Cryptography - An Introduction

Merrok

Magic Tomato
Joined
Jun 18, 2009
Messages
76
Best answers
4
Reaction score
88
Cryptography Basics


Since I see lots of wrong assumptions about what IT-Security actually is and how it is practiced i thought I'd write a "small" thread on the topic to help you make your OT and personal data more secure.

Please be aware that i will just talk about basics and not go deeper into the matter. You are welcome to ask or google(or duckduckgo) for further information on certain topics.

Let's start with some basics. I know it's boring theory, but you will need to know this to understand further explanations.

Security goals

Core security goals: CIA
  • Confidentiality: Protection of unauthorized retrieval of Information
  • Integrity: Protection of unauthorized modification of data
  • Availability: Protection of unauthorized disturbance of the usability of functions
Additional goals
  • Accountability: Proof of the originality of the identity of the subject/object¹
  • Authenticity: Protection of unallowed denial of performed actions
  • Privacy: Anonymity; Securing the untraceability; Protection of personal data
Encryption & Hashing
Encryption and Hashing often get mixed up. In the following I will explain Encryption and Hashing as well as differences between those.

Encryption
explanation: An encryption algorithm maps a plaintext to a ciphertext. The point of encryption is to ensure confidentiality. Without the key to decrypt the message, it is basically impossible to get the plaintext out of the ciphertext. Now there are 2 typs of encryption, symmetric encryption and asymmetric encryption.

Symmetric Encryption
Symmetric encryption has one key to encrypt and the same to decrypt. This key must be held secret for the purpose of third parties being unable to decrypt your message. An example for a symmetric encryption is AES. It is the standard symmetric algorithm and used in many protocols like TLS, WPA2 or SSH. I will not go deeper into the matter since I do not think it is relevant at this point.

Asymmetric Encryption
Asymmetric encryption works with a public and a private key. The public keys purpose is to encrypt the plaintext and only the private key is able to decrypt the message. So the private key must be kept secret while the public key can be sent to the partner so he is able to encrypt the message.
An example would is RSA, DH or ECC.
ECC (Elliptic Curves) are a very good alternative to the normal suspects of asymmetric encryption. Algorithms based on ECC can be way smaller for the same amount of security. For example A 2048Bit key in RSA has the same level of security as a 224Bit key in ECC.
I will dedicate an own post just for the topic of RSA, since it is the algorithm used to secure the Tibia connection and I will go deeper into the mathematics behind it.
I know it might be annoying to have a different RSA key for every server and therefore (so far) a different client per OT, but it is a necessary effort to make the ot scene more secure.

Hashing
A hashing algorithm maps a plaintext to a hash. It's purpose is to ensure the integrity and authenticity. There are different algorithms to hash text. The most known are MD5, SHA1, SHA2 and now even SHA3. The most common ones are sadly still SHA1 and MD5. Those are old, broken and cracked. They are outdated and should not be used anymore. You might as well transfer your data in plaintext if you use those. Instead you should always use a SHA2 (SHA256 or SHA512) or even a SHA3 algorithm.
Salt
Salts are texts that are added to passwords so that attackers have no possibility to use the information even if they get the hashed password. It also makes rainbow table attacks impossible since a hashed password like "password123" is not going to be the hash it would usually be, but a different one with the added salt. Use salt on your ot!

Signatures
Signing your messages gives you the possibility of ensuring accountability. Signatures are usually done using the asymmetric private key and verified using the public key. You sign your message using the key so that your partner knows the message was sent by you and noone else.

SSL (TLS)
Now on this topic we will really only scratch the surface since it is quite complicated when we go into the technological part of it. TLS is the more advanced version of the well known SSL, which is basically not supported anymore. It is what you know by https instead of http.
It's purpose is to secure the connection between a website and its' users. It uses different algorithms to negitoate the most secure connection possible, make sure the user is who he says he is and only hand out the information allowed to be given to the user. Its' security goals are integrity and confidentiality. It is a very important feature to have on your website and easy to implement.
For a few years now, big companies have gathered together to make the Internet more secure and support Let's Encrypt in their work of handing out free TLS Certificates to any website. So use their service and protect your website and its' users!
If you use it please also make sure to enforce the https use and redirect any http requests to https.


¹objects are assets that are worth being protected; subjects are active units allowed to use objects
 
Last edited:
OP
Merrok

Merrok

Magic Tomato
Joined
Jun 18, 2009
Messages
76
Best answers
4
Reaction score
88
RSA
Now we are going to talk about RSA, this is gonna be a little bit more complicated since I'm going to explain the mathematics behind it.

First of all some definitions:
  • p & q are big prime numbers
  • n is the rsaModulus n=pq
  • x is the plaintext
  • y is the cryptotext
  • e is the public key
  • d is the private key
  • Zn ϵ {0,1, ... , n-1}
  • k is just a number you'll get and use in step 5 but is irrelevant for the encryption
Preperation
  1. Choose 2 large, secret, primenumbers p and q (>512Bit, better >2048Bit)
  2. Calculate the rsaModulus n = pq , n is going to be public
  3. Calculate φ(n) = (p-1)(q-1)
  4. Choose public exponent e ϵ {1,2,...,φ(n)-1} so that gcd(φ(n), e) = 1
  5. Calculate the private exponent d, so that ed+kφ(n) = gcd(φ(n), e) = 1 using the extended euclidean algorithm

The Encryption
You got the plaintext x and and public key (n, e)
Encryption E(x,e) = xe mod n = y with x,y ϵ Zn

The Decryption
You got the cryptotext y and the private key d
Decryption D(y,d) = yd mod n = x


Problems
Now this is textbook RSA, but is it actually secure? Well kinda. First of all it is really complicated choosing "good" prime numbers. Signing with RSA alone is quite insecure though since once the plaintext of x1 and x2 as well as their signatures are known it is possible to produce a valid signature without knowledge of d. (x1x2)d = sig1sig2 mod n = sig3. The solution to that is using a hash algorithm in combination with RSA.
 
OP
Merrok

Merrok

Magic Tomato
Joined
Jun 18, 2009
Messages
76
Best answers
4
Reaction score
88
A few additional tipps to protect your data

Passwords:

Always use different passwords and always use complicated ones. I know it is a pain in the ass but it is necessary these days and there are tricks to keep your passwords rememberable but secure at the same time. For instance if you want to be able to remember your passwords use small tricks like if you are born in the year 2000 and like nike, dont add that simply to your password, you can for example add it in a hidden way like "[email protected]!kE2*10e3". It might seem random, but it is not. To be able to remember all your different passwords simply use a password management software, protected by a password and with encrypted storage.

Social Engineering
Whilst you can ensure that your technologie is relatively save, the biggest vulnerability is still the human being. Do not give your login data to anyone, no company or OT for that matter will ever ask you for your login data. Do not click links any random person sends you. Do not trust a phone call who tells you, there is a problem with your $software and you need to do certain stuff they tell you to do. Never leave your pc unlocked and unwatched. An attack takes about 2 seconds. Belive me, I've done it.
In short: do not trust anyone!

Keep your OS updated
Always use the latest Long Time Support, stable version of software. Most viruses or worms do not work on the latest version of your operation system since it has already been patched. Some exploits are even patched before the virus itself is written. There are very few unpatchable exploits and even those get blocked using a different way, even though that often times causes loss of performance.

EU-GDPR, Safe Harbour
I thought of talking about the EU-GDPR and the Safe Harbour Privacy Shield as well, but i think it's best if you simply do the research on those yourself. They are important to know about though.


I have been inactive in this community for about a decade and in this time IT-Security in the Internet has changed alot, but it does not seem to change quite enough here. Following simple procedures makes your OT as well as your personal data alot more secure, so i appeal to your sense of reason, use TLS, use your own encryption key for your server, use up to date hashing algorithms, use secure passwords and all in all, use the knowledge you have just gathered to make the Internet a more secure place for everyone. :)
 
Last edited:
Top