Encryption 7D1x4+2eA=
Nimish Sonar
"Account Security Officer" with 18+ years varied experience | Certifications: ISO27K, ITIL, PMP, CSM | Skills: ISO9/20/27K, BSS/OSS, CISA, CISSP, BCP/DRP, VAPT/CR, Azure500, Linux, Compliance, Audit, Risk, SDM, PM
Any encrypted text looks something like this: "SA7la/Nv71pw1DShsxAdKg==". Since today's article is all about encryption, the second word of the title is written in encrypted form; it means "Saga". Encryption Saga.
Encryption is a fundamental component of modern digital security, safeguarding data across various platforms and applications. It is essential for protecting sensitive data from unauthorized access. It converts data into a coded format so that it can only be read by someone with the correct decryption key. As an example, our WhatsApp messages are end-to-end encrypted. That means only the sender and the receiver can read the original message sent by the sender. The encryption and decryption are taken care of by WhatsApp itself, and the sender and receiver need not bother about them.
Encryption uses mathematical models (a combination of a mathematical function and a key) to scramble the data, so that only the people who know how to unscramble (decrypt) it can access and view it in its original format. It converts a plaintext message into coded text (ciphertext). The key is the encryption/decryption password. In many countries, encryption is subject to governmental laws and regulations.
Encryption protects "data in transit" over networks from unauthorized interception and manipulation. It also protects the information stored on computers from unauthorized viewing and manipulation, and prevents accidental or intentional alterations of data. It helps in verifying the authenticity of a transaction or document. Encryption is an essential form of access control. However, the protection of keys becomes the greatest concern.
There is a technique called a "brute force attack", used by hackers, in which they use trial and error to crack passwords, login credentials, and encryption keys. That means they repeatedly try to decrypt a piece of ciphertext using all the possible encryption keys until the correct one is found. It is a simple yet reliable tactic for gaining unauthorized access to individual accounts and organizations' systems and networks. Encryption should be strong enough to guard against these attacks.
There are three elements of encryption:
Encryption algorithm, encryption key and predetermined length of the key.
While the encryption algorithm is a mathematical function which encrypts or decrypts the data, the key is a part of the algorithm which makes the encryption process unique, like a password. It is important that effective password syntax rules are applied and easily guessed passwords are prohibited. The longer the key, the more difficult it is for hackers to succeed in a brute force attack.
Encryption strength is often described in terms of the size of the keys used to perform the encryption. In general, longer keys provide stronger encryption. Key length is measured in bits. For example, 128-bit keys for use with the RC4 symmetric-key cipher supported by SSL provide significantly better cryptographic protection than 40-bit keys for use with the same cipher. Roughly speaking, 128-bit RC4 encryption is $3 \times 10^{26}$ times stronger than 40-bit RC4 encryption.
There are two types of encryption:
symmetric (private key) and asymmetric (public key).
Symmetric encryption:
Symmetric key systems use a unique key (usually referred to as the secret key) for both encryption and decryption. The key is known as bidirectional because it encrypts as well as decrypts, and it must be shared with both the sender and the receiver of the data. That means the same key is used for encryption and decryption, and hence it is called symmetric.
Advantages of symmetric key systems over asymmetric ones are that their keys are shorter and can be easily remembered. They are less complicated, a thousand times faster and suited for bulk data encryption. However, a symmetric key cannot be used to sign electronic documents because the mechanism is based on a shared secret key. Also, key distribution is a challenge. It also does not implement non-repudiation. The algorithm is not scalable and the key needs to be regenerated often. One major disadvantage is that the sender needs to send or share the private key with the receiver somehow. If it gets into someone else's hands, he/she can decrypt everything.
Symmetric cryptography process at a glance:
Sender:
Original Message --> Encrypt (using Private Key) --> Ciphertext (encrypted message)
Receiver:
Ciphertext (encrypted message) --> Decrypt (using same Private Key) --> Original Message
There are two methods of symmetric encryption:
Stream ciphers and block ciphers
Stream ciphers:
A stream cipher works on a single bit at a time. It encrypts data on the fly, byte by byte. Nowadays, in modern cryptography, it is not much used. Still, RC4 (Rivest Cipher 4) is widely used among all other stream ciphers, particularly in software and in SSL/TLS protocol sessions. SSL/TLS are nothing but protocols used to ensure security on the internet. HTTPS protects the data on the internet using either the SSL or the TLS protocol. RC4 is used in varied applications because of its simplicity, speed, and simplified implementation in both software and hardware.
Block ciphers:
A block cipher works on a fixed-length group of bits called a block. Hence, the data comes in chunks. The usual size of each block is 64 bits, 128 bits or 256 bits.
Following are types of block ciphers:
AES vs DES: The most common symmetric key cryptographic system used to be the Data Encryption Standard (DES). DES is based on a public algorithm approved by NIST and employs keys of 56 bits (plus 8 bits used for parity checking). The bits in the plaintext are processed one 64-bit block at a time. DES was withdrawn by NIST because its entire key space can be brute forced by a moderately large computer system within a relatively short period of time. Extensions of DES (Triple DES or 3DES) were proposed to extend the DES standard while retaining backward compatibility. In 2001, NIST replaced DES with the Advanced Encryption Standard (AES), a public algorithm that supports keys from 128 bits to 256 bits in size.
Rivest Cipher 5: RC5 is a symmetric algorithm patented by Rivest, Shamir, and Adleman (RSA) Data Security, the people who developed the RSA symmetric algorithm. RC5 is a block cipher of variable block sizes (32, 64, or 128 bits) that uses key sizes between 0 (zero) length and 2,040 bits.
The Twofish algorithm: Developed by Bruce Schneier (also the creator of Blowfish), it was another one of the AES finalists. Like Rijndael, Twofish is a block cipher. It operates on 128-bit blocks of data and is capable of using cryptographic keys up to 256 bits in length.
How to handle the major challenge (sharing the key) in symmetric cryptography?
Many methods are used to exchange secret keys securely, such as offline distribution, public key encryption, the Diffie-Hellman key exchange algorithm and quantum cryptography.
Offline Distribution:
The most technically simple method involves the physical exchange of key material. One party provides the other party with a sheet of paper or piece of storage media containing the secret key. In many hardware encryption devices, this key material comes in the form of an electronic device that resembles an actual key that is inserted into the encryption device. However, every offline key distribution method has its own inherent flaws. If keying material is sent through the mail, it might be intercepted. Telephones can be tapped. Papers containing keys might be inadvertently thrown in the trash or lost.
Sharing the private key using asymmetric key encryption:
To understand this topic, you must scroll down and read the asymmetric encryption explanations first and then come back here. As asymmetric key encryption is most secure and interception-free, it can be used for private key distribution/sharing. Once the link is successfully established and the parties are satisfied as to each other’s identity, they exchange a private key over the secure public key link. They then switch communications from the asymmetric algorithm to the symmetric algorithm and enjoy the benefits of symmetric cryptography, such as being less complicated, faster and suited for bulk data encryption.
Diffie-Hellman method of key exchange:
In some cases, neither public key encryption nor offline distribution is sufficient or feasible. Two parties might need to communicate with each other, but they have no physical means to exchange key material, and there is no public key infrastructure in place to facilitate the exchange of secret keys. In situations like this, key exchange algorithms like the Diffie-Hellman algorithm prove to be extremely useful mechanisms. Please note that DH is not an encryption algorithm.
Assume a prime number $q$. Select $\alpha$ such that it is a primitive root of $q$ and $\alpha < q$.
$A$ is a primitive root of $P$ if $A \bmod P, A^2 \bmod P, A^3 \bmod P, \ldots, A^{P-1} \bmod P$ give the values $1, 2, 3, \ldots, P-1$ in some order.
Assume $X_a$ = private key of user a, which must be less than $q$.
Calculate $Y_a$ = public key of user a = $\alpha^{X_a} \bmod q$.
Assume $X_b$ = private key of user b, which must be less than $q$.
Calculate $Y_b$ = public key of user b = $\alpha^{X_b} \bmod q$.
At A: $K = Y_b^{X_a} \bmod q$
At B: $K = Y_a^{X_b} \bmod q$
Both K values should be equal, so that we can say that the exchanges are successful.
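The steps above can be run end to end with small numbers. The following Python sketch is an added example, not part of the original article; the parameters q = 353, alpha = 3 and the private keys 97 and 233 are constructed toy values, far too small for real use, and the function names are illustrative.

```python
# Added example: Diffie-Hellman with constructed toy numbers (far too small for real use).

def prime_factors(n):
    """Distinct prime factors of n by trial division (fine for toy sizes)."""
    factors, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            factors.add(d)
            n //= d
        d += 1
    if n > 1:
        factors.add(n)
    return factors


def is_primitive_root(alpha, q):
    """True if alpha^1 .. alpha^(q-1) mod q produce every value 1 .. q-1 (q prime)."""
    if not 1 < alpha < q:
        return False
    # Shortcut: alpha fails exactly when alpha^((q-1)/f) mod q == 1
    # for some prime factor f of q-1.
    return all(pow(alpha, (q - 1) // f, q) != 1 for f in prime_factors(q - 1))


def order(alpha, q):
    """Smallest k with alpha^k mod q == 1, i.e. how many distinct values alpha generates."""
    if alpha % q == 0:
        raise ValueError("alpha must not be a multiple of q")
    k, value = 1, alpha % q
    while value != 1:
        value = value * alpha % q
        k += 1
    return k


def public_key(alpha, private_key, q):
    """Y = alpha^X mod q; the private key X must be less than q."""
    if not 0 < private_key < q:
        raise ValueError("private key must satisfy 0 < X < q")
    return pow(alpha, private_key, q)


def shared_key(peer_public, private_key, q):
    """K = (peer's Y)^(own X) mod q."""
    return pow(peer_public, private_key, q)


def exchange(q, alpha, xa, xb):
    """Run both sides of the exchange; returns (Ya, Yb, K at A, K at B)."""
    if not is_primitive_root(alpha, q):
        raise ValueError(f"{alpha} is not a primitive root of {q}")
    ya, yb = public_key(alpha, xa, q), public_key(alpha, xb, q)  # sent in the clear
    return ya, yb, shared_key(yb, xa, q), shared_key(ya, xb, q)


if __name__ == "__main__":
    q, alpha = 353, 3            # constructed toy parameters
    ya, yb, k_a, k_b = exchange(q, alpha, xa=97, xb=233)
    print("Ya =", ya, "Yb =", yb, "K at A =", k_a, "K at B =", k_b)
    # 2 is not a primitive root of 353: its powers cover only part of 1..352,
    # so fewer distinct keys are possible than with a primitive root.
    print("order(3) =", order(3, q), "order(2) =", order(2, q))
```

Only Ya and Yb cross the network; the private keys and K never do. The exchange by itself does not tell either side who sent the public value it received.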
Quantum Cryptography:
Quantum cryptography refers to the possibility of using properties of quantum computing (computer technology based on quantum theory) for cryptographic purposes. Quantum key distribution (QKD) is the most important application. QKD schemes allow distribution of a shared encryption key between two parties who can detect when another unauthorized party is eavesdropping on the key exchange channel. And when this happens, the channel is disturbed, and the exchanged key is tagged as compromised. It’s considered potentially unbreakable because it’s based on the laws of physics rather than mathematical algorithms.
For example, say two persons, Ashok and Richa, want to communicate securely. They use a quantum channel to send particles of light (photons) to each other. These photons are prepared in quantum states that represent bits of information. Any attempt to eavesdrop on the channel will disturb these quantum states due to the no-cloning theorem, which states that it’s impossible to create an identical copy of an unknown quantum state. This disturbance can be detected, allowing Ashok and Richa to know if their key exchange has been compromised.
Asymmetric encryption:
In public key cryptography, two keys work together as a pair. They are inversely related to each other, based on mathematical integer factorization. One of the keys is kept private while the other one is publicly disclosed. In this technique, both the sender and the receiver have a pair of public and private keys. That means the sender has his own public key and private key, and the receiver also has his own public key and private key. There may be more than one sender and receiver in a network. Hence, everyone keeps their public key on a public key infrastructure server.
Asymmetric cryptography process at a glance:
Sender:
Original Message --> Encrypt (using Public Key of receiver) --> Ciphertext (encrypted message)
Receiver:
Ciphertext (encrypted message) --> Decrypt (using Private Key of receiver) --> Original Message
Note: It is also possible to encrypt using private key and decrypt using public key, though it isn't feasible.
A major advantage of this technique is that there is no need to share a private key. And as a key pair is used, even though the public keys are known to each other, unauthorized decryption is not possible during transit because the receiver's private key is not shared with anyone (nor is the sender's). Still, the private key of the receiver decrypts the message successfully because the receiver's public key and private key are related to each other and the encryption by the sender is done with the receiver's public key.
Other advantages of asymmetric encryption are that it also provides integrity, authenticity and non-repudiation, unlike symmetric encryption, which only assures confidentiality. However, bulk encryption is not possible here because it uses small blocks of data and also uses digital signatures, digital envelopes and digital certificates. Hence, asymmetric encryption is slower.
Now in asymmetric cryptography, anyone on the network knows the public key of the others. So, what is it that can assure that the sender is the intended (desired/expected) sender only? So if receiver B is expecting a message from A only, and instead C sends him a message (because the public key of B is known to everyone and hence C also knows it), then what is the mechanism with which B gets assurance that A has sent him the message and not C? Okay, so consider this! If A uses his own private key to encrypt the message and sends it to B, and B can decrypt it using the public key of A, then B gets assurance that it has come from A only. But, but.... others on the network also have the public key of A and they can also decrypt the message which is only sent for B by A. Then what? The answer is adding a digital signature in the process!!
Digital signature is part of Public Key Infrastructure.
Public Key Infrastructure (PKI) is a framework that establishes a level of trust by linking public keys with the identities of entities, such as individuals, organizations, or devices. This system enables secure, encrypted communication over the internet and verifies the authenticity of the entities involved.
So, before we understand the world of PKI (digital signature or envelope or certificate or certification authority etc), we must know what hashing is.
Hashing is widely used in storing passwords on servers. Passwords are converted into a value which will never be decrypted. Only hashed values of passwords are stored on servers. Hashing is the process of scrambling a piece of information or data beyond recognition. Hash functions are designed to be irreversible. When data is passed through a hash function, the output is called a hash value or "digest". In hashing, there is no decryption key and nothing can convert the digest back into the original data. Hashing can be studied in more detail later.
A typical digest looks like this: 6c569aabbf7775ef8fc5705a9f1f9b2f
Coming back to PKI, public key systems are still vulnerable to man-in-the-middle (MITM) attacks in which the public keys are tampered with by an attacker (the man in the middle) controlling the communication channel. If this attacker replaces a genuine public key with his own key, any party sending a message to the owner of the tampered public key would instead be using the attacker’s public key. This attacker is now able to intercept, read and modify any such message by decrypting and re-encrypting it using the genuine public key.
The problem lies in the fact that the tampering of the public key cannot be detected by either the sender or the recipient. In other words, there is no guarantee of a binding between the public key and the identity of the owner. To solve this problem, a trusted third party is introduced into the scheme from which any signed document is considered automatically authentic by the sender and the recipient. In the first place, this trusted party identifies the holder of a public key (the subject) and then signs this public key while appending details of the subject’s identity.
The resulting document is known as the public (or digital) certificate of the subject. The trusted third party is called a certification authority (CA). When a CA is introduced in a signature scheme it is known as public key infrastructure (PKI).
As well as issuing certificates, the CA maintains a list of compromised certificates (i.e., those whose private key has been leaked or lost) called the certificate revocation list (CRL). In some cases, certificates may also be marked as revoked in the CRL when the owner of the certificate voluntarily declares not to use the corresponding key pair any longer. This allows a party to reject a signed document when the signature was generated after the private key has been compromised or revoked.
When is PKI required?
One of the most common applications of the PKI framework is Secure Sockets Layer (SSL) protocols. SSL and its successor, Transport Layer Security (TLS) help establish the authenticated and encrypted links between different networked computers used in PKI. The applications of these protocols can extend to a number of activities, most of which are browser-related.
Below are a few of the modern uses of PKI:
How SSL works?
Secure Sockets Layer (SSL) is a communication protocol, or set of rules, that creates a secure connection between two devices or applications on a network. It’s important to establish trust and authenticate the other party before you share credentials or data over the internet. When a computer connects to a website, the computer's web browser asks the website to identify itself. The web server then sends a copy of its SSL certificate to the computer. The certificate is used to authenticate the identity of the website. This way the browser knows that the website you are visiting is trustworthy. The web browser sends a message to the web server. The web server responds with an acknowledgement. Now, the encrypted data can be exchanged.
What is TLS?
TLS (Transport Layer Security) is an updated, more secure version of SSL. We still refer to our security certificates as SSL because it’s a more common term, but when you buy SSL from DigiCert, you get the most trusted, up-to-date TLS certificates. Transport Layer Security (TLS) is the upgraded version of SSL that fixes existing SSL vulnerabilities. TLS authenticates more efficiently and continues to support encrypted communication channels. Due to slow cultural change, most TLS certificates are incorrectly named SSL certificates. Even if your certificate brands itself as an SSL certificate, it will already support both SSL and TLS protocols.
Digital Signatures:
Digitally signed messages assure the recipient that the message truly came from the claimed sender. They enforce nonrepudiation. I have already written a separate article on non-repudiation. You can refer to that if you want to understand it in detail. Digitally signed messages also assure the recipient that the message was not altered while in transit between the sender and recipient. This protects against both malicious modification (a third party altering the meaning of the message) and unintentional modification (because of faults in the communications process, such as electrical interference). Digital signature algorithms rely on a combination of public key cryptography and hashing functions.
Sender Ashok creates a "digest" of the document by applying a hash function. The digest is then encrypted using the private key of the sender. The use of the private key ensures that the sender is the authentic sender. This way a "signed digest" is created. This digital signature is then transmitted with the message (message + digital signature is transmitted). Now the receiver Richa uses Ashok's public key to decrypt the digital signature. If it gets decrypted successfully, the signature is valid. Then, by applying the hashing algorithm to the original message, she checks whether the digests are equal. The message digest computed by the receiver and the message digest obtained by decrypting the digital signature need to be the same to ensure integrity.
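The sign-and-verify flow between Ashok and Richa, as an added Python example that is not part of the original article. It uses textbook RSA without padding and constructed toy keys built from publicly known primes, purely to make the hash, private-key and public-key steps visible; real systems use a padded scheme such as RSA-PSS from a vetted library. All names in the code are illustrative.

```python
# Added example: hash-then-sign with textbook RSA. Toy keys, no padding; illustration only.
import hashlib

E = 65537  # public exponent shared by both constructed key pairs


def make_key(p, q):
    """Build (n, e, d) from two primes. n and e are public, d is private."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))   # modular inverse, Python 3.8+
    return n, E, d


# Constructed key pairs from well-known Mersenne primes. Because the primes are
# public knowledge these keys protect nothing; they only make the arithmetic run.
ASHOK_N, ASHOK_E, ASHOK_D = make_key(2**127 - 1, 2**521 - 1)
OTHER_N, OTHER_E, OTHER_D = make_key(2**89 - 1, 2**607 - 1)   # some third party "C"


def digest(message: bytes) -> int:
    """SHA-256 digest of the message as an integer."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, d: int, n: int) -> int:
    """Sender: hash the message, then transform the digest with the private key."""
    return pow(digest(message), d, n)


def verify(message: bytes, signature: int, e: int, n: int) -> bool:
    """Receiver: recover the digest with the sender's public key and compare it
    with a digest computed locally over the received message."""
    if not 0 <= signature < n:
        return False
    return pow(signature, e, n) == digest(message)


def demo():
    """Returns the outcome of four checks Richa could run on what she receives."""
    message = b"Pay Richa 100 rupees"            # constructed sample message
    signature = sign(message, ASHOK_D, ASHOK_N)
    forged = sign(message, OTHER_D, OTHER_N)     # C signs with C's own private key
    return {
        "genuine": verify(message, signature, ASHOK_E, ASHOK_N),
        "message altered": verify(b"Pay Richa 900 rupees", signature, ASHOK_E, ASHOK_N),
        "signature altered": verify(message, signature ^ 1, ASHOK_E, ASHOK_N),
        "signed by C": verify(message, forged, ASHOK_E, ASHOK_N),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'valid' if ok else 'rejected'}")
```

The message itself travels unencrypted here; the signature gives integrity and origin, not confidentiality.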
Digital Envelopes:
Similar to a digital signature, a digital envelope is an electronic “container” that can be used to protect data or a message through the use of encryption and data authentication. The message is first encoded using symmetric encryption and then the code to decode the message is secured using public key encryption. This provides a more convenient option for encryption.
Digital Certificates:
We can say that digital certificates are truly the endorsed copies of individuals' public keys. When users verify that the certificate was signed by a Certification Authority (CA), they know that the public key is legitimate. Digital certificates contain specific identifying information. A certificate is an electronic document used to identify an individual, a server, a company, or some other entity and to associate that identity with a public key. Like a driver’s license, a passport, or other commonly used personal IDs, a certificate provides generally recognized proof of a person’s identity. Public-key cryptography uses certificates to address the problem of impersonation.
Certificate authorities:
These CAs are entities that validate identities and issue certificates. They can be either independent third parties or organizations running their own certificate-issuing server software. The methods used to validate an identity vary depending on the policies of a given CA, just as the methods to validate other forms of identification vary depending on who is issuing the ID and the purpose for which it will be used. In general, before issuing a certificate, the CA must use its published verification procedures for that type of certificate to ensure that an entity requesting a certificate is in fact who it claims to be.
The certificate issued by the CA binds a particular public key to the name of the entity the certificate identifies (such as the name of an employee or a server). Certificates help prevent the use of fake public keys for impersonation. Only the public key certified by the certificate will work with the corresponding private key possessed by the entity identified by the certificate.
Client and server authentication are not the only forms of authentication that certificates support. For example, the digital signature on an email message, combined with the certificate that identifies the sender, provides strong evidence that the person identified by that certificate did indeed send that message. Similarly, a digital signature on an HTML form, combined with a certificate that identifies the signer, can provide evidence, after the fact, that the person identified by that certificate did agree to the contents of the form. In addition to authentication, the digital signature in both cases ensures a degree of non-repudiation; that is, a digital signature makes it difficult for the signer to claim later not to have sent the email or the form. Client authentication is an essential element of network security within most intranets or extranets. The sections that follow contrast two forms of client authentication:
Password-Based Authentication:
Almost all server software permits client authentication by means of a name and password. For example, a server might require a user to type a name and password before granting access to the server. The server maintains a list of names and passwords; if a particular name is on the list, and if the user types the correct password, the server grants access.
Certificate-Based Authentication:
Client authentication based on certificates is part of the SSL protocol. The client digitally signs a randomly generated piece of data and sends both the certificate and the signed data across the network. The server uses techniques of public-key cryptography to validate the signature and confirm the validity of the certificate.