EN 
11.09.2024 WELCOME IN MY WORLD

This website is originally written in the Czech language. Only part of the content is machine (AI) translated into English. The translation may not be exact and may contain errors.

Tento článek si můžete zobrazit v originální české verzi. You can view this article in the original Czech version.
Obecný úvod do šifrování dat

A general introduction to data encryption

Edited 27.05.2019 09:00 | created | Petr Bouška - Samuraj |
A summary of the basics of encryption. Terms, types of cryptographic algorithms (cipher), what algorithms to use, how secure encrypted data is.
displayed: 15 031x (15 006 CZ, 25 EN) | Comments [0]

Cryptography and Encryption

Cryptography is the science that serves to secure private messages from third parties. It is used to achieve various goals, primarily:

  • Confidentiality - protection against data reading
  • Data integrity - protection against data alteration
  • Authentication - verification that the data comes from the given party
  • Non-repudiation - non-repudiation of message authorship

Encryption belongs to the field of cryptography. It is the transformation of data for the purpose of securing it. The source data is referred to as plaintext, and the target (encrypted) data as ciphertext. The result is that only those who know the key can read (decrypt) the encrypted data.

Encryption uses a key. There are also other methods that perform data transformation without using a key.

Hashing or hash functions are mathematical functions that have several rules:

  • they create a shorter fixed-length output (hash) from input data of varying lengths
  • the same input always has the same output
  • different inputs have different outputs
  • the input data cannot be obtained from the output
  • if the input changes, the output changes significantly

Hashing is used to ensure data integrity by creating a checksum for the data. Examples of hash functions include MD5, SHA, and SHA2.

Encoding transforms data into another format (to make it easier to process). The process is publicly known and can be reversed. An example is storing binary data in text using Base64 encoding, which is used, for example, to store certificates.

Ciphers and Keys

The term cipher refers to (is synonymous with) a cryptographic algorithm, which is a series of clearly defined steps that perform encryption or decryption. Today, primarily publicly known ciphers are used, so security is not in the secrecy of the algorithm but in the strength of the key.

When using a cipher, we need a key, a secret piece of information without which the encrypted message cannot be read. Different types of keys are used:

  • shared secret key - known by multiple parties, used in symmetric encryption
  • public key - used for encryption in asymmetric encryption
  • private key - used for decryption in asymmetric encryption

The key length is important, typically measured in bits. It affects the time required for a brute-force attack on the cipher and thus the security of the encrypted data. Related is the strength of the cipher. Cryptologists determine this by analyzing algorithms and evaluating the effort needed to break them.

Cryptographic Algorithms

Generally, ciphers are divided into two categories based on the use of keys.

Symmetric algorithms use the same secret key for encryption and decryption. The disadvantage is that if we want to pass encrypted data to another person, we must solve the secure transfer of the key to the other party. The main advantage is that they are fast (significantly faster than asymmetric algorithms). They are also referred to as private (symmetric) key encryption. They are further divided into:

  • stream ciphers - work with a continuous stream of symbols (character by character), fast, low-resource, an error affects one character, more susceptible to attack, example RC4
  • block ciphers - work with fixed-length blocks of symbols (64, 128 bits), example DES, AES, RC5, BLOWFISH

Asymmetric algorithms use two keys. The encryption key is publicly known, so anyone can encrypt data, but only the owner of the private key can decrypt it. It is suitable for smaller data (used for key distribution) because it is computationally intensive. It is also referred to as public key encryption. Examples include RSA, Diffie-Hellman, DSA, ECC (Elliptic-Curve Cryptography).

In practical situations, both algorithms are often combined, where asymmetric cryptography is used to exchange secret keys for symmetric cryptography, which is used to encrypt the actual data. This happens, for example, in the SSL (Secure Sockets Layer) protocol using certificates (these are an example of asymmetric cryptography with a public and private key).

Security of Ciphers

When we want to encrypt some data, we are interested in how secure it will be. This is influenced by several factors. We talk about the security level, which is a measure of the strength that the cipher achieves. It is commonly expressed in bits (n bits means 2n operations to break, in other words, the number of possible keys).

  • key length is the upper limit of cipher security, because any public algorithm can be broken by brute force (measured using the fastest known algorithm), depending on the currently available computing power and the type of cipher (symmetric, asymmetric, elliptic), because different types of ciphers have different levels of cryptographic complexity (they have different key sizes for the same level of security, for example, 128-bit security is provided by AES-128 and RSA with a 3072-bit key)
  • the lower limit of cipher security can be lower (we try to keep it the same) due to various attacks, vulnerabilities, or deficiencies in the algorithm (3DES was designed with a 168-bit key option, but a known attack reduces it to 112 bits), for asymmetric ciphers there are always attacks faster than brute-force search

Encryption algorithms have a fixed key length. Examples include DES 56 bits, 3DES 112 bits, AES 128, 196, or 256 bits, RSA 1024 or 2048 bits. The shortest keys can be for symmetric algorithms, much longer for asymmetric algorithms. A special case is elliptic curves, which belong to asymmetric algorithms but can have shorter key lengths.

Security of Encrypted Data

When encrypting data in practice, we use an application that supports a certain cipher and key size. In this application, for encryption/decryption, we usually do not directly enter the encryption key (e.g., 256-bit), which is intended for software and thus may not be readable by humans (a binary key has higher security). Instead, we choose a password (or PIN), which is intended for human use (often readable text, thus having lower security). It usually has a different length than the key.

Encryption key is generated in two ways:

  • the application generates it and protects access to it with a password
  • it is derived from a password using a Key Derivation Function (KDF), which generates a key of a given length, can add salt, address strength, and often uses hash functions

As a result, more may depend on the chosen password (if it can be brute-forced) than on the strength of the chosen algorithm. Nowadays, the recommendation for the number of characters in a password is a complex password of at least 10 characters, a passphrase of at least 15 to 20 characters. Note: Requirements/recommendations for password length are still increasing, see the new wording of the Cybersecurity Decree No. 82/2018 Coll. Identity Management and Verification.

Recommended Cryptographic Algorithms

There are many standards, regulations, and recommendations that define possible cryptographic algorithms. To choose a suitable algorithm, we can also look at statistics and estimates of cipher security and key lengths. Based on this, we can find suitable security for our requirements.

If we need to comply with Czech legislation, we can use Decree No. 316/2014 Coll. - Decree on Security Measures, Cybersecurity Incidents, Reactive Measures, and the Determination of Requirements for Submissions in the Field of Cybersecurity (Cybersecurity Decree), where the minimum requirements for cryptographic algorithms of various categories are listed in Appendix No. 3.

Decree No. 316/2014 Coll. was replaced on May 28, 2018, by Decree No. 82/2018 Coll., which no longer contains an appendix on cryptographic algorithm requirements. The National Cyber and Information Security Agency (NÚKIB) published on November 28, 2018, on its official board the document Recommendations in the Field of Cryptographic Means: Minimum Requirements for Cryptographic Algorithms.

Selection of the most common recommended algorithms:

  • symmetric algorithms AES (Advanced Encryption Standard) with key lengths of at least 128 bits
  • asymmetric algorithms DSA (Digital Signature Algorithm), RSA (Rivest-Shamir-Adleman), DH (Diffie-Hellman) with key lengths of at least 2048 bits, EC-DSA (Elliptic Curve Digital Signature Algorithm) and ECDH (Elliptic Curve Diffie-Hellman) with key lengths of at least 224 bits
  • hash functions SHA-2 and SHA-3

When and How to Use Encryption

First, we need to determine what to encrypt. One option (prescribed, for example, in ISO standards) is to classify information (e.g., standard, protected, strictly protected) and encrypt certain categories. Today, we should encrypt personal data (as required by GDPR). Or generally, all information valuable to us.

We use encryption for storing information, i.e., storing it on an electronic data medium (such as a hard drive in a computer or on a disk array, removable data medium, etc.). Information in the network is mostly protected by access control, but in many cases, this is not sufficient. It is significantly safer to also use encryption protection. Disk encryption or file encryption (e.g., encrypted archive using the 7-Zip application) can be used, and removable data media can be encrypted using BitLocker To Go.

Or when transferring information, when we need to transfer information to another place or person. Commonly, this involves transfer over a computer network, but it can also involve transfer on a removable medium. In practice, electronic mail is used, where we can use S/MIME for encryption and signing with a certificate (public key) or send information as an encrypted attachment (file). Some specialized application for communication (e.g., OKsystem Babelnet). Another option is an online file storage, where data is protected during transfer using TLS.

Interesting Links

Digital Signature vs. Encryption

Asymmetric cryptography uses two keys (public, which is openly distributed, and private, which is known only to the owner). The keys are generated according to a specific cryptographic algorithm (such as RSA or ECC), and the public key can be calculated from the private key. The most well-known use is for

  • public key encryption - anyone can encrypt data with the public key, but it can only be decrypted with the private key
  • digital signature (authentication) - the private key is used to sign data, and anyone can verify the validity using the public key

Digital signature works by calculating a hash for the data to be signed (using a specific hash function, such as SHA256) and encrypting it with the private key. The resulting encrypted data is the digital signature (the signature also includes a timestamp of when the signature was made). If the data is changed, the signature is invalid.

When verifying the signature, the signature (hash) is decrypted using the public key. Then a hash is calculated for the data (using the given function), and the two hashes are compared. If both values are the same, the signature is valid.

Note: If data is encrypted with the private key, it can only be decrypted with the public key. Conversely, data encrypted with the public key can only be decrypted with the private key.

Author:

Related articles:

Windows OS

Articles dedicated to Microsoft operating systems, both client and server.

SSL/TLS protocol

The Secure Sockets Layer protocol and its successor, Transport Layer Security, are widely used on the Internet to secure the communication of another protocol (such as HTTPS, SMTPS, XMPP) using encryption.

If you want write something about this article use comments.

Comments

There are no comments yet.

Add comment

Insert tag: strong em link

Insert Smiley: :-) ;-) :-( :-O

Help:
  • maximum length of comment is 2000 characters
  • HTML tags are not allowed (they will be removed), you can use only the special tags listed above the input field
  • new line (ENTER) ends paragraph and start new one
  • when you respond to a comment, put the original comment number in squar brackets at the beginning of the paragraph (line)