I kinda specialized in network security in uni. It was a lot of fun, and IMO, the easiest course. The final exam was kinda stupid, because if it was open book, I could've gotten full marks with just google, the RFCs and wikipedia, without attending any classes. It's really that simple in theory. I've coded my own really basic encryption software from scratch too, in just a couple of days, it's not that bad.
I'm not sure what you're looking for exactly. Are you trying to do encryption? Are you trying to hack into things? Are you trying to design advanced algorithms? If you're just looking to crack stuff, you don't really want to bother too much with encryption, you'd want to focus more on social engineering. The Art of Deception is a brilliant book on social engineering, highly recommended. If I want to get passwords, I don't try to crack someone's Facebook directly, instead I look for when they enter their passwords on nonsecure sites, and hope that they're the same, or that they follow a similar pattern to their passwords on more secure sites.
I'm not a fan of advanced cryptography...
Stone age (like literally swapping alphabets) take hours to days to crack.
Really basic cryptography takes days for a noob to google and script kiddie around, hours with special military hardware. They say DES is not secure, but it takes a dedicated machine to brute force it in days.
Medium strength cryptography (like Facebook, proxies, that 'medium' setting on your router) take years to crack for a noob, days with special equipment.
Top level cryptography (like Pentagon quality) takes thousands of years to brute force. But a social engineer can get your bank password in hours.
There's not really much difference between years and thousands of years, nobody's going to buy a $200k machine to look at your porn or steal $5k from your piddly bank account. I can sniff out my neighbor's passwords and look at their webcam data, but I can't be arsed because it takes days to find and sift through the raw info (or find a software that does it). I just use really basic security for personal needs and have a difficult password to guess, but
easy to remember.
Instead of giving you a book, I'll just explain the basic concepts, since google sucks at this. And I can just copypasta this to other people asking about the topic
Find out what shared key is. It's just basically that you encrypt and decrypt something with the same key.
Then you have public-key cryptography. It's basically that you encrypt something with one key, and decrypt it with another. Since you're not using the same key to encrypt and decrypt, one of the keys can be given freely in public, while the other is kept private. The drawback of them is that they're extremely slow compared to shared keys. So you want shared keys for normal en/decryption.
You want to pass a shared key to someone, but can't give it out in public because anyone intercepting it can just sniff it and decrypt whatever you're encrypting with it. So, you ask someone for their public key. You encrypt your shared key with that public key and give it to them. Someone in the middle can't get your shared key from that public key because they can't decrypt it. But your intended recipient can decrypt the public key they gave you and pull out the shared key. Then both of you pass messages while en/decrypting with the shared key.
The problem here is that a man in the middle can give you their fake public key, if you don't verify the identity of the sender. So you have authentication servers. And you have authentication servers that authenticate authentication servers. It's all a web of trust, and you have these security conferences where everyone is signing each other's keys.
Then you have hashes, which are basically just a shortened version of something. It's used to verify if the thing is indeed real and not modified along the way. So, I could have a 1MB file hashed to "K#(Cf!". If I send it over the server, I expect a hash on that file to result in "K#(Cf!" if it wasn't modified. Servers usually store hashes of passwords, not passwords themselves. A rogue server admin can't pull your password from the server, they can just pull the hash and try to match hashes.
You can combine hashes to public keys to create signatures to verify identity.
From all that, you get basic tricks like SSL/TLS which is used by banking sites. Just that they're designed in such a way as to foil many other forms of attacks.
Advanced cryptography is simply built around all this stuff. You are basically locking a key with another key, then locking that key with another key, and using some keys a bare minimum to prevent them from getting sniffed. You create this complex tree of keys locked with other keys. And then start changing the keys every once in a while so people who steal them can't figure them out.
The existing algorithms for cryptography actually work very well, so people aren't really inventing new ones. If you want to learn about them, get a Masters in them, because they involve a hell lot of math, more than you'll get from internet forums and textbooks
Steganography... well, I'd just encrypt a message, and sign it.
Wikipedia gives a very good explanation on how it's done along with some tools for it.
Oh, and RSA (the most common form of public-private key algorithms) will probably go obsolete when quantum computers become common. Quantum computers suck for things like gaming, but they'll crack private keys excellently.
Anyway, you can PM me if you have a question, since I don't really lurk the Life Advice subforum
Author
Topic: Cryptography and Steganography. (Read 1105 times)