# Cryptography
### Objectives

* Compare and contrast cryptographic ciphers.
* Summarize cryptographic modes of operation.
* Summarize cryptographic use cases and weaknesses.
* Summarize other cryptographic technologies.

A cipher is the particular operations performed to encode or decode data. Modern cryptographic systems make use of symmetric and asymmetric cipher types to encode and decode data. 

Cryptography - Secret writing art of ecoding and decoding data
* Plain text - unencrypted data
* Ciphertext - encrypted message
* Cipher - Process/algo used in encoding and decoding
* Cryptoanalysis - art of cracking crypto systems

### Hashing - 
* Simplest
* produces fixed output kength from any plain text length
* output reffered to as checksum, message digest, hash
* designed so that it is impossible to recover the plaintext data from the digest (one-way) and so that different inputs are unlikely to produce the same output (with a reduced chance of a collision).
* Avalache - small effect on plain text > diff in output
* Collision resistance
* PreImage resistance  
* Plain text cannot be recovered

Popular algos - 
* Secure Hash Algorith(SHA) - Strongest algo, popular variant is SHA-256
* Message Digest Algorithm(MD5) - produces a 128-bit digest

### Encryption ciphers and keys
Enables encoding and decoding using a key

#### Substitution ciphers
A substitution cipher involves replacing units (a letter or blocks of letters) in the plaintext with different ciphertext.
* ROT13 (an example of a Caesar cipher) rotates each letter 13 places (so A becomes N for instance). The ciphertext "Uryyb Jbeyq" means "Hello World".

#### Transportation Ciphers
In a transposition cipher stay the same in plaintext and ciphertext, but their order is changed, according to some mechanism. Consider how the ciphertext "HLOOLELWRD" has been produced:
~~~ text
H L O O L

E L W R D
~~~
#### Keys and secret Ciphers
Encryption ciphers use a key to increase the security of the process. For example, if you consider the Caesar cipher ROT13, you should realize that the key is 13. You could use 17 to achieve a different ciphertext from the same method.
Attempting to hide details of the cipher (a secret algorithm) amounts to "security by obscurity." Modern ciphers are made stronger by being open to review (cryptanalysis) by third-party researchers.

### Symmetric Encryption
One in which encryption and decryption are both performed by the same secret key. '
* Stream Ciphers - each byte or bit of data in the plaintext is encrypted one at a time. 
* Block ciphers - he plaintext is divided into equal-size blocks (usually 128-bit).

The Advanced Encryption Standard (AES) is the default symmetric encryption cipher for most products. Basic AES has a key size of 128 bits, but the most widely used variant is AES256, with a 256-bit key. 

### Asymmetric Encryption / Public Key Cryptography Algorithms
With an asymmetric cipher, operations are performed by two different but related public and private keys in a key pair. 
* To prove identity
* Too much computational power
* Cannot be larger than key size
* mostly used for authentication and non-repudiation and for key agreement and exchange. Key agreement/exchange refers to settling on a secret symmetric key to use for bulk encryption without anyone else discovering it.

Ron Rivest, Adi Shamir, and Leonard Adleman published the RSA cipher in 1977 [text](rsa.com).
Trapdoor Function -  it is easy to perform using the public key, but difficult to reverse without knowing the private key.

Elliptic curve cryptography (ECC) is another type of trapdoor function that can be used in public key cryptography ciphers. ECC used with a key size of 256 bits is very approximately comparable to RSA with a key size of 2048 bits.

RSA key pair security depends on the difficulty of finding the prime factors of very large integers (modular exponentiation). ECC depends on the discrete logarithm problem.
Overview of the differences btwn the two [link](blog.cloudflare.com/a-relatively-easy-to-understand-primer-on-elliptic-curve-cryptography).


### Cyrogtaphic Modes of Operation
A mode of operation is a means of using a cipher within a product to achieve a security goal, such as confidentiality or integrity. 

#### Digital signatures
Public key cryptography can only be used with very small messages, however. Hashing proves integrity by computing a unique checksum from input. These two cryptographic functions can be combined to authenticate a sender and prove the integrity of a message, with a digital signature.

#### Digital Envelopes and Key Exchange
A digital envelope allows the sender and recipient to exchange a symmetric encryption key securely by using public key
* A Obtains Public key
* A encrypts the message using secret cipher key, AES,session key
* A encrypts session key using B`s public key
* A attaches encrypted session key to ciphertext message in digital envelope and sends to B
* B uses private key to decrypt session key
* B uses session key to decrypt ciphertext message

#### Digital certificates
Only the intended recipient can decrypt a message in public/private key 
Only issue is trusting the source of public key. 
A third party, Certificate Authority(CA), validates owner of public key by issuing the subject with certificate.
If both trust CA,  they can also trust the public key wrapped in the subject's certificate. 
The process of issuing and verifying certificates is called public key infrastructure (PKI).

#### Perect Forward Secrecy
In this key exchange model, if data from a session were recorded and then later the server's private key were compromised, it could be used to decrypt the session key and recover the confidential session data.
This risk from RSA key exchange is mitigated by ** perfect forward secrecy (PFS). PFS uses Diffie-Hellman (DH) key agreement to create ephemeral session keys without using 
the server's private key. **

Implimented using:
*  Diffie-Hellman Ephemeral mode (DHE or EDH)
*  Elliptic Curve Diffie-Hellman Ephemeral mode (ECDHE)

Bug on private key [link] https://owasp.org/www-community/vulnerabilities/Heartbleed_Bug.

#### Cipher Suites and Modes of Operation
The combination of ciphers supported is referred to as a cipher suite. 
* Signature algorithm - Assert the identity of the server's public key and facilitate authentication.
* A key exchange/agreement algorithm, used to derive the same bulk encryption symmetric key.

In [6]:
### hashing using sha256
import hashlib

# Input data
input_data = "Hello, World!"

def hashh(i):
    # Create a hashlib object using SHA-256
    hash_object = hashlib.sha256()

    # Update the object with the input data
    hash_object.update(i.encode('utf-8'))

    # Get the hash value
    hash_value = hash_object.hexdigest()

print(hashh(input_data) == hashh(input_data))



Hash Value: dffd6021bb2bd5b0af676290809ec3a53191dd81c7f70a4b28688a362182986f
Hash Value_2: dffd6021bb2bd5b0af676290809ec3a53191dd81c7f70a4b28688a362182986f
True


In [1]:
### symmetric encryption
from cryptography.fernet import Fernet

# Generate a random symmetric key
key = Fernet.generate_key()

# Initialize the Fernet cipher with the key
cipher_suite = Fernet(key)

# Data to be encrypted
data_to_encrypt = b"Hello, this is a secret message!"

# Encrypt the data
encrypted_data = cipher_suite.encrypt(data_to_encrypt)

# Decrypt the data
decrypted_data = cipher_suite.decrypt(encrypted_data)

print("Original Data:", data_to_encrypt)
print("Encrypted Data:", encrypted_data)
print("Decrypted Data:", decrypted_data.decode('utf-8'))


Original Data: b'Hello, this is a secret message!'
Encrypted Data: b'gAAAAABlIHWnJHzsHfSGL2KnNNgLIdX8jbB9JX4g_LRT5MPiQr_kse9PbLGv-VEI7OvY8D_66KkOb3n31TCcbdrvb1p2UBGRebGNK9AF4jsWgjedb17UyNTsbjPuWqeQk7msKmXVUxyt'
Decrypted Data: Hello, this is a secret message!


In [2]:
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import rsa, padding
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes

# Generate a new RSA key pair
private_key = rsa.generate_private_key(
    public_exponent=65537,
    key_size=2048,
    backend=default_backend()
)

# Serialize the public key
public_key = private_key.public_key()
public_key_pem = public_key.public_bytes(
    encoding=serialization.Encoding.PEM,
    format=serialization.PublicFormat.SubjectPublicKeyInfo
)

# Encrypt a message using the public key
message = b"Hello, World!"
ciphertext = public_key.encrypt(
    message,
    padding.OAEP(
        mgf=padding.MGF1(algorithm=hashes.SHA256()),
        algorithm=hashes.SHA256(),
        label=None
    )
)

# Decrypt the ciphertext using the private key
plaintext = private_key.decrypt(
    ciphertext,
    padding.OAEP(
        mgf=padding.MGF1(algorithm=hashes.SHA256()),
        algorithm=hashes.SHA256(),
        label=None
    )
)
print(f'Encrypted Message {ciphertext}')
print("Original Message:", message.decode('utf-8'))
print("Decrypted Message:", plaintext.decode('utf-8'))


Encrypted Message b"\x1e\xc3\x14k\xcb]\xe0mR\x14\x80\xee\xf4N\x1fH\xc9\xf7W\xff\x88?\xc73\xa8\xb4_<\xd0\x92\xd4,\xbc\xc7\x98\xb1\xff\xc2\x03\x16\xa3\x0bU\xf6\xf8\xbc\xc0\xcb\xdej\x18\xecL\xef\x10\xbaj\xcbT\xdd\xc3\xe1%\x99\x17y!&\x07#\xb0x(\xc5(\xf7\x03\xd8W@\xc8\xde\x7f\xe6\xd07\xfe7X\xc4~\xec\x98\x1fh%\xc2#'N\x8b\x9b\x8f\x8a\x8f}\xfbNX\xa6v-\x1a\xef\x10\x7f\x9d\xa1P\x96\xd5w\x1b\xc0\xd2P\x1d\x93K\xa9\xc1*xV\xda-%\x97\xf6?X\xeb\xfd\xb5\xf5\xd0\x0c{)K\x88\x15\x80y\xe3\x06w\x93\xff_Yt('\x13n\xc0\x8b\xac\xcc\x03\xe1?\xb8G,\xdf\x11\xbcr\xae\x92\xcd\x04L\x84\xbe\xa8\x07#\x0b\xde\x07\x99\xd0M\x1b\\\xf1\x94\xfe\xd2%\x0e\xba\xa4\x18\xd8\xf0\xf4\xcc\x8cO\x12r\xa9\xa2\\y\xe5\xe4\x05\xa4\xf5\xf9\x0f\xef\xcc+\x10O)\x9e|\xed\xbf\xd5\xa9g\x8eJ\xbd\x93j\xe5g\x87\x8c\xf1\x93zu\xe8%\x13X"
Original Message: Hello, World!
Decrypted Message: Hello, World!
