A bunch of cryptography questions

Hello, I have some questions about cryptography.

First of all, I understand a few concepts such as Caesar’s encryption, which is what symmetric encryption is based on (I think).

Caesar's encryption.

Assume you have a text message that you want to hide from any viewers. In its simple form, this encryption shifts all the letters by a certain number (n) in the alphabet; in this case the encryption key is “n”.

This one is really simple to decipher, so another option is to shift the first letter by “n” letters and the second by “m”; then the third letter again uses the “n” shift, and so on. In this case the encryption key would be [n,m].

This can still be deciphered but it becomes harder the longer the key you use.

I don’t know how this translates to files, but as far as I know this is the basic idea but using other algorithms.

Symmetric encryption.

Symmetric encryption is basically a function that takes an encryption key and some input. It transforms the input into some output that can be transformed back to the same input only with the provided encryption key. This is basically what is used for BitLocker or KeePass or similar apps.

Asymmetric encryption. + Question

The asymmetric encryption is a function that somehow uses some key to encrypt but needs another key to decrypt, the so called public key and private key respectively. The public is used to encrypt but only the private key can decrypt it.

This one is used by SSH or when you first communicate with a web page, for communicating with servers or any other computer. The steps for this communication are as follows:

  1. The client sends the public key to the server.
  2. The server makes a message and encrypts it with the client public key.
  3. Sends the message to the client.
  4. The client decrypts the message using its own private key and sends it back to the server.
  5. If the decrypted message matches the one generated by the server then the client identity is confirmed.
  6. The process repeats to confirm the server's identity. In order for this to work, the client (you) must know the public key from the server you want to connect to.
    ----- ** Questions **
  7. I don’t know from here but I think what happens is the following:
  8. Since the connection is confirmed between these two, one of them uses the public key to encrypt the symmetric key they will use to communicate.

I don’t know how this protects from communicating using unsecured internet connections such as public Wi-Fi.

Hash algorithm. + Question

** Description **

In addition, I know what a hash algorithm is. Very briefly, it is a function that takes any input and returns a string that uniquely identifies such input. This allows the user to know that the downloaded file is the intended one and it is what is used to identify the packages you download, for example. A safe (for now) hash algorithm is SHA256 and an unsafe one is MD5.

** Question **

When a package is downloaded, I receive with it the associated SHA256. My PC now computes the SHA256; if it matches, then the package is correctly downloaded. But how does the computer trust that the received SHA256 is the correct one and not a compromised one? I think it is related to the manjaro-keyring package but I don’t know for sure.

Certificates and HTTPS. + Question

** Definition **

As far as I know, a certificate is “something” that confirms that “another” is what it says it is.

For this purpose, certificate authorities exist: entities whose job is to confirm that another one is the one it says it is. An example of a CA is Let’s Encrypt.

** Questions **

From here I am guessing based on what I have seen in Mozilla's > Privacy and security > Certificates tab and on things I have read on Wikipedia.

Certificates are used by web pages. For example, manjaro.org generates a public key and asks Let’s Encrypt to confirm that this key belongs to manjaro.org. When I connect to manjaro.org, the server sends me the public key and the CA; my browser connects to Let’s Encrypt and asks if that public key belongs to manjaro.org. Now the asymmetric encryption begins using an HTTP connection, until the symmetric key is set, and then the HTTPS connection is established using that key.

  • I have read that the CA signs the public key. What does it refer to?
  • In order for this to work, the client must trust Let’s Encrypt CA, right?

OpenPGP, GnuPG and Kleopatra Questions

  • What are OpenPGP and GnuPG?
  • I have seen that Kleopatra allows encrypting emails as well. I know it is a GUI for OpenPGP and GnuPG, so I am pretty sure it should be one of its capabilities. How does this work?

Hardware Encryption Questions

  • How does hardware like YubiKey work to confirm my identity?

Thank you very much in advance.

I always encrypt everything with ROT-13.

Twice.

Just to be sure.

:face_with_hand_over_mouth:

5 Likes
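The shift cipher from the first post (key `[n]` or `[n, m]`) and the ROT-13 remark above, as an added example that is not code from any poster; all function names are made up here. It goes slightly beyond the posts by searching every key of a given length for a known plaintext word, which shows why a short key is weak: a key of length k has only 26^k possibilities.

```python
from itertools import product
import string

ALPHABET = string.ascii_lowercase

def shift_encrypt(text, key):
    """Shift letter i by key[i % len(key)]. key=[n] is Caesar; [n, m] alternates."""
    out, i = [], 0
    for ch in text:
        if ch.lower() in ALPHABET:
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + key[i % len(key)]) % 26 + base))
            i += 1  # only letters consume a key position
        else:
            out.append(ch)  # spaces and punctuation pass through unchanged
    return "".join(out)

def shift_decrypt(text, key):
    """Decryption is encryption with every shift negated."""
    return shift_encrypt(text, [-k for k in key])

def brute_force(ciphertext, key_len, crib):
    """Try all 26**key_len keys; keep those whose plaintext contains the crib."""
    return [list(k) for k in product(range(26), repeat=key_len)
            if crib in shift_decrypt(ciphertext, list(k))]

def rot13_twice(text):
    """ROT-13 is the shift n=13; applying it twice shifts by 26, i.e. by nothing."""
    return shift_encrypt(shift_encrypt(text, [13]), [13])

if __name__ == "__main__":
    message = "Meet me at the old bridge"   # constructed sample text
    secret = shift_encrypt(message, [3, 11])
    print(secret)
    print(brute_force(secret, 2, "bridge"))  # 676 candidates, one survivor
    print(rot13_twice(message))
```
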

No one really understands cryptography, ok some do (at least a little) but you kinda need to be a cryptographer to understand it properly.

You’re probably best asking on a cryptography site, you’ll likely get better and more complete answers (except for the Manjaro-specific one).

https://crypto.stackexchange.com/


The communication is encrypted. Theoretically you’ve confirmed that the computer you’re communicating with is the one you mean to communicate with - though not if you carelessly trust a new fingerprint.

This Veritasium video contains a dumbed down explanation using paint. Not sure how useful it might be.

Asymmetric encryption, public/private keys.

When you open Kleopatra it gives you a link for information.

You give the public key to someone, they can then use it to encrypt the text to create cyphertext, then they send the cyphertext to you and you use the private key to decrypt it.

Same in reverse, you use their public key to encrypt the response and they use their private key to decrypt it.

As the private keys aren’t shared no one else can decrypt it. Except possibly well funded spy agencies.

2 Likes
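The challenge steps listed in the question (steps 1 to 5) combined with the public/private key description in the reply above, as an added example that is not code from any poster. It is a sketch of those steps, not the SSH or TLS wire protocol; the names are made up here, and the key is textbook RSA built from two fixed, publicly known primes with no padding, so it is far too weak for real use.

```python
import secrets

# Toy key material, constructed for illustration: two known Mersenne primes.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537

def make_keypair():
    n = P * Q
    d = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (Python 3.8+)
    return (n, E), (n, d)               # (public key, private key)

def encrypt(public, m):
    n, e = public
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, e, n)

def decrypt(private, c):
    n, d = private
    return pow(c, d, n)

class Server:
    """Steps 2, 3 and 5: send an encrypted challenge, then check the reply."""

    def __init__(self, client_public):
        self.client_public = client_public   # step 1: received from the client
        self._nonce = None

    def challenge(self):
        self._nonce = secrets.randbits(128)  # fresh random value per attempt
        return encrypt(self.client_public, self._nonce)

    def verify(self, reply):
        ok = self._nonce is not None and reply == self._nonce
        self._nonce = None                   # single use: a replayed reply fails
        return ok

def client_answer(private, challenge):
    """Step 4: only the holder of the private key can recover the nonce."""
    return decrypt(private, challenge)

if __name__ == "__main__":
    public, private = make_keypair()
    server = Server(public)
    reply = client_answer(private, server.challenge())
    print("first attempt:", server.verify(reply))   # correct key holder
    print("replayed reply:", server.verify(reply))  # same reply sent again
```
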