Cryptography deals mainly with the conversion of plaintext to ciphertext so that it cannot be deciphered by an ordinary person who does not know the key or code. This is a very useful tool for conveying information in a safe manner, and it was in popular use even before the advent of computer systems. Such systems mainly use a cipher and a key to convert plaintext to ciphertext. The cipher is the encryption algorithm, a sort of platform upon which the text is converted, and the key can be compared to a catalyst which helps to make the encryption stronger and non-guessable by anyone.
One of the main characteristics of a good cipher or encryption algorithm is its ability to produce an avalanche effect, which means that only a minor change in the plaintext produces major changes in the ciphertext. This in turn ensures that guesswork is minimized or possibly eliminated for anyone using attack methods such as brute force.
The keys used for encryption and decryption of the data can be either the same or different, and on this basis a cipher is classified as symmetric or asymmetric. The former uses the same key both ways, whilst the latter relies on different keys for encryption and decryption of the data. Some of the commonly used encryption algorithms and their types are listed as follows:
- Data Encryption Standard (56 bits) DES – Symmetric
- Advanced Encryption Standard (128 bits) AES – Symmetric
- Rivest Shamir Adleman (RSA) – Asymmetric
- Elgamal Encryption Standard (EES) – Asymmetric
The examples given above are only a few, and there are several more algorithms in both categories. One point worth noting here is that asymmetric algorithms are slower than symmetric ones, mainly because of the more complex computations involved in using different keys for encryption and decryption.
From the OSI model point of view, encryption can be done at any layer, from layer 2 (the data link layer) to layer 7 of the hierarchy. Some examples of protocols used for encryption at the various layers of the OSI model include:
- SSL, or Secure Sockets Layer, which acts at layer 4, the transport layer
- RDP, or Remote Desktop Protocol, which acts at the application layer
Whenever the data is flowing in encrypted format, the attackers, also known as cryptanalysts, will not be in a position to read the ciphertext because they possess neither the encryption key nor the encryption algorithm, both of which would be needed to decrypt this coded transmission.
Ideally speaking, it is nearly impossible to break the code, because the hacker would be required to use the brute force attack method, which involves trying every possible key in the universe, and that is impossible, at least theoretically speaking.
In actual practice, however, in a Cisco network or any network security architecture for that matter, the aim is always to achieve a balance between usability and security.
Too much complexity would involve higher costs and complication, so there is a balance between the two, yet it must be ensured that the keys are reasonably difficult to break so that a knowledgeable attacker cannot access our sensitive information.
Methods of attack
Brute force – in this method the hacker tries all the possible key combinations to decrypt the ciphertext and convert it into plaintext in order to read the message being transmitted. This method is becoming increasingly difficult to use against modern cryptographic systems, since the amount of time, money, resources and energy required to break the code would not normally justify the effort.
Sometimes the attacker takes several different pieces of ciphertext generated by the same cryptographic system and analyzes them for a common pattern which might give a clue for breaking them. Even this technique is very difficult with modern systems, which are devised in such a way as to elude any attempt at statistical analysis. A similar technique is used in combination with brute force and is known as the meet-in-the-middle attack.
Meet-in-the-middle method – in this method, the attacker uses a combination of brute force and a limited knowledge of the plaintext. This can be a much more practical approach than a pure brute force attack, since the universe of keys is drastically reduced, making it relatively easier than a situation where there is only guesswork and no prior knowledge of any section of the plaintext.
Basically, in this situation the attacker gets hold not only of a portion of the plaintext but also of the corresponding ciphertext. The plaintext is then converted into the original ciphertext by trying combinations and permutations of keys in order to guess the correct key.
Birthday method – you might think that birthdays are only useful for celebration, but you will be surprised to know that a simple observation about them can come in handy for breaking codes related to encryption. The observation states that when a room is filled with 23 people, the chances of two of those people sharing the same birthday are greater than 50%; this is also known as the birthday paradox. The observation is used in the hashing domain, where it can be used to discover collisions in hash functions.
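The birthday figure above can be checked numerically, and the same effect explains why a short hash output collides after far fewer attempts than its size suggests. The Python sketch below is an added example, not part of the original tutorial; truncating SHA-256 to a few bits is an assumption made here to stand in for a short hash function, and all function names are illustrative.

```python
import hashlib
from itertools import count

def birthday_probability(people: int, days: int = 365) -> float:
    """Chance that at least two of `people` share one of `days` birthdays."""
    p_all_different = 1.0
    for i in range(people):
        p_all_different *= (days - i) / days
    return 1.0 - p_all_different

def truncated_digest(data: bytes, bits: int) -> int:
    """First `bits` bits of SHA-256 (assumed stand-in for a short hash)."""
    full = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return full >> (256 - bits)

def find_collision(bits: int):
    """Hash constructed messages until two of them share a truncated digest.

    Returns (first_message, second_message, hashes_computed).
    """
    seen = {}
    for n in count():
        msg = b"msg-%d" % n          # constructed sample input
        tag = truncated_digest(msg, bits)
        if tag in seen:
            return seen[tag], msg, n + 1
        seen[tag] = msg

if __name__ == "__main__":
    print(f"22 people: {birthday_probability(22):.4f}")
    print(f"23 people: {birthday_probability(23):.4f}")
    # A b-bit digest has 2^b values, yet a collision appears after
    # roughly 2^(b/2) hashes, so the digest must be twice as long
    # as the collision resistance that is wanted.
    for bits in (16, 24, 32):
        a, b, tries = find_collision(bits)
        print(f"{bits}-bit digest: {a!r} and {b!r} collide after "
              f"{tries} hashes (2^{bits // 2} = {2 ** (bits // 2)})")
```
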
Known plaintext/ciphertext method – if you know a plaintext and then you know the ciphertext which results from that plaintext, then there is a probability that you can try to find out the key which results in the production of the given ciphertext from the known plaintext. This is established by using techniques to find out a correlation between the two.
Techniques for Encryption
Several techniques are employed by cryptographic experts in order to make the data as secure as possible. Basically these techniques can fall under two main categories.
- Symmetric Encryption Algorithms
- Asymmetric Encryption Algorithms
The former method of symmetric encryption uses the concept of a secret key which is shared by all parties who are exchanging information and data. The sender encrypts the message with that secret key while the receiver deciphers it using the same. Hence it is equivalent to the traditional lock and key system where anyone having the key to the lock can open a room and enter inside. Any party, whether authorized or not, can have access to the data once the secret key is compromised. Hence the strength of this mechanism lies in maintaining secrecy of the key.
The asymmetric algorithm, on the other hand, uses different keys for encryption and decryption of the data. This way the issues of key management in terms of retaining key secrecy are minimized, yet it is a very slow process compared to the symmetric version, since the computations involved in this type of algorithm are really huge due to the nature of the encryption.
The key length used in symmetric algorithms is substantially lower than in equally protective asymmetric algorithms. Moreover, the data may be encrypted in big chunks known as blocks or in smaller chunks known as streams. Let us study these distinctions briefly.
As the name itself suggests, a block cipher refers to the method wherein the data is encrypted not as a whole but in pieces of fixed or variable length. This is done by algorithms which encrypt the given piece or block of data by processing it along with a secret key to produce a block of encoded data. The diagram below shows this in a very simple manner. You can see the inputs on the top and left hand side, and the resultant output at the bottom. The output can vary even with a slight variation of one or both of the inputs.
[Figure: Block Cipher]
Normally either a 64-bit or a 128-bit key is used for encryption, and the block length used is usually fixed; it is rarely variable.
Another point to be noted in this context is the avalanche effect, which refers to a drastic change in the resultant ciphertext upon a slight change in either the key or the plaintext. This is very important for ensuring the security of the encryption and for eliminating guesswork that could help hackers who might be interested in breaking the code.
A block cipher can be used in either confidentiality mode or authentication mode, and NIST has approved a total of 8 modes – 5 for confidentiality, 1 for authentication and 2 for both. All these modes have different ways of functioning. I will not go into the inner working details of all of them, but it is sufficient to acquaint ourselves with their nomenclature at this stage. These 8 modes of block cipher are:
- ECB – electronic code book – confidentiality mode
- CFB – cipher feedback mode – confidentiality mode
- CTR – counter – confidentiality mode
- GCM – Galois counter mode – combined mode
- CMAC – cipher block chaining message authentication code – authentication mode
- CCM – counter with CBC MAC – confidentiality mode
- OFB – output feedback mode – combined mode
- CBC – cipher block code – confidentiality mode
A stream cipher can be thought of as a block cipher where the size of the block is very small – either one bit or one byte. That is the easiest way to understand the concept. Stream ciphers encrypt data in chunks of one bit or one byte by combining them with a keystream using the XOR operation.
The keystream in turn refers to a pseudorandom cipher bit stream. When the keystream for a particular block or chunk (actually a bit or byte) is generated independently of the data or of previously encrypted data, the cipher is known as synchronous, while if the keystream is based on previous encryption and data it is referred to as a self-synchronizing stream.
One important point worth noting with regard to stream ciphers is the one-time pad theory put forth by Shannon. He pointed out and proved in one of his research papers that the one-time pad is literally a perfect encryption algorithm. It would require a nearly infinite amount of computing power and ages of time for there to be even a remote probability of breaking the code. The one-time pad, or Vernam cipher, is explained mathematically as follows.
Suppose the plaintext is broken down into chunks of bits and each bit is represented as bi then the plain text can be written as:
Plain text = b0 b1 b2 ….. bn
Similarly the keystream is also composed of same length of bits and can be represented by:
Keystream = k0 k1 k2 ….. kn
It states that the cipher text which consists of same length of bits can be represented by:
Ciphertext = c0 c1 c2 ….. cn
Where each bit of the cipher text is a bitwise exclusive OR operation between similarly placed bits and is represented as:
ci = bi XOR ki where i lies between 0 and n
Hence, as you must have understood, the ciphertext produced is statistically independent of the input plaintext, which is the reason that the stream cipher is extremely secure. Yet there are several problems associated with key management in the one-time pad algorithm.
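The relation ci = bi XOR ki in runnable form, as an added Python example that is not part of the original tutorial; the function names and sample messages are constructed for illustration. It also shows one key management problem, chosen here as an illustration: when the same keystream is used for two messages, XORing the two ciphertexts cancels the key and leaves the XOR of the two plaintexts.

```python
import secrets

def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bitwise XOR of two equal-length byte strings (ci = bi XOR ki)."""
    if len(a) != len(b):
        raise ValueError("keystream must be exactly as long as the message")
    return bytes(x ^ y for x, y in zip(a, b))

def otp_encrypt(plaintext: bytes) -> tuple:
    """Draw a fresh random keystream; return (keystream, ciphertext)."""
    keystream = secrets.token_bytes(len(plaintext))
    return keystream, xor_bytes(plaintext, keystream)

def otp_decrypt(ciphertext: bytes, keystream: bytes) -> bytes:
    """XOR is its own inverse, so decryption repeats the same operation."""
    return xor_bytes(ciphertext, keystream)

def keystream_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """(b1 XOR k) XOR (b2 XOR k) = b1 XOR b2: the keystream cancels out."""
    return xor_bytes(c1, c2)

if __name__ == "__main__":
    # Constructed sample messages of equal length.
    m1, m2 = b"TRANSFER 100 USD", b"TRANSFER 900 EUR"

    k, c1 = otp_encrypt(m1)
    assert otp_decrypt(c1, k) == m1

    # WRONG: the pad is no longer "one time" once k is used again.
    c2 = xor_bytes(m2, k)
    leak = keystream_reuse_leak(c1, c2)

    # Zero bytes mark every position where the two plaintexts agree,
    # visible to anyone holding only the two ciphertexts.
    print("c1 XOR c2 =", leak.hex())
    print("m1 XOR m2 =", xor_bytes(m1, m2).hex())
```
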
Once upon a time such a secure system was used in the direct connection Hotline between the White House and the Kremlin but even that has been replaced by a less cumbersome system.
We already took a look at some of the encryption algorithms towards the start of this tutorial. Let us now see which ones fall under the category of symmetric algorithms. DES, Triple DES, AES, RC4 and IDEA all fall under the category of symmetric key algorithms.
Public Key Cryptography
One of the main disadvantages of the symmetric key algorithm is obviously the use of a shared key and the problems associated with sharing the key. It is an old and wise saying that once a secret is known to more than one person, it is not a secret anymore. This may not apply directly to the case of symmetric key algorithms but still is a good indicator of the problems of shared key.
Hence another popular method is to use a public key, that is, a key which does not need to be hidden from public view. True to its working, such a system is called public key cryptography. It is also called asymmetric key encryption, as opposed to the symmetric key algorithm. So let us study public key cryptography in the subsequent sections.
The main difference of this concept from symmetric key algorithm is that the key which is used to encrypt the message is not hidden from public view. Anyone and everyone can have access to that key. Suppose A wants to send a message to B, then A uses a public key which belongs to B and encrypts the message and sends it over any insecure channel such as the Internet without any worries. The encrypted message is received by B and decrypted using another key which is known as the private key for B.
The inside story is that this private key is mathematically related to the public key put forth by B, and the message encrypted by the sender can only be deciphered by using the private key of the receiver. This lends security to the message exchange, as there is nothing to hide except, of course, the receiver's private key, the protection of which is the receiver's onus.
[Figure: Public Key Cryptography]
This concept can be clearly understood from the figure above where the entire process has been encapsulated in images for the reader to have a clear idea about the same.
There are two main goals which public key cryptography aims to achieve, namely confidentiality of data and authentication of the sender. The first is what we have already discussed above. When the sender encrypts the data with the public key of the receiver, it lends confidentiality to the data, since no one except the receiver can interpret it without the use of the private key.
The other aspect which is taken care of by public key cryptography is authentication. How do I know that a specific person has sent a message, and not anyone else? This is taken care of by adding a digital signature to the message. This is quite similar to the concept of human signatures. For example, if I send you an important message and sign it in my own handwriting, it would be easy to make out whether I really wrote that letter or not. Similarly, when a sender sends a message to the receiver, they also add what is known as a digital signature to it.
This signature verifies and validates the authenticity of the sender and hence serves the purpose of authentication as well. The technique consists of signing the message using the private key of the sender. If the receiver wants to verify that the public key of the sender relates to the private key of the sender, it is just a matter of checking or decrypting the signature with the public key and seeing if it works. In this way public keys help a lot in achieving the dual goal of authentication and confidentiality.
The private and public key of a pair are mathematically related but they are mainly one way functions which means that reverse engineering on them is quite difficult if not totally impossible. Obviously that is necessary since if the reverse process was easy, then anyone could simply find the private key associated with any public key and the entire process would be a total failure.
There are several public key cryptography algorithms and we will discuss one very important algorithm namely the RSA algorithm.
The RSA algorithm works by generating parameters, encrypting the data, and finally decrypting it so that it can be read and understood by the receiver. The process is mathematically demonstrated as follows:
- First, two prime numbers are selected, let us say x and y.
- They are multiplied to yield the modulus, which is to be made public. So the modulus is m = x * y.
- A random number ‘r’ is chosen as a public key in the range 0
- Then a private key p is found such that p·r ≡ 1 (mod (x-1)(y-1)).
The other processes are the use of the public key by the sender to encrypt the message and the use of the private key of the receiver to decrypt that same message. We will not go into any further mathematical analysis of it.
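The parameter generation above, together with the encrypt/decrypt and sign/verify steps described earlier, can be followed with small numbers. This Python sketch is an added example, not part of the original tutorial: it uses the tutorial's symbols x, y, m, r and p, the primes and message are constructed values, and the range check on r is the usual textbook condition, assumed here because the tutorial's own range is cut off. It is textbook RSA without padding or hashing, for study only.

```python
from math import gcd

def make_keys(x: int, y: int, r: int):
    """Return (m, r, p): public modulus, public key, private key."""
    m = x * y                      # modulus, made public
    phi = (x - 1) * (y - 1)        # kept secret together with x and y
    # Assumed condition: r must be invertible modulo (x-1)(y-1).
    if not 1 < r < phi or gcd(r, phi) != 1:
        raise ValueError("r must be coprime to (x-1)(y-1)")
    p = pow(r, -1, phi)            # p * r = 1 (mod (x-1)(y-1)), Python 3.8+
    return m, r, p

def encrypt(message: int, r: int, m: int) -> int:
    """Sender uses the receiver's public key (r, m)."""
    return pow(message, r, m)

def decrypt(ciphertext: int, p: int, m: int) -> int:
    """Receiver uses the private key p."""
    return pow(ciphertext, p, m)

def sign(message: int, p: int, m: int) -> int:
    """Signer applies the private key to the message."""
    return pow(message, p, m)

def verify(message: int, signature: int, r: int, m: int) -> bool:
    """Anyone can check the signature with the signer's public key."""
    return pow(signature, r, m) == message

if __name__ == "__main__":
    # Constructed toy values; real keys use primes of 1024 bits or more.
    m, r, p = make_keys(x=61, y=53, r=17)
    print("modulus m =", m, "public r =", r, "private p =", p)

    msg = 65                       # message encoded as a number below m
    ct = encrypt(msg, r, m)
    print("ciphertext:", ct, "decrypted:", decrypt(ct, p, m))

    sig = sign(msg, p, m)
    print("signature valid:", verify(msg, sig, r, m))
    print("altered message valid:", verify(msg + 1, sig, r, m))
```
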
Some of the drawbacks of using public key encryption are below:
- They are more computationally intensive than symmetric key algorithms
- Since the public key is available publicly, it has chances of being attacked for breaking
- If the public key is revoked at any time, it would take time and energy to spread the new key at all places
PKCS Standards
One last thing to be noted is that there is a set of standards maintained by RSA Security, and these standards are reviewed periodically. Currently there are 13 active standards known as PKCS # 1 to 15 (numbers 2 and 4 are obsolete now) and two of them are under development. These standards deal with various areas of cryptography such as password encryption, certification and so forth.