Linux Cryptography explained (Symmetric encryption & hashes).

CRYPTOGRAPHY

It is the art of protecting information by transforming it (encrypting it) into an unreadable format, called cipher text. Only those who possess a secret key can decipher (or decrypt) the message into plain text. Encrypted messages can sometimes be broken by cryptanalysis, also called code breaking, although modern cryptography techniques are virtually unbreakable.


Symmetric Encryption:
Encryption algorithms that use the same key for encrypting and for decrypting information are called symmetric-key algorithms. The symmetric key is also called a secret key because it is kept as a shared secret between the sender and receiver of information. Otherwise, the confidentiality of the encrypted information is compromised.

Kerckhoff's principle (also called Kerckhoffs' assumption, axiom or law) was stated by Auguste Kerckhoffs in the 19th century: It states --
“a cryptosystem should be secure even if everything about the system, except the key, is public knowledge”.


Symmetric encryption is of two types:
1> Stream ciphers (encrypt the bits of the message one at a time)
2> Block ciphers (take a number of bits and encrypt them as a single unit)

Examples of Commands for encrypting & decrypting files in Linux:
>openssl enc -des3 -salt -a -in myfile.txt -out encryptedfile.des3
>openssl enc -d -des3 -salt -a -in encryptedfile.des3 -out myfile.txt
OR
>gpg -c --cipher-algo des3 myfile.txt
>gpg -d --cipher-algo des3 myfile.gpg


"openssl enc" & gpg r utilities for encryption.
des3 (block cipher) is an algorithm used for encryption. In place of it, aes (Advanced Encryption Standard algorithm approved by NIST in December 2001 uses 128-bit blocks), blowfish, twofish, CAST5 can be used for gpg. Similarly aes, blowfish, aes256,aes192, rc4 are for openssl enc.
a = armour – convert into ASCII (unicode character must be converted into ascii code before encryption)
salt = salt, to add uniqueness to same text(pc takes arbitrary salt value from the present state of cpu such as cursor position, RAM state etc)
Eg. If two person have the same password, their encrypted password will be different, credit goes to salt value. U can see ur password's salt value in /etc/shadow file. It is a part of the encrypted password text that is between $s, like $12Re.jfhrr343!k$
In gpg --ciper-algo is optional.

Cryptographic Hashes:

A "hash" (also called a "digest", and informally a "checksum") is a kind of "signature" for a stream of data that represents the contents.
A hash function takes a string (or 'message') of any length as input and produces a fixed length string as output, sometimes termed a message digest or a digital fingerprint.

To compute a message digest, issue the command:
>openssl dgst -sha1 /boot/grub/grub.conf

If any one tampers grub, u will be informed (a shell script will do that which will compare previous checksum with present checksum).
openssl dgst is a flexible tool for generating message digest.
In place of grub path, it can be any file.
U may use -md5, -sha, -sha256, -md4, -md2, -ripemd160 algos etc in redhat, in place of -sha1. Of course u have seen -md5 digest, when u r downloading some files, software, OS etc. It is used to confirm that the file downloaded has not been tampered in between while downloading.