Cryptography and Encryption
Cryptography is the science that serves to secure private messages from third parties. It is used to achieve various goals, primarily:
- Confidentiality - protection against data reading
- Data integrity - protection against data alteration
- Authentication - verification that the data comes from the given party
- Non-repudiation - non-repudiation of message authorship
Encryption belongs to the field of cryptography. It is the transformation of data for the purpose of securing it. The source data is referred to as plaintext, and the target (encrypted) data as ciphertext. The result is that only those who know the key can read (decrypt) the encrypted data.
Encryption uses a key. There are also other methods that perform data transformation without using a key.
Hashing or hash functions are mathematical functions that have several rules:
- they create a shorter fixed-length output (hash) from input data of varying lengths
- the same input always has the same output
- different inputs have different outputs
- the input data cannot be obtained from the output
- if the input changes, the output changes significantly
Hashing is used to ensure data integrity by creating a checksum for the data. Examples of hash functions include MD5, SHA, and SHA2.
Encoding transforms data into another format (to make it easier to process). The process is publicly known and can be reversed. An example is storing binary data in text using Base64 encoding, which is used, for example, to store certificates.
Ciphers and Keys
The term cipher refers to (is synonymous with) a cryptographic algorithm, which is a series of clearly defined steps that perform encryption or decryption. Today, primarily publicly known ciphers are used, so security is not in the secrecy of the algorithm but in the strength of the key.
When using a cipher, we need a key, a secret piece of information without which the encrypted message cannot be read. Different types of keys are used:
- shared secret key - known by multiple parties, used in symmetric encryption
- public key - used for encryption in asymmetric encryption
- private key - used for decryption in asymmetric encryption
The key length is important, typically measured in bits. It affects the time required for a brute-force attack on the cipher and thus the security of the encrypted data. Related is the strength of the cipher. Cryptologists determine this by analyzing algorithms and evaluating the effort needed to break them.
Cryptographic Algorithms
Generally, ciphers are divided into two categories based on the use of keys.
Symmetric algorithms use the same secret key for encryption and decryption. The disadvantage is that if we want to pass encrypted data to another person, we must solve the secure transfer of the key to the other party. The main advantage is that they are fast (significantly faster than asymmetric algorithms). They are also referred to as private (symmetric) key encryption. They are further divided into:
- stream ciphers - work with a continuous stream of symbols (character by character), fast, low-resource, an error affects one character, more susceptible to attack, example RC4
- block ciphers - work with fixed-length blocks of symbols (64, 128 bits), example DES, AES, RC5, BLOWFISH
Asymmetric algorithms use two keys. The encryption key is publicly known, so anyone can encrypt data, but only the owner of the private key can decrypt it. It is suitable for smaller data (used for key distribution) because it is computationally intensive. It is also referred to as public key encryption. Examples include RSA, Diffie-Hellman, DSA, ECC (Elliptic-Curve Cryptography).
In practical situations, both algorithms are often combined, where asymmetric cryptography is used to exchange secret keys for symmetric cryptography, which is used to encrypt the actual data. This happens, for example, in the SSL (Secure Sockets Layer) protocol using certificates (these are an example of asymmetric cryptography with a public and private key).
Security of Ciphers
When we want to encrypt some data, we are interested in how secure it will be. This is influenced by several factors. We talk about the security level, which is a measure of the strength that the cipher achieves. It is commonly expressed in bits (n bits means 2n operations to break, in other words, the number of possible keys).
- key length is the upper limit of cipher security, because any public algorithm can be broken by brute force (measured using the fastest known algorithm), depending on the currently available computing power and the type of cipher (symmetric, asymmetric, elliptic), because different types of ciphers have different levels of cryptographic complexity (they have different key sizes for the same level of security, for example, 128-bit security is provided by AES-128 and RSA with a 3072-bit key)
- the lower limit of cipher security can be lower (we try to keep it the same) due to various attacks, vulnerabilities, or deficiencies in the algorithm (3DES was designed with a 168-bit key option, but a known attack reduces it to 112 bits), for asymmetric ciphers there are always attacks faster than brute-force search
Encryption algorithms have a fixed key length. Examples include DES 56 bits, 3DES 112 bits, AES 128, 196, or 256 bits, RSA 1024 or 2048 bits. The shortest keys can be for symmetric algorithms, much longer for asymmetric algorithms. A special case is elliptic curves, which belong to asymmetric algorithms but can have shorter key lengths.
Security of Encrypted Data
When encrypting data in practice, we use an application that supports a certain cipher and key size. In this application, for encryption/decryption, we usually do not directly enter the encryption key (e.g., 256-bit), which is intended for software and thus may not be readable by humans (a binary key has higher security). Instead, we choose a password (or PIN), which is intended for human use (often readable text, thus having lower security). It usually has a different length than the key.
Encryption key is generated in two ways:
- the application generates it and protects access to it with a password
- it is derived from a password using a Key Derivation Function (KDF), which generates a key of a given length, can add salt, address strength, and often uses hash functions
As a result, more may depend on the chosen password (if it can be brute-forced) than on the strength of the chosen algorithm. Nowadays, the recommendation for the number of characters in a password is a complex password of at least 10 characters, a passphrase of at least 15 to 20 characters. Note: Requirements/recommendations for password length are still increasing, see the new wording of the Cybersecurity Decree No. 82/2018 Coll. Identity Management and Verification.
Recommended Cryptographic Algorithms
There are many standards, regulations, and recommendations that define possible cryptographic algorithms. To choose a suitable algorithm, we can also look at statistics and estimates of cipher security and key lengths. Based on this, we can find suitable security for our requirements.
If we need to comply with Czech legislation, we can use Decree No. 316/2014 Coll. - Decree on Security Measures, Cybersecurity Incidents, Reactive Measures, and the Determination of Requirements for Submissions in the Field of Cybersecurity (Cybersecurity Decree), where the minimum requirements for cryptographic algorithms of various categories are listed in Appendix No. 3.
Decree No. 316/2014 Coll. was replaced on May 28, 2018, by Decree No. 82/2018 Coll., which no longer contains an appendix on cryptographic algorithm requirements. The National Cyber and Information Security Agency (NÚKIB) published on November 28, 2018, on its official board the document Recommendations in the Field of Cryptographic Means: Minimum Requirements for Cryptographic Algorithms.
Selection of the most common recommended algorithms:
- symmetric algorithms AES (Advanced Encryption Standard) with key lengths of at least 128 bits
- asymmetric algorithms DSA (Digital Signature Algorithm), RSA (Rivest-Shamir-Adleman), DH (Diffie-Hellman) with key lengths of at least 2048 bits, EC-DSA (Elliptic Curve Digital Signature Algorithm) and ECDH (Elliptic Curve Diffie-Hellman) with key lengths of at least 224 bits
- hash functions SHA-2 and SHA-3
When and How to Use Encryption
First, we need to determine what to encrypt. One option (prescribed, for example, in ISO standards) is to classify information (e.g., standard, protected, strictly protected) and encrypt certain categories. Today, we should encrypt personal data (as required by GDPR). Or generally, all information valuable to us.
We use encryption for storing information, i.e., storing it on an electronic data medium (such as a hard drive in a computer or on a disk array, removable data medium, etc.). Information in the network is mostly protected by access control, but in many cases, this is not sufficient. It is significantly safer to also use encryption protection. Disk encryption or file encryption (e.g., encrypted archive using the 7-Zip application) can be used, and removable data media can be encrypted using BitLocker To Go.
Or when transferring information, when we need to transfer information to another place or person. Commonly, this involves transfer over a computer network, but it can also involve transfer on a removable medium. In practice, electronic mail is used, where we can use S/MIME for encryption and signing with a certificate (public key) or send information as an encrypted attachment (file). Some specialized application for communication (e.g., OKsystem Babelnet). Another option is an online file storage, where data is protected during transfer using TLS.
Interesting Links
- howsecureismypassword.net - determines how long it would take to crack the entered password (common dictionaries, brute force)
- www.betterbuys.com/estimating-password-cracking-times - another calculation of password cracking time
- haveibeenpwned.com - searches for email in known data breaches
- www.keylength.com - key strength
Digital Signature vs. Encryption
Asymmetric cryptography uses two keys (public, which is openly distributed, and private, which is known only to the owner). The keys are generated according to a specific cryptographic algorithm (such as RSA or ECC), and the public key can be calculated from the private key. The most well-known use is for
- public key encryption - anyone can encrypt data with the public key, but it can only be decrypted with the private key
- digital signature (authentication) - the private key is used to sign data, and anyone can verify the validity using the public key
Digital signature works by calculating a hash for the data to be signed (using a specific hash function, such as SHA256) and encrypting it with the private key. The resulting encrypted data is the digital signature (the signature also includes a timestamp of when the signature was made). If the data is changed, the signature is invalid.
When verifying the signature, the signature (hash) is decrypted using the public key. Then a hash is calculated for the data (using the given function), and the two hashes are compared. If both values are the same, the signature is valid.
Note: If data is encrypted with the private key, it can only be decrypted with the public key. Conversely, data encrypted with the public key can only be decrypted with the private key.
There are no comments yet.