1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
|
#+date: 2020-02-09
#+title: Cryptography Basics
* Similar Article Available
If you haven't already, feel free to read my post on [[./2018-12-08-aes-encryption.html][AES Encryption]].
* What is Cryptography?
In layman's terms, cryptography is a process that can change data from a
readable format into an unreadable format (and vice-versa) through a series of
processes and secrets. More technically, this is the Internet Security
Glossary's definition:
#+BEGIN_QUOTE
[Cryptography is] the mathematical science that deals with transforming data
to render its meaning unintelligible (i.e., to hide its semantic content),
prevent its undetected alteration, or prevent its unauthorized use. If the
transformation is reversible, cryptography also deals with restoring encrypted
data to an intelligible form.
- [[https://tools.ietf.org/html/rfc2828][Internet Security Glossary (2000)]]
#+END_QUOTE
Cryptography cannot offer protection against the loss of data; it simply offers
encryption methods to protect data at-rest and data in-traffic. At a high-level,
encrypted is when plaintext data is encrypted to ciphertext (a secure form of
text that cannot be understood unless decrypted back to plaintext). The
encryption process is completed through the use of a mathematical function that
utilizes one or more values called keys to encrypt or decrypt the data.
* Key Elements of Cryptographic Systems
To create or evaluate a cryptographic system, you need to know the essential
pieces to the system:
- *Encryption Algorithm (Primitive):* A mathematical process that encrypts and
decrypts data.
- *Encryption Key:* A string of bits used within the encryption algorithm as
the secret that allows successful encryption or decryption of data.
- *Key Length (Size):* The maximum number of bits within the encryption key.
It's important to remember that key size is regulated in many countries.
- *Message Digest:* A smaller, fixed-size bit string version of the original
message. This is practically infeasible to reverse, which is why it's commonly
used to verify integrity.
* Symmetric Systems (Secret Key Cryptography)
Symmetric cryptography utilizes a secret, bidirectional key to perform both
encryption and decryption of the data. The most common implementation of
symmetric cryptography is the Advanced Encryption Standard, which uses keys that
are 128 bits to 256 bits in size. This standard came after the National
Institute of Standards and Technology (NIST) decided to retire the Data
Encryption Standard (DES) in 2001.
Since brute force attacks strongly correlate with key length, the 56-bit key
length of DES was considered insecure after it was publicly broken in under 24
hours. However, there is a modern implementation of DES called Triple DES where
the DES method is applied three times to each data block.
The main advantages to symmetric systems are the ease of use, since only one key
is required for both encryption and decryption, and the simplicity of the
algorithms. This helps with bulk data encryption that may unnecessarily waste
time and power using asymmetric systems.
However, symmetric systems have disadvantages to keep in mind. Since the key is
private, it can be difficult to safely distribute keys to communication
partners. Additionally, the key cannot be used to sign messages since it's
necessary to keep the key private.
* Asymmetric Systems (Public Key Cryptography)
Asymmetric cryptography utilizes two keys within the system: a secret key that
is privately-held and a public key that can be distributed freely. The
interesting aspect of asymmetric cryptography is that either key can be used to
encrypt the data, there's no rule that dictates which key must be used for
encryption. Once one key is used to encrypt the data, only the other key can be
used to decrypt the data. This means that if the private key encrypts the data,
only the public key can decrypt the data.
An advantage of this system is that if you successfully decrypt data using one
of the keys, you can be sure of the sender since only the other key could have
encrypted the data.
One of the major implementations of an asymmetric system is a digital signature.
A digital signature can be generated using the sender's private key, or a
one-way hash function and is used to provide assurance for the integrity and
authenticity of the message. A couple common message digest algorithms are
SHA-256 and SHA-512, which securely compress data and produce a 128-bit message
digest.
It should be noted that man-in-the-middle attacks are one of the risks with
digital signatures and public keys. To combat this, applications often use a
public key infrastructure (PKI) to independently authenticate the validity of
signatures and keys.
Due to the large key size and [[https://crypto.stackexchange.com/a/591][inefficient mathematical functions]] of asymmetric
encryption, elliptical curve cryptography (ECC) is often used to increase
security while using fewer resources.
* Applications of Cryptographic Systems
There are quite a few implementations of cryptographic systems around the world.
Here are a few popular examples:
*Transport Layer Security (TLS):* One of the most famous cryptographic
solutions created is TLS, a session-layered or connection-layered internet
protocol that allows for secure communications between browsers and servers.
Using handshakes, peer negotiation, and authentication allows TLS to prevent
eavesdropping and malicious transformation of data. The major reason for TLS
popularity is that a major vulnerability was found in the SSL protocol in 2014.
Instead of SSL, TLS can be used with HTTP to form HTTPS and is the preferred
method for modern web development due to its increased security.
*Secure Hypertext Transfer Protocol (HTTPS):* An application layer protocol
that allows for secure transport of data between servers and web clients. One of
the unique parts of HTTPS is that it uses a secured port number instead of the
default web port address.
*Virtual Private Network (VPN):* VPNs are made to securely extend a private
network across public networks by utilizing an encrypted layered tunneling
protocol paired with an authentication method, such as usernames and passwords.
This technology originally allowed remote employees to access their company's
data but have evolved into one of the top choices for anyone who wishes to mask
their sensitive personal data.
*Internet Protocol Security (IPSec):* This protocol suite facilitates
communication between two or more hosts or subnets by authenticating and
encrypting the data packets. IPSec is used in a lot of VPNs to establish the VPN
connection through the transport and tunnel mode encryption methods. IPSec
encrypts just the data portion of packets in the transport methods, but it
encrypts both the data and headers in the tunnel method (introducing an
additional header for authentication).
*Secure Shell (SSH):* SSH is another network protocol used to protect network
services by authenticating users through a secure channel. This protocol is
often used for command-line (shell) functions such as remote shell commands,
logins, and file transfers.
*Kerberos:* Developed by MIT, Kerberos is a computer-network authentication
protocol that works on the basis of tickets to allow nodes communicating over a
non-secure network to prove their identity to one another securely. This is most
commonly used in business environments when used as the authentication and
encryption method for Windows Active Directory (AD).
* Cybersecurity Controls
If you're someone who needs solutions on how to control risks associated with
utilizing a crytograhpic system, start with a few basic controls:
- *Policies:* A policy on the use of cryptographic controls for protection
of information is implemented and is in accordance with organizational
objectives.
- *Key management:* A policy on the use, protection and lifetime of
cryptographic keys is implemented through the entire application lifecycle.
- *Key size:* The organization has researched the optimal key size for their
purposes, considering national laws, required processing power, and
longevity of the solution.
- *Algorithm selection:* Implemented algorithms are sufficiently appropriate
for the business of the organization, robust, and align with recommended
guidelines.
- *Protocol configuration:* Protocols have been reviewed and configured
suitable to the purpose of the business.
|
