Chapter 5: Cryptographer/Cryptanalyst

This chapter will cover two job roles: cryptographer and cryptanalyst, which are blended under the title of cryptographer since the majority of open private sector job postings list cryptographer as the job title in demand. As a cryptographer, you will also be doing cryptanalyst work in attempting to break encryption. In this chapter, you will learn about what cryptographers do, where they might work, and the average salary range for cryptographers in the US. You will also learn about the career progression options and learn common interview questions for the role.

The following topics will be covered in this chapter:

• What is a cryptographer?
• How much can you make in this career?
• What other careers can you do?
• Common interview questions for cryptographers

What is a cryptographer?

Cryptographers write and crack the encryption code used to protect data. In a cryptographer role, you will help to develop better algorithms to help protect data from threats. Depending on the organization you work with, your day-to-day work will vary, but you will be protecting critical data from being stolen, deleted, altered, or copied. Cryptographers also help to develop mathematical and statistical models that can help organizations locate and disrupt threats to their systems.

Some of your day-to-day work as a cryptographer will include identifying weaknesses in existing cryptography systems and identifying ways to better secure them, conducting testing of cryptology theories, improving data security across the organization, deploying symmetric and asymmetric cryptography, managing the organization's encryption implementation especially as it relates to code and third-party products, conducting training of other departments to help them implement better encryption practices, and developing new encryption solutions.

To be successful in a cryptography career, you should have hands-on experience of operating systems and computer networking, and know at least one programming language. You will also need to be familiar with different encryption algorithms, message authentication code (MAC), hashing, number theory, key exchange, data structures, and digital signatures, and have strong mathematical skills in areas such as linear algebra. In addition to these hard skills, you will need soft skills such as the ability to work well in teams, effective communication with different stakeholders, problem-solving and critical thinking skills, and good time management skills.

Full-time cryptography roles are typically found in public sector (government) work. In the US, cryptographers might work for government entities such as the National Security Agency or the Department of Defense.

Certifications available for this career path include the Certified Blockchain Security Professional (CBSP) and the EC-Council Certified Encryption Specialist (ECES).

If you are looking to gain hands-on experience working through cryptography challenges, the Cryptopals website has free challenges around cryptography (https://cryptopals.com/).

SimpliLearn also has free cryptography training available on their YouTube channel at this link: https://youtu.be/C7vmouDOJYM.

How much can you make in this career?

According to ZipRecruiter (https://www.ziprecruiter.com/Salaries/Cryptography-Salary), the average salary for cryptographers in the United States is around $145,000 and varies with the organization that you work for, your location, and years of experience. With just a few years of experience, your salary in the United States can rise above $190,000.

What other careers can you do?

A career as a cryptographer can help you advance into other cybersecurity careers such as a penetration tester, an incident responder, and a malware reverse engineer. This career is also a natural progression into a crypto and blockchain security researcher career, where you may be researching emerging technology and/or threats, contributing to research publications, and developing new approaches to managing threats.

Common interview questions for cryptographers

The following questions are designed to assess your fundamental knowledge of cryptography. In job interviews, you may also be asked to solve cryptography challenges. The hands-on assessment will depend upon the employer and the role you are applying for:

• What is the difference between cryptography, cryptology, and cryptanalysis?

Cryptography is the practice of secure communication techniques. Cryptology is the study of secure communication techniques. Cryptanalysis is the practice of breaking cryptography.

• What is the difference between encoding, hashing, and encryption?

Encoding is just the process of converting data from one format to another. ASCII, Base64, and Unicode are examples of encoding algorithms. In encoding, the same algorithm is used to encode and decode the data, which means an attacker would just need to have the data sample to be able to decode it.

Encryption is the process of using a cryptographic key to scramble your data so it is unreadable. Symmetric encryption involves using a shared key where both the sender and receiver know the key. The shared key is then used to encrypt and decrypt the data. Asymmetric encryption uses a public and private key. The public key is known (hence the name public) and is used to encrypt the data, and the receiver's private key is used to decrypt the data. Rivest-Shamir-Adleman (RSA) is a well-known asymmetric encryption algorithm.

Hashing is a one-way function, where a string of information is run through a hashing algorithm, and it produces a fixed-length output based on the algorithm you are using and the input data. This means that if the input data and the hashing algorithm used remain the same, the output will be the same. Hashing allows you to confirm that the data has not been altered. As an example, if you download files from the Kali Linux website (https://www.kali.org/), you will be able to check whether the hash of the file you have downloaded is the same hash as the original file. This helps you identify whether a malicious hacker might have altered the file from their website.

• What is the difference between asymmetric and symmetric encryption?

Symmetric encryption uses a single private key that both the sender and receiver of the message know. An advantage of symmetric encryption is that it is faster and requires less computation power than asymmetric encryption.

In the following example, Alice wants to send an encrypted message to her friend, Bob. Alice encrypts the message with the shared, private key, which converts (encrypts) the message from the plaintext to ciphertext. When Bob receives the message, he uses the same shared, private key to decrypt the message and read the plaintext message.

Figure 5.1 – Symmetric encryption example

Asymmetric encryption uses a public and private key. The public key is shared by the owner, but their private key must only be known by them. Asymmetric encryption provides confidentiality through encryption and provides authenticity and nonrepudiation through the use of digital signatures.

In the following example, Alice encrypts her plaintext message with Bob's shared public key and when Bob receives the message, he decrypts it with his private key (known only to him) to view the content of the message.

Figure 5.2 – Asymmetric encryption example

• What are some examples of symmetric encryption algorithms?

Some examples are Data Encryption Standard (DES), which used a 56-bit key, Triple-DES (3DES), which replaced DES and used 168 bits, International Data Encryption Algorithm (IDEA), Twofish, Blowfish, Rivest Cipher (RC), and Advanced Encryption Standard (AES), which has key sizes of 128 bits, 192 bits, and 256 bits.

• What are some examples of asymmetric encryption algorithms?

Some examples are Diffie-Hellman, RSA, El Gamal, and elliptic curve cryptography (ECC).

• Name some hashing algorithms.

Some common hashing algorithms you should have knowledge of are the following:

• Message-digest algorithm version 5 (MD5)
• Secure hash algorithm 1 (SHA-1), which has a 160-bit hash value and is no longer a standard for use across organizations
• Secure hash algorithm 2 (SHA-2), which includes the hash functions SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, and SHA-512/256
• Secure hash algorithm 3 (SHA-3), which includes the hash functions SHA3-224, SHA3-256, SHA3-384, SHA3-512, SHAKE128, and SHAKE256

• What is steganography?

Steganography is the practice of hiding messages or data within another medium. For example, you could hide a secret message in a photo of your dog using steganography.

Some tools you can use for steganography are Open Stego (https://www.openstego.com/), Quick Stego (http://quickcrypto.com/free-steganography-software.html), and the SNOW steganography tool (https://github.com/mattkwan-zz/snow).

• Can you name some common cryptography attacks?

Common cryptography attacks include known-plaintext attacks, chosen-plaintext attacks, ciphertext-only attacks, replay attacks (typically in the form of man-in-the-middle attacks), and chosen-ciphertext attacks.

• What is PKI?

Public key infrastructure (PKI) is used to describe the policies, software, and other infrastructure needed to manage digital certificates and public key encryption.

PKI is best explained with a simple example. In the following figure, our user, Bob, requests a certificate from a registration authority (RA). The RA then helps to validate the identity of the user and sends a request to the certificate authority (CA) to create a user certificate and keys. Once the CA has created the certificate and keys, it sends it to the user. Bob then submits this certificate to our user, Robyn. Robyn contacts the CA to validate the certificate and Bob's identity. The CA then verifies that the certificate from Bob is valid, so Robyn now trusts Bob.

Figure 5.3 – PKI example

• Can you describe quantum cryptography?

Quantum cryptography uses light particles (photons) to transmit data between locations over fiber optic cables. The sender of the data transmits the light particles through a polarizer that characterizes the particles with one of the four possible bit polarizations:

• Horizontal (0-bit)
• Vertical (1-bit)
• 45 degrees left (0-bit)
• 45 degrees right (1-bit)

The particles then move to a receiver that uses two beam splitters to read the polarization of each particle. The receiver then notifies the sender which beam splitter was used for the particles in the sequence that was sent; the sender compares that information with the sequence of polarizers that was used to send the key and discards any photons that were read with the wrong beam splitter. The remaining sequence of bits becomes the key. This method helps protect data because if anyone eavesdrops on the communication and reads or attempts to copy the data, the state of the photon will change and be detected by the endpoint.

• What is PGP?

Pretty good privacy (PGP) is a protocol that is used to encrypt and decrypt data. It provides authentication and cryptographic privacy. PGP is used to compress data, for digital signing, for the encryption and decryption of messages, emails, files, and directories, and to help improve the privacy of communication via email.

• What is the difference between stream and block ciphers?

In block ciphers, the plaintext input is broken up into fixed-size blocks and the blocks are then encrypted and decrypted as a block.

Examples of block ciphers include the DES and the AES.

In stream ciphers, the plaintext input is encrypted and decrypted by an individual byte. An example of a stream cipher is Rivest cipher 4 (RC4).

A fundamental understanding of symmetric and asymmetric cryptography is critical for cryptography roles, and you also need to be aware of emerging areas, such as quantum cryptography.

Summary

In this chapter, you learned about the cryptography career path and the average salary for this career in the United States. You also learned how working as a cryptographer can be a stepping stone into more advanced careers and learned some of the common interview questions that might be asked of you.

In the next chapter, you will learn about a career as a GRC analyst, including common knowledge-based interview questions you might be asked.