Cryptography and Signature concept must know before jumping to Web 3.0

Why I am writing this article?

Many times it happens we need to implement SSL certificate pinning in the mobile apps. Many of my junior developer friends come to me and ask about the concept behind SSL pinning. In between, I was also exploring Web 3.0 which talks a lot about Public and Private keys which are related to Cryptography and SSL pinning concept.

So I thought to write an article so that it can be shared with people and I save my time explaining the same concept.

However, I will write a separate article on SSL certificate pinning in mobile apps. Before that first understand Cryptography and its type. It is not specific to mobile apps it's a universal concept that needs to be digested.

Cryptography:

It is the practice and study of techniques for secure communication in the presence of adversarial behavior. It can be done in two ways Asymmetric and Symmetric Encryption.

Let's assume a real-life example where Employee A wants to share a message to Employee B but in an encrypted way so no other can able to understand.

Asymmetric encryption:

Asymmetric encryption (also known as asymmetric cryptography) allows users to encrypt information using shared keys. You need to send a message across the internet, but you don’t want anyone but the intended recipient to see what you’ve written. Asymmetric encryption can help you achieve that goal.

a) Confidentiality I.e. Encryption: Both Employee A and Employee B have their own sets of private and public keys and they want to share a message in an encrypted way.

From this, we can make sure the data confidentiality as the only key in the world can decrypt is the Private key of Employee B.

b) Authenticity: Now let's consider Employee A does not care about the confidentiality and anyone can able to read a message. Employee A only wants to make sure Employee B gets the message.

If Employee B can able to decrypt the message from the Public key of Employee A this proves that Employee A must have sent a message to Employee B.

This gives us the authentication.

c) Integrity:

The above scenario also proves that if someone capture the value in the middle and corrupted it. The Employee B when try to decrypt from public key it will get an error. This means that only key in the world can decrypt the message is the Employee A public key and only key in the world can encrypt the Message is Employee A private key. This proves the integrity.

This process B and C is called Signature i.e. Authenticity and Integrity. Asymmetric key can be used to create a Signature and encryption.

Limitations: Asymmetric key can not be used for bulk data as it is slow and more taxing on CPU.

Solution : Symmetric key pair that can used for protecting a bulk data we need to stablised a Symmetric key eiher side of employee.

Symmetric encryption:

Symmetric encryption is a type of encryption where only one key (a secret key) is used to both encrypt and decrypt electronic information.

As Symmetric key is smaller set of data and we can not use Asymmetric key for a large size of data , so we will going to use a Asymmetric key to share a Symmetric key. letss see how->

By using only one Symmetric key both side can send any number of data i.e. called Symmetric encryption.

Hybrid encryption:

This whole concept call Hybrid encryption I.e. use Asymmetric key pair encryption for key exchange and Symmetric key pair encryption to share bulk data. This how SSL / TLS or SSH protect build data transfer.

What about Signature :

Digital signature is a cryptographic value that is calculated from the data and a secret key known only by the signer.

Limitations : Since entire message can not be encrypted by Private key so Asymmetric key pair encryption have some limitation again :(

Solution: We can sign a fixed and representational sample of entire bulk of message i.e. where Hashing Algorithm come into picture. Send along with entire message.

Hashing Algorithm:

A hashing algorithm is a mathematical algorithm that converts an input data array of a certain type and arbitrary length to an output bit string of a fixed length.

If both the digest matches that means?

Message has not change since signed by Employee A. This give us Integrity

Only Employee A would have created a Signature with his private key. This give us Authenticity

So u can not only create signatire for message but also certificate , software or email can also be signed.

Please let me know in case of any query or suggestions.

Thanks so much, guys!!!!