Asymmetric Cryptography for Dummies

The entire Internet, with its privacy and security, rests on intricate asymmetric cryptographic algorithms. I will try to explain in an accessible way what they are and how to use them.

Cipher

At its core, asymmetric encryption uses a pair of keys: a public one and a private one. They are sometimes called open and closed. They are precisely a pair: both keys are created and used together. The recipient of the messages creates them, hands the public key to the sender, and keeps the private key secret. “Public” comes from the Latin publicus (public), from poplicus (people). “Popular” and “pop” have almost the same root. “Private” comes from privus: single, individual, i.e. private.

Key handover

The sender uses the public key to encrypt (close) the message. An encrypted message is very difficult to decrypt without the private key, so it is generally safe to send it to the recipient over open communication channels. The recipient decrypts (opens) the message with his secret, private key. The word “cipher” is derived from the Arabic ṣifr (صفر, sifr), i.e. zero. The word “number” is too.

Encryption

Certificates

This scheme can be attacked. One such attack is key substitution, or the “man-in-the-middle attack”. An attacker can intercept the public key and replace it with his own. The sender will encrypt the message with the attacker’s key; the attacker will read the message, encrypt it with the recipient’s key and forward it to the recipient. In effect, the attacker sits between the recipient and the sender.

Man-in-the-middle attack

To solve this problem, you can bring in a trusted third party. The trusted party confirms that the recipient is who he claims to be: it signs a certificate that contains the information to be verified. The sender checks the authenticity of the certificate and its signature and makes sure that the recipient is the right one.

Certificate Signature

If an attacker presents a certificate while posing as the recipient, the sender will notice. For example, suppose the certificate contains a photograph of the recipient. Then either the photo does not match the attacker and the certificate is invalid, or the attacker creates his own certificate, but the substitution fails.

Invalid certificate

The certificate is signed on the same principles as the message, with a public and a private key, but the other way round: the private key signs the message and the public key checks the signature. The trusted party also distributes public keys to those who will use them for verification. An example from the analog world is a seal: the seal itself stays with the trusted party (private key), and its imprint is on the certified paper (public key).

Certificate signing and verification
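
The flow described above, as an added example that is not part of the original article: the trusted party signs a certificate binding a name to a public key, and the sender checks it with the trusted party's public key, so a substituted key or an attacker-made certificate is rejected. It uses textbook RSA on small fixed primes for readability only; every function name and key here is constructed for the illustration.

```python
import hashlib

E = 65537  # public exponent

def make_keypair(p, q):
    """Textbook RSA from two primes: returns (public, private) = ((n, e), (n, d))."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))

def digest(data, n):
    """SHA-256 of the data as an integer below the modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(private, data):
    n, d = private                      # the PRIVATE key signs
    return pow(digest(data, n), d, n)

def verify(public, data, signature):
    n, e = public                       # the PUBLIC key checks
    return pow(signature, e, n) == digest(data, n)

def cert_body(name, public):
    """The data the trusted party signs: a name bound to a public key."""
    return f"{name}|{public[0]}|{public[1]}".encode()

def issue_cert(ca_private, name, public):
    return {"name": name, "key": public,
            "sig": sign(ca_private, cert_body(name, public))}

def check_cert(ca_public, cert, expected_name):
    """Sender-side check: right name, and signature made by the trusted party."""
    body = cert_body(cert["name"], cert["key"])
    return cert["name"] == expected_name and verify(ca_public, body, cert["sig"])

# Constructed demo keys built from known Mersenne primes (toy sizes, no padding).
ca_pub, ca_priv = make_keypair(2**127 - 1, 2**89 - 1)        # trusted party
rcpt_pub, rcpt_priv = make_keypair(2**107 - 1, 2**61 - 1)    # recipient
atk_pub, atk_priv = make_keypair(2**521 - 1, 2**607 - 1)     # attacker

def demo():
    genuine = issue_cert(ca_priv, "recipient", rcpt_pub)
    swapped = dict(genuine, key=atk_pub)                     # key replaced in transit
    self_made = issue_cert(atk_priv, "recipient", atk_pub)   # not signed by the trusted party
    return (check_cert(ca_pub, genuine, "recipient"),
            check_cert(ca_pub, swapped, "recipient"),
            check_cert(ca_pub, self_made, "recipient"))

if __name__ == "__main__":
    print(demo())
```

Only the genuine certificate passes; the other two fail because the signature no longer matches the name-and-key pair when checked with the trusted party's public key.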

Browser

All these mechanisms are handled automatically, under the hood, by the browser. For example, Chrome:

Browser address lines

For encryption, the web uses https: http over the TLS protocol (or its predecessor, SSL, which is obsolete). The lock icon indicates that the site is secure (i.e. data is transmitted via https). If it says “Not secure”, it means http without the s (secure): the data is transferred in the clear, and anyone in the message transmission chain can read it without any problems. Passwords, codes and messages that you enter on such a site can be read by anyone: the provider, “comrade major”, a system administrator, etc.

If https is enabled but the certificate is not valid, the browser will not let you onto the page. In Chrome there is an option to continue at your own risk. Modern certificates contain not only the site’s domain but also the validity period. They are issued by trusted certificate authorities. For example, Habr’s certificate, valid until 10/24/23, was issued by “Sectigo ECC Domain Validation Secure Server CA”, whose own certificate comes from the root “USERTrust ECC Certification Authority”. You can view it by clicking on the lock.

To protect data, a site can use a self-signed certificate. In this case the data will be protected, but it remains open to a man-in-the-middle attack, because there is no trusted party. Browsers tend to mark such certificates as invalid.

The same mechanisms are generally used by electronic document management systems. For example, you can create a verified electronic signature for yourself and use it to sign electronic documents. Russian law even makes it possible to give such a signature legal significance, as an alternative to a handwritten signature. In organizations, it is quite possible to use a self-signed signature for internal document management in electronic form. If anyone uses this practice or plans to implement it, let me know; I’m very interested.

Practice

The most popular asymmetric algorithm is RSA, but at the same time it is obsolete. There is a great article on this topic, “Stop using RSA” by @Scratch. For key generation, 2048-bit RSA or 256-bit ECDSA is recommended; ECDSA is faster and its keys are smaller.

TLS allows different algorithms to be used; the browser and the site “agree” on the encryption algorithm themselves and use the best one available. Asymmetric encryption is used to establish the connection, but the ciphers that carry the messages (the encryption algorithms) are symmetric rather than asymmetric. For example, the Diffie-Hellman (DH) protocol can be used to encrypt messages. (A variation of this algorithm, ADH, is not recommended.) A symmetric cipher is simpler: only one key is needed, which both encrypts and decrypts the message. An example is the Caesar cipher, in which each letter of the message is shifted along the alphabet by the key k. If you encrypt the word “kiya” (in the original Russian, “кия”) with k=2 it will be “mkb” (“мкб”), with k=4 “omg” (“омг”), with k=11…

There are recommended cipher suites for TLS. The recommendations vary from source to source. You can check which suite your browser is using and which ones it supports. For example, this one: TLS_CHACHA20_POLY1305_SHA256. It breaks down as follows:

TLS – Transport Layer Security (the protocol that protects the transport layer)

CHACHA20_POLY1305 – ChaCha20-Poly1305, an AEAD, i.e. Authenticated Encryption (AE) with Additional Data (AD). ChaCha20 is a stream cipher (here is an article on the topic). POLY1305 is the authentication code: it generates a one-time number (nonce), a message authentication code that protects the integrity of the message.

SHA256 – a hashing algorithm with a 256-bit hash.
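
One way to run the same check outside the browser, as an added example that is not part of the original article: it splits a TLS 1.3 suite name into the parts listed above and groups the suites the local Python/OpenSSL build enables into AEAD and non-AEAD. The function names and the SAMPLE list are constructed for this illustration; ssl.SSLContext.get_ciphers() is the standard-library call.

```python
import ssl

def split_tls13_name(name):
    """Split a TLS 1.3 suite name into (protocol, AEAD cipher, hash)."""
    parts = name.split("_")
    # TLS 1.2 names (TLS_..._WITH_...) also carry key exchange and auth; reject them.
    if len(parts) < 3 or parts[0] != "TLS" or "WITH" in parts:
        raise ValueError(f"not a TLS 1.3 style suite name: {name!r}")
    return parts[0], "_".join(parts[1:-1]), parts[-1]

def group_by_aead(ciphers):
    """Sort get_ciphers()-style dicts into AEAD and non-AEAD suite names."""
    aead, other = [], []
    for c in ciphers:
        (aead if c.get("aead") else other).append(c["name"])
    return aead, other

def local_suites():
    """Suites the local Python/OpenSSL build enables by default (works offline)."""
    return ssl.create_default_context().get_ciphers()

# Constructed sample in the shape SSLContext.get_ciphers() returns.
SAMPLE = [
    {"name": "TLS_CHACHA20_POLY1305_SHA256", "aead": True},
    {"name": "TLS_AES_128_GCM_SHA256", "aead": True},
    {"name": "ECDHE-RSA-AES128-SHA", "aead": False},
]

if __name__ == "__main__":
    aead, other = group_by_aead(local_suites())
    for name in aead:
        print("AEAD    ", name)
    for name in other:
        print("non-AEAD", name)
    print(split_tls13_name("TLS_CHACHA20_POLY1305_SHA256"))
```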

Implementations of this are usually found in cryptographic libraries. For example, .NET 7 has an implementation of the ChaCha20-Poly1305 cipher.

An example of an electronic signature

For academic purposes, let’s take ECDSA (Elliptic Curve), an asymmetric algorithm, to build signature keys. There are ready-made online encoders and decoders; let’s use one. Select secp256k1 (the curve parameters). I generated public and private keys.

Public key

-----BEGIN PUBLIC KEY-----
MFYwEAYHKoZIzj0CAQYFK4EEAAoDQgAEGs+iqyttCXyioLEfV6i8AqTmVtV+zHBY
9v9YgH8y2GpvJbG6rr2pac9UjmAUYvD1WFPvU99g0rGY5Ecrpltnqw==
-----END PUBLIC KEY-----

Private key

The message will be “Hi!” and the signature:

MEYCIQD/EDwwADIfIxn9prpiyeDxysaCmz2l58N0JESJtG+L1wIhANRu9UTYzvYMEvCIKS1RYuskgRaTbAGuxf69DUwSEzaG

To check: paste the public key into “Public Key”, the signature into “For Signature Verification” below it, and “Hello!” without quotes into “Plain Text Message”. Select “Verify Signature” to confirm the signature.

In the future, even on another site, I can confirm that I am the author of this article. For example: http://www.ildar.in/publickeyexample

Message Encryption Example

We cannot use symmetric encryption one-sidedly, because a shared secret key has to be generated before transmission, separately with each correspondent. So, as an example, I will take the long-suffering RSA. As before, there is a site with an online generator and decoder for RSA.

We generate a 2048-bit key pair. My public key:

MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAhmoR7gzuOtGEJzXKTBfyPH2H9o2cgVRzJ1Jdrhp7k/QAckHY8wP93ofJD7zLnCWHtRIvUa0OVKX895mdG7/PETmz4TKlaHyAxrEG+KGpQyC83 U2hpuc82DjLcDLiW10XwhVVp6Kx/HmT19zjmtuVq8vtetP4chjEW3HiiHBr/TrxTeFcLJ49uBdVc5V7W+Fy83dA45tZLDf2hj/RcgHG3HPDGyL+QgYOMwxZAjptpwOZgqKNB4j84 /kFHfZ9cWsixLUiOk54I1z5bYmn+OmG0oKBBPLcAZZsDzJJyB3D0Bv4MByHyDdBUjDABj/PkpMuTjTEI67XbRNXI29l8gnZjQIDAQAB

With the public key, I will encrypt a message to myself, “This is an example of an encrypted message.” (I click Encrypt), and I get the ciphertext:

fw4FSeYXU6tTrm/ibOqHv7fdwugOPHq9Swql/d2Jh+KGqr4DA9gis4sTiW5FCJsfZoytlZfz4Fw7G5rjVAhmN9t7EZTBRPQ20A182A0fhd702XaVYdCQwxyDPEbgjZlbjD8yrrD1Y+ Q+4nM6S10r0Q+gi0/LjLdx/NVdMlct7APBbroWH3nSDCyOuYes2+8Tonylht4Psjlsyt08+YQ6zeWAd9KPB+DYLFunmoY1nLJE23vTgq950VYI6VO9dVvVJmtcGTdZPVWxfPR8f41Muon9aEN soiXsmwf427cLhmRVsa7VrT3NVYxQcrd8TgqUi1lQZfYaIcdgH76FDKgieA==

Using my private key, I can decrypt this message. Anyone can encrypt a message with this public key, and only I can read it (unless the private key is lost or compromised). In the same way, anyone can publish their own public key and receive ciphertext that is unreadable to everyone else.

Terms

The word cryptography is derived from two Ancient Greek words: kryptos (hidden, secret) and graphein (to write). So it is a record of something secret, “secret writing”.

Asymmetrical: from the Proto-Indo-European prefix *sem- (one, together) and *meh₁- (measure), plus the suffix -τρον (-tron) of the second declension, which means “thematically”. The prefix a- means negation. I.e. symmetry is something measurable at the same time, and asymmetry is something that is not measurable at the same time. For example, symmetry of the eyes means something is the same for both eyes; conversely, asymmetrical eyes means something is different for each eye. Eye color asymmetry is heterochromia, eyes of different colors.

Many words from Latin are easy to understand simply from their composition, for example “certificate”. Words were formed historically, and etymology is the study of this. Moreover, words in different languages could be formed from the same word, but in different ways. For example: “secret” comes from the word “to cover”, presumably from the Ancient Greek κρύπτω (krypto, to hide). You can compare the etymology of the word “certificate” with its meaning in dictionaries and enjoy the cringe and lulz.

Thank you for your attention!
