6.1 Compare and contrast basic concepts of cryptography. Flashcards
Symmetric Algorithms
Symmetric encryption is a common encryption method that uses the same key to encrypt and decrypt the message.
Pros:
The advantage of symmetric encryption is that it is much faster than asymmetric encryption. If you are going to encrypt a large amount of information, you get a performance benefit by using symmetric encryption rather than asymmetric encryption.
Cons:
There are two major disadvantages to using symmetric encryption.
First, how do you communicate the key to the party who needs to decrypt the message? You must ensure that whatever way you communicate the key, it is sent in a secure manner.
The second disadvantage to symmetric encryption is the number of keys required to ensure confidentiality among all parties. For three people to encrypt messages for one another, you need three different symmetric keys, one for each pair, so that every pair can communicate securely. The number of keys rises dramatically as you increase the number of people who need to communicate. The following formula is used to calculate the number of symmetric keys required:
Keys = people × (people – 1) / 2
Modes of Operation
+ Electronic Codebook (ECB)
+ Cipher Block Chaining (CBC)
+ Cipher FeedBack (CFB)
+ Output FeedBack (OFB)
+ Counter Mode (CTM)
+ Galois/Counter Mode (GCM)
Asymmetric Algorithms
Asymmetric encryption involves using two mathematically related keys to perform the encryption and decryption process. There are two main points to remember about asymmetric encryption:
Whatever one key in the pair does, the other key undoes that operation.
The two keys are related, but you cannot derive one key from the other.
Remember that when using asymmetric encryption, the message (or data) is encrypted with the recipient’s public key. Also remember that to ensure nonrepudiation, the message is signed using the sender’s private key.
Pros:
1) The advantage of asymmetric encryption is the fact that you can securely communicate the public keys to other parties, unlike with symmetric encryption. In the asymmetric system, you are free to give out the public key while the private key stays with the user.
2) Key management is also a benefit of asymmetric encryption. You saw that with symmetric encryption, as the number of users increases, the number of keys rises dramatically. With asymmetric encryption, you need only one key pair per user, and each user can then encrypt messages for all other users.
Cons:
The disadvantage of asymmetric encryption is that it is slower than symmetric encryption. If performance is a key factor, symmetric encryption may be the better alternative.
Hashing
Hashing is an important cryptography service because it is designed to ensure the integrity of data or a message. Integrity deals with ensuring that the information has not been tampered with since it was created or sent to a recipient.
Salt, IV, nonce
Salt
A salt is a random value that is generated and combined with the data before the data is hashed. This technique ensures that the same data input (typically a password) produces different hash values each time a password hash is generated.
IV
An initialization vector, or IV, is a randomly generated value that is used together with the encryption key to encrypt data. The purpose of joining the IV with the key is to ensure that if a hacker were to gain access to the encrypted data, they could not compare different parts of the encrypted data to try to determine the key value. The IV gives randomness to each segment of data that is encrypted with the same key.
Nonce
A nonce is a random number that is generated, only used once, and typically applied to authentication traffic. The typical scenario for a nonce is at the beginning of the authentication process.
The client sends a request to the server for a nonce value. The server sends a random number to the client, which then uses that to hash the password (with a hashing algorithm) and send the hashed authentication information across the network to the server.
A nonce can also be used with encryption as a way to ensure that the keystream is unique with each message sent. In this case, the encryption key + nonce value would be used to encrypt data sent (the message). Since each message will use a unique nonce, each message is technically encrypted with a different key.
Elliptic Curve
This is a newer asymmetric algorithm that is based on Diffie-Hellman for key exchange and the Digital Signature Algorithm (DSA) for signing messages.
Weak/Deprecated Algorithms
While we are on the topic of algorithms, I want to stress a point about working with different encryption algorithms. Always ensure that you are selecting the most secure algorithm to get the job done. Do some research and be aware of which algorithms are weaker than others and have been deprecated (no longer recommended for use). For example, 3DES was a popular symmetric encryption algorithm for many years but has been replaced by AES.
Key Exchange (Bonus: In-Band vs. Out-of-Band Key Exchange)
Key exchange is an important topic in relation to symmetric cryptography. There are two primary approaches to key exchange: in-band key exchange and out-of-band key exchange. In-band key exchange essentially means that the key is exchanged within the same communications channel that is going to be encrypted. IPSec, which will be discussed later in this chapter, uses in-band key exchange. Out-of-band key exchange means that some other channel, other than the one that is going to be secured, is used to exchange the key.
Digital Signatures
A digital signature is created on a message in order to prove the integrity of the sender of the message. Because the signature is created using a person’s private key and only that person has access to their private key, it proves the sender is who they say they are.
Diffusion
Diffusion ensures that repeated characters in the plain text do not help someone decipher the ciphertext (the data after it is encrypted). Transposition is a feature that provides diffusion.
Confusion
Confusion is the principle of ensuring that the relationship between the encryption key and the data after it is encrypted is as complex as possible so it is difficult to figure out. Substitution is an example of a cryptography feature that implements confusion.
Collision
Hashing protocols are known to create collisions, which occur when two different pieces of data produce the same hash value.
Steganography
Steganography is a cryptography concept that involves a person hiding text information inside graphic files. A number of steganography applications can be used to modify a graphic file and hide text documents in the graphic file.
Obfuscation
Obfuscation is the concept of making something complicated on purpose to make it difficult to understand. For example, in order to hide the details of the cryptographic implementation of a product, you could make sure that the documentation for that product is hard to understand.
Stream vs. Block
Stream cipher algorithms encrypt data one bit at a time. Plain text bits are converted into encrypted ciphertext. This method is usually not as secure as block cipher techniques, discussed next, but it generally executes faster. In addition, the ciphertext is always the same size as the original plain text and is less prone to errors. If an error occurs during the encryption process, usually this affects only a single bit instead of the whole string. In contrast, when block ciphers contain errors, the entire block becomes unintelligible. The plain text bits are typically encrypted with the bits of a key by using an exclusive OR (XOR) function (described shortly).
Instead of encrypting one bit at a time, block cipher algorithms encrypt data in blocks. Block ciphers have more overhead than stream ciphers. The amount of overhead depends on the implementation and on the block size, which can be modified (the most common size is 64 bits). Because a block cipher handles encryption at a higher level, it is generally more secure. The downside is that execution takes longer.