A word about cryptography

Security

January 27, 2017

This site has been automatically translated with Google Translate from the original page written in French; there may be some translation errors.

Historical

Since the dawn of time, men have sought to encrypt messages so that if they fell into "enemy" hands they could not be reread. Thus Julius Caesar used a coding system to communicate with his generals, but long before him, the Egyptians also encrypted their hieroglyphs.
For millennia, cryptology only concerned a small number of people, mainly governments, the army and secret services. Thus until recently, cryptology was considered a weapon of war in many countries, including the United States and France.
With the advent of networks, the Internet and e-commerce, cryptology has experienced considerable growth in all areas. Legislation has been able to adapt, even if there is still progress to be made, particularly in France.
This page presents the main principles of cryptography software found on the Internet, as well as the associated algorithms, without going into detail.

By the way, what is the difference between cryptology, cryptography, and the French verbs chiffrer, déchiffrer, décrypter and crypter? To put it simply:
- cryptology is the science of secrecy (literal translation),
- cryptography is the set of techniques used to protect a message,
- to encrypt (chiffrer) a message is to use an encryption code known to us to make it incomprehensible to anyone who does not know the code,
- to decipher (déchiffrer) a message is to use an encryption code known to us to make it understandable,
- to break (décrypter) a message is to recover it when we do not know the encryption code; this is what code breakers do,
- the French verb "crypter" does not exist etymologically, and it does not make sense! Do not use it if you do not want to be seen as a fool; it is purely and simply eliminatory in a job interview in the world of security!

Principles

Symmetric private key algorithm

The sender encrypts his message with a private key and transmits it to the recipient, who also has the private key and can thus decrypt the message. A major drawback of the system is that the private key must not fall into the hands of third parties.

Asymmetric public key algorithm

The symmetric private key algorithm is absolutely not suitable for the Internet: it is very risky to send your private key over the network, where it can be intercepted by third parties, and yet this key exchange is necessary for the recipient to be able to decrypt the message.
We get around the problem by creating two keys, a secret key and a public key. The first must not be communicated under any circumstances, while the second can be widely distributed. There is a relationship between the two keys: a text encrypted with a public key can only be decrypted with the corresponding private key.
The operating principle is as follows. Suppose A wants to send a message to B. B sends his public key to A, A encrypts the message using B's public key, B receives the message and decrypts it with his private key. B is the only one who can decrypt the message, since he is the only one who holds the private key necessary for decryption.

The session key

Asymmetric algorithms are generally more computationally intensive and slower than symmetric ones, so during an encryption/decryption session we use an intermediate key, called a session key, which is a compromise between the asymmetric and symmetric techniques. We also talk about a hybrid algorithm.

In short, when encrypting a message, we go through the following steps:

sender side:

- creation of a message-specific, single-use session key,
- encryption of the session key with an asymmetric algorithm using the recipient's public key, the recipient can decrypt the session key with his private key and the sender and recipient therefore have a common session key,
- use of a symmetric algorithm to encrypt the message using the session key,
- the message is encrypted ready to be sent.

on the recipient side, we will have:

- call the same asymmetric algorithm to decrypt the session key with its private key,
- call the same symmetric algorithm to decrypt the message with the session key.

A small weakness of the method: if a third party (let's call him C) pretends to be B and sends his own public key to A, A will send him encrypted messages without realizing the identity theft. This is called a man-in-the-middle attack. In fact, the public key is not linked to the identity of its owner, but there is a way to remedy this.

Fingerprint

We will therefore associate a fingerprint with the message. This unique fingerprint is generated from the content of the message and only from it (in plain language, it does not depend on keys or other parameters). The fingerprint is generated by so-called hash functions, which are non-reversible (one-way): the fingerprint does not allow the message to be reconstructed, but it identifies it perfectly. If a single character changes in the text, the fingerprint is totally different; for this property we say that the function is "collision-free". On the other hand, even if the probability is extremely low, two messages can potentially have the same fingerprint (we speak of collisions). For a given text, anyone can generate a fingerprint, and it will necessarily be identical if the same hash function is used.
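The two properties described above can be measured directly. The following is an added example, not part of the original page; it uses SHA-256 from the Python standard library, the two payment messages are constructed, and the helper names are assumptions. It counts how many of the 256 fingerprint bits change when one character changes, and shows why collisions are only improbable rather than impossible by finding one on a fingerprint deliberately shortened to two bytes.

```python
import hashlib

def fingerprint(text: str) -> bytes:
    """Fingerprint (digest) of a text: depends only on its content."""
    return hashlib.sha256(text.encode("utf-8")).digest()

def bits_changed(a: bytes, b: bytes) -> int:
    """Number of bit positions that differ between two fingerprints."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

def first_collision(prefix_bytes: int):
    """Find two constructed messages whose fingerprints agree on the
    first prefix_bytes bytes, i.e. a collision on a shortened digest."""
    seen = {}
    n = 0
    while True:
        msg = f"message {n}"
        short = fingerprint(msg)[:prefix_bytes]
        if short in seen:
            return seen[short], msg
        seen[short] = msg
        n += 1

if __name__ == "__main__":
    a = fingerprint("Pay 100 euros to B")
    b = fingerprint("Pay 900 euros to B")   # one character changed
    print("bits changed out of 256:", bits_changed(a, b))
    m1, m2 = first_collision(2)
    print("same 16-bit fingerprint:", repr(m1), repr(m2))
```

With the full 32-byte fingerprint the same search would not finish in any practical time, which is what "extremely low probability" means here.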

In the end:

- A generates a fingerprint of his message,
- A encrypts the fingerprint with his private key and sends it to B, this allows the fingerprint to be authenticated because he is the only one who can encrypt it with his private key,
- B decrypts the fingerprint of the message with A's public key,
- B recalculates the fingerprint from the decrypted message,
- B compares the 2 fingerprints, if they are identical, the message is intact (it has not been modified) and has been sent by A (sender authentication).

In English, the fingerprint is called a digest.

This is a bit cumbersome, because now in addition to encrypting the message, its fingerprint must be encrypted, just as the recipient must decrypt the message and the fingerprint and compare the fingerprints. Fortunately, there is a method to lighten all this, which is used in particular for encrypted connections with OpenSSL/TLS.

In fact, it is the session key that will be used to authenticate the sender automatically, which gives this:

sender side:

- creating a message-specific, one-time-use session key,
- generating a fingerprint from the session key,
- encrypting the session key with an asymmetric algorithm using the recipient's public key,
- encrypting the fingerprint with the private key,
- using a symmetric algorithm to encrypt the message using the session key,
- the message and the fingerprint of the session key are encrypted, ready to be sent,

on the recipient side, we will have:

- call the same asymmetric algorithm to decrypt the session key with its private key,
- call the same symmetric algorithm to decrypt the message with the session key,
- generation of the session key fingerprint,
- decryption of the fingerprint from the sender's public key,
- comparison of the 2 fingerprints, if they are identical, the message is intact and the sender is clearly identified.

The session key has a lifetime limited to the session, and it can even be changed during the dialogue. Indeed, if the dialogue is intercepted by a third party, that party could, after a certain calculation time, recover the session key and therefore decrypt the exchange. So the idea is that the lifetime of the session key is always less than the time it would take to recover it.
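The sender and recipient steps listed above (session key, then fingerprint of the session key encrypted with the sender's private key) can be followed end to end in code. This is an added example, not code from the original page: it uses textbook RSA without padding and a SHA-256 keystream as a stand-in for a real symmetric cipher such as AES, so it shows the flow only and is not secure. The function names and the toy keys for A, B and the impostor C are assumptions.

```python
import hashlib
import secrets

E = 65537  # public exponent shared by all toy keys

def keypair(p, q):
    """Textbook RSA key pair (public, private) from two primes."""
    n = p * q
    return (E, n), (pow(E, -1, (p - 1) * (q - 1)), n)

def rsa(value, key):
    """Raw RSA operation with no padding: illustration only."""
    exponent, n = key
    return pow(value, exponent, n)

def stream_xor(key, data):
    """Toy symmetric cipher (stand-in for AES): XOR with a SHA-256 keystream."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

def fingerprint_int(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def send(message, sender_priv, recipient_pub):
    session_key = secrets.token_bytes(16)  # single use, specific to this message
    wrapped_key = rsa(int.from_bytes(session_key, "big"), recipient_pub)
    signed_fp = rsa(fingerprint_int(session_key), sender_priv)
    return wrapped_key, signed_fp, stream_xor(session_key, message)

def receive(packet, recipient_priv, sender_pub):
    wrapped_key, signed_fp, ciphertext = packet
    session_key = rsa(wrapped_key, recipient_priv).to_bytes(16, "big")
    if rsa(signed_fp, sender_pub) != fingerprint_int(session_key):
        raise ValueError("fingerprint mismatch: sender not authenticated")
    return stream_xor(session_key, ciphertext)

# Constructed toy keys built from published Mersenne primes (no secrecy at all).
A_PUB, A_PRIV = keypair(2**521 - 1, 2**607 - 1)
B_PUB, B_PRIV = keypair(2**1279 - 1, 2**2203 - 1)
C_PUB, C_PRIV = keypair(2**127 - 1, 2**521 - 1)  # impostor posing as A

if __name__ == "__main__":
    packet = send(b"Meet at noon", A_PRIV, B_PUB)
    print(receive(packet, B_PRIV, A_PUB))
```

If C builds the packet with his own private key while B checks it against A's public key, `receive` raises the fingerprint mismatch error instead of returning the message.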

Digital signatures

Just as we can encrypt a message with the recipient's public key, we can also encrypt a message using our own private key, in which case anyone can decrypt the message as long as they have the corresponding public key. You might then ask what the point is of encrypting a message with your private key, since everyone can decrypt it with the public key that has been widely distributed. In fact, in the absence of confidentiality, it allows you to authenticate yourself perfectly, because you are the only one capable of generating a message with the private key that is decipherable with the public key. It is in a way a kind of digital signature. In this case, we are talking about signing a document.
Note that you can also sign the fingerprint of a document to authenticate yourself; it is as reliable as signing a document. To do this:
- with a hash function the sender generates a fingerprint of any document,
- he encrypts the fingerprint with his private key,
- the recipient generates the fingerprint of the same document (which he also has),
- he decrypts the encrypted fingerprint with the sender's public key,
- he compares the 2 fingerprints, if they are identical, the sender is clearly authenticated.

Instead of fingerprint, we also speak of signature.

Certifications

When B receives a public key from A, it is not certain that it was actually A who sent it. B can of course ask A to send him his signature; by decrypting it with A's public key, B will then be able to expose an impostor.
B and A have yet another possibility: A will have his public key authenticated by an authority, which we will call a certification authority. This authority will retrieve a document from A containing, for example, a signature with name, first name, email and the public key of A. The authority will certify the authenticity of this document by signing it; this signed document is the certificate of A. In practice, the certificate of A will be encrypted by the certification authority using the secret key of the authority. The decryption will be done using the public key of the certification authority, known to all.
Consequently, if we receive a certificate from A and we manage to decrypt it with the public key of the certification authority, and we therefore obtain the signature and the public key of A, it is because we are dealing with A.

In practice, the service provided by a certification authority is not free. However, there is Let's Encrypt, a certification authority based on free software that certifies a server (Apache, FTP, or whatever) and is completely free. On the other hand, Let's Encrypt does not (yet) allow a signature to be certified.

A word about keys

The key is a value that will be used in a cryptography algorithm to encrypt or decrypt a text. The key is characterized by a size expressed in bits, the greater the number of bits, the lower the risk that the text will be decrypted without its owner knowing.

Some algorithms

Presentation

As we have seen previously, we distinguish between asymmetric key management algorithms, symmetric algorithms for encrypting messages and hash functions for fingerprints. A little vocabulary: in English, an encryption algorithm is called a cipher.

Hash functions

The most well-known hash functions are MD5 (Message Digest 5) and SHA (Secure Hash Algorithm), MD5 is considered insecure today, and SHA with its more recent SHA-1 and SHA-2 variants is preferred.

Symmetric algorithms

DES (Data Encryption Standard) is a private key algorithm that was created by IBM in 1977. It was originally developed for banks. It is considered obsolete and should no longer be used. Triple-DES (or 3DES) is now used, which means that the DES algorithm is applied three times, thus using three different private keys. DES and triple-DES are both royalty-free. It is used to encrypt data.
AES (Advanced Encryption Standard) is considered the reference symmetric encryption algorithm.
The IDEA (International Data Encryption Algorithm) algorithm appeared in 1990, it is a very attack-resistant algorithm, much better than DES. IDEA is used to encrypt data.

Asymmetric algorithms

DH (Diffie Hellman) is the first algorithm based on public and private keys, invented in 1976. RSA is directly derived from it. This algorithm is now free of rights. DH is not used to encrypt messages but for key management.
RSA (Rivest Shamir Adleman, the names of its creators) was created in 1977; it is an asymmetric public key algorithm. It has become a standard in the field. It has been in the public domain since 2000.
DSA (Digital Signature Algorithm) is, as its name suggests, a digital signature algorithm. It is used to generate a digital signature that authenticates the origin of a document. The private key is used in the generation of the signature and the public key in the verification of the signature.

And French law in all this?

For a long time, the use of encryption tools was very restricted by French law, to the point that cryptology software could be considered weapons of war! The law for confidence in the digital economy of June 21, 2004 completely freed the use of these tools, with a few nuances. The use, import and export of a means of cryptology to sign, authenticate and control integrity is completely free and there is no procedure to follow. On the other hand, there are still restrictions on the tools used to encrypt data: they can be used freely, but it is always necessary to make a declaration or request authorization for their import/export to/outside the European Union. Legally, downloading cryptography software from a site outside the European Union is considered an import... but nobody should bother you over it, knowing that the Central Directorate for Information Systems Security (DCSSI), a state body which has since been replaced by the National Agency for Information Systems Security (ANSSI), has officially authorized the use of GnuPG and OpenSSL.

ANSSI is the organization in France reporting directly to the Prime Minister which is in charge of the security of information systems of major government departments (but not only) and of all cryptology matters in France (approval, expertise, etc.).

Some interesting links

If you want to learn more about cryptology, here are some interesting links on the subject:

https://fr.wikipedia.org/wiki/Portail:Cryptologie   the cryptology portal on Wikipedia

http://www.futura-sciences.com/sciences/dossiers/mathematiques-cryptologie-art-codes-secrets-1817/   the art of secret codes

https://www.ssi.gouv.fr/particulier/actualite/crypto-le-webdoc/ the ANSSI webdoc on cryptology

http://www.ssi.gouv.fr/administration/reglementation/controle-reglementaire-sur-la-cryptographie a summary of the regulations on the ANSSI website

Encryption by concealment

There is another method of encryption that does not use any algorithm (or almost) and is much more subtle: encryption by concealment, which consists of hiding a message in a completely harmless plain text. A very famous example is a letter that George Sand, who as everyone knows is a woman, addressed to Alfred de Musset:

Je suis très émue de vous dire que j'ai
bien compris l'autre soir que vous aviez
toujours une envie folle de me faire
danser. Je garde le souvenir de votre
baiser et je voudrais bien que ce soit là
une preuve que je puisse être aimée par
vous. Je suis prête à vous montrer mon
affection toute désintéressée et sans
calcul, et si vous voulez me voir aussi
vous dévoiler sans artifice mon âme toute
nue, venez me faire une visite. Nous
causerons en amis, franchement. Je vous
prouverai que je suis la femme sincère,
capable de vous offrir l'affection la plus
profonde comme la plus étroite en amitié,
en un mot la meilleure preuve dont vous
puissiez rêver, puisque votre âme est
libre. Pensez que la solitude où j'habite
est bien longue, bien dure et souvent
difficile. Ainsi, en y songeant, j'ai l'âme
grosse. Accourez donc vite et venez me la
faire oublier par l'amour où je veux me
mettre.

So? Come on, it's not difficult, start reading the first line then skip a line to read the next one and so on ;-)

In French

Je suis très émue de vous dire que j'ai
toujours une envie folle de me faire
baiser et je voudrais bien que ce soit là
vous. Je suis prête à vous montrer mon
calcul, et si vous voulez me voir aussi
nue, venez me faire une visite. Nous
prouverai que je suis la femme sincère,
profonde comme la plus étroite en amitié,
puissiez rêver, puisque votre âme est
est bien longue, bien dure et souvent
grosse. Accourez donc vite et venez me la
mettre.

In English

I am very moved to tell you that I still have a mad desire to be fucked and I would like it to be you. I am ready to show you my calculation, and if you want to see me also naked, come and visit me. We will prove that I am the sincere woman, deep as the closest in friendship, can dream, since your soul is is very long, very hard and often big. So run quickly and come and put it on me.
