Cryptography

Discover how encryption and hashing can be used when authenticating APIs, storing passwords, and transmitting HTTPS messages.

End-to-end encryption

As of 2023, the Cryptographic Failures category sits at the number two position on the OWASP Top Ten, shifting up one position from 2017. This category was previously known as Sensitive Data Exposure but was renamed because the old name represents a broad symptom rather than a root cause.

Cryptography is defined as the practice and study of secure communication in the presence of malicious behavior. The crypto prefix is especially popular these days because cryptographic techniques enable cryptocurrency technologies. A huge area of cryptography has to do with encryption and hashing. Encryption and hashing are ways of converting information into secret code that hides the original meaning so that only authorized senders and receivers can understand the underlying data. The primary difference between encryption and hashing is that encryption is a reversible action—we can get the original input back from the encrypted output, while we can’t do that with hashing.

Symmetric encryption and hashing

When using encryption, we first need to decide how to encode or scramble our data. Let's say we have a message, "hello world", that we want to hide from potential eavesdroppers and attackers. While it should never be used in production, we can use the Caesar cipher (famously used by Julius Caesar) to demonstrate symmetric encryption, which uses a single key to encrypt and decrypt data. The Caesar cipher works by replacing each letter with another letter that is a fixed number of positions down the alphabet from the starting letter.

The Caesar cipher using a right shift of 23

Using the key in the screenshot above, "hello world" becomes "ebiil tloia" with a right shift of 23. To get back to our original message, we simply apply a left shift of 23. This is a very weak example of symmetric encryption because the key is easy to guess. Real keys should be generated randomly by a cryptographically secure random number generator, which makes them far harder to guess. Similarly, if a password is used as a key, it must first be converted with an appropriate Password-Based Key Derivation Function (PBKDF). A key derivation function is a special type of function that takes a password and turns it into a symmetric key suitable for cryptographic use.
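The following added example (not code from the original lesson) implements the general Caesar shift so the "hello world" to "ebiil tloia" result above can be reproduced for any shift, and then contrasts that toy key with the two ways the paragraph says a real symmetric key should come from: the operating system's CSPRNG, or a password run through PBKDF2-HMAC-SHA256. The function names, the 600,000 iteration count and the salt value are choices made for this illustration, not part of the lesson.

```python
import hashlib
import secrets
import string

ALPHABET = string.ascii_lowercase


def caesar_shift(text: str, shift: int) -> str:
    """Shift every lowercase letter `shift` positions to the right (mod 26).
    Non-letters such as spaces pass through unchanged; a negative shift moves left."""
    out = []
    for ch in text:
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % len(ALPHABET)])
        else:
            out.append(ch)
    return "".join(out)


def caesar_encrypt(plaintext: str, key: int) -> str:
    return caesar_shift(plaintext, key)


def caesar_decrypt(ciphertext: str, key: int) -> str:
    # A left shift of `key` undoes a right shift of `key`.
    return caesar_shift(ciphertext, -key)


# Shift 0 leaves the text unchanged, so only 25 distinct keys exist.
CAESAR_KEYSPACE = len(ALPHABET) - 1


def random_symmetric_key(length: int = 32) -> bytes:
    """A fresh 256-bit key from the OS CSPRNG (suitable for AES-256 or HMAC-SHA256)."""
    return secrets.token_bytes(length)


def key_from_password(password: str, salt: bytes, iterations: int = 600_000) -> bytes:
    """Derive a 32-byte symmetric key from a password with PBKDF2-HMAC-SHA256.

    The salt must be random and unique per password and stored alongside the
    ciphertext; the iteration count (600,000 here, an illustrative choice) is what
    makes guessing passwords offline slow.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=32
    )


if __name__ == "__main__":
    ct = caesar_encrypt("hello world", 23)
    print(ct, "->", caesar_decrypt(ct, 23))
    print("Caesar keyspace:", CAESAR_KEYSPACE, "keys; CSPRNG key:", random_symmetric_key().hex())
    salt = secrets.token_bytes(16)  # constructed at run time, store it with the data
    print("PBKDF2 key:", key_from_password("correct horse battery staple", salt).hex())
```

Note that `caesar_decrypt` and `caesar_encrypt` are the same operation with the sign of the key flipped, which is exactly what "one key for both directions" means for a symmetric cipher; the difference between the toy and the real thing is entirely in how the key is chosen.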

A hash-based message authentication code (HMAC) with SHA-256 (HS256) is an example of a symmetric-keyed hashing algorithm that uses one secret key. It is sometimes used to generate JSON Web Tokens (JWTs), which are commonly used for API authentication. We’ll be using JWTs as examples throughout this lesson, but keep in mind that they represent just one use case of symmetric and asymmetric cryptography. ...