Modern Cryptography
What is Cryptography?
Cryptography is the science of protecting information by transforming it into a format that is unreadable to anyone who does not have the key to decipher it. It is one of the most fundamental tools in information security, ensuring confidentiality, integrity and authenticity of data.
Types of Cryptography
1. Symmetric Cryptography
Uses the same key to encrypt and decrypt information. It is fast and efficient for large volumes of data.
- AES (Advanced Encryption Standard): Current standard, used in 128, 192 or 256 bits
- ChaCha20: Modern alternative to AES, optimized for mobile devices
- 3DES: Legacy, in the process of being deprecated
- Blowfish: Predecessor of AES, still used in specific applications
2. Asymmetric Cryptography
Uses a key pair: a public one to encrypt and a private one to decrypt. Fundamental for digital signatures and secure key exchange.
- RSA: Widely used, security based on factoring prime numbers
- ECC (Elliptic Curve Cryptography): More efficient than RSA with smaller keys
- DSA: Digital Signature Algorithm for digital signatures
- Ed25519: Modern implementation of elliptic curves
3. Hash Functions
Transform data of any size into a fixed-size output. Used for integrity and secure password storage.
- SHA-256/SHA-512: SHA-2 family, current standard
- SHA-3: Most recent standard, alternative to SHA-2
- BLAKE2/BLAKE3: Faster than SHA, growing adoption
- bcrypt/Argon2: Specialized for password hashing
Public Key Infrastructure (PKI)
PKI is a framework that manages digital certificates and public key cryptography, essential for secure authentication and encrypted communications.
PKI Components
- Certificate Authority (CA): Issues and revokes digital certificates
- Registration Authority (RA): Verifies identities before issuance
- Digital Certificates: X.509 bind public keys to identities
- CRL/OCSP: Revocation lists and certificate status
TLS/SSL
Transport Layer Security (TLS) and its predecessor SSL are cryptographic protocols that ensure secure communications over the internet.
TLS Best Practices
- Use exclusively TLS 1.2 or TLS 1.3
- Disable weak cipher suites (RC4, DES, 3DES)
- Implement Perfect Forward Secrecy (PFS)
- Use certificates of 2048 bits or higher
- Enable HSTS (HTTP Strict Transport Security)
- Implement Certificate Pinning in critical applications
Key Management
The security of any cryptographic system depends critically on the proper management of cryptographic keys.
Key Lifecycle
- Generation: Use cryptographically secure generators (CSPRNG)
- Storage: HSMs for critical keys, vaults for applications
- Distribution: Secure channels, key exchange protocols
- Rotation: Defined periodicity, automation recommended
- Revocation: Clear procedures for compromise
- Destruction: Secure elimination at the end of the lifecycle
Hardware Security Modules (HSM)
HSMs are physical devices that generate, store and protect cryptographic keys with FIPS 140-2/3 certification.
- Protection against key extraction
- Hardware-accelerated cryptographic operations
- Regulatory compliance (PCI-DSS, LGPD)
- Cloud HSM for cloud environments
Cryptography in Different Contexts
Data at Rest
- Full Disk Encryption (FDE) with BitLocker, LUKS
- Database encryption (TDE - Transparent Data Encryption)
- File-level encryption for sensitive data
- Mandatory backup encryption
Data in Transit
- TLS/SSL for web communications
- IPSec for site-to-site VPNs
- SSH for remote administration
- STARTTLS for email (SMTP, IMAP)
Data in Use
- Homomorphic Encryption (still experimental)
- Secure Enclaves (Intel SGX, AMD SEV)
- Confidential Computing
Post-Quantum Cryptography
Quantum computers threaten current algorithms such as RSA and ECC. NIST is standardizing algorithms resistant to quantum attacks:
- CRYSTALS-Kyber: Key encapsulation
- CRYSTALS-Dilithium: Digital signatures
- SPHINCS+: Hash-based signatures
- FALCON: Compact signatures
Compliance and Regulations
- LGPD/GDPR: Cryptography recommended for personal data
- PCI-DSS: Cryptography mandatory for card data
- HIPAA: Cryptography for medical records
- FIPS 140-2/3: Standards for cryptographic modules
Common Vulnerabilities and Attacks
- Man-in-the-Middle: Interception of unprotected keys
- Padding Oracle: Exploitation of padding errors
- Timing Attacks: Analysis of operation timing
- Side-Channel Attacks: Extraction via power/EM consumption
- Rainbow Tables: Pre-computation of weak hashes
Best Practices
- Never implement your own cryptography, use tested libraries
- Keep cryptographic libraries up to date
- Use random salts for password hashing
- Implement key stretching (PBKDF2, bcrypt, Argon2)
- Use cryptographically secure random numbers
- Document cryptographic design decisions
- Perform audits of cryptographic implementations
- Plan for crypto-agility for algorithm migration
Tools and Libraries
- OpenSSL: Complete cryptographic toolkit
- libsodium: Modern and easy-to-use library
- Bouncy Castle: Implementation in Java and C#
- Cryptography.io: Python library
- AWS KMS/Azure Key Vault: Cloud key management
- HashiCorp Vault: Secret and key management
Cryptography is fundamental to protecting data in all states. A robust strategy combines appropriate algorithms, rigorous key management, correct implementation and compliance with standards. With the threat of quantum computing, organizations must begin planning the transition to post-quantum cryptography while maintaining current best practices.
