further in the next post: public key cryptography and how it is applied, in combination with hashing, to SSL certificates in your browser.
I'd love to hear your feedback, thoughts and knowledge level on the subject.
Hope to see you in the next post.