Symmetric and Asymmetric Encryption #
Symmetric Encryption Overview #
- Symmetric encryption uses the same key for both encrypting and decrypting data.
Example: Disk Encryption #
- A password is defined and used by the disk encryption software to create a symmetric key through a process called key derivation
- This key will be used for both encrypting and decrypting the data on the disk
- The encryption software (like BitLocker, VeraCrypt, or LUKS) uses the symmetric key to encrypt the data on the disk
- To access the data, the symmetric key, or the means to retrieve it (such as entering the password), must be provided
- The encryption software uses the key to decrypt the data
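The disk-encryption flow above, as an added Go example (not code from BitLocker, VeraCrypt or LUKS, whose KDF parameters, ciphers and on-disk layout differ): a key is derived from the password with PBKDF2-HMAC-SHA-256 (written out inline so only the standard library is needed), the data is encrypted with AES-256-GCM, and the same password re-derives the same key for decryption. The iteration count, salt length and blob layout are assumptions for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Assumed parameters for this example; real disk encryption uses far higher
// iteration counts or memory-hard functions such as Argon2.
const (
	keyLen     = 32     // AES-256 key size in bytes
	iterations = 10_000 // PBKDF2 iteration count (assumed)
	saltLen    = 16
)

// pbkdf2SHA256 derives keyLen bytes from password and salt with PBKDF2 using
// HMAC-SHA-256 as the PRF (RFC 8018), implemented here for the example.
func pbkdf2SHA256(password, salt []byte, iter, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	hashLen := prf.Size()
	numBlocks := (keyLen + hashLen - 1) / hashLen
	dk := make([]byte, 0, numBlocks*hashLen)
	idx := make([]byte, 4)
	for block := 1; block <= numBlocks; block++ {
		// U1 = PRF(password, salt || INT_32_BE(block))
		prf.Reset()
		prf.Write(salt)
		binary.BigEndian.PutUint32(idx, uint32(block))
		prf.Write(idx)
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		// U_i = PRF(password, U_{i-1}); T = U1 xor U2 xor ... xor Uc
		for i := 1; i < iter; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		dk = append(dk, t...)
	}
	return dk[:keyLen]
}

// EncryptWithPassword models volume creation: random salt, key derivation,
// AES-256-GCM. Output layout (assumed): salt || nonce || ciphertext+tag.
func EncryptWithPassword(password string, plaintext []byte) ([]byte, error) {
	salt := make([]byte, saltLen)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	key := pbkdf2SHA256([]byte(password), salt, iterations, keyLen)
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	out := append(salt, nonce...)
	return gcm.Seal(out, nonce, plaintext, nil), nil
}

// DecryptWithPassword re-derives the key from the stored salt and the given
// password. A wrong password gives a different key, and GCM's tag check then
// fails instead of returning garbage.
func DecryptWithPassword(password string, data []byte) ([]byte, error) {
	if len(data) < saltLen {
		return nil, errors.New("ciphertext too short")
	}
	salt := data[:saltLen]
	key := pbkdf2SHA256([]byte(password), salt, iterations, keyLen)
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(data) < saltLen+ns+gcm.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := data[saltLen:saltLen+ns], data[saltLen+ns:]
	return gcm.Open(nil, nonce, ct, nil)
}

func main() {
	secret := []byte("contents of the encrypted volume (constructed sample)")
	blob, err := EncryptWithPassword("correct horse battery staple", secret)
	if err != nil {
		panic(err)
	}
	pt, err := DecryptWithPassword("correct horse battery staple", blob)
	fmt.Printf("right password: %q err=%v\n", pt, err)
	_, err = DecryptWithPassword("wrong password", blob)
	fmt.Printf("wrong password: err=%v\n", err)
	same := bytes.Equal(
		pbkdf2SHA256([]byte("pw"), []byte("salt"), 2, 32),
		pbkdf2SHA256([]byte("pw"), []byte("salt"), 2, 32))
	fmt.Println("same password and salt give the same key:", same)
}
```

The salt is stored with the ciphertext because it is not secret; it only ensures that two volumes with the same password get different keys. Note that the wrong-password case is reported as an error by the authenticated cipher, which is the behaviour to rely on rather than inspecting decrypted bytes.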
Asymmetric Encryption Overview #
- Asymmetric encryption uses a pair of keys, a public key (which can be shared with anyone) and a private key (which is kept secret).
- Data can be encrypted with the public key, but only the private key can decrypt it
Example: SSH Key Pair #
- An SSH key pair is created
- The public key is placed on the server you want to connect to
- The SSH client sends a request to the server to connect
- The server generates a random challenge, encrypts it using the public key and sends the encrypted challenge back to the SSH client
- The SSH client uses the private key to decrypt the challenge; only this private key can decrypt the challenge successfully
- The SSH client sends the decrypted result back to the server
- The server verifies the response and the client is authenticated
- Once authenticated, the SSH connection is established
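The challenge-response steps listed above, as an added, simplified Go model (not OpenSSH's implementation or wire protocol): the server holds only the public key, encrypts a random challenge to it with RSA-OAEP, and accepts the client only if the decrypted response matches. The `Server`, `Client` and `Authenticate` names are assumptions for the example.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Server holds only the client's public key (the "authorized key") plus the
// challenge issued for the current connection attempt.
type Server struct {
	authorizedKey *rsa.PublicKey
	challenge     []byte
}

// Client holds the private key; it never leaves the client.
type Client struct {
	priv *rsa.PrivateKey
}

// NewKeyPair is step 1: a key pair is created. The public half is what gets
// placed on the server.
func NewKeyPair() (*Client, *rsa.PublicKey, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	return &Client{priv: priv}, &priv.PublicKey, nil
}

// IssueChallenge: the server draws 32 random bytes and encrypts them with the
// public key. Only the matching private key can recover them.
func (s *Server) IssueChallenge() ([]byte, error) {
	s.challenge = make([]byte, 32)
	if _, err := rand.Read(s.challenge); err != nil {
		return nil, err
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, s.authorizedKey, s.challenge, nil)
}

// Answer: the client decrypts the challenge with its private key. A key that
// does not match the server's public key makes OAEP decryption fail.
func (c *Client) Answer(encrypted []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, c.priv, encrypted, nil)
}

// Verify: the server compares the response with the challenge it issued.
func (s *Server) Verify(response []byte) error {
	if s.challenge == nil || !bytes.Equal(response, s.challenge) {
		return errors.New("authentication failed")
	}
	s.challenge = nil // a challenge is single-use, so a replay cannot pass
	return nil
}

// Authenticate runs the whole exchange and reports whether client is accepted.
func Authenticate(server *Server, client *Client) error {
	enc, err := server.IssueChallenge()
	if err != nil {
		return err
	}
	resp, err := client.Answer(enc)
	if err != nil {
		return fmt.Errorf("client could not decrypt challenge: %w", err)
	}
	return server.Verify(resp)
}

func main() {
	client, pub, err := NewKeyPair()
	if err != nil {
		panic(err)
	}
	server := &Server{authorizedKey: pub}
	fmt.Println("legitimate client:", Authenticate(server, client))
	other, _, err := NewKeyPair()
	if err != nil {
		panic(err)
	}
	fmt.Println("client with a different key pair:", Authenticate(server, other))
}
```

The server never needs the private key, which is the property that makes distributing the public key safe; the private key is the only secret and stays on the client.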
Encoding #
Encoding Overview #
- Encoding is the process of transforming data from one format into another for various purposes, such as data integrity, readability, or compatibility
Example: Kubernetes Secret Base64 Encoding #
- Kubernetes secrets are stored in base64-encoded format
- While this is not encryption, it ensures that the secrets are not immediately readable in plain text when viewed in the Kubernetes API or through CLI tools
- Base64 is easily reversible and does not provide strong security.
- Base64 encoded data is larger than the original binary data. The output size increases by approximately 33%
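An added Go example (not part of the original notes) that decodes a constructed Kubernetes-style secret `data` map and measures the base64 size overhead; the sample values are made up, and `DecodeSecretData`, `EncodedLen` and `Overhead` are names chosen for the example.

```go
package main

import (
	"encoding/base64"
	"fmt"
)

// Constructed sample of the "data" field of a Kubernetes Secret as shown by
// `kubectl get secret -o json`; the values are made up for this example.
var sampleSecretData = map[string]string{
	"username": "YWRtaW4=",
	"password": "cGFzc3dvcmQxMjM=",
}

// DecodeSecretData reverses the base64 encoding of every value. No key is
// involved: anyone who can read the Secret object can read the plaintext.
func DecodeSecretData(data map[string]string) (map[string][]byte, error) {
	out := make(map[string][]byte, len(data))
	for k, v := range data {
		raw, err := base64.StdEncoding.DecodeString(v)
		if err != nil {
			return nil, fmt.Errorf("key %q: %w", k, err)
		}
		out[k] = raw
	}
	return out, nil
}

// EncodedLen is the number of characters standard base64 needs for n raw
// bytes: every 3 bytes become 4 characters, padded up to a multiple of 4.
func EncodedLen(n int) int { return base64.StdEncoding.EncodedLen(n) }

// Overhead is the size growth factor, approaching 4/3 (about 33%) for
// large inputs; small inputs grow more because of padding.
func Overhead(n int) float64 { return float64(EncodedLen(n)) / float64(n) }

func main() {
	decoded, err := DecodeSecretData(sampleSecretData)
	if err != nil {
		panic(err)
	}
	for k, v := range decoded {
		fmt.Printf("%s: %s\n", k, v)
	}
	for _, n := range []int{1, 3, 32, 3000} {
		fmt.Printf("%d bytes -> %d chars (x%.2f)\n", n, EncodedLen(n), Overhead(n))
	}
}
```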
Hashing #
Hashing Overview #
- Hashing is the process of converting input data of any size into a fixed-size string of characters, which typically appears random
- Hash functions like SHA-256 are designed to produce a fixed-length output, regardless of the input size. SHA-256, for example, always produces a 256-bit (32-byte) hash
- This works by breaking the input data into fixed-sized blocks and processing them through a compression function
- The same input will always produce the same hash
- Hash functions are designed so that even a tiny change in the input results in a completely different hash (the avalanche effect)
- Hash functions are designed to compute the hash quickly, even for large inputs
- It is practically impossible to reverse-engineer the original input from its hash
Hashing Example #
```bash
# Example hashing of a string
echo -n "Hello, it's Juergen" | sha256sum
# Shell output:
# cc43908b4cb7c066631891e5151c613d586fb2be622b6d64573abfdf2bb91ff5 -

# Example hashing of a longer string: the output is completely different but still 64 hex characters (256 bits)
echo -n "Hello, it's Juergen. Hi there" | sha256sum
# Shell output:
# 36b867c9c0455b5951afb58243af4933a9195acfbdc4efd8e6f1cc2bdc11ef5c -
```
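The same hashing in Go, added here as an example that is not part of the original notes. It goes a little beyond the shell example: it also streams a 1 MiB input through the hash in blocks (fixed-size output regardless of input size) and counts how many of the 256 output bits flip when one character of the input changes (the avalanche property). `Sha256Hex`, `Sha256Stream` and `HammingDistance` are names chosen for the example.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"math/bits"
)

// Sha256Hex hashes a byte string and returns the 64-hex-character digest,
// the same value `sha256sum` prints for that input.
func Sha256Hex(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// Sha256Stream feeds an arbitrarily large reader through the hash in
// blocks, which is how a file that does not fit in memory is hashed.
func Sha256Stream(r io.Reader) ([]byte, error) {
	h := sha256.New()
	if _, err := io.Copy(h, r); err != nil {
		return nil, err
	}
	return h.Sum(nil), nil
}

// HammingDistance counts the bit positions in which two digests differ.
func HammingDistance(a, b []byte) int {
	n := len(a)
	if len(b) < n {
		n = len(b)
	}
	d := 0
	for i := 0; i < n; i++ {
		d += bits.OnesCount8(a[i] ^ b[i])
	}
	return d
}

func main() {
	a := Sha256Hex([]byte("Hello, it's Juergen"))
	b := Sha256Hex([]byte("Hello, it's Juergen!")) // one character appended
	fmt.Println(a)
	fmt.Println(b)

	// Constructed 1 MiB input: the digest is still 32 bytes.
	big := bytes.Repeat([]byte("x"), 1<<20)
	sum, err := Sha256Stream(bytes.NewReader(big))
	if err != nil {
		panic(err)
	}
	fmt.Printf("1 MiB input -> %d-byte digest\n", len(sum))

	da, _ := hex.DecodeString(a)
	db, _ := hex.DecodeString(b)
	fmt.Printf("bits that changed after a one-character edit: %d of 256\n", HammingDistance(da, db))
}
```

For a good hash function the number of changed bits lands around 128 of 256, i.e. about half, which is why comparing two hashes tells you nothing about how similar the inputs were.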