Encryption and its types

Encryption

What is it and why is it necessary?

Goal of Encryption of Internet Traffic
conveys confidentiality to messages while in transit
changes readable text messages into something that cannot be read
discourages anyone from reading or copying the messages

Related Problem
if header information is not encrypted, traffic analysis is possible
traffic analysis - the analysis of header information in order to derive useful information from the headers

Encryption Components

• an algorithm
• a key

Encryption Algorithms
a series of steps that mathematically transforms plain-text or other readable information into unintelligible cipher text.
Cipher text - Data that has been encrypted. Cipher text is unreadable until it has been converted into plain text (decrypted) with a key.

Decryption
The inverse mathematical transformation, which transforms the encrypted cipher text back into something readable, is called decryption.

Encryption Algorithm - Input and Output
a key and plain text are input into an encryption algorithm
cipher text is output from the encryption algorithm

Encryption Keys
a bit string consisting of x number of bits. A 40 bit key is a string consisting of 40 bits
an encryption algorithm can use one of a large number of possible keys
the number of possible keys each algorithm can support depends on the number of bits in the key. The longer the key, the more the possible number of keys

Encryption Key Example
example - if the key length is 40, then 2 to the n, where n is the number of bits in the key, results in 1,000,000,000,000 possible key combinations, with each different key causing the algorithm to produce slightly d ifferent cipher output

Security and Encryption
encryption algorithms are considered secure if the security depends on only one factor - key length
security does not depend on secrecy, inaccessibility, or anything else, only on the key length
if this factor is true, then the only possible attack against the algorithm is a brute force attack

Brute Force Attacks and Security
all key combination must be tried in order to find the correct key
the length of the key determines the possible number of keys available for selection
the longer the key length the longer it takes to discover which key will actually decrypt
specifying a long enough key length makes a brute-force attack non-feasible

Symmetric Encryption
identical keys are used to encrypt and decrypt the message
a message encrypted by one specific symmetric key can only be decrypted by using the same key, it can be decrypted with a different key

Symmetric Keys
a random bit string, n bits long
most often generated on the source computer

Advantages of Using Symmetric Encryption
the encryption process is simple
each trading partner can use the same publicly known encryption algorithm - no need to develop and exchange secret algorithms
security is dependent on the length of the key

Drawbacks of Using Symmetric Encryption
a shared secret key must be agreed upon by both parties
if a user has n trading partners, then n secret keys must be maintained, one for each trading partner
authenticity of origin or receipt cannot be proved because the secret key is shared
management of the symmetric keys becomes problematic

Problems with Management of Symmetric Keys
trading partners must always use the exact same key to decrypt the encrypted message
key exchange is difficult because the exchange itself must be secure with no intervening compromise of the key
management of keys is difficult as numbers of trading partners increases, especially when multiple keys exist for each trading partner

Public Key Cryptography as a Solution for Managing Symmetric Keys
public key cryptography simplifies the management of symmetric keys to the point whereby a symmetric key can be used not only for each trading partner, but for each exchange between trading partners
additionally, public key cryptography can be used to unambiguously establish non-repudiation of origin and receipt

Asymmetric Encryption - (Public Key Cryptography)
based on the concept of a key pair
each half of the pair (one key) can encrypt information that only the other half (one key) can decrypt
the key pair is designated and associated to one, and only one, trading partner

Asymmetric Key Pairs
consists of two keys - one private and one public
private key is secret and only known by the designated trading partner it belongs to
public key is published widely but still associated only with the designated trading partner

Asymmetric Key Uses
confidentiality
digital signatures
both uses depend on the association of a key pair with one, and only one owner of the keys
both uses depend on one of the keys in the key pair being secret from everyone but the owner of the key

Confidentiality Using Asymmetric Key Pairs (Encryption)
Trading Partner A desires to send a confidential message to Trading Partner B
Trading Partner A retrieves Trading Partner B's public key and encrypts the message with it

Confidentiality Using Asymmetric Key Pairs (Decryption)
Trading Partner B receives the message and decrypts the message with the secretly held, private key
The only key that can possibly decrypt a message that is encrypted with Trading Partner B's public key is Trading Partner B's private key

Digital Signatures Using Asymmetric Key Pairs (Encryption)
Trading Partner A desires to send a digitally signed message to Trading Partner B
Trading Partner A uses their own private key to encrypt a part of the message
Trading Partner A sends the encrypted part of the message to B

Digital Signatures Using Asymmetric Key Pairs (Decryption)
Trading Partner B receives Trading Partner A's message and obtains A's public key
Trading Partner B tries to decrypt the encrypted portion of Trading Partner A's message
If it decrypts, Then Trading Partner B knows it has to be from A because the only thing A's public key will decrypt is something encrypted with A's private key and only A has access to that private key

Real World Usage of Asymmetric Encryption
public key encryption algorithms are considerably slower than symmetric key algorithms
rarely used as encryption methodology for bulk messages or parts of messages
normally used in conjunction with a Message Integrity Check (MIC) or to encrypt a symmetric key, where the MIC or symmetric key is what is encrypted using public key encryption algorithms

Speed Comparison - Symmetric vs Asymmetric
software encryption using DES (symmetric key algorithm) is 100 times faster than software encryption using RSA (asymmetric key algorithm) - estimate provided by RSA Data Securities
hardware encryption using DES (symmetric key algorithm) is anywhere from 1,000 to 10,000 times faster than hardware encryption using RSA (asymmetric key algorithm)

Encryption Needs for Confidential Commercial Exchanges
for interoperability between two trading partners
standard encryption algorithm(s)
standard key length(s)
agreed upon beforehand or within an individual transaction

Issues
how secure is the algorithm?
how fast are current implementations of the algorithm?
availability of APIs and/or tools to implement the algorithm
frequency of use of algorithm with other trading partners
sufficient key length to discourage brute force attacks

Common Symmetric Key Algorithms
Data Encryption Standard - DES
Triple DES
RC2 and RC5
IDEA

Block Ciphers vs Stream Ciphers
block ciphers - take a set number of bits, typically 64 bits, and encrypts the them as a single block
stream ciphers - take and encrypt one bit at a time
Most ciphers belong to the block cipher class.

Data Encryption Standard - DES
most widely used commercial encryption algorithm
in the public domain, available to all
a U. S. government encryption standard
security is known and is dependent solely on the key length
data sequenced into 64 bit blocks prior to encryption, each block encrypted

Cipher Block Chaining (CBC)
recommended mode for using DES
each 64 bit block of data is exclusively OR'd with the previous block before encryption
gives added protection by making each cipher-text block depend on each other
changes in the cipher text can be detected

Brute Force Attacks against DES
DES specifies a 56 bit key, so there are 2 to the 56th possible keys
brute force attack means trying every single key (10,000,000,000,000,000) to decrypt 8 bytes of known cipher text into the corresponding plain text

Resources Required to Break DES Key
$1 million dollar hardware based, brute-force attack on DES takes approximately 3.6 hours to recover the DES key
$1 million dollar software based, brute force attack on DES takes approximately 3 years to recover the DES key
above figures attributed to B. Schneier, "E-Mail Security", John Wiley & Sons, 1995

Triple DES
variant on DES which encrypts message 3 times with 2 independent 56 bit keys
effective key length is 112 bits
brute force attack on Triple DES is not feasible

RC2 and RC5
RSA owned proprietary symmetric key algorithms
variable key length makes security configurable
RC2 is a block cipher (similar to DES) and should be used in CBC mode, RC5 is also a block cipher and should be used in CVC Pad mode
Both use 128 bit key but support key masking for configuration of key length

International Data Encryption Algorithm (IDEA)
a block cipher, in the mold of DES
uses a 64-bit block size and a 128-bit key
IDEA in CBC mode is the bulk encryption algorithm used by Pretty Good Privacy (PGP) which makes it the most widely used encryption algorithm for

Key Lengths and Secure Transactions
Algorithms that make a brute force attack not feasible
Triple DES with 2 56 bit keys
RC2 and RC5 with 128 bit keys
IDEA with 128 bit key

Recommendations on Key Lengths
Transactions of minimal or small value - 40 bit RC2 or 56 bit DES
Most commercial applications need a key length of 75 bits
High value transactions Triple-DES, IDEA or 128 bit RC2 or RC5

Conclusions
Encryption is the correct method to implement confidentiality for Internet traffic
Symmetric key algorithms should be chosen for encryption of confidential data
The more bits in the symmetric key, the less probable the compromise of the encrypted data