Category: Cryptography

How Cryptography is Essential Feature in BlockChain

06 Feb 2019

In blockchain technology, cryptography is primarily used for two purposes:

  1. To secure the identity of the sender for any transactions.
  2. To ensure the past/historical records cannot be tampered with.

Blockchain technology relies heavily on cryptography to protect the identities of users, to ensure that transactions are carried out safely, and to secure all information and stores of value. This gives anyone using a blockchain confidence that once something is recorded on it, it was recorded legitimately and in a manner that preserves its security.

Despite being founded upon a similar framework, the type of cryptography used in blockchain, namely public-key cryptography, is considerably better suited to the functions associated with the technology than symmetric-key cryptography.

PKC (public-key cryptography): rather than using a single key for both encryption and decryption, as in symmetric-key cryptography, two separate keys are used: a public key and a private key.

In public-key cryptography a digital signature is produced, and it is this signature that secures the integrity of the signed data. A mathematical algorithm combines the user's private key with the data they wish to sign.

Since the actual data is an input to the digital signature, the network does not recognize the signature as valid if any part of the data is tampered with. Editing even the slightest aspect of the data changes the whole signature, rendering it invalid. This is what lets blockchain technology guarantee that any data recorded onto it is true, accurate and untampered with.

Digital signatures are the key feature that gives data recorded on a blockchain its immutability.

How to test:

The basic question that arises is how we test cryptography within a blockchain. Our team uses several techniques and methodologies:

SHA-256: SHA-256 produces a 256-bit, i.e. 32-byte, digest that is unique to the input text. To test it, first verify that the output is indeed 32 bytes. Second, to link the digest back to the original message, the recipient can re-hash the received message and compare the result with the original hash. If they match, the message is unchanged and no data was lost in transmission.

Similar checks apply to SHA-512, SHA-1, SHA-3 and others.

Merkle tree testing on the Ethereum platform can be accomplished by verifying the hashes of a block and the state root at each level. One needs to check carefully that each child level actually produces its parent one level up. Another factor to take care of is that an orphan child (a node without a sibling at its level) must still be valid. Traversing the hash tree in both directions, leaf to root and root to leaf, should be feasible and not broken.
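As an added example (not code from the original post), the following Python builds a small SHA-256 Merkle tree over constructed sample transactions and carries out the checks described in the SHA-256 and Merkle tree paragraphs above: the digest is 32 bytes, every parent is the hash of its two children, the orphan node is handled, and an inclusion proof traverses from leaf to root and fails once the leaf is altered. It pairs an orphan with itself (the Bitcoin rule, an assumption here); Ethereum's Merkle-Patricia tries are laid out differently, but the child-to-parent check is the same idea.

```python
import hashlib

def sha256(data: bytes) -> bytes:
    """SHA-256 digest; the first check in the text is that it is always 32 bytes."""
    digest = hashlib.sha256(data).digest()
    assert len(digest) == 32
    return digest

def _pad(level: list) -> list:
    # An orphan (odd node at the end of a level) is paired with itself, not dropped.
    return level + [level[-1]] if len(level) % 2 else level

def build_levels(leaves: list) -> list:
    """Return every level of a binary Merkle tree: hashed leaves first, root last."""
    levels = [[sha256(leaf) for leaf in leaves]]
    while len(levels[-1]) > 1:
        cur = _pad(levels[-1])
        levels.append([sha256(cur[i] + cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels

def verify_levels(levels: list) -> bool:
    """Check that each parent is the hash of its two children ("child level makes its parent")."""
    for lower, upper in zip(levels, levels[1:]):
        padded = _pad(lower)
        if len(upper) != len(padded) // 2:
            return False
        if any(p != sha256(padded[2 * i] + padded[2 * i + 1]) for i, p in enumerate(upper)):
            return False
    return True

def inclusion_proof(levels: list, index: int) -> list:
    """Sibling hashes from leaf to root for one leaf, each tagged with its side."""
    proof = []
    for level in levels[:-1]:
        sibling = index ^ 1                      # neighbour in the same pair
        proof.append((_pad(level)[sibling], sibling < index))  # (hash, sibling_is_left)
        index //= 2
    return proof

def verify_proof(leaf: bytes, proof: list, root: bytes) -> bool:
    """Walk leaf -> root using the proof; True only if the recomputed root matches."""
    h = sha256(leaf)
    for sibling, sibling_is_left in proof:
        h = sha256(sibling + h) if sibling_is_left else sha256(h + sibling)
    return h == root

TXS = [b"alice->bob:5", b"bob->carol:2", b"carol->dave:1"]  # constructed sample data

def demo() -> tuple:
    levels = build_levels(TXS)
    root = levels[-1][0]
    proof = inclusion_proof(levels, 1)
    return (verify_levels(levels), verify_proof(TXS[1], proof, root),
            verify_proof(b"bob->carol:20", proof, root))  # (True, True, False)
```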

Penetration testing on the Ethereum platform: there are many tools available, both open source and customized. One tool that deserves a mention is "SlowHTTPTest", which simulates application-layer denial-of-service attacks. Both the header and the body of HTTP requests sent through exposed API endpoints need to be tested. From the response times it can be verified whether concurrent requests are still being processed or whether service is being denied. This way we can confirm how vulnerable the application is to slow HTTP attacks in its default configuration.

There are many more features and ways to ensure that security is not jeopardized for any application and that it is, as far as possible, resistant to attack. We at MagicBlockchainQA, with thorough knowledge and vast industry experience, ensure that testing covers the following areas:

  • Confidentiality − protects against disclosure of information to unintended recipients.
  • Integrity − ensures that the intended information is transferred accurately and unaltered from sender to receiver.
  • Authentication − the identity of the user is verified and confirmed.
  • Authorization − specifies the access rights and permissions granted to users over resources.
  • Availability − ensures that information is ready for use when required.
  • Non-repudiation − ensures that neither the sender nor the receiver can deny having sent or received a particular message.

To know more about BlockChain testing and our services please contact us at www.magicblockchainqa.com.

Drop in your comments or queries, at https://www.magicblockchainqa.com/call-us/

Thanks for reading.


Cryptography Algorithms and Models

30 Jan 2019

What is Cryptography?

In simple layman's terms, cryptography is the art of secret writing. It is necessary whenever communication takes place over an untrusted network.

The major functions of cryptography can be classified as follows:

  • Privacy & confidentiality: To ensure that no one can read or access the message except the intended receiver.
  • Authentication: The process of proving one's identity.
  • Integrity: To assure the receiver that the received message has not been altered from the original.
  • Non-repudiation: A mechanism to confirm that the sender really did send the message.
  • Key exchange: The process by which cryptographic keys are shared between sender and receiver.

In cryptography, unencrypted data is called "plaintext". The plaintext is encrypted into ciphertext, which in turn can be decrypted back into plaintext. How encryption and decryption are done depends on the type of cryptographic scheme and on some form of key.

The usual notation for a cryptographic scheme is

C = E_k(P)
P = D_k(C)

where P denotes the plaintext, C the ciphertext, E the encryption function, D the decryption function, and k the key.

TYPES OF CRYPTOGRAPHIC ALGORITHMS

Commonly used algorithms are:

  • Secret Key Cryptography (SKC): Uses a single key for both encryption and decryption; also called symmetric encryption. It is primarily used for the privacy and confidentiality of data. As shown in Figure 1A, the sender uses the key to encrypt the plaintext and sends the ciphertext to the receiver. The receiver then applies the same key to decrypt the message and recover the plaintext. In this form of cryptography the key must obviously be known to both the sender and the receiver; that, in fact, is the secret. The main challenge with this approach is the distribution of the key (more on that later, in the discussion of public key cryptography).
  • Public Key Cryptography (PKC): Uses one key for encryption and another for decryption; also called asymmetric encryption. It is primarily used for authentication, non-repudiation, and key exchange. Public key cryptography is regarded as the most significant new development in cryptography. Generic PKC employs two keys that are mathematically related, although knowledge of one key does not allow someone to easily determine the other. One key is used to encrypt the plaintext and the other to decrypt the ciphertext. The important point is that it does not matter which key is applied first, but both keys are required for the process to work (Figure 1B). Usually in PKC one of the keys is designated the public key and may be advertised as widely as the owner wants; the other is designated the private key and is never revealed to another party.
  • Hash Functions: Use a mathematical transformation to irreversibly "encrypt" information, providing a digital fingerprint. They are primarily used for message integrity. Hash functions, also called message digests or one-way encryption, are algorithms that, in essence, use no key (Figure 1C). A fixed-length hash value is computed from the plaintext in such a way that neither the contents nor the length of the plaintext can be recovered. Hash algorithms are mainly used to provide a digital fingerprint of a file's contents, which ensures that the file has not been altered by an intruder or a virus. Hash functions are also commonly used by many operating systems to protect stored passwords. Hash functions thus provide a mechanism to ensure the integrity of a file.

TRUST MODELS in Cryptography

Secure use of cryptography requires trust. Even though secret key cryptography can ensure message confidentiality and hash codes can ensure integrity, neither can function without trust. Hence a number of trust models are used for the various cryptographic schemes. This section explores three of them:

  • The web of trust employed by Pretty Good Privacy (PGP) users, each of whom maintains their own set of trusted public keys.
  • Kerberos, a secret key distribution scheme that uses a trusted third party.
  • Certificates, which allow a set of trusted third parties to authenticate each other and their users.

These trust models differ in complexity, general applicability, scope, and scalability. It is hard to say that one is better than the others; it all depends on your application.

PGP's web of trust is easy to maintain and is based on the reality of users as people. The model has its limitations, though: how many public keys can a single user reliably store and maintain? What happens when you are using the "wrong" computer when you want to send a message and cannot access your key? How easily can a key be revoked if it is compromised?

Kerberos, on the other hand, overcomes many of the problems of PGP's web of trust: it is scalable and has a very large scope. Its limitation is that the Kerberos server must have a priori knowledge of all client systems before any transaction takes place, which makes it unfeasible for client/server use in the e-commerce world.

Certificates and the collection of CAs form a PKI. In the early days of the Internet, every host had to maintain a list of every other host; the Domain Name System (DNS) introduced a distributed database for this purpose, and DNS is one of the key reasons that the Internet has grown as it has.

Although the benefits of certificates and PKI are usually associated with electronic commerce, the applications of PKI are much broader and include secure electronic mail, payments and electronic checks, Electronic Data Interchange (EDI), secure transfer of Domain Name System (DNS) and routing information, electronic forms, and digitally signed documents.

Interested to learn more? Watch out this space for our next blog on cryptography testing and how it forms an essential component of BlockChain.

Drop in your comments or queries, at https://www.magicblockchainqa.com/call-us/

Thanks for reading.


Sharmistha Ghosh

Sr Consultant - Magic BlockchainQA

As a managing consultant at Magic Finserv, Sharmistha is actively involved as Test architect, providing testing solutions for Blockchain applications and building capabilities within the organisation.
