In broad terms, an algorithm is a step-by-step procedure for solving a problem. For example, suppose your problem is that you are unable to bake cookies that are exactly like Grandma's. What is needed is an algorithmher secret recipe. With the recipe card in hand, you have the ingredients and the sequence of events that are required to achieve the desired result. In encryption, the algorithm is what is used to define how the encryption will be applied, how the data held inside is encrypted, and how the data is unencrypted on the other end. Think of the algorithm as the guidebook to how any particular encryption method is applied. Most people wouldn't understand or don't really need to know the internal details of how an encryption algorithm works. However, knowing the fundamental design of any given encryption algorithm can provide insights into how it will perform as well as how secure it is. With this information you can select which algorithm is going to do the job for your given situation, because some algorithms are better suited than others, given different tasks . The three different types of cryptographic algorithms include the following:
Each of these algorithms is discussed in further detail in the following sections. HashingA hash is a generated summary from a mathematical rule or algorithm and is used to verify the integrity of files. In other words, hashing algorithms are not encryption methods but provide added security to systems to ensure that data has not been tampered with. Keep in mind that hashing is one-way. Although you can create a hash from a document, you cannot re-create the document from the hash. If this all sounds confusing, the following example should help clear things up. Suppose you want to send an email to a friend, and you also want to ensure that during transit, it cannot be read or unknowingly altered . You would first utilize software that generates a hash (a summary or tag) of the message to accompany the email and then encrypt both the hash and the message. After receiving the email, the recipient's software decrypts the message and the hash and then produces another hash from the received email. The two hashes are then compared, and a match would indicate that the message was not tampered with. Alternatively, any change in the original message would produce a change in the hash on the recipient's machine. Common hash algorithms include the following:
Both SHA and the MD series are similar in design; however, keep in mind that because of the higher bit strength of the SHA-1 algorithm, it will be in the range of 20% to 30% slower to process than the MD family of algorithms.
As you can determine from the different versions of Message Digest listed, there has been some refinements to the algorithm over the years . The most commonly used are MD4 and MD5, which are both faster than MD2. Both MD4 and MD5 produce a 128-bit hash; however, the hash used in MD4 was successfully broken a while back. This spurred the development of MD5, which features a redeveloped cipher that makes it stronger than the MD4 algorithm while still featuring a 128-bit hash. Although MD5 is the more common hashing algorithm, SHA-1 is quickly being embraced by those outside of the U.S. government.
Symmetric AlgorithmsSymmetric key algorithms and asymmetric key algorithms (discussed in the following section) are the two fundamental types of encryption algorithms. Symmetric key algorithms use the same key to encrypt and decrypt a message. A drawback of this particular situation is that every party participating in communications must have the exact same key on the other end to compare the information. If the key is compromised at any point, it is impossible to guarantee that a secure connection has commenced. Additionally, to use symmetric key algorithms, two parties must first exchange the encryption key, which can present difficulties in doing so securely. Despite these drawbacks however, symmetric key algorithms are easier to implement over other methods and are typically faster.
Even given the possible risks involved with symmetric key encryption, the method is used quite often in today's society mainly for its simplicity and ease of deployment. On top of that, it is generally considered very strong as long as the source and destination that house the key information are kept secure. Symmetric key encryption can be divided into the following two categories:
A multitude of symmetric key algorithms are used today. The more commonly used algorithms include the following:
Table 8.1 provides a comparison of the algorithms just mentioned, as well as some lesser-known ones. Additionally, notice the differences between the various types of RC algorithms.
Table 8.1. A Comparison of Symmetric Key Algorithms
Asymmetric AlgorithmsAs mentioned earlier in this chapter, two major types of algorithms are used today: symmetric, which has one key kept private at all times, and asymmetric, which has two keys (a public one and a private one). Both the public key and private key are mathematically related , yet it is computationally infeasible to try and determine the private key based on the information from the public key. In the asymmetric algorithm, there is always a public key that is made available to whoever is going to encrypt the data sent to the holder of the private key. The private key is maintained on the host system or application. Quite often, the public encryption key is made available in a number of fashions , such as via email or centralized servers that host a pseudo address book of published public encryption keys. Figure 8.1 illustrates the asymmetric encryption process. Figure 8.1. An example of asymmetric encryption.
As an example of asymmetric encryption, we'll use the secure exchange of an email. When someone wants to send a secure email to another, he or she obtains the target user's public encryption key and encrypts the message using this key. Because the message can only be unencrypted with the private key, only the target user can read the information held within. Ideally, for this system to work well, everyone should have access to everyone else's public keys.
Wide arrays of asymmetric algorithms have been designed; however, very few have gained the widespread acceptance as seen with symmetric algorithms. Some things to keep in mind while reading about the following few asymmetric algorithms are that some have unique features, including built-in digital signatures (which you will learn more about later). Also, because of the additional computational overhead generated by using a public and private key for encryption/decryption, far more resources are required to use asymmetric algorithms. The one environment where public key encryption has proven very useful is on networks such as the Internet. This is primarily because the public key is all that needs to be distributed. Because nothing harmful can be done with the public key, it is useful over unsecured networks where data can pass through many hands and is vulnerable to interception and abuse. Symmetric encryption works fine over the Internet as well, but the limitations on providing the key securely to everyone who requires it can be difficult. The following are some of the more popular asymmetric encryption algorithms:
Throughout this section on different encryption algorithms, you have learned how each type performs . One thing you haven't seen yet is how bit strengths compare to each other when looking at asymmetric and symmetric algorithms in general. The following list reveals why symmetric algorithms are favored for most applications and why asymmetric algorithms are widely considered very secure but often too complex and resource intensive for every environment.
As you can see, there is a dramatic difference in the strength and, consequently, the overall size of asymmetric encryption keys. For most environments today, 128-bit strength is considered adequate; therefore, symmetric encryption may often suffice. If you want to simplify how you distribute keys, however, asymmetric encryption may be the better choice. As you can imagine, you will have to look at many aspects to determine which method or combination of methods should be used. The following sections of this chapter reveal how encryption can help augment security. |