**Different types of Crypto Algorithms**

If you have been infected with ransomware, are studying cryptography, or are simply trying to secure your setup, it can be quite confusing to understand the different types of encryption. You may see terms such as hashing something on a cyber security website, or RSA and AES on a ransomware’s ransom note. This article seeks to explain the different types of algorithms and the uses of each in a simple to understand terms. Since this is a ransomware support forum, I will also go over how each may be used in a ransomware attack.

**Table of Contents**

- Symmetric Encryption
- Asymmetric Encryption
- Hashing Algorithms
- Bit-sizes of Keys and Blocks
- Conclusion
- Glossary

**Symmetric Encryption**

Symmetric Encryption is the most basic and straightforward type of encryption. It is mainly used to encrypt large files because it requires fewer computations to accomplish.

This type of encryption works with one single key that is used to both encrypt the data and decrypt it. Let’s imagine I am making a simple password manager. It needs to store the passwords somehow, and the easiest way to do this is to have them in a file on the user’s computer. However, it cannot just leave it lying around with the passwords readily readable, because anybody who has access to the computer will then be able to open the file. The passwords are said to be stored in **plaintext**. Most password managers have the user remember a master password that is needed to display the other passwords. This master password is called the **key**. When the password manager is not in use, or until the correct key has been entered, the file contains an illegible mess of symbols, called the **ciphertext**. When I enter my password, the password manager puts the key and the ciphertext through a function called the decrypt function, which yields the plaintext. When I add a new password, the password I put in (the plaintext) and the key are put into the encrypt function, which yields the ciphertext. Here is a graphical representation of this:

As this image shows, the same key is used for both encryption and decryption. If you have taken high school pre-calculus, you will know that these functions are inverses, thus the name **Symmetric** Encryption.

While this is cheap in terms of processing power, it comes at a cost. Namely, if two or more parties want to communicate securely using a symmetric algorithm, they must agree on a securely exchanged key. If the communications channel is monitored, the key itself can be intercepted, making the entire process useless.

Since this is the computationally cheapest way to encrypt files, it is the *main* type of algorithm that is used in ransomware. Algorithms that are symmetric include AES (Advanced Encryption Standard), DES (Data Encryption Standard)(this is old and no longer secure), Blowfish, and Twofish.

**Asymmetric Encryption**

As I’ve explained in the previous section, the main flaw of symmetric ciphers is the necessity to securely exchange a key. In some cases, this is acceptable. In others, however, where the entire communication is intercepted, this is a fatal flaw. As a solution to this problem, cryptographers have invented a second type of encryption algorithm, called **Asymmetric** Encryption. In this type of algorithm, the key used to encrypt is different from the key used to decrypt. Imagine that Alice and Bob want to communicate by sending each other packages, but that Eve reads every message sent. Alice can create a key, called a private key or **privkey** and a lock that is unlockable by that key. The lock is, perhaps counterintuitively, called the public key, or **pubkey**. Now Alice sends the open lock to Bob. He then creates a key for a symmetric algorithm and puts it in a box, which he locks with the lock that Alice sent him. When Alice gets the box, she can open it using the privkey. Eve, however, does not have the privkey so she cannot open the box that Bob sent. Now, Alice has the symmetric key that Bob created, and she can send him messages with it. In the computer world, large prime numbers are used instead of physical locks and keys. This type of algorithm presents two major drawbacks:

- The keys need to be a lot larger for the same amount of security
- It takes a lot more computation to encrypt/decrypt a message of the same size

This is why we only use it to exchange the key, which is then used for all subsequent communication. Here is a graphical representation of asymmetric cryptography:

In this case, the image shows that there is a different key to encrypt and decrypt. What it fails to show is that the privkey can be used to generate the pubkey.

This is generally used to establish secure communications, and malware is no exception. When communicating a key that has been used to encrypt files, ransomware can employ asymmetric cryptography to prevent it from being picked up. Asymmetric algorithms include RSA, ECC, and the Diffie-Hellman algorithm.

**Hashing Algorithms**

Hashing algorithms are different from the other two types of algorithms, in that they do not ever “contain” the plaintext. The idea is that it is a one-way algorithm that can be used to obtain a “checksum” of a message. A hashing function takes only one argument, and returns a fixed-size value, called a **hash**, **checksum**, or **digest**. There are two main takeaways here: the output cannot be used to get the input, and the same input creates the same output. This is not exactly accurate since one can brute force the hash, but I’ll cover breaking cryptography in a different article. For now, let’s focus on the application. Back in the early days of the internet, websites that allowed people to create accounts stored these accounts in plaintext. This was very bad security practice because if the database was ever compromised or hacked, then the hacker could see all of the passwords. Since many people use the same password on different sites, the logins of this website could be tested against other websites to try to compromise more accounts. Then, we turned to hashing. A server that uses hashing (most modern websites) will not store the actual passwords. Rather, it will take a hash of them at the time of the account’s creation, and store that hash. Whenever the user tries to login, the password they provide is hashed and compared against the stored hash. Recall when I said that the same plaintext produces the same hash? That is where this comes in. Without ever knowing the password, the website can determine whether the login is correct or not. But if a hacker manages to obtain the database, they will have to brute force the hashes, which takes time. Meanwhile, a PSA is sent out and the users are asked to change their passwords. Here is a graphical representation of a hashing algorithm:

It is also used to verify the integrity of files. Ransomware can use this, for example, to verify whether the key you supplied is correct. Some hashing algorithms are MD5, SHA-1, SHA-256, and SHA-512.

**Bit-sizes of Keys and Blocks**

When dealing with crypto algorithms, you will probably see something-bit written next to it. For example, you may see AES 256-bit. This can mean one of two things, although normally we can guess.

Most algorithms are called **block ciphers**. This means that they will take a plaintext of a given length, encrypt it, and return a ciphertext of that same length. This is called the **block size** of the cipher. For AES, the standard is 128 **bits**. A bit is a single 1 or 0 in computer storage. In general, 8 bits make up a byte, 1024 bytes make a kilobyte, 1024 kilobytes make a megabyte, and so on. When we have a length in bits, we can convert it to bytes by dividing it by 8. 128/8=16, so our block size is 16 bytes of data. Crypto algorithms accept a key as well as a plaintext. This key also has a defined size. For AES, this can vary. We have standards for 128-bit keys, 192-bit keys, and 256-bit keys. When we see AES 256-bit, we know that this refers to the key because the block is always 128 bits.

Most of the time, our data does not neatly fit within 16 bytes. There are different ways around this, and poor implementations can have weaknesses that can allow data to leak through. However, we will discuss this in the breaking cryptography article.

**Conclusion**

As we have seen, there are many several different types of an encryption algorithm. To protect the plaintext, allowing only the entitled recipient to read it, while the third verifies the integrity of the plaintext without ever containing it. All of these can be used by ransomware in their own way, so it is important to be aware of what you are dealing with. I hope this article helped. If you have any questions, leave a comment and I will answer them as soon as I can.