 Hey everybody, this is Brian. Welcome to the 150th Qt tutorial with C++ and GUI programming. Notice I said C++ and GUI programming. We're going to step away from QML for a little bit. One of my passions is cryptography and I've been getting a lot of emails from people. We did do AES 256 with the Botan or Botan, I can never pronounce that, but it's changed and it keeps changing and unfortunately every time it changes it breaks and then I get like a hundred bajillion emails saying, hey, it broke, fix it, but I can't really fix it because I never wrote Botan, I just wrote a wrapper for it. So we're going to step away from that and we're going to use something called OpenSSL. So this tutorial really won't have any code in it, but it's going to be like an encryption primer. So if you're a cryptography expert you can safely skip this video, but if you're still kind of fuzzy on some technologies, by all means, listen, you may learn something or you'll tell me I'm wrong and I'll learn something. But anyways, so Botan, Botan, whatever it was, fantastic library, not knocking it, it's just every time it changes or you change your OS, you've got to recompile it, it just dies. So the most popular library out there is OpenSSL and you can go to OpenSSL.org. Actually, Qt uses OpenSSL under the hood to do the QSSL sockets now. We're not going to really be covering SSL per se. We're actually going to cover those in future tutorials, but we're going to do just hardcore bare-bones encryption. And what we're going to cover is the RSA algorithms and AES, or Advanced Encryption Standard. So what are these two algorithms? So let's just kind of briefly walk through these. Well, RSA, if you read the description, RSA is an algorithm used by modern computers to encrypt and decrypt messages. It doesn't really tell us much. Well, it's an asymmetric cryptography cryptographic algorithm. Gosh, I cannot pronounce that, asymmetric cryptographic algorithm. What does that mean, asymmetric?
Meaning, there is a whole lot of math that goes into this. And if you read the description, you see there's some heavy math that goes into this. And we're not going to mess with any of that math because I hate math. The devil said put letters in the alphabet. I mean, that's just kind of how I view math. But anyways, what RSA really does is it works with this concept of keys. You have public and private keys. Now, think of a key as exactly what it is. You go to, you know, open the door of your house. You use a key. So the key locks or unlocks depending on what you want. That's why it's called a key. It locks or unlocks, it encrypts or decrypts. Now, RSA is different. RSA has two keys. There's a public and a private. That's why it's asymmetrical. Meaning, if you encrypt it with the public key, you cannot decrypt it with the public key. And it sounds a little confusing, but I think this graphic, if we can pick it up, will definitely help. You have a public key and a private key. Now, what's the difference here? A public key would be something that you would generate and you would give to another person. So if you've heard of, like, you go to an HTTPS website and you get a certificate, well, that's exactly what it is. It's a public key. So, yeah, like that's an HTTPS right here. So, really, that's all it is. It's just a public key. It's something that you can freely give out to anybody in the world. Now, that seems counterintuitive. Why would you give somebody the key? Because it's asymmetrical. Meaning, if you take "the quick brown fox jumps over the lazy dog" and encrypt that with the public key, here it's encrypted, if you tried to decrypt it with the public key, it would just be garbage. It would make no sense. Meaning, it's an asymmetrical or one-way encryption. Now, how RSA works is let's say I were to send you a message. I would use your public key or your certificate in this case to encrypt the message.
You would get the encrypted data and you would use your private key to decrypt it. Now, private is just that. It's private. You would never give out your private key under any circumstances ever because if you give out your private key, that means anything that's encrypted can be decrypted and that's not good. So that's the foundations of RSA. It gets a lot deeper than that. It's called RSA not because of the company, but because Ron Rivest, Adi Shamir, and Leonard Adleman actually invented this thing. And there's a lot of math. I mean, it's just insanely complex when you think about it. It just blows my mind that we can do this. But you can also use it to digitally sign messages. It actually creates a hash or a one-way hash like SHA1, or MD5, things of that nature. All these things may sound really confusing, but just know they're just bytes. We used QByteArray before. So they're just bytes. So all we're doing is moving bytes around. We're just doing it in an extremely complex fashion. So you might want to read up on PKI or public key infrastructure keys. Now RSA is not PKI. I should just put that out there right now. RSA is the actual algorithm used to create the public and private keys. They are not, however, the algorithm used to distribute the public private keys. You're looking for something like Diffie-Hellman key exchange, which we are not going to cover. All right. We're also going to cover Advanced Encryption Standard, or AES. AES, also known as the Rijndael block cipher. This bad boy is just monolithic. I mean, this is used by governments, including the U.S. government, NSA, CIA, FBI, and every government on the face of the planet, whether you're China, Korea, France, it doesn't matter. You're using AES. Why? Because it's the biggest, baddest encryption method on the block. The problem with AES is it uses blocks. Well, not necessarily a problem. And you can actually use it in a different mode, so it doesn't necessarily use blocks.
There's all variations of AES. Someone will argue, no, it's a block cipher, but I've actually seen AES used in a stream cipher. It's crazy. Point being, it's a symmetrical block cipher, meaning you have one key, not two, just one. And that key has to remain private at all times. So, think of this. Why would you use AES versus RSA? What's really the difference here? Well, RSA is meant to, well, encrypt AES keys. You can actually encrypt anything you want with RSA, but did I say RES? I did. RSA, sorry, is used for fast encryption, fast one-way encryption. AES is used for bulk encryption, massive blocks, if you will. So what it'll do is it'll grab blocks or chunk sizes of X number of bits, whether it's 128, 192, or 256, and it randomizes, or I shouldn't say randomizes, it moves those blocks around based on what's called a key and a salt and an initialization vector. Now, that's a lot of information I'm throwing at you, so what's really the difference between all of these things? Well, if you read this, which, you know, I don't expect you to, but you can see there's a lot of bit shifting going on. That's really all encryption is, is moving things around. But you're doing it in a very insanely complex fashion, and it has to be mathematically precise, otherwise it just simply won't decrypt. You can see how it's actually used by NSA. But anyways, back on track here. Known attacks, you can actually decrypt things. You can, I'm sure you've seen in the news, the NSA decrypts data all the time. Well, they do that because people use weak keys. You can do different attacks. Now, this is why you don't use a hash as a key. A lot of people go, I'm going to use a hash. No, because there's this thing called a rainbow table attack, which will go through and precompute every hash known to man. And from that, you get all the hashes, aka you get all the keys. So you don't ever do that.
Now, I'm not going to go through all this, but there's some very foundational things you need to understand here. AES uses one key, and that key has to remain private at all times, even when you're encrypting. That may seem impossible. Now, AES also uses what's called an initialization vector or an IV and a salt. Now, the IV is, well, it's a vector, meaning it's just a bunch of bytes that are used to kind of tell the algorithm how to function. Think of it, boy, think of it like a doorknob. Okay, you've got a key. Now you've got a doorknob. You put the key in, you've got to turn the doorknob to open the door. Well, how you turn that is the initialization vector. Those variant bytes in the vector will determine how the algorithm functions. Also, you have what's called a salt. This is a little more complex. What is a salt? Let's say you have a key, and you have an initialization vector, and you encrypt a bunch of data. Well, the problem is, over time, you're going to notice patterns because you're using the same key and the same initialization vector. So if I encrypt, let's just say this paragraph 100 times, you're going to notice that you're going to have 100 blocks of data that look identical. Even though they're encrypted, you don't know what it says. You can tell they're identical. And because they're identical, you can deduce a pattern. And because you can deduce a pattern, you can write a program that actually brute forces and finds the key and converts that back to plain text. Thus, the salt was born. What a salt does is you can use the same key, the same initialization vector, but it's going to be different every time. So you have the same key, same IV, different salt. And because the salt's different, the data output is going to look completely different. You can think of a salt kind of like a mini key. So if you're thinking in the concept of a door, you've got the key that goes into the lock, then you've got the doorknob that turns it.
But let's say this is like one of those really weird old doorknobs that you've got to jiggle just right. That's what a salt is. So that's a lot of high-level concept. Basically, what we've just gone over between the asymmetric RSA and the symmetric AES is about a two to three week course in cryptography, if you really want to know all the details, ins and outs. Well, we're programmers. We're lazy. We don't want to know all the details. We just want to make stuff work, correct? All right. So let's kind of look. I've got a demo program and I'm not going to do, you know, hey, look at my program, download my code. I'm actually starting the next video. We're going to write this bad boy from scratch, but I just wanted to show you how it can get kind of complex here. What we've got, and this is a static compile I might add, we've got OpenSSL, the library. And I've got that out here. Yeah. In my code folder, under libraries, I've got OpenSSL. And you can just download the source and compile it. I'm not going to go over how to compile it because they have directions out there. And the method of compiling it may change depending on the version. The API inside OpenSSL should not change, but the way you compile it may change. So I don't want to give you false information. You don't necessarily have to compile this, by the way, you can download it pre-compiled, especially on Windows. That's actually the recommended method. I'm doing static just because I was playing around with Qt static builds. And I will do a video in the future on how to static compile, but just know that you have to have the include path, and we're going to cover this in the videos, which points to the actual header files for OpenSSL. You can see there's the include files. You know, foundations of C++ right there, you need the header files so you know what to include. Then you actually point to the libs. Now, there's two main libs. It's not just one.
There's the libssl, which handles the OpenSSL library, and then libcrypto, which does all the cryptographic functions, the RSA and the AES. Then internally, we have to do some math. I shouldn't say math, we're just calling functions basically. But it looks like math to me, and I don't like math. Basically, we want to be able to load a public key, load a private key, encrypt with RSA, decrypt with RSA, encrypt with AES, decrypt with AES, etc, etc. And then run a bunch of tests, and you can see I've got a whole bunch of tests that we're calling here. We're going to go over these. We're probably going to have, this may end up being three, four, maybe five videos, depending on how complex. I always say that and it ends up being like one or two, just because I make really long videos, which I have to stop doing. But I should note, one thing I really wanted to point out, and this is important, is that AES, or I'm sorry, AES, OpenSSL has a command line. So when you download OpenSSL, pre-compiled, and you install it, you're not just installing a library, you're installing a command line tool. And here's some examples of that command line. You type openssl, AES-256, cipher block chaining, using a salt, using the message digest SHA1, and then in file, out file, that you can do all that on the command line. So the caveat that I wanted is all of this code that we're going to write is going to be backwards compatible with the command line. So if you were to encrypt something with this program, you could decrypt it with the command line. If you encrypt it with the command line, you could decrypt it with this program. That is a real pain in the behind, but we're going to do it simply because I want to go over how this works and show that it can be done. There's a couple little gotchas we have to do here. Let's see, what else did I want to cover in this video? I know I've thrown a lot at you, but you know, encryption is pretty difficult.
Oh yeah, we should cover why RSA and why AES. I covered that a little bit. So you have your AES, it's a private key, and you just call it a key. It's always private. You never share that key. Well, then how do you work with it? Let's say I want to encrypt a file and hand that file to you. For you to decrypt that file with AES, you need the key, right? That's where RSA comes in. You would take RSA, and I would use your public key to encrypt the AES key. Because I've used the public key, you can decrypt it with your private key that only you have. See how that works? So you say, hey, Brian, encrypt this file and send it to me. Here's my public key. I say, okay, I take your public key. I generate a random key for the AES. You never want to use a pre permanent static premade key. So I generate random bytes that form this key. I use your public key to encrypt it. I take that public key and I now have all those bytes that we just encrypted. And I hand you the encrypted bytes along with the file that I encrypt using the AES key. Sounds complicated, I know, but we'll go over it. So it's really a two step process. You're going to use AES to encrypt the file. You're going to use RSA to encrypt the AES key. I then hand you the encrypted key. You use your private key to decrypt the AES key. Now, let's say you want multiple files. That's why you would use a random byte generator, which OpenSSL has internally, because you want every single file to have a different salt and to have a different key for AES. And then you use the public and private keys to encrypt decrypt. If it sounds complex, it's because it's insanely complex. It's one of the most complex things on the planet to do short of curing cancer, I think. It's so complex that governments hire massive amounts of people that do top secret work, see, NSA top secret, that all they do is sit there and work on this and try to perfect it and tweak it and break it. 
And, you know, for example, there was an encryption algorithm called DES. Well, they broke DES. They said, hey, there's a vulnerability. We figured out how to break it. So they said, okay, we'll make it three times stronger. It's now triple DES. Well, it didn't take long for triple DES to be broken either. So AES was born. Don't expect that AES and RSA are going to be the be-all and end-all of encryption. By the time you end up watching this video, they may have already cracked this. But for the time being, this is the best we have. So in future tutorials, Botan, Botan is going to go the way of the dinosaur, and I'm going to really favor OpenSSL. There is a lot to OpenSSL, and it has been heavily criticized as being insanely difficult to use. And you can see from some of the code here, like if I flip into Cypher CPP, I mean, here's AES encrypt. And you can see, I mean, it's not simple. We're doing a lot of stuff. Once you understand the concepts and you understand under the hood what's going on, then it's a little simpler, not much. But it's still, you know, you've got to understand what you're doing and why you're doing it. And to be brutally honest, I've spent weeks on this implementation, and I'm not convinced this is even perfect. I'm sure somebody will find a flaw in it. The good news is OpenSSL is called OpenSSL because, well, it's open source. So you can go and download the source code for OpenSSL and read through it. You can tweak it, modify it, wouldn't recommend that, but you can do pretty much anything you want with it. So work has been extra special lately, and I've got, you know, family obligations because it's summertime. So I will try to get these videos out in a timely manner. I know I say that and then it's like a week or two weeks before I do a video, but I will really try. I've just been incredibly busy. And my work phone is vibrating. So that's going to be the end of this video. I hope you found this educational and entertaining.
Yes, I know, work phone, I'll answer you in a second. If you're like me and you like talking to other programmers, be sure to visit the VoidRealms Facebook group. I think we just hit 600 people and the phone just went to voicemail so I can chat for a few more minutes. Anyways, there's like 600 programmers out there, all different languages, not just Qt, not just C++. We've got PHP, Java, etc, etc. I just call it, you know, the breeding ground for nerds. We just go in there and we talk computer stuff. So hope to see you in there. Hope to have some good discussions and I'll talk to you later.