Penguin Fortress YouTube Channel

Video transcript: Introduction to Cryptography part 2

This is a transcript for a video linked here: Introduction to Cryptography part 2.

00:00:00.480 --> 00:00:07.200

this is the second of my videos introduction 

to cryptography my earlier video gave an  

00:00:07.200 --> 00:00:12.780

overview of cryptography some of the history 

behind cryptography and an example using rot 13.

00:00:13.380 --> 00:00:18.060

in this video I'll look at the importance of 

cryptography today and some additional concepts

00:00:18.060 --> 00:00:25.620

relevant to modern security so why is cryptography

so important it's essential to many of the things  

00:00:25.620 --> 00:00:31.140

we do with computing today helping to keep

your personal details and credit cards safe  

00:00:31.140 --> 00:00:34.200

to providing proof that a

person signed a virtual contract  

00:00:35.940 --> 00:00:41.040

cryptography can be used to protect data 

and helps to provide the three elements  

00:00:41.040 --> 00:00:47.760

of the CIA Triad confidentiality integrity 

and authentication I've explained about the

00:00:47.760 --> 00:00:52.320

CIA Triad in another video so check out that 

video if you want to understand more about that  

00:00:53.220 --> 00:01:00.660

cryptography can provide confidentiality keeping 

things secret integrity proving that data hasn't

00:01:00.660 --> 00:01:07.860

been altered and authentication proving that

somebody is who they claim to be cryptography  

00:01:07.860 --> 00:01:12.960

can also provide non-repudiation providing 

assurances that data has come from a known sender  

00:01:14.520 --> 00:01:19.920

whilst cryptography is often associated with 

keeping your credit card details secure when  

00:01:19.920 --> 00:01:24.540

using a website it isn't just limited to 

networking it can be used for data which  

00:01:24.540 --> 00:01:29.220

is at rest typically when it's stored in a 

computer but also includes backup storage  

00:01:29.940 --> 00:01:34.740

when data is in transit such as when it is 

being sent across a network it could also  

00:01:34.740 --> 00:01:39.720

be when data is being moved from data storage to a 

different system that will be processing that data  

00:01:40.440 --> 00:01:44.160

and also when it's being used

which often means stored in memory

00:01:46.740 --> 00:01:51.540

there are different encryption algorithms that 

are suited to different uses we will look at  

00:01:51.540 --> 00:01:56.580

these in future including symmetric encryption 

and asymmetric encryption as used in public  

00:01:56.580 --> 00:02:02.700

key encryption we can also look at how these are 

used on a daily basis to keep information secure  

00:02:04.380 --> 00:02:11.100

the key to encryption is literally the key 

in modern computer-based cryptography the  

00:02:11.100 --> 00:02:16.020

key is usually a large number the key is 

designed so it is impossible to guess or  

00:02:16.020 --> 00:02:19.620

to work out through brute force

it's usually a very large number  

00:02:20.340 --> 00:02:32.800

a 128 bit key can take the values of 0 to 2 to the 

power 128, or about 3.4 times 10 to the power 38.

00:02:33.480 --> 00:02:38.520

there are other important aspects to the key 

which will be explained in this and future videos

00:02:41.640 --> 00:02:48.300

Kerckhoffs's principle is that a cryptography system

should be secure even if everything except the  

00:02:48.300 --> 00:02:53.340

key is public knowledge this is contrary 

to the alternative practice of keeping  

00:02:53.340 --> 00:02:57.840

security by obscurity where the algorithm 

needs to be kept secret as well as the key

00:03:00.840 --> 00:03:05.940

the words codes and cipher are often

used interchangeably although that's  

00:03:05.940 --> 00:03:12.780

not necessarily the case looking at codes whilst 

they can be used to create secrets they do not

00:03:12.780 --> 00:03:19.620

always meet the needs of confidentiality 

for example within hospitals they often  

00:03:19.620 --> 00:03:25.740

use code words colors or numbers that indicate 

certain situations they're codes that members of

00:03:25.740 --> 00:03:29.220

staff understand but which are meaningless

to most of the visitors in the hospital  

00:03:30.000 --> 00:03:36.720

for example many hospitals in the USA and Canada 

use color codes one example is that code red is  

00:03:36.720 --> 00:03:41.160

often used to indicate fire this can be used to 

inform other members of staff about the incident

00:03:41.160 --> 00:03:46.680

without causing panic and this is not however 

confidential as others can understand the code  

00:03:48.660 --> 00:03:54.000

often codes may not relate to security 

or confidentiality at all but just a way  

00:03:54.000 --> 00:03:58.920

of representing information in fact some are

used to make it easier to understand the code  

00:03:59.520 --> 00:04:03.840

for example Morse code can be used 

to transmit information that can  

00:04:03.840 --> 00:04:06.780

be understood by anyone that has 

learned the Morse code alphabet

00:04:09.240 --> 00:04:12.360

some codes are phrases with specific reasonings

00:04:14.400 --> 00:04:20.400

for example during the Second World War the

BBC radio station Radio Londres broadcast

00:04:20.400 --> 00:04:27.120

messages to the French Resistance these were 

sentences or phrases which communicated a  

00:04:27.120 --> 00:04:30.900

certain message to the resistance 

because these were in code and not  

00:04:30.900 --> 00:04:35.640

cipher there was no way to linguistically

or mathematically try and decrypt them the  

00:04:35.640 --> 00:04:39.240

only way to understand them was to have been 

told their meaning such as through a code book

00:04:41.280 --> 00:04:46.620

ciphers are a secret way of writing or 

a form of secret code normally through  

00:04:46.620 --> 00:04:51.660

changing individual characters a rough 

approximation is that ciphers often work  

00:04:51.660 --> 00:04:56.940

on individual letters whereas codes often work

in entire words but that's not always the case  

00:04:58.620 --> 00:05:03.960

ciphers do normally relate to security but 

that does not mean they are always secure  

00:05:05.940 --> 00:05:12.180

this shows the program I created using rot

13 cipher it's a cipher designed to obscure a

00:05:12.180 --> 00:05:16.980

message but reversing the code is so trivial 

you would not consider the data to be secure  

00:05:17.760 --> 00:05:21.780

for more details about rot 13 see my 

earlier video or the corresponding  

00:05:21.780 --> 00:05:25.560

video on Penguin Tutor where I

created this cipher application

00:05:27.600 --> 00:05:33.120

links are included in the description the 

use Link when we're talking about ciphers  

00:05:33.120 --> 00:05:39.120

we're looking at ways of encrypting data in 

a secure way to provide secure encryption  

00:05:39.120 --> 00:05:45.120

then we need two factors a computationally 

complex algorithm and long cryptographic keys

00:05:45.960 --> 00:05:50.040

algorithms should be designed in a way that 

knowing the algorithm should not allow anyone  

00:05:50.040 --> 00:05:55.260

to understand the message unless they also know 

the key in fact it's normal for the algorithm  

00:05:55.260 --> 00:06:00.840

to be made publicly available and have it open to 

scrutiny by others can help to make it more secure  

00:06:01.680 --> 00:06:05.880

I'll be looking at some of the different 

algorithms in a future video but in this  

00:06:05.880 --> 00:06:09.840

video I'll be looking at keys the key

is a very important part of encryption  

00:06:09.840 --> 00:06:14.580

and could say they are key to keeping 

the data secure it's no pun intended

00:06:17.460 --> 00:06:22.980

cryptographic keys can be either symmetric 

or asymmetric with pros and cons to each  

00:06:24.840 --> 00:06:30.000

algorithms using symmetric keys are 

often called a shared secret this is  

00:06:30.000 --> 00:06:34.080

because the key used for encrypting and 

decrypting the data has to be the same  

00:06:34.080 --> 00:06:38.040

and both parties must therefore 

know the key they share the key

00:06:40.080 --> 00:06:46.020

the encryption is performed using a secret 

key the resulting cipher text is passed to the

00:06:46.020 --> 00:06:52.200

recipient the recipient then uses the same 

secret key to decode the message this is  

00:06:52.200 --> 00:06:57.540

fast and with a sufficiently large key can be 

very difficult to break however it has a few  

00:06:57.540 --> 00:07:02.280

weaknesses one being that there needs to be a 

way of sharing the secret key in a secure way  

00:07:03.360 --> 00:07:10.080

also it does not implement non-repudiation and 

it's not scalable as you need a pair of keys for  

00:07:10.080 --> 00:07:15.420

every two people that you want to communicate 

together or if you shared the key then you  

00:07:15.420 --> 00:07:19.560

would need to regenerate and redistribute 

keys whenever somebody left that group

00:07:20.220 --> 00:07:25.080

asymmetric key based algorithms use 

different keys for the sender and recipient  

00:07:26.940 --> 00:07:33.360

the private and public keys are related but unique 

the private key is one that you need to keep  

00:07:33.360 --> 00:07:39.000

private it is used for decrypting the messages 

received and it can also be used to prove the  

00:07:39.000 --> 00:07:45.600

origin of the email the non-repudiation aspect 

this needs to be kept secret if others get your  

00:07:45.600 --> 00:07:50.760

private key then they can read messages intended 

for you they can also use it to impersonate you  

00:07:52.080 --> 00:07:58.620

the public key does not need the same protection 

in fact it is designed to be distributed it is  

00:07:58.620 --> 00:08:05.100

used for encrypting the messages it is also

needed to validate who sent a message this is  

00:08:05.100 --> 00:08:11.100

the key that should be shared although you also 

need to make sure the key is received as intended  

00:08:12.900 --> 00:08:19.320

to explain this better I'm going to use Alice 

and Bob I introduced these in the last video so  

00:08:19.320 --> 00:08:27.480

this is just a quick recap Alice wants to send 

an encrypted message to Bob Bob should then be  

00:08:27.480 --> 00:08:33.840

able to decrypt that message and read it there's 

also Eve who is trying to eavesdrop on the message

00:08:34.440 --> 00:08:39.000

we want to ensure that even if Eve sees all 

the messages then she cannot understand them

00:08:41.160 --> 00:08:46.440

Alice wants to send a message to Bob to be able

to encrypt that she needs Bob's public key  

00:08:47.340 --> 00:08:54.060

this message can then be sent when Bob receives 

the email he then uses his private key to decrypt  

00:08:54.060 --> 00:09:00.540

the message note that both of these are Bob's keys

Alice's key is not needed to secure the message  

00:09:01.320 --> 00:09:05.520

although may be needed if it's necessary to prove 

that she was the one that sent the message we'll  

00:09:05.520 --> 00:09:11.760

cover that later the only person that can read 

the encrypted message is Bob as it was his public  

00:09:11.760 --> 00:09:17.700

key that was used this includes Alice once she's 

encrypted it she does not have the key to decrypt  

00:09:17.700 --> 00:09:23.400

it if Bob wants to send a response to Alice then 

he would need to use Alice's public key instead

00:09:26.100 --> 00:09:30.900

the public key can be shared with as many people 

as you want to communicate with so unlike the  

00:09:30.900 --> 00:09:36.900

symmetric keys you only need one pair of keys

the public key that you share and the private key  

00:09:36.900 --> 00:09:43.920

that you keep secret users can be removed more

easily from the asymmetric systems as you just  

00:09:43.920 --> 00:09:50.400

need to remove that key key generation is only 

required if a user's private key is compromised

00:09:52.440 --> 00:10:01.860

it can provide integrity authentication and

non-repudiation key distribution is simplified and  

00:10:01.860 --> 00:10:08.640

no existing communication link needs to exist as

you can share the public key the main disadvantage  

00:10:08.640 --> 00:10:14.880

is that it is slow one way to overcome this 

performance issue is to use asymmetric encryption  

00:10:14.880 --> 00:10:21.000

to then share a symmetric key this benefits from 

the advantages of asymmetric key algorithm but  

00:10:21.000 --> 00:10:26.160

with the speed advantage from using symmetric

key algorithm after you've exchanged that key

00:10:29.520 --> 00:10:35.940

the previous examples showed encryption used to 

keep something secret but cryptography can also  

00:10:35.940 --> 00:10:42.420

be used to provide integrity and non-repudiation 

a hash is a one-way algorithm sometimes called the  

00:10:42.420 --> 00:10:49.020

message digest or a digital fingerprint it is used 

to prove a file is uncorrupted since the hash was  

00:10:49.020 --> 00:10:55.980

generated a small change to file should create a 

large change to the hash proving that the file has  

00:10:55.980 --> 00:11:02.280

been tampered with it's extremely difficult if 

not impossible to derive a message from a hash  

00:11:02.280 --> 00:11:07.260

function and it's highly likely that two different 

messages will produce the same hash value

00:11:09.720 --> 00:11:15.120

to perform non-repudiation then the hash value 

needs to be converted to a digital signature  

00:11:15.660 --> 00:11:21.900

this is essentially an encrypted hash value to 

prove who sent the message note that digital  

00:11:21.900 --> 00:11:28.800

signatures and encryption can and often are used 

together in this example I refer to data which  

00:11:28.800 --> 00:11:35.100

may or may not have been encrypted so Alice who 

is wanting to send a signed message first passes  

00:11:35.100 --> 00:11:41.100

the data through a hashing algorithm she then 

encrypts that hash using her own private key and  

00:11:41.100 --> 00:11:49.200

then sends both the data and the signature onto 

Bob receives the data and the digital signature  

00:11:49.920 --> 00:11:55.800

he can generate his own hash using the same 

hashing algorithm he then decrypts the signature  

00:11:55.800 --> 00:12:01.140

he was sent using Alice's public key and compares 

the hash value to see if they are the same  

00:12:01.920 --> 00:12:07.980

if so then that proves that Alice must have 

sent the message note that Alice's public key  

00:12:07.980 --> 00:12:14.700

is used to decrypt the signature this means that 

anyone can see the hash value but as the hash is a  

00:12:14.700 --> 00:12:20.100

one-way function it is not possible to know what 

the original message is just from the signature

00:12:25.560 --> 00:12:30.540

this video has covered the theory of a number 

of different cryptographic methods including  

00:12:30.540 --> 00:12:35.160

the importance of keys in secure encryption

algorithms and the difference between symmetric  

00:12:35.160 --> 00:12:41.220

and asymmetric key based algorithms also explained 

about how hashes can be used to prove that a  

00:12:41.220 --> 00:12:46.080

document hasn't been tampered with and digital 

signatures can be used to provide non-repudiation  

00:12:47.880 --> 00:12:53.520

this has now provided the basis for some practical 

examples which I'll be showing in future videos if  

00:12:53.520 --> 00:12:57.480

you've learned something new then please give this 

video a like and help YouTube to share it with  

00:12:57.480 --> 00:13:03.960

others if you haven't already subscribed please do 

so and click the notification icon to get notified  

00:13:03.960 --> 00:13:09.180

about my future videos thanks for watching I 

look forward to seeing you in a future video
