## Cryptography and Encryption

**Cryptography** is the science that serves to * secure private messages* from third parties. It is used to achieve various goals, primarily:

- protection against data reading*Confidentiality*- protection against data alteration*Data integrity*- verification that the data comes from the given party*Authentication*- non-repudiation of message authorship*Non-repudiation*

**Encryption** belongs to the field of cryptography. It is the * transformation of data* for the purpose of securing it. The source data is referred to as

**, and the target (encrypted) data as**

*plaintext***. The result is that only those who know the**

*ciphertext**can read (decrypt) the encrypted data.*

**key**Encryption uses a **key**. There are also other methods that perform data transformation without using a key.

**Hashing** or ** hash functions** are mathematical functions that have several rules:

- they create a shorter fixed-length output (hash) from input data of varying lengths
- the same input always has the same output
- different inputs have different outputs
- the input data cannot be obtained from the output
- if the input changes, the output changes significantly

Hashing is used to ensure data integrity by creating a checksum for the data. Examples of *hash functions* include **MD5**, **SHA**, and **SHA2**.

**Encoding** transforms data into another format (to make it easier to process). The process is publicly known and can be reversed. An example is storing binary data in text using **Base64** encoding, which is used, for example, to store certificates.

## Ciphers and Keys

The term ** cipher** refers to (is synonymous with) a

**cryptographic algorithm**, which is a series of clearly defined steps that perform

*or*

**encryption***. Today, primarily*

**decryption***are used, so security is not in the secrecy of the algorithm but in the strength of the key.*

**publicly known ciphers**When using a cipher, we need a ** key**, a secret piece of information without which the encrypted message cannot be read. Different types of keys are used:

- known by multiple parties, used in symmetric encryption*shared secret key*- used for encryption in asymmetric encryption*public key*- used for decryption in asymmetric encryption*private key*

The ** key length** is important, typically measured in

*. It affects the time required for a brute-force attack on the cipher and thus the security of the encrypted data. Related is the*

**bits****. Cryptologists determine this by analyzing algorithms and evaluating the effort needed to break them.**

*strength of the cipher*## Cryptographic Algorithms

Generally, ciphers are divided into two categories based on the use of keys.

**Symmetric algorithms** use the ** same secret key** for encryption and decryption. The disadvantage is that if we want to pass encrypted data to another person, we must solve the secure transfer of the key to the other party. The main advantage is that they are fast (significantly faster than asymmetric algorithms). They are also referred to as

**. They are further divided into:**

*private (symmetric) key encryption*- work with a continuous stream of symbols (character by character), fast, low-resource, an error affects one character, more susceptible to attack, example*stream ciphers***RC4**- work with fixed-length blocks of symbols (64, 128 bits), example*block ciphers***DES**,**AES**,**RC5**,**BLOWFISH**

**Asymmetric algorithms** use ** two keys**. The encryption key is publicly known, so anyone can encrypt data, but only the owner of the private key can decrypt it. It is suitable for smaller data (used for key distribution) because it is computationally intensive. It is also referred to as

**. Examples include**

*public key encryption***RSA**,

**Diffie-Hellman**,

**DSA**,

**ECC**(Elliptic-Curve Cryptography).

In practical situations, ** both algorithms are often combined**, where asymmetric cryptography is used to exchange secret keys for symmetric cryptography, which is used to encrypt the actual data. This happens, for example, in the

**(Secure Sockets Layer) protocol using certificates (these are an example of asymmetric cryptography with a public and private key).**

*SSL*## Security of Ciphers

When we want to encrypt some data, we are interested in how secure it will be. This is influenced by several factors. We talk about the **security level**, which is a measure of the strength that the cipher achieves. It is commonly expressed in bits (n bits means 2^{n} operations to break, in other words, the number of possible keys).

**key length**is the, because any public algorithm can be broken by brute force (measured using the fastest known algorithm), depending on the currently available computing power and the type of cipher (symmetric, asymmetric, elliptic), because different types of ciphers have different levels of cryptographic complexity (they have different key sizes for the same level of security, for example, 128-bit security is provided by AES-128 and RSA with a 3072-bit key)*upper limit of cipher security*- the
can be lower (we try to keep it the same) due to various attacks, vulnerabilities, or deficiencies in the algorithm (3DES was designed with a 168-bit key option, but a known attack reduces it to 112 bits), for asymmetric ciphers there are always attacks faster than brute-force search*lower limit of cipher security*

Encryption algorithms have a * fixed key length*. Examples include DES 56 bits, 3DES 112 bits, AES 128, 196, or 256 bits, RSA 1024 or 2048 bits. The shortest keys can be for symmetric algorithms, much longer for asymmetric algorithms. A special case is elliptic curves, which belong to asymmetric algorithms but can have shorter key lengths.

## Security of Encrypted Data

When encrypting data in practice, we use an ** application** that supports a

**and**

*certain cipher***. In this application, for**

*key size***, we usually do not directly enter the**

*encryption/decryption***(e.g., 256-bit), which is intended for software and thus may not be readable by humans (a binary key has higher security). Instead, we choose a**

*encryption key***password**(or PIN), which is intended for human use (often readable text, thus having lower security). It usually has a different length than the key.

** Encryption key** is generated in two ways:

and protects access to it with a password*the application generates it*using a*it is derived from a password*(KDF), which generates a key of a given length, can add salt, address strength, and often uses hash functions*Key Derivation Function*

As a result, more may depend on the chosen password (if it can be brute-forced) than on the strength of the chosen algorithm. Nowadays, the recommendation for the number of characters in a password is a complex password of at least 10 characters, a passphrase of at least 15 to 20 characters. **Note:** Requirements/recommendations for password length are still increasing, see the new wording of the * Cybersecurity Decree* No. 82/2018 Coll. Identity Management and Verification.

## Recommended Cryptographic Algorithms

There are many standards, regulations, and recommendations that define possible cryptographic algorithms. To choose a suitable algorithm, we can also look at statistics and estimates of cipher security and key lengths. Based on this, we can find suitable security for our requirements.

~~If we need to comply with Czech legislation, we can use Decree No. 316/2014 Coll. - ~~*Decree on Security Measures, Cybersecurity Incidents, Reactive Measures, and the Determination of Requirements for Submissions in the Field of Cybersecurity (Cybersecurity Decree)*, where the minimum requirements for cryptographic algorithms of various categories are listed in ** Appendix No. 3**.

Decree No. 316/2014 Coll. was replaced on May 28, 2018, by Decree No. 82/2018 Coll., which no longer contains an appendix on cryptographic algorithm requirements. The * National Cyber and Information Security Agency* (NÚKIB) published on November 28, 2018, on its official board the document Recommendations in the Field of Cryptographic Means: Minimum Requirements for Cryptographic Algorithms.

Selection of the most common recommended algorithms:

AES (Advanced Encryption Standard) with key lengths of at least 128 bits*symmetric algorithms*DSA (Digital Signature Algorithm), RSA (Rivest-Shamir-Adleman), DH (Diffie-Hellman) with key lengths of at least 2048 bits, EC-DSA (Elliptic Curve Digital Signature Algorithm) and ECDH (Elliptic Curve Diffie-Hellman) with key lengths of at least 224 bits*asymmetric algorithms*SHA-2 and SHA-3*hash functions*

## When and How to Use Encryption

First, we need to determine **what to encrypt**. One option (prescribed, for example, in ISO standards) is to classify information (e.g., standard, protected, strictly protected) and encrypt certain categories. Today, we should encrypt personal data (as required by GDPR). Or generally, all information valuable to us.

We use encryption for **storing information**, i.e., storing it on an electronic data medium (such as a hard drive in a computer or on a disk array, removable data medium, etc.). Information in the network is mostly protected by access control, but in many cases, this is not sufficient. It is significantly safer to also use encryption protection. Disk encryption or file encryption (e.g., encrypted archive using the 7-Zip application) can be used, and removable data media can be encrypted using ** BitLocker To Go**.

Or when **transferring information**, when we need to transfer information to another place or person. Commonly, this involves transfer over a computer network, but it can also involve transfer on a removable medium. In practice, ** electronic mail** is used, where we can use S/MIME for encryption and signing with a certificate (public key) or send information as an encrypted attachment (file). Some

*for communication (e.g., OKsystem Babelnet). Another option is an online*

**specialized application***, where data is protected during transfer using TLS.*

**file storage**## Interesting Links

- howsecureismypassword.net - determines how long it would take to crack the entered password (common dictionaries, brute force)
- www.betterbuys.com/estimating-password-cracking-times - another calculation of password cracking time
- haveibeenpwned.com - searches for email in known data breaches
- www.keylength.com - key strength

## Digital Signature vs. Encryption

** Asymmetric cryptography** uses two keys (

*public*, which is openly distributed, and

*private*, which is known only to the owner). The keys are generated according to a specific cryptographic algorithm (such as RSA or ECC), and the public key can be calculated from the private key. The most well-known use is for

- anyone can encrypt data with the public key, but it can only be decrypted with the private key**public key encryption**(authentication) - the private key is used to sign data, and anyone can verify the validity using the public key*digital signature*

** Digital signature** works by calculating a

**hash**for the data to be signed (using a specific hash function, such as SHA256) and

**encrypting**it with the private key. The resulting encrypted data is the

**digital signature**(the signature also includes a timestamp of when the signature was made). If the data is changed, the signature is invalid.

When ** verifying the signature**, the signature (hash) is

**decrypted**using the public key. Then a

**hash**is calculated for the data (using the given function), and the two hashes are

**. If both values are the same, the**

*compared***signature is valid**.

** Note:** If data is encrypted with the private key, it can only be decrypted with the public key. Conversely, data encrypted with the public key can only be decrypted with the private key.

There are no comments yet.