So I'm going to ask you because I want to understand what is cryptography, what have you heard about it, what do you think about it, what are your thoughts on it. So it involves encrypting and decrypting information. Using hashes. Using hashes. Study of effectively hiding information. Study of effectively hiding information. Do you guys use this? You use cryptography? Not intentionally. Do you use it though? Your ASU email, all that is done over TLS, an encrypted connection. Anything else? Do you like it? Do you use it? Does anyone actively use it? Do you think that incidentally when you're doing things you are using cryptography, but is anyone actively encrypting things or signing? Or hashing things? It's not a good call, yeah? I just sign my Git commits. Signing Git commits. So why do you do that? So nobody mentioned signing yet. What's signing? Well, it's proving that I'm the person that made the command to get anybody to do the station. They have no email. Signing a message would mean that you are proving that you actually made that message. Especially important for code commits to open source projects because somebody could pretend to be you and commit. Anybody else use it? Secondary password. You're talking about token, RSA token. So does anybody have this for a bank or something? Like a dedicated hardware token? With a constantly changing number on it that you put in? Or anybody use two-factor authentication on Gmail or Dropbox uses it? A lot of people, I do too. That's all cryptography in the cryptography area. Cool, so nobody said my favorite one yet. I'll get to it in a second, I guess. Basically cryptography is all of these things. So originally it was the study of essentially the name comes from the Greek words for hidden or secret and writing or study if you want to do cryptography or cryptology. 
Kind of the core, I mean the core driving force in the beginning was really about keeping information secret or hidden. So this is similar to how we talked about the need for organizations to keep things secret when we talked about access control. Cryptography you can kind of think of as what's the mechanism to how to actually do that. When we talk about encryption, if I send a note to somebody, how can I make sure that only that person can actually read it and nobody else can? So we need to talk about some terminology. You mentioned encryption, so what's encryption? That's tricky, so that's a good one. The range on this thing is not really good. We'll stand here. Now that we have that awesome backboard there. So essentially trying to transform a message so that its meaning is concealed. So it basically goes what you're saying. So encoding or transforming or doing something to a message to try to conceal its meaning. It may not always be successful, right? So that's kind of an important thing to keep in mind. Just because something says it's encrypted, if you don't really understand what it's doing, how it's doing it and why, that doesn't guarantee that it's actually encrypted. That nobody except the person you want to can read that information. So what's decryption? So taking some encrypted message and transforming it back into the original form. So you can make an encryption, take some message, transform it into hopefully some gibberish that nobody can understand. Decryption takes that gibberish and transforms it into something that people can understand. So a crypto system we'll just kind of broadly define as a system that describes kind of how to encrypt or decrypt messages. So this could be, and again just because it has the word crypto in the name here does not mean that it actually, so I could develop a crypto system that does nothing, right? It doesn't transform the message at all and then I can take, I can encrypt and I can decrypt. 
And if you don't know what I'm doing, that's not if you're doing anything, you'll believe that it's encrypted. So plaintext is usually what we refer to a message in its original form. So we get some, the crypto system gets a message in plaintext and it's trying to usually transform that through encryption to some kind of ciphertext, which would be a message in encrypted form. Yes, there are a lot of weird terms. Yes, we need to know and understand them so we can talk about them and talk about crypto systems. A cryptographer is a person who invents encryption algorithms. I'm going to take this time and I'm going to harp on this a lot actually because I think it's really important. Unless you very actually know what you're doing, you are not a cryptographer. Or a cartographer, sorry, a cryptographer. I was like, yeah, you're probably not. Maybe you're really into maps, I don't know. But a cryptographer, in inventing and rolling your own and creating your own crypto system almost always ends in failure almost every single time. I don't know the example here, I'll bring it up later, but there's a very decent example of this. Really, so we want to study and understand cryptography and crypto systems so we can understand how to use them safely. Part of using them safely is knowing that you should not be ever designing your own. And that one time you're like, oh, but maybe I can do, don't do it. Don't do it, go back to the drawing board and do something else, do something different. These things are insanely easy to mess up. I mean, it's all, yeah, I'll get that in a second. So a cryptanalyst is somebody who has a pretty cool job as a code breaker, whose entire job is to try to break encryption algorithms. So either the algorithms themselves, or I think the other important thing is the implementation. So that's another huge thing. And that's honestly where a lot of the flaws come from. 
Is you can have the most perfectly secure design and algorithm that's mathematically provable to be resistant to quantum cryptography or quantum cryptanalysis. But once you actually implement it, if there's flaws there, then it renders the whole thing moot. So this is, that implementation is a huge part. So why do we want cryptography? Why do we want to keep things secret? What does that mean less in terms of security? Why are we talking about this in a security course? Yeah, so it allows us to kind of control, let's say control information in some sense, where we can maybe release information out there, or we could say that it keeps confidential data confidential, right? So I have some communication that's only directed to you, should be confidential only to you. I can actually send that, and I actually don't have to worry about everyone else reading this message, because I know that you're the only person who can decrypt that message. And so I guarantee confidentiality in this sense. So it does, sorry I don't know, I'm going to call you GitHub developer. Does our GitHub developer care about the confidentiality of his GitHub commits? Actually the opposite of what you're doing, right? If you're just committing to a private repo and not telling you about them, you're not really making a big contribution to open source software, right? So what do you care about then? Yeah, so nobody else can pretend to be you, or can even not pretending to be you, let's say it's your original commit, but maybe they modify it in transit to insert some backdoor along the way. So we really care about integrity in those cases, right? So we care that nobody's modifying or changing the data in a way that we don't know about. So cryptography, especially with signings, we'll get to a lot to do with integrity. 
We're going to go back to authentication, because we kind of, we remember authentication, we talk about an access control is trying to figure out who you are in the system, and access control is about what you can do. And so we'll see what I want to learn about crypto first or cryptography first, and then we'll go to authentication. So as we'll see there. And also we're talking about this a little bit is non-repudiation. So for you to actually say a message. And so that you all know that, yes, I actually said that message. So if I tell my stockbroker to buy 100 shares of Enron, and then after I do that the stock price tanks, I go, well, I got hacked. I never sent that message. I must be somebody spoofing my email. There's cryptographic ways that they can say, assuming I made the message that way that they can prove, no, you actually made this message. You made this order. Cool. So crypto system, we should think of, so think of kind of modeling it, right? We're kind of thinking, and models are really just ways to think about systems, right? So any crypto system has to have these five components, some set of plaintexts, so some kind of universe of plaintexts, some set of keys, some set of ciphertexts, and encryption functions. So an encryption function E, that will take in a plaintext and a key and output a ciphertext. So that will essentially map messages with a key into some ciphertext. And finally we have D, which is a set of decryption functions which take in ciphertext and a key and will output the message. Is everyone familiar with this, the syntax of the functions here? So it's basically the x and the arrow. So it basically is defining, E is a set of functions, so the function signature of each of these functions in E is kind of, you can think, inputs are any plaintext and any key, and then the output is something, so the input is something from M, something from K, and the output is something from C, right? 
So think of this like a type signature, you write a function called encrypt which takes in a message, which is a plaintext message, and takes in a key and outputs ciphertext. So really decryption is exactly the same way, but takes in a ciphertext and a key and outputs a message. So for instance, so the Caesar cipher, okay, wait, before we get to this, so is anybody, so I actually, maybe I should have said this before my rant, but has anybody actually created a crypto system before in their lives? Yeah, in one sense. Like a computer one or a written one? A written one. A written one? Would you like to share it? You don't have to, or maybe the context. So you take the first half of the letters of the alphabet, and then you lay them and replace them with the second half of the letters of the alphabet. Works super great. Cool. Let's move on. I think we'll look at that. I guess we'll ROT13. It became Z. Oh, so you flipped it this way. Yeah, okay, I see. Because otherwise if you stacked it on top this way, A would be N or N or whatever. Yeah, so that's cool, like I'm flipping. That's cool. Anybody else? See it's like fourth or fifth grade, or we would write a sentence and it would be the first letter of the sentences, the first letter of the words in the sentence would then be the actual message. I'm trying to hide a message by adding a bunch of pregnant gibberish. It did not work very well. I won't talk about that. So one of the most famous ciphers, and kind of one of the oldest, is the Caesar cipher. So the name actually comes from Julius Caesar, and I have this quote from, apparently from a Roman text, or a Roman history person. That's not right. Historian, there you go. I know this word. If he had anything confidential to say, he wrote it in cipher. That is, by so changing the order of the letters of the alphabet, that not a word could be made out. 
If anyone wishes to decipher these and get at their meaning, he must substitute the fourth letter of the alphabet, meaning the D for A, and so on with the other ones. So similarly, a similar kind of scheme of essentially shifting the letters of the alphabet, in this case, forward four, wait, forward three. And so we can actually, so we'll get into this, an example of this, but we can model this essentially in our modeling way that where M is all the letters that we want to encrypt, K would be, all of your keys would essentially be integers. So an integer that would tell you how much to shift the alphabet, E would be a function. So for the K and all letters M, so to make encryption out of a Caesar cipher encryption from K for a letter M, you take M mod K mod 26. So let's just say shift it to the right, so add, and then the mod makes sure when we loop around, so if we're adding to Z, we'll loop around to the back to the start. And with K, subtract, so it's moving backwards. And the ciphertext language is the same as the messages, right? So we're not, our alphabet there is not changing our ciphertext and our messages. Alright, so when we come back, we'll learn how to attack this.
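The Caesar cipher written out as the five-part model described above (M, K, C, E, D), as an added Python example that is not part of the lecture; the function names and the sample message are constructed for illustration. Encryption adds the key and decryption subtracts it, both mod 26, and the checks at the end show that key 0 (or 26) is the "crypto system that does nothing" and that only 26 distinct keys exist however large the integer key is.

```python
import string

ALPHABET = string.ascii_uppercase   # M and C are the same set: the 26 letters
N = len(ALPHABET)                   # K is any integer; only k mod 26 matters


def encrypt_letter(m: str, k: int) -> str:
    """E: M x K -> C. Shift one letter right by k, wrapping around with mod 26."""
    return ALPHABET[(ALPHABET.index(m) + k) % N]


def decrypt_letter(c: str, k: int) -> str:
    """D: C x K -> M. Shift one letter left by k, wrapping around with mod 26."""
    return ALPHABET[(ALPHABET.index(c) - k) % N]


def _apply(fn, text: str, k: int) -> str:
    # Letters are upper-cased and shifted; spaces and punctuation pass through.
    return "".join(fn(ch, k) if ch in ALPHABET else ch for ch in text.upper())


def encrypt(plaintext: str, k: int) -> str:
    return _apply(encrypt_letter, plaintext, k)


def decrypt(ciphertext: str, k: int) -> str:
    return _apply(decrypt_letter, ciphertext, k)


def round_trips(k: int) -> bool:
    """Correctness property of the model: D(E(m, k), k) == m for every m in M."""
    return all(decrypt_letter(encrypt_letter(m, k), k) == m for m in ALPHABET)


def distinct_keys(candidates) -> int:
    """Number of genuinely different ciphers among the candidate integer keys."""
    return len({encrypt(ALPHABET, k) for k in candidates})


if __name__ == "__main__":
    sample = "MEET AT NOON"                       # constructed sample plaintext
    ct = encrypt(sample, 3)                       # shift of 3: D stands for A
    print(ct, "->", decrypt(ct, 3))
    print("key 0 changes nothing:", encrypt(sample, 0) == sample)
    print("distinct keys in -100..99:", distinct_keys(range(-100, 100)))
```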