7 Cryptographic Techniques You Should Know
A brief explanation of the following seven topics.
- Hash
- Salt (Pepper)
- HMAC
- Symmetric Encryption
- Keypairs
- Asymmetric Encryption
- Signing
1. Hashing
Hashing is the process of converting data of arbitrary length into a fixed-length string. This conversion follows the rules below. The resulting string is called a hash value.
- If the input is the same, the hash value will be the same.
- If the inputs differ, the hash values will always differ — in other words, a unique hash value is assigned to each input.
- The original input cannot be reverse-engineered from the hash value.
There are various hashing methods, with MD5 and SHA-256 being well-known examples.
Purpose
As a fundamental security technique, hashing has many uses. A simple example is storing passwords. When a website stores user passwords, saving them in plain text poses a risk in the event of a data breach. By storing hash values instead, even if the data is leaked, it becomes much harder to recover the actual passwords. During communication, hashing on the client side before sending also helps reduce risk.
2. Salt (and Pepper)
Salt is an additional step performed when hashing passwords before storage, as described above.
The reason salt is used is that simply hashing a password can be extremely problematic in certain situations — specifically when the password is a very commonly used word. For example, the hash value of the string password is
5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8.
By preparing a large number of such hash values and comparing them against a target hash, an attacker can efficiently recover the plain text. This is known as a rainbow table attack.
As a countermeasure, a random string is appended to the input before hashing, causing the hash value to change randomly. This is called a salt. However, a weakness of salt is that the appended string needs to be recorded in the database, which means it could potentially be leaked.
Pepper is an idea to overcome the weakness of salt. It simply involves storing the appended string in a location with a higher security level than the database.
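The salt and pepper steps described above, as an added example that is not code from the original article. It swaps the single hash for PBKDF2-HMAC-SHA256 (a deliberately slow salted hash) and mixes the pepper in with HMAC; the function names, pepper value and iteration count are assumptions.

```python
import hashlib
import hmac
import os

# Constructed pepper for the demo; in practice it is loaded from a secret
# store or environment variable kept outside the database (assumption).
PEPPER = b"demo-pepper-not-for-production"
ITERATIONS = 100_000  # PBKDF2 work factor (assumed value)


def unsalted_sha256(password: str) -> str:
    """Plain SHA-256: identical passwords always give identical hashes."""
    return hashlib.sha256(password.encode()).hexdigest()


def _derive(password: str, salt: bytes, pepper: bytes) -> bytes:
    # Pepper is mixed in as an HMAC key, then the salted, slow hash is applied.
    peppered = hmac.new(pepper, password.encode(), hashlib.sha256).digest()
    return hashlib.pbkdf2_hmac("sha256", peppered, salt, ITERATIONS)


def hash_password(password: str, pepper: bytes = PEPPER) -> dict:
    """Return the record to store: a fresh random salt and the derived hash."""
    salt = os.urandom(16)  # unique per user, stored next to the hash
    return {"salt": salt.hex(), "hash": _derive(password, salt, pepper).hex()}


def verify_password(password: str, record: dict, pepper: bytes = PEPPER) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    expected = bytes.fromhex(record["hash"])
    return hmac.compare_digest(_derive(password, salt, pepper), expected)


if __name__ == "__main__":
    print(unsalted_sha256("password"))    # the same for every user who picks it
    alice = hash_password("password")
    bob = hash_password("password")
    print(alice["hash"] != bob["hash"])   # per-user salts make the records differ
    print(verify_password("password", alice))
    print(verify_password("password", alice, pepper=b"wrong-pepper"))
```

A database leak exposes the salt and hash but not the pepper, so the stored records cannot be checked against guesses without also compromising the separate secret store.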
3. HMAC
HMAC (Hash-Based Message Authentication Code) is a mechanism for authenticating the sender and detecting data tampering during communication. As a prerequisite, the sender and receiver agree on a shared key. The sender then hashes the data combined with the shared key, hashes the result again to produce a MAC value, and sends this MAC value along with the data. The receiver can then compute the MAC value from the received data and the shared key to verify integrity. This works because the MAC values of both parties will only match when both the data and the shared key are identical. If the MAC values differ, it means either the key is wrong or the message has been altered since it was sent.
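import hashlib
import hmac

message = b"Hello World"
key = b"secret"
# The sender computes the MAC over the message with the shared key
mac = hmac.new(key, message, hashlib.sha256).digest()
message_sent = b"Hello World!!"
# The receiver recomputes the MAC and compares in constant time
received_mac = hmac.new(key, message_sent, hashlib.sha256).digest()
if not hmac.compare_digest(received_mac, mac):
    print("Altered message")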
4. Symmetric Encryption
Symmetric encryption is a mechanism for protecting data during communication, similar to HMAC. As the name "symmetric" implies, it uses the same key for both encryption and decryption. With HMAC alone, if data is intercepted during transmission, it can still be read. Encryption prevents this by making the data unreadable, and the receiver can then decrypt it to access the data. The decryption key must be shared between the sender and receiver in advance. AES-256 is a well-known algorithm of this type.
5. Key Pairs
Asymmetric encryption, unlike symmetric encryption, uses different keys for encryption and decryption. The key used by the sender for encryption is called the public key, and the key used by the receiver for decryption is called the private key. The public key and private key form a pair — data encrypted with the public key can be decrypted with the private key, and data encrypted with the private key can be decrypted with the public key. By having a separate public key, the risk of key leakage through key sharing is avoided. RSA is a well-known algorithm of this type.
6. Asymmetric Encryption
In asymmetric encryption, particularly in the SSL protocol, data sent by a website to a client is encrypted with the public key, and the client decrypts it with the private key to securely read the data.
7. Signing
Signing is a mechanism for proving the identity of a data sender. While encryption makes data unreadable, there are cases where verifying the trustworthiness of the sender matters more than protecting the content. Signing is used in such cases. It utilizes asymmetric encryption. The sender generates a signature from the data and their private key, and sends it along with the data. The receiver verifies the signature using the data and the public key to confirm whether the signature is valid. If the signature is valid, the identity of the sender is proven.