# Chapter 2: Cryptography Fundamentals
## Simple Examples and Exercises

### Course: TCPRG4005 - Secure Programming

---

## Learning Objectives

1. **Understand** why you should never roll your own crypto
2. **Analyze** simple cipher weaknesses
3. **Practice** basic cryptographic analysis
4. **Learn** from historical examples

---

## ⚠️ Important Warning

> **Never implement your own cryptographic algorithms in production!**

This notebook is for **educational analysis only**.

In [None]:
# Simple setup for cryptography examples
import string

print("🔐 Chapter 2: Cryptography Fundamentals")
print("Simple examples to demonstrate crypto concepts")
print("=" * 45)

# Example 1: Caesar Cipher

The simplest cipher - shift each letter by a fixed amount.
Let's see how easy it is to break!

In [None]:
# Simple Caesar Cipher implementation
def caesar_shift(text, shift):
    """Shift letters by a fixed amount"""
    result = ""
    for char in text.upper():
        if char.isalpha():
            # Shift the letter
            shifted = ord(char) - ord('A')
            shifted = (shifted + shift) % 26
            result += chr(shifted + ord('A'))
        else:
            result += char
    return result

# Test the Caesar cipher
message = "HELLO"
shift = 3

encrypted = caesar_shift(message, shift)
decrypted = caesar_shift(encrypted, -shift)

print(f"Original:  {message}")
print(f"Encrypted: {encrypted}")
print(f"Decrypted: {decrypted}")

# Caesar Cipher Weakness: Brute Force

Since there are only 25 possible shifts, we can try them all!

In [None]:
# Break Caesar cipher by trying all shifts
def break_caesar(ciphertext):
    """Try all possible Caesar shifts"""
    print(f"Breaking Caesar cipher: {ciphertext}")
    print("-" * 30)
    
    for shift in range(26):
        decrypted = caesar_shift(ciphertext, -shift)
        print(f"Shift {shift:2d}: {decrypted}")

# Attack our encrypted message
break_caesar("KHOOR")  # "HELLO" with shift 3

# Example 2: Letter Frequency Analysis

English letters appear with different frequencies. This breaks substitution ciphers!

In [None]:
# Simple frequency analysis
def count_letters(text):
    """Count how often each letter appears"""
    counts = {}
    for char in text.upper():
        if char.isalpha():
            counts[char] = counts.get(char, 0) + 1
    return counts

# English letter frequencies (approximate %)
english_freq = {
    'E': 12, 'T': 9, 'A': 8, 'O': 7, 'I': 7, 'N': 7, 'S': 6, 'H': 6,
    'R': 6, 'D': 4, 'L': 4, 'C': 3, 'U': 3, 'M': 2, 'W': 2, 'F': 2,
    'G': 2, 'Y': 2, 'P': 2, 'B': 1, 'V': 1, 'K': 1, 'J': 1, 'X': 1, 'Q': 1, 'Z': 1
}

# Test with a simple message
sample_text = "THE QUICK BROWN FOX JUMPS OVER THE LAZY DOG"
letter_counts = count_letters(sample_text)

print("Letter frequencies in our sample:")
for letter in sorted(letter_counts.keys()):
    count = letter_counts[letter]
    print(f"{letter}: {count} times")

print(f"\nMost common letter: {max(letter_counts, key=letter_counts.get)}")
print("In English, 'E' is usually most common!")

# Example 3: Simple Substitution Cipher

Replace each letter with a different letter. Seems secure, but frequency analysis breaks it!

In [None]:
# Simple substitution cipher using a keyword
def create_cipher_alphabet(keyword):
    """Create a cipher alphabet from a keyword"""
    # Remove duplicate letters from keyword
    unique_chars = ""
    for char in keyword.upper():
        if char.isalpha() and char not in unique_chars:
            unique_chars += char
    
    # Add remaining letters
    cipher_alphabet = unique_chars
    for char in "ABCDEFGHIJKLMNOPQRSTUVWXYZ":
        if char not in cipher_alphabet:
            cipher_alphabet += char
    
    return cipher_alphabet

def substitution_encrypt(text, cipher_alphabet):
    """Encrypt using substitution cipher"""
    normal_alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    result = ""
    
    for char in text.upper():
        if char.isalpha():
            pos = ord(char) - ord('A')
            result += cipher_alphabet[pos]
        else:
            result += char
    return result

# Test substitution cipher
keyword = "SECRET"
cipher_alphabet = create_cipher_alphabet(keyword)
normal_alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"

print(f"Keyword: {keyword}")
print(f"Normal:  {normal_alphabet}")
print(f"Cipher:  {cipher_alphabet}")
print()

message = "ATTACK AT DAWN"
encrypted = substitution_encrypt(message, cipher_alphabet)

print(f"Original:  {message}")
print(f"Encrypted: {encrypted}")

# Key Lessons from Classical Cryptography

## What We Learned:

1. **Simple ciphers are easily broken** - Caesar cipher has only 25 keys
2. **Patterns reveal secrets** - Letter frequency analysis breaks substitution
3. **Security through obscurity fails** - Knowing the method doesn't help if crypto is strong
4. **Brute force works on weak systems** - Small key spaces are vulnerable

## Modern Implications:

- Use **established algorithms** (AES, RSA)
- Use **proper libraries** (never implement your own)
- Understand **why** things work, not just how
- **Length and randomness** matter for security

# Chapter 2 Exercises

Try these to practice what you've learned!

In [None]:
# Exercise 1: Create a Caesar cipher breaker
def exercise_1():
    """
    Exercise 1: Write a function that automatically finds the most likely
    Caesar cipher shift by looking for common English words
    """
    print("Exercise 1: Smart Caesar Cipher Breaker")
    print("Write a function that finds the shift by looking for 'THE' or 'AND'")
    
    # Test ciphertext (hint: it contains common English words)
    mystery_cipher = "WKH TXLFN EURZQ IRA"
    
    # Your code here:
    # def smart_caesar_break(ciphertext):
    #     # Try each shift and look for common words
    #     return best_shift

exercise_1()

In [None]:
# Exercise 2: Frequency analysis challenge
def exercise_2():
    """
    Exercise 2: Given this substitution cipher, use frequency analysis
    to figure out what letters E, T, and A likely represent
    """
    print("Exercise 2: Frequency Analysis")
    
    # This is English text encrypted with substitution cipher
    mystery_text = "FOD JELNV IQLHR GLY KPNWU LBDQ FOD CGMX RLT"
    
    print(f"Mystery text: {mystery_text}")
    print("Find the frequencies and guess which letters represent E, T, A")
    
    # Your code here - analyze the frequencies!
    letter_counts = count_letters(mystery_text)
    for letter, count in sorted(letter_counts.items(), key=lambda x: x[1], reverse=True):
        print(f"{letter}: {count} times")

exercise_2()

# Chapter 2 Conclusion

## What We Accomplished:

✅ **Understood** why simple ciphers fail

✅ **Practiced** breaking Caesar and substitution ciphers

✅ **Learned** about frequency analysis

✅ **Reinforced** the rule: Never roll your own crypto!

## Key Takeaway:

> **Use established cryptographic libraries and let the experts handle implementation!**

Modern cryptography builds on these lessons to create truly secure systems.

# Bonus: Modern Crypto Libraries

Let's see how to use crypto **properly** with established libraries!

In [1]:
# Example: Proper Secure Random Number Generation
import secrets
import os

print("🎲 Secure Random Number Generation")
print("=" * 40)

# GOOD: Cryptographically secure random
secure_random = secrets.randbits(256)
secure_token = secrets.token_hex(32)
secure_bytes = os.urandom(32)

print(f"Secure 256-bit number: {secure_random}")
print(f"Secure hex token: {secure_token}")
print(f"Secure random bytes: {secure_bytes.hex()}")

print("\n⚠️  NEVER use regular random for crypto!")
print("random.random() is predictable and insecure")

🎲 Secure Random Number Generation
Secure 256-bit number: 21410135570879550540677745764117184563573946993884908226487689029467713836131
Secure hex token: e03dc7813b394d894796e0bb2953e1489733a25a0f91dd0eb6cdf09c5e8d1a56
Secure random bytes: f9f1b99b848022c764a53a14bd25b248b92cb94805702e8ea09e8b61f4752d9c

⚠️  NEVER use regular random for crypto!
random.random() is predictable and insecure


In [2]:
# Example: Proper Password Hashing
import hashlib
import secrets

print("🔐 Password Hashing Best Practices")
print("=" * 40)

def weak_hash_demo(password):
    """DON'T DO THIS - Just for demonstration!"""
    return hashlib.sha256(password.encode()).hexdigest()

def better_hash_demo(password):
    """Better approach with salt"""
    salt = secrets.token_hex(16)
    return salt + hashlib.pbkdf2_hmac('sha256', password.encode(), 
                                      bytes.fromhex(salt), 100000).hex()

# Test with sample password
password = "MySecurePassword123!"

weak = weak_hash_demo(password)
better = better_hash_demo(password)

print(f"❌ Weak (plain SHA256): {weak}")
print(f"✅ Better (PBKDF2+salt): {better}")

print("\n💡 In production, use bcrypt, scrypt, or Argon2!")
print("They handle salting and adaptive costs automatically.")

🔐 Password Hashing Best Practices
❌ Weak (plain SHA256): 3d0efb0e3071066fa0807984c1b3ebe21915ad246309f8e3e642eb6931fc2434
✅ Better (PBKDF2+salt): 2ec036868f5c2e8e866da1d6409e70445455792f0c33a20c2143a9231f451db24eef51557de50e769a926d8ef670f7e3

💡 In production, use bcrypt, scrypt, or Argon2!
They handle salting and adaptive costs automatically.


In [4]:
# Example: Timing Attack Prevention
import hmac
import time

print("⏱️  Timing Attack Prevention")
print("=" * 40)
def timed_compare(compare_func, hash1, hash2):
    start = time.perf_counter()
    result = compare_func(hash1, hash2)
    elapsed = time.perf_counter() - start
    return result, elapsed


def vulnerable_compare(hash1, hash2):
    """VULNERABLE - stops at first difference"""
    return hash1 == hash2

def secure_compare(hash1, hash2):
    """SECURE - constant time comparison"""
    return hmac.compare_digest(hash1, hash2)

# Test with similar hashes
correct_hash = "5d41402abc4b2a76b9719d911017c592"
wrong_hash1 = "5d41402abc4b2a76b9719d911017c593"  # differs at end
wrong_hash2 = "6d41402abc4b2a76b9719d911017c592"  # differs at start

res1, t1 = timed_compare(vulnerable_compare, correct_hash, wrong_hash1)
res2, t2 = timed_compare(vulnerable_compare, correct_hash, wrong_hash2)
print(f"Vulnerable timing (end diff):   {t1:.8f} seconds")
print(f"Vulnerable timing (start diff): {t2:.8f} seconds")

res3, t3 = timed_compare(secure_compare, correct_hash, wrong_hash1)
res4, t4 = timed_compare(secure_compare, correct_hash, wrong_hash2)
print(f"Secure timing (end diff):       {t3:.8f} seconds")
print(f"Secure timing (start diff):     {t4:.8f} seconds\n")
print("Testing vulnerable comparison:")
print(f"Correct vs Wrong(end):   {vulnerable_compare(correct_hash, wrong_hash1)}")
print(f"Correct vs Wrong(start): {vulnerable_compare(correct_hash, wrong_hash2)}")

print("\nTesting secure comparison:")
print(f"Correct vs Wrong(end):   {secure_compare(correct_hash, wrong_hash1)}")
print(f"Correct vs Wrong(start): {secure_compare(correct_hash, wrong_hash2)}")

print("\n💡 Always use hmac.compare_digest() for comparing secrets!")
print("It takes the same time regardless of where differences occur.")

⏱️  Timing Attack Prevention
Vulnerable timing (end diff):   0.00000220 seconds
Vulnerable timing (start diff): 0.00000240 seconds
Secure timing (end diff):       0.00000350 seconds
Secure timing (start diff):     0.00000780 seconds

Testing vulnerable comparison:
Correct vs Wrong(end):   False
Correct vs Wrong(start): False

Testing secure comparison:
Correct vs Wrong(end):   False
Correct vs Wrong(start): False

💡 Always use hmac.compare_digest() for comparing secrets!
It takes the same time regardless of where differences occur.


# 🎯 Modern Crypto Recommendations for Programmers

## **Use These Standards:**

### Symmetric Encryption:
- **AES-256-GCM** (authenticated encryption)
- **ChaCha20-Poly1305** (modern alternative)

### Password Hashing:
- **bcrypt** (most common, well-tested)
- **Argon2** (newest, most secure)
- **scrypt** (memory-hard alternative)

### Random Numbers:
- **secrets.randbits()** (Python)
- **crypto.randomBytes()** (Node.js)
- **RandomNumberGenerator** (C#)

### Libraries to Trust:
- **cryptography** (Python)
- **crypto** (Node.js built-in)
- **System.Security.Cryptography** (C#)
- **Bouncy Castle** (Java/C#)

## **Golden Rules:**
1. ✅ **Use established libraries**
2. ✅ **Generate random IVs/salts**
3. ✅ **Use constant-time comparisons**
4. ✅ **Plan for key rotation**
5. ❌ **Never implement your own crypto**