9.4 Cryptography Fundamentals

Why Cryptography Is on the CEH

Cryptography is its own domain on the CEH. Questions test definitions and properties — which algorithm provides confidentiality, which provides integrity, which solves key distribution — not implementation math. The fastest way to answer is to know the security service each primitive provides: confidentiality (encryption), integrity (hashing), authentication (HMAC/signatures), and non-repudiation (digital signatures). Match the service the scenario needs to the primitive that provides it.

Symmetric vs Asymmetric Encryption

Symmetric (secret-key) encryption uses the same key to encrypt and decrypt. It is fast and ideal for bulk data, but both parties must already share the key — the key distribution problem — and the number of keys explodes as parties are added (n(n-1)/2 keys for n parties).

Asymmetric (public-key) encryption uses a mathematically linked key pair: a public key (shared freely) and a private key (kept secret). Data encrypted with one key is decrypted only with the other. It is far slower but solves key distribution and enables digital signatures.

In practice, real systems are hybrid: slow asymmetric crypto securely exchanges a symmetric session key, then fast symmetric crypto encrypts the bulk data. TLS works exactly this way.

Core Symmetric and Asymmetric Algorithms

• AES (Advanced Encryption Standard) — the standard symmetric block cipher; 128-bit block with 128/192/256-bit keys (the Rijndael algorithm). It replaced the weak/broken DES and is the default for bulk encryption today.
• DES (Data Encryption Standard) — legacy 56-bit-key block cipher, now insecure and brute-forceable in hours; do not use.
• 3DES (Triple DES) — applies DES three times for an effective ~112-bit strength; deprecated and slow, retained only for legacy compatibility.
• RSA — asymmetric algorithm based on the difficulty of factoring large composite numbers; used for key transport and digital signatures (use 2048-bit keys or larger).
• Diffie-Hellman (DH) — asymmetric key agreement based on the discrete logarithm problem; establishes a shared key but does not itself encrypt or authenticate.
• ECC (Elliptic Curve Cryptography) — asymmetric scheme that delivers equivalent strength to RSA at much smaller key sizes (a 256-bit ECC key is comparable to a 3072-bit RSA key), making it efficient for mobile and constrained devices.

Hashing, HMAC, and Salting

A cryptographic hash function is a one-way function producing a fixed-length digest. Properties: deterministic, irreversible (preimage-resistant), collision-resistant, and the avalanche effect — a tiny input change drastically changes the output. A hash provides integrity, not confidentiality.

• HMAC (Hash-based Message Authentication Code) combines a hash with a secret key to provide integrity plus authentication — proving the message was not altered and came from a party holding the shared key.
• Salting adds unique random data to each password before hashing so identical passwords hash differently. This defeats precomputed rainbow-table attacks and slows mass cracking. Pair salting with a slow, purpose-built password hash (bcrypt, scrypt, Argon2, PBKDF2) — never a fast bare hash.

Diffie-Hellman Key Exchange (Concept)

Diffie-Hellman lets two parties agree on a shared secret over an insecure channel without ever transmitting the secret itself. Each party combines public values with its own private value so both independently compute the same shared key, while an eavesdropper who sees only the public exchange cannot. It provides key agreement only — not encryption or authentication — so it is typically authenticated by signatures or certificates (otherwise it is vulnerable to man-in-the-middle).

Ephemeral Diffie-Hellman (DHE/ECDHE) generates fresh keys per session, providing forward secrecy so a future key compromise cannot decrypt past sessions.

Block Ciphers, Stream Ciphers, and Modes

Symmetric ciphers come in two forms. A block cipher (AES, DES, 3DES) encrypts fixed-size blocks; a stream cipher (ChaCha20, the broken RC4) encrypts a continuous keystream bit-by-bit, useful for real-time data. Block ciphers need a mode of operation to handle data longer than one block, and the mode choice matters for security:

• ECB (Electronic Codebook) — encrypts each block independently; identical plaintext blocks produce identical ciphertext, leaking patterns. Avoid ECB.
• CBC (Cipher Block Chaining) — chains each block with the previous using an Initialization Vector (IV), hiding patterns but vulnerable to padding-oracle attacks if unauthenticated.
• CTR / GCM — counter-based modes; GCM (Galois/Counter Mode) is AEAD, providing confidentiality and integrity in one step, and is the modern default.

The exam trap: ECB is insecure because it reveals structure, while AES-GCM (authenticated encryption) is the recommended choice.

The Four Security Services (Summary)

Map each goal to its primitive: confidentiality = encryption (AES/RSA); integrity = hashing (SHA-2/3); authentication = HMAC or digital signatures; non-repudiation = digital signatures only (a shared symmetric key cannot provide non-repudiation because both parties hold it).