Encryption Technologies and Applications
Encryption is the process of transforming ordinary data (plaintext) into an unreadable form (ciphertext) using an algorithm called a cipher combined with a secret key, so that the data is unreadable to anyone who does not possess the key. Encryption is used to protect data in transit over networks or stored on permanent media.
The reverse process, making encrypted data readable again (i.e. unencrypted), is called decryption.
Encryption protects the confidentiality of data content, but not data integrity (against modification or corruption). Other techniques, such as a message authentication code (MAC) or a digital signature, are used for data integrity and authenticity.
While traditional message encryption was based on well-known classical ciphers, modern data encryption is based on mathematical algorithms.
There are two basic ways to encrypt data: using asymmetric keys and using symmetric keys.
Public Key Infrastructure (PKI) or Asymmetric Key Encryption
Asymmetric (public-key infrastructure or PKI) encryption is based on a pair of cryptographic keys: a private key, known only to the end user (the data recipient), and a public key, known to the opposite party in the exchange (the data sender). The sender encrypts the data with the public key and the recipient decrypts it with the private key, which is known only to the data recipient.
Public-key encryption followed by private-key decryption is a one-to-one process: only the private key can decrypt data encrypted with the corresponding public key. So the public key can be widely distributed without compromising the encrypted data.
PKI or asymmetric key encryption is based on a mathematical problem known as the NPQ problem (or trapdoor), where N = P x Q and P and Q are two sufficiently large prime numbers. The remainder (or modulus) and the exponent (or power) are related to the public and private keys in such a way that one cannot be derived from the other, or can only be determined with great difficulty depending on the key size. If you're interested in the technical details, a relatively simple explanation is here:
Asymmetric key encryption was developed by Whitfield Diffie and Martin Hellman, and by Rivest, Shamir and Adleman, based on earlier algorithmic research in England. Since the algorithms for asymmetric key encryption are widely known, the challenge is generating a key large enough that it is infeasible to break. Key generation is usually based on a "seed" combined with a (pseudo) random number generator to produce a key whose size is usually a power of 2 (e.g. 256, 512, 1024, 2048 bits). The larger the key, the more secure the encryption.
Symmetric Key Encryption
Symmetric key encryption, also known as "secret-key" encryption, uses a single key to both encrypt and decrypt data. This means the party encrypting the data must give that key to the recipient before the recipient can decrypt it. In symmetric key encryption the sender encrypts the message and, if the recipient does not already have the key, sends the key and the ciphertext to the recipient separately. The recipient then uses the same key to decrypt the message.
Faster but less secure than PKI, symmetric encryption is easier to break than asymmetric key encryption. The algorithm used to encode the message is easier for attackers to understand, enabling them to decode the message more easily. If an attacker intercepts the key, they can decrypt the message.
The problem is keeping the symmetric key private and secure. Key exchange algorithms (such as the Diffie-Hellman key exchange protocol) therefore become part of the symmetric key encryption process. Symmetric key algorithms tend to be more "obscure" than public key algorithms, so the idea is to keep both the symmetric key and the algorithm secret.
Symmetric keys are used primarily for bulk data transfer or session-based security: anything requiring protection of relatively unimportant data, or protection for a short period of time. Static symmetric keys are usually distributed to a limited number of trusted individuals; dynamically generated keys are used on a per-session basis (e.g. TLS/SSL).
Digital Signatures
One feature of PKI is that the public -> private key relationship also works in the opposite direction, private -> public: data encrypted with the private key can be decrypted with the public key (still one-to-one). Encrypting data with the sender's private key and sending the result to the recipient, who decrypts it with the sender's public key (and vice versa), is the basis of digital signature technology. This means both the sender and the recipient exchange public keys, so that digital signatures can assure the data source in both directions.
In the public realm (the Internet), public keys, referred to as certificates, are authenticated using external Certificate Authorities. Certificates are statically generated public keys used by web sites to encrypt HTTP transmissions (HTTPS, TCP port 443) using SSL/TLS. Because certificates are automatically downloaded from a website (on most public sites), they are usually registered with an external Certificate Authority (e.g. Verisign) to certify that the public key really belongs to the party it claims to represent.
Private network website encryption typically uses "self-certified" authorization of certificates (e.g. Windows Active Directory).
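The following is an added example, not code from the original article: a toy RSA key pair that makes the N = P x Q trapdoor, public-key encryption, and the reversed private -> public direction used for digital signatures concrete. P and Q are publicly known Mersenne primes, chosen only so the arithmetic is reproducible; the public exponent 65537, the SHA-256 digest, and the sample messages are assumptions of this example, and a real key uses freshly generated secret primes plus padding (OAEP/PSS).

```python
# Added example (not from the original article). Toy RSA for learning only:
# the primes are public, so this key offers no secrecy, and there is no padding.
import hashlib

P = 2**521 - 1   # publicly known prime (a real key uses secret random primes)
Q = 2**607 - 1   # publicly known prime
E = 65537        # conventional public exponent


def make_keypair(p: int = P, q: int = Q, e: int = E):
    """Return ((n, e), (n, d)). Knowing p and q is the trapdoor that yields d."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)           # modular inverse of e (Python 3.8+)
    return (n, e), (n, d)


def encrypt(public_key, plaintext: bytes) -> int:
    """Anyone holding the public key can encrypt; the message must be below n."""
    n, e = public_key
    m = int.from_bytes(plaintext, "big")
    if m >= n:
        raise ValueError("message too long for this modulus")
    return pow(m, e, n)


def decrypt(private_key, ciphertext: int) -> bytes:
    """Only the private exponent d recovers m: the one-to-one relation."""
    n, d = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def sign(private_key, message: bytes) -> int:
    """Digital signature: the SHA-256 digest 'encrypted' with the private key."""
    n, d = private_key
    h = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return pow(h, d, n)           # h < 2**256 < n, so no reduction is lost


def verify(public_key, message: bytes, signature: int) -> bool:
    """Anyone with the public key 'decrypts' the signature and compares digests."""
    n, e = public_key
    h = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return pow(signature, e, n) == h


if __name__ == "__main__":
    pub, priv = make_keypair()
    print(decrypt(priv, encrypt(pub, b"constructed sample message")))
    s = sign(priv, b"signed text")
    print(verify(pub, b"signed text", s), verify(pub, b"altered text", s))
```

Passing make_keypair(61, 53, 17) reproduces the small textbook key (n = 3233, d = 2753), which is handy for following the arithmetic by hand.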
Data Integrity
Encryption obscures data. Digital signatures ensure the data source. Neither ensures data integrity, whether against modification, corruption or duplication. The computational method for ensuring data integrity is called "hashing".
A hash value is a numeric value of a fixed length that uniquely identifies data. Hash values are created with a hashing algorithm: a well-defined mathematical procedure that represents a (potentially) large amount of data as a much smaller integer.
Hash values are used for verifying the integrity of data sent through insecure channels. The hash value of received data can be compared to the hash value of data when it was sent to determine whether the data was altered.
There are two processes associated with hashing techniques:
Generating a Hash Code
Hash algorithms are fairly common mathematical procedures. They are beyond the scope of this article but can be found in any reference on computer algorithms. They usually consist of reading the data as a string of bits, converting that string to a number and performing some mathematical function on it to obtain a fixed-length number. The sender generates a hash value; the receiver performs the same hash function on the received data, recalculates the hash value and compares it against the one received from the sender.
Verifying a Hash Code
Data can be compared to a hash value to determine its integrity. Usually, data is hashed at a certain time and the hash value is protected in some way (e.g. encrypted). At a later time the data can be hashed again and compared with the protected value. If the hash values match, the data has not been altered; if they do not match, the data has been corrupted.
One of the problems with hashing alone is that it is wide open to man-in-the-middle attacks. Nothing stops someone from intercepting the data, modifying it, and then resending the new message with a new hash. What the receiver gets is a message whose hash code matches the data, even though the data has been modified.
Digital signatures often consist of encrypted hash values. Encrypting hash values is an efficient use of computational and bandwidth resources, because hash values represent a large amount of data as a much smaller numeric value. Depending upon your security requirements, you may choose to encrypt a message's hash value instead of encrypting the message itself.
Message Authentication Codes (MACs) are a way to prevent this. A MAC uses symmetric encryption methods to protect the sent hash. Symmetric encryption uses one private session key, and both the sender and the receiver must have a copy of this key. Essentially a MAC is just an encrypted hash: a combination of an encryption session key and a hashing algorithm.
Hashes can be time-stamped to prevent playback of encrypted sessions captured by a network sniffer.
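The following is an added example, not code from the original article, covering the three points above: a bare hash that an in-transit relay can recompute, a keyed MAC (HMAC-SHA256) that it cannot recompute without the shared key, and a timestamp bound into the MAC with a freshness window to reject replayed messages. The 32-byte key, the 30-second window and the sample messages are constructed values for the demonstration.

```python
# Added example (not from the original article): bare hash vs. keyed, timestamped MAC.
import hashlib
import hmac

MAX_AGE_SECONDS = 30  # assumed freshness policy for replay protection


def plain_hash(data: bytes) -> str:
    """Bare hash: anyone can recompute it, so it only catches accidental corruption."""
    return hashlib.sha256(data).hexdigest()


def plain_hash_ok(data: bytes, digest: str) -> bool:
    """Receiver-side check for a bare hash."""
    return hmac.compare_digest(plain_hash(data), digest)


def mac_tag(key: bytes, data: bytes, sent_at: int) -> str:
    """Keyed hash over the timestamp and the message; producing it needs the shared key."""
    authenticated = sent_at.to_bytes(8, "big") + data
    return hmac.new(key, authenticated, hashlib.sha256).hexdigest()


def mac_ok(key: bytes, data: bytes, sent_at: int, tag: str, now: int) -> bool:
    """Accept only if the tag matches (data, timestamp and key unchanged) and is fresh."""
    if not hmac.compare_digest(mac_tag(key, data, sent_at), tag):
        return False
    return 0 <= now - sent_at <= MAX_AGE_SECONDS


def relay_with_new_hash(replacement: bytes):
    """The in-transit modification the article describes: a relay substitutes its own
    message and recomputes the bare hash. It has no key, so it cannot recompute a MAC."""
    return replacement, plain_hash(replacement)


if __name__ == "__main__":
    key = b"\x01" * 32                        # constructed shared session key
    original = b"transfer 10 to account 42"   # constructed sample message
    sent = 1_700_000_000                      # constructed send time (epoch seconds)

    modified, new_digest = relay_with_new_hash(b"transfer 99 to account 42")
    print("bare hash accepts modified message:", plain_hash_ok(modified, new_digest))

    tag = mac_tag(key, original, sent)
    print("MAC accepts genuine message:", mac_ok(key, original, sent, tag, sent + 5))
    print("MAC accepts modified message:", mac_ok(key, modified, sent, tag, sent + 5))
    print("MAC accepts replay after window:", mac_ok(key, original, sent, tag, sent + 120))
```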
Encryption Applications
Pretty Good Privacy (PGP)
PGP is a product based on the original RSA algorithm. It involves the use of public and private "key rings". The user generates a key pair (public/private) based on a key "phrase" and a selected algorithm. The public key is made available to data senders. If data authentication is required, the sender also sends their public key to the receiver for digital signing. PGP was once open source and is now commercial; the open source version is now known as GPG.
Secure Shell (SSH)
Secure Shell or SSH (TCP port 22) allows data to be exchanged over a secure channel between two networked devices. SSH was designed in 1994 as an encrypted replacement for the plaintext TELNET, RSH, RCMD and FTP applications over insecure public networks. SSH uses public-key cryptography to authenticate the remote computer and to allow the remote computer to authenticate the user. SSH is typically used to log directly into a remote machine and execute commands. Encryption can be one-way, requiring a user login, or two-way for authenticated data transfer without a specific user name and password.
SSH supports shell access, encrypted tunneling, forwarding of TCP ports and X11 connections, and file transfer using the associated SFTP or SCP protocols. All run over TCP port 22.
SSH 1.2.12 was the last "open source" version of SSH and is the basis for the OpenSSH product, the most popular freeware SSH implementation. SSH1 is considered insecure and obsolete. OpenSSH has incorporated most of the more secure SSH2 features. SSH2 is the code set of SSH Communications Security, which is the basis for most commercial SSH products. In 2006, SSH-2 became a proposed Internet standard with its publication by the IETF "secsh" working group.
Kerberos
Kerberos is a computer network authentication protocol which allows nodes communicating over a non-secure network to prove their identity to one another in a secure manner. Developed at MIT for Project Athena, it provides mutual authentication: both the user and the server verify each other's identity.
Kerberos uses symmetric key cryptography and requires a trusted third party. Some Kerberos extensions use public-key cryptography during certain phases of authentication.
Kerberos uses the symmetric Needham-Schroeder protocol and a trusted third party, termed a key distribution center (KDC), which consists of two logically separate parts: an Authentication Server (AS) and a Ticket Granting Server (TGS). Kerberos works on the basis of "tickets" which serve to prove the identity of users.
The KDC maintains a database of secret keys; each entity on the network — whether a client or a server — shares a secret key known only to itself and to the KDC. Knowledge of this key serves to prove an entity's identity. For communication between two entities, the KDC generates a session key which they can use to secure their interactions.
Kerberos is the basis for native Microsoft Active Directory security, replacing the LANMAN and NTLM authentication methods. Note that Kerberos combines both asymmetric and symmetric key encryption/authentication technologies.
SSL/TLS
The Secure Socket Layer (SSL) protocol was originally developed by Netscape: version 1.0 was beta only, version 2.0 was released in February 1995 but contained a number of security flaws, and version 3.0 was released in 1996. SSL 3.0 served as the basis for TLS version 1.0, released in 1996 as an Internet Engineering Task Force (IETF) standard protocol defined in RFC 2246. TLS provides endpoint authentication and communications confidentiality using cryptography over public networks.
In the typical browser client, TLS authentication is one-way: only the server is authenticated. At the browser level, only the browser has validated the digital signatures of the server certificate's issuing CA chain (the chain of Certification Authorities that guarantee the binding of identification information to public keys). Once validated, the browser displays a security icon (a "closed padlock").
Since only a trusted CA can embed a URL in the certificate, checking the apparent URL against the URL specified in the certificate is a valid way of identifying the true site.
TLS also supports a bilateral connection mode in which both ends of the "conversation" can be assured with whom they are communicating (provided they diligently scrutinize the identity information in the other party's certificate). This is known as mutual authentication. Mutual authentication requires that the TLS client side also hold a certificate (which is not usually the case in the end-user/browser scenario). A typical application is user authentication and encryption for corporate SSL-based Virtual Private Networks (VPNs).
TLS involves three basic phases:
- Peer negotiation for algorithm support
- Key exchange and authentication
- Symmetric cipher encryption and message authentication
During the first phase, the client and server negotiate cipher suites, which determine the ciphers to be used, the key exchange and authentication algorithms, and the message authentication codes (MACs). The key exchange and authentication algorithms are typically public key algorithms, or, as in TLS-PSK, pre-shared keys can be used. The message authentication codes are built from cryptographic hash functions using the HMAC construction for TLS, and a non-standard pseudorandom function for SSL.
Typical algorithms are:
- For key exchange: RSA, Diffie-Hellman, ECDH, SRP, PSK
- For authentication: RSA, DSA, ECDSA
- Symmetric ciphers: RC4, Triple DES, AES, IDEA, DES, or RC2 in older versions of SSL.
- For cryptographic hash function: HMAC-MD5 or HMAC-SHA are used for TLS, MD5 and SHA for SSL, and MD2 and MD4 for older SSL versions.
Note that SSL/TLS actually combines the two encryption technologies: the asymmetric TLS/SSL certificates are used to generate a session-based symmetric encryption key, a key that lasts for the duration of the session only.
In addition to HTTPS, SSL authentication is also becoming the default encryption technology for secure FTP, TELNET and E-Mail protocols.
Virtual Private Networks
Virtual Private Networks (VPNs) are used to connect privately addressed IP networks over a public network. Tunnels can, but do not have to, be encrypted (encapsulation alone is not encryption). VPNs can use shared symmetric key (IPsec) encrypted tunnels or asymmetric key (SSL) encrypted tunnels. Discussion of VPN structure is beyond the scope of this document.