Cryptography interview questions and answers for developers
Cryptography, or cryptology, is the practice and study of techniques for secure communication in the presence of third parties called adversaries.
Here is a list of coding interview questions on Cryptography to help you get ready for your next technical interview in 2021.👉 You can check all 27 Cryptography tech interview questions here
🔹 1. What is a key?
In cryptography a key is a piece of information used in combination with an algorithm (a cipher) to transform plaintext into ciphertext (encryption) and vice versa (decryption).
A cipher can be reciprocal if it is used for both encryption and decryption, or non-reciprocal if a transformation to the key is required when using it in reverse.
🔹 2. Explain what is Data Encryption?
Data encryption translates data into another form, or code, so that only people with access to a secret key (formally called a decryption key) or password can read it. Encrypted data is commonly referred to as ciphertext, while unencrypted data is called plaintext.
🔹 3. Why is the Root Certificate important?
A Root SSL certificate is a certificate issued by a trusted certificate authority (CA).
In the SSL ecosystem, anyone can generate a signing key and sign a new certificate with that signature. However, that certificate is not considered valid unless it has been directly or indirectly signed by a trusted CA.
A trusted certificate authority is an entity that has been entitled to verify that someone is effectively who it declares to be. In order for this model to work, all the participants on the game must agree on a set of CA which they trust. All operating systems and most of web browsers ship with a set of trusted CAs.
🔹 4. What is Symmetric Encryption?
Symmetric Encryption is the simplest kind of encryption that involves only one secret key to cipher and decipher information. Symmetric encryption is an old and best-known technique. It uses a secret key that can either be a number, a word or a string of random letters. It is a blended with the plain text of a message to change the content in a particular way. The sender and the recipient should know the secret key that is used to encrypt and decrypt all the messages. Blowfish, AES, RC4, DES, RC5, and RC6 are examples of symmetric encryption. The most widely used symmetric algorithm is AES-128, AES-192, and AES-256.
The main disadvantage of the symmetric key encryption is that all parties involved have to exchange the key used to encrypt the data before they can decrypt it.
🔹 5. What are Confusion and Diffusion in Cryptography?
Confusion means that each binary digit (bit) of the ciphertext should depend on several parts of the key, obscuring the connections between the two. The property of confusion hides the relationship between the ciphertext and the key. This property makes it difficult to find the key from the ciphertext and if a single bit in a key is changed, the calculation of the values of most or all of the bits in the ciphertext will be affected. Confusion increases the ambiguity of ciphertext and it is used by both block and stream ciphers.
Diffusion means that if we change a single bit of the plaintext, then (statistically) half of the bits in the ciphertext should change, and similarly, if we change one bit of the ciphertext, then approximately one half of the plaintext bits should change.2 Since a bit can have only two states, when they are all re-evaluated and changed from one seemingly random position to another, half of the bits will have changed state. The idea of diffusion is to hide the relationship between the ciphertext and the plain text. This will make it hard for an attacker who tries to find out the plain text and it increases the redundancy of plain text by spreading it across the rows and columns; it is achieved through transposition of algorithm and it is used by block ciphers only.
These two properties help to ensure that extracting the key from plaintext-ciphertext pairs is difficult or infeasible.
🔹 6. Explain difference between Hashing and Encryption algorithms
Hash Functions provide a mapping between an arbitrary length input, and a (usually) fixed length (or smaller length) output. A hash function could be considered the same as baking a loaf of bread. You start out with inputs (flour, water, yeast, etc...) and after applying the hash function (mixing + baking), you end up with an output: a loaf of bread.
Going the other way is extraordinarily difficult - you can't really separate the bread back into flour, water, yeast - some of that was lost during the baking process, and you can never tell exactly how much water or flour or yeast was used for a particular loaf, because that information was destroyed by the hashing function (aka the oven).
Many different variants of inputs will theoretically produce identical loaves (e.g. 2 cups of water and 1 tsbp of yeast produce exactly the same loaf as 2.1 cups of water and 0.9tsbp of yeast), but given one of those loaves, you can't tell exactly what combo of inputs produced it.
Encryption Functions provide a 1:1 mapping between an arbitrary length input and output. And they are always reversible. The important thing to note is that it's reversible using some method. And it's always 1:1 for a given key. Encryption could be viewed as a safe deposit box. Whatever you put in there comes back out, as long as you possess the key with which it was locked up in the first place. It's a symmetric operation. Given a key and some input, you get a certain output. Given that output, and the same key, you'll get back the original input. It's a 1:1 mapping.
🔹 7. What is the difference between encryption, encoding, and hashing?
Encryption, encoding and hashing are techniques used for converting the format of data.
- Encryption is used for changing plain text into cipher text so that only authorized entities can understand it. Encryption deals with keys which are used to encrypt and decrypt the data. These keys are used to transform a simple text into a cypher text and the vice versa.
- Encoding is used for changing the data into a special format which makes it usable by external processes. Unlike encryption, the intention of encoding is not related to security. The message is encoded by using an algorithm or scheme.
- In hashing, the data is converted to a message digest or hash, which is usually a number generated from a string of text. Hashing is not reversible as encryption and encoding. The data is converted to a message digest or hash, which is usually a number generated from a string of text. These digests are important as one can easily match the hash of sent and received messages to ensure that both are the same and no tempering is done with the data.
🔹 8. Name the elements of PKI
A typical PKI includes the following key elements:
- A trusted party, called a certificate authority (CA), acts as the root of trust and provides services that authenticate the identity of individuals, computers and other entities
- A registration authority, often called a subordinate CA, certified by a root CA to issue certificates for specific uses permitted by the root
- A certificate database, which stores certificate requests and issues and revokes certificates
- A certificate store, which resides on a local computer as a place to store issued certificates and private keys
🔹 9. What is PKI?
A public key infrastructure (PKI) supports the distribution and identification of public encryption keys, enabling users and computers to both securely exchange data over networks such as the Internet and verify the identity of the other party.
Without PKI, sensitive information can still be encrypted (ensuring confidentiality) and exchanged, but there would be no assurance of the identity (authentication) of the other party. Any form of sensitive data exchanged over the Internet is reliant on PKI for security.
🔹 10. Provide an example of non-reciprocal cipher
A simple Caesar cipher transforms each letter of a plaintext message by shifting it a set number of places in a set direction along the basic 26 character Latin alphabet. The encryption and decryption here is not reciprocal as the key must be transformed (-3 to +3) to alter the direction of the shift when moving between encryption and decryption.
🔹 11. Provide an example on Reciprocal cipher
ROT13 (rotate 13) is a specific implementation of the Caesar cipher where the shift is 13 places. Due to the basic Latin alphabet being 26 characters long this means that the direction of the shift does not matter, the result is the same in either direction. They key (13) can be used without transformation.
🔹 12. What is Asymmetric Encryption?
Asymmetric encryption is also known as public key cryptography, which is a relatively new method, compared to symmetric encryption. Asymmetric encryption uses two keys to encrypt a plain text.
- Firstly, a public key must be made public in order to encrypt the data.
- Secondly, a private key used to decrypt the data.
The public key and the private key are not the same thing but they are related. You create your message then encrypt it with the recipient’s public key. After that, if the recipient wants to decrypt your message he/she would have to do it with his/her private key.
Asymmetric encryption is mostly used in day-to-day communication channels, especially over the Internet. Popular asymmetric key encryption algorithm includes EIGamal, RSA, DSA, Elliptic curve techniques, PKCS.
🔹 13. What are pros and cons of Public Key Cryptography?
The advantage of Asymmetric encryption is that it does not force the user to share (secret) keys as symmetric encryption does, therefore removing the necessity of key distribution and 3-rd party/communication channel risk. Asymmetric encryption supports digital signing (via Digital Certificates) which authenticates the recipient identity and make sure that message is not tampered in transit.
The cons of Asymmetric encryption are that it is time-intensive and it requires considerably more effort. Furthermore, you can send encrypted message only if the other person has created key pairs which means the other person must be knowledgeable. Finally, if you lose your private key – you will lose it forever. The private key is irrecoverable which could create a whole series of new problems to deal with.
🔹 14. Explain the role of Digital Certificates in Asymmetric Encryption process
To use asymmetric encryption, there must be a way of discovering public keys. One typical technique is using digital certificates in a client-server model of communication. A certificate is a package of information that identifies a user and a server. It contains information such as an organization’s name, the organization that issued the certificate, the users’ email address and country, and users public key.
When a server and a client require a secure encrypted communication, they send a query over the network to the other party, which sends back a copy of the certificate. The other party’s public key can be extracted from the certificate. A certificate can also be used to uniquely identify the holder.
🔹 15. Why not use symmetric encryption?
Ok, most of us communicate most of the time with people we already know. Let's say, Alice and Bob probably have physical contact, too. Symmetric encryption therefore is appropriate and simpler than asymmetric – one key instead of four for Alice and Bob. But how do you share the secret key? You tell them in person, read it over the phone, use a One Time Secret or Diffie-Hellman. Why not to use symmetric encryption? Have I missed something?
Arguments to mention:
It's 21 century. You talk to machines more often than you talk to persons. In particular every time you visit an "https://" Web site. How would you, precisely, read a key over the phone with a server to keep it secret from 3-rd party? Public key will help in that case.
Let's imagine you have 1000 friends. If you talk to 1000 persons and use pre-shared symmetric keys, then you have to remember 1000 secret keys. Secret key storage can be hard. With asymmetric encryption you just have to remember only public keys, and that is easy because public keys are public, so they can be "remembered" by being published somewhere, where everybody can see them.
Another example. Suppose you have a symmetric key K. Alice, Bob, and Eve share this key K so that they can all trade encrypted messages. However, Eve gives a copy of K to Mallory (who has malicious intent) without telling anyone. Now the entire network has been compromised, and Mallory can send and read messages as any other member.
If instead, Alice, Bob, and Eve each had their own private keys A, B and E respectively (with public keys A+, B+ and E+), then when Mallory gets ahold of E, all she can do is read messages intended for Eve, and send messages that it looks like Eve encrypted. We go from a situation in which Eve has compromised the entire network, to a situation where Eve's poor choice only affects messages to/from her.
Even if Alice and Bob could have key K1, Bob and Eve could have key K2, Alice and Eve can have key K3. Then if Mallory gets K3, she can still only intercept Alice/Eve communication, nothing else. Group messages can be handled by sending copies encrypted separately. However, then you have to keep track of n private keys instead of (n-1) public keys and 1 private.
Thanks 🙌 for reading and good luck on your next tech interview!
Explore 3800+ dev interview question here 👉 Devinterview.io