This series of texts aims to compose thoughts and deepen understanding of how people apply cryptography to cyber security. I am yet to find where the research will lead. That said, wondering through the technologies spawns those happy “now I get it” moments, with a sense of admiration for the developers of crypto systems.
Cryptographic algorithms can be mathematically intensive and mind taxing. Thus, I will attempt to skim the surface enough to know what, when, why, without going into details. This way will save time and enable enough fundamental understanding to pinpoint weaknesses during penetration tests and how to mitigate risks that arise.
Basic idea of cryptography
The basic idea of cryptography is to provide four services: confidentiality, which is privacy, authentication which is knowing that an identity is a real identity or you are real you, nonrepudiation, which means no later denial that we encrypted a message, and integrity that the message has not been altered in any way. The gist is, we have a key and, using that key, we encrypt information which converts it from a readable form to what looks like a random noise. We then transfer this jumbled data to somebody else and they can decrypt it and get the message out. Anyone listening to the communication cannot find out anything about the information.
In the cryptography domain, the readable data we call Plain Text and its unreadable form we call Cipher Text. Encryption is a method of transforming Plain Text into the Cipher Text. Decryption is a method of transforming Cipher Text back into readable Plain Text.
To keep things simple, there are two principal components of encryption: an algorithm and a key. Conventionally, we make algorithms publicly known to allow many people to scrutinize them and determine if they are strong. And there is a key which is secret and also important to the strength of encryption. An algorithm is like a padlock, and a key is like a key for that padlock.
The algorithm and key combination determines the encryption of a Plain Text, the way it is jumbling the Plain Text characters. If algorithm or key are weak, then the encryption is weak. The strength of an algorithm, is defined both in terms of its key size, as well as its resistance to cryptanalytic attacks.
In the symmetric systems, there is one secret key that both parties share. The sender encrypts information, and the receiver decrypts the encrypted information using the same key.
This key should remain private, but both sender and receiver need to know what this key is. Both actors need to agree on a key that nobody else should be able to guess or eavesdrop, and both actors need to share the key with one another. The problem with that is it is inconvenient or hard to do. Both parties might be physically separated. Sending the key over the Internet will expose it. In order to send the key safely, both actors would need an encrypted connection. But how to establish a secure encrypted connection without a key? That problem has led researches to come up with asymmetric encryption.
Asymmetric Encryption a.k.a. Public Key Cryptography
The asymmetric encryption system is where we generate two keys. A private key, and a public key. The rest goes same as before. We have a Plain Text that we encrypt with one of the keys, and the receiver uses another key to decrypt the Cipher Text. Theoretically, we can’t guess one key from the other (in reality a file containing private key often contains information to generate public key) , but they are linked in a way that anything we encrypt with private key can be decrypted with public key. And anything we encrypt with public key can be decrypted with private key. It is not possible to encrypt and decrypt using the same key.
When we generate a pair of these keys, which are called a key pair, one of them is a public key, and this public key is public. We can publish it everywhere and anyone can have it. The other key of this pair is private and that key we keep secret (private).
Once I have a key pair and you have a key pair, we both have a key pair, we both have public keys. Now, if you want to send me an encrypted message, I don’t have to share anything with you. You know my public key. You can encrypt Plain Text with it and send it to me. You know I can decrypt it because I have my private key.
Having this key pair, I can sign a message with my private key and then publish it. That anyone can verify the message with my public key means I have signed it with my private key, which means it must have been me who made the message, as only I have my private key. Signing data with the sender’s private key we call an open message format, because anyone with a copy of the corresponding public key can verify and read the message.
One more thing we can do with this is when we do both. I sign a message with my private key and encrypt it with your public key, and then send it to you. And if we communicate like this, I know that nobody else is going to read the message. You know that nobody else can read the message and that the message come from me, not an imposter. You also are sure of the message integrity, as any modification to the message requires the keys.
These asymmetric systems help solve the problem of exchanging (agreeing) keys and allow for digital signatures. I save digital signatures for later as they require talking about hashes. We can use public and private keys to send another party our symmetric secret key securely with no one intercepting it.
Selected symmetric algorithms:
- Data Encryption Standard (DES) (Insecure)
- Triple DES (3DES) (Insecure)
- RC4, RC5, RC6 (Insecure)
- Advanced Encryption Standard (AES). AES-256 bit is at the time of writing current standard, fast and pronounced secure enough.
Sometimes beside the name of an algorithm we can see information about bits, for instance AES-256 bits. This information describes a key length (key space, key size), or we can consider it the strength of the algorithm. The higher the number in these algorithms (more locks on the door), the stronger the algorithm, but the slower the algorithm to encrypt and decrypt.
A key length is the number of total possible different keys that we can have in an encryption algorithm. To illustrate, four bits 0 0 0 0 can have values 0 to 1, which will give us 2 times 2 times 2 times 2, which is 16 different key combinations. AES with 256 bits has 2^256 combinations, a number so large that I have no word to describe it.
Keep in mind that there is more to the strength of an algorithm than the size of its key. The strength of an algorithm, is defined both in terms of its key size, as well as its resistance to cryptanalytic attacks.
Selected asymmetric algorithms:
- Rivest-Shamir-Adleman (RSA),
- Elliptic curve cryptosystem (ECC),
- Diffie-Hellman (DH),
- El Gamal.
The most common at the time of writing are RSA, ECC, and DH.
Comparison of symmetric and asymmetric cryptography
There are strengths and weaknesses in both symmetric and asymmetric cryptography.
Compared with symmetric, asymmetric cryptography has better key distribution. We can place our public key on a site and anyone can send us encrypted messages or data that only we can read. If we used a symmetric key, then we would need to give the key secretly to each person individually. That is not scalable. Therefore, asymmetric algorithms have better scalability than symmetric systems.
Public and private key provide authentication and nonrepudiation, but the encryption is substantially slower compared to symmetric systems. If we look at the bit length of asymmetric algorithms, we notice they are a lot higher than symmetric key encryption algorithms.
- 1024-bit RSA keys are equivalent in strength to 80-bit symmetric keys,
- 2048-bit RSA keys are equivalent in strength to 112-bit symmetric keys,
- 3072-bit RSA keys are equivalent in strength to 128-bit symmetric keys,
- 15360-bit RSA keys are equivalent in strength to 256-bit symmetric keys.
This is an indicator of how much slower asymmetric algorithms are. They take much longer and require more computing power to encrypt and decrypt. That’s one reason hybrid systems exist where, like in TLS handshake, public and private keys are used to exchange and agree keys, and symmetric algorithms are used to encrypt data, getting the best of both worlds.
|– Safe key distribution||– Fast|
|– Scalability||– Strong|
|– Authentication and nonrepudiation|
|– Mathematically intensive|
When we use various encryption technologies in combination, we call that a cryptosystem. Cryptosystems provide several security services:
- Confidentiality, which is privacy.
- Authentication, which is knowing that the actor sending a message is who he claims to be
- Nonrepudiation, which means a sender cannot deny that he has sent or encrypted a message
- Integrity, which means ensuring no one altered the message.
We have reviewed the basic idea behind cryptography, core concepts of symmetric and asymmetric algorithms, compared them and mentioned the crypto systems. That is it. In the next parts, we will follow up with hashes and digital signatures, which are based on hashes. Then we will discuss TLS, then HTTPS, Certificate Authorities, and end with an overview of vulnerabilities and attacks on those systems.
- Symmetric-key algorithm – Wikipedia
- Public-key cryptography – Wikipedia
- Advanced Encryption Standard – Wikipedia
- Key size – Wikipedia
- Cryptosystem – Wikipedia
- The Definitive 2019 Guide to Cryptographic Key Sizes and Algorithm Recommendations – Paragon Initiative
- Is the key length the strength of the algorithm? – StackOverflow
- How does public key encryption work? | Public key cryptography and SSL – Cloudflare
- Can we pick which key is private or public in asymmetric encryption? Do the keys actually encrypt and decrypt a cipher text? – Cryptography Stack Exchange
- What happens when encrypting with private key? – Security Stack Exchange