Algorithms

In broad terms, an algorithm is a step-by-step procedure for solving a problem. For example, suppose your problem is that you are unable to bake cookies that are exactly like Grandma's. What is needed is an algorithmher secret recipe. With the recipe card in hand, you have the ingredients and the sequence of events that are required to achieve the desired result.

In encryption, the algorithm is what is used to define how the encryption will be applied, how the data held inside is encrypted, and how the data is unencrypted on the other end. Think of the algorithm as the guidebook to how any particular encryption method is applied.

Most people wouldn't understand or don't really need to know the internal details of how an encryption algorithm works. However, knowing the fundamental design of any given encryption algorithm can provide insights into how it will perform as well as how secure it is. With this information you can select which algorithm is going to do the job for your given situation, because some algorithms are better suited than others, given different tasks .

The three different types of cryptographic algorithms include the following:

  • Hashing algorithms

  • Symmetric key-based algorithms

  • Asymmetric key-based algorithms

Each of these algorithms is discussed in further detail in the following sections.

Hashing

A hash is a generated summary from a mathematical rule or algorithm and is used to verify the integrity of files. In other words, hashing algorithms are not encryption methods but provide added security to systems to ensure that data has not been tampered with.

Keep in mind that hashing is one-way. Although you can create a hash from a document, you cannot re-create the document from the hash. If this all sounds confusing, the following example should help clear things up. Suppose you want to send an email to a friend, and you also want to ensure that during transit, it cannot be read or unknowingly altered . You would first utilize software that generates a hash (a summary or tag) of the message to accompany the email and then encrypt both the hash and the message. After receiving the email, the recipient's software decrypts the message and the hash and then produces another hash from the received email. The two hashes are then compared, and a match would indicate that the message was not tampered with. Alternatively, any change in the original message would produce a change in the hash on the recipient's machine.

Common hash algorithms include the following:

  • Secure Hash Algorithm ( SHA , SHA -1) Hash algorithms pioneered by the National Security Agency and widely used in the U.S. government. SHA-1 can generate a 160-bit hash from any variable-length string of data, making it very secure but also resource intensive .

  • Message Digest Series Algorithm (MD2, MD4, MD5) A series of encryption algorithms designed to be fast, simple, and secure. The MD series generates a hash of up to 128-bit strength out of any length of data.

Both SHA and the MD series are similar in design; however, keep in mind that because of the higher bit strength of the SHA-1 algorithm, it will be in the range of 20% to 30% slower to process than the MD family of algorithms.

graphics/alert_icon.gif

Hashing within security systems is used to ensure that transmitted messages have not been altered. Be able to identify the common types of hash algorithms.


As you can determine from the different versions of Message Digest listed, there has been some refinements to the algorithm over the years . The most commonly used are MD4 and MD5, which are both faster than MD2. Both MD4 and MD5 produce a 128-bit hash; however, the hash used in MD4 was successfully broken a while back. This spurred the development of MD5, which features a redeveloped cipher that makes it stronger than the MD4 algorithm while still featuring a 128-bit hash. Although MD5 is the more common hashing algorithm, SHA-1 is quickly being embraced by those outside of the U.S. government.

graphics/note_icon.gif

It's worth noting that an alternative to the hash algorithms just mentioned is RIPEMD-160, which has been placed in the public domain by its designers. RIPEMD-160 is a cryptographic hash function designed to replace MD4 and MD5. More information on this algorithm can be found on the RIPEMD-160 home page at www.esat.kuleuven.ac.be/~bosselae/ripemd160.html.


Symmetric Algorithms

Symmetric key algorithms and asymmetric key algorithms (discussed in the following section) are the two fundamental types of encryption algorithms. Symmetric key algorithms use the same key to encrypt and decrypt a message. A drawback of this particular situation is that every party participating in communications must have the exact same key on the other end to compare the information. If the key is compromised at any point, it is impossible to guarantee that a secure connection has commenced. Additionally, to use symmetric key algorithms, two parties must first exchange the encryption key, which can present difficulties in doing so securely. Despite these drawbacks however, symmetric key algorithms are easier to implement over other methods and are typically faster.

graphics/note_icon.gif

Discussions of cryptography use the term key , which does not denote the traditional metal object used with a physical locking device. Instead, the term is analogous, and a cryptography key actually describes a string of bits used for encrypting and decrypting data. These keys can also be thought of as a password or table.


graphics/tip_icon.gif

Symmetric key algorithms are often referred to as secret key algorithms and private key algorithms .


Even given the possible risks involved with symmetric key encryption, the method is used quite often in today's society mainly for its simplicity and ease of deployment. On top of that, it is generally considered very strong as long as the source and destination that house the key information are kept secure.

Symmetric key encryption can be divided into the following two categories:

  • Block ciphers take a number of bits (usually 64 bits) and encrypt them as a single unit.

  • Stream ciphers encrypt a single bit of plaintext at a timethat is, each binary digit in a data stream is encrypted one bit at a time.

graphics/note_icon.gif

It's difficult to discuss encryption methods without using the term bit strength . This term is used to indicate the strength of a particular encryption method or hash. The longer the hash used (measured in bits), the more secure it is. In addition, the more processing time the hash takes to generate, the larger it will be when passing the information over a network. A strong encryption is typically 128 bit. Before recent changes to encryption export controls in 2002, anything this level or higher typically saw limited use outside of North America, with exceptions for some trusted countries around the world. The recently relaxed laws however still limit the export of software using strong encryption to specific foreign countries that perhaps may have a more nefarious use for keeping data or communications locked away.


A multitude of symmetric key algorithms are used today. The more commonly used algorithms include the following:

  • Data Encryption Standard ( DES ) DES was adopted for use by the National Institute of Standards and Technology in 1977. DES is a block cipher that uses a 56-bit key on each 64-bit chuck of data, and it is limited in use because of its relatively short key length limit.

  • Triple Data Encryption Standard (3DES) 3DES, also known as Triple-DES , dramatically improves upon DES by using the DES algorithm three times with three distinct keys. This provides a total bit strength of 168 bits.

  • Advanced Encryption Standard ( AES ) Also called Rijndael , this block cipher has been chosen by the National Institute of Standards and Technology (NIST) to be the successor to DES as the United States' new Advanced Encryption Standard. AES is similar to DES in that it can create keys from 128-bit to 256-bit in length and can perform the encryption and decryption of data up to 128-bit chunks of data (in comparison to the 64-bit chunks of the original DES). And similar to 3DES, the data is passed through three layers , each with a specific task, such as generating random keys based on the data and the bit strength being used. The data is then encrypted with the keys through multiple encryption rounds, like DES, and then the final key is applied to the data.

  • Blowfish Encryption Algorithm Blowfish is a block cipher that can encrypt using any size chunk of data; in addition, Blowfish can also perform encryption with any length encryption key up to 448 bits, making it a very flexible and secure symmetric encryption algorithm.

  • International Data Encryption Algorithm ( IDEA ) Originally created around 1990, IDEA went through several variations before arriving at its final acronym. Originally called the Proposed Encryption Standard (PES), it was later renamed and refined to the Improved Proposed Encryption Standard (IPES). After even more refinement, it was ultimately named IDEA in 1992. In its final form, IDEA is capable of encrypting 64-bit blocks of data at a time and uses a 128-bit strength encryption key. The use of IDEA has been limited primarily because of software patents on the algorithm, which many feel hinder development, research, and education.

  • Rivest Cipher (RC2, RC4, RC5, RC6) As far as widely available commercial applications go, the Rivest Cipher (RC) series of encryption algorithms comprises the most commonly implemented ciphers for encryption security. The RC series (RC2, RC4, RC5, and RC6) are all similarly designed; yet, each version has its own take on the block cipher design, as well as its own capabilities.

Table 8.1 provides a comparison of the algorithms just mentioned, as well as some lesser-known ones. Additionally, notice the differences between the various types of RC algorithms.

graphics/alert_icon.gif

Be sure you understand the differences between various symmetric key algorithms. Note that these are symmetric, and not asymmetric, and be sure to differentiate between stream ciphers and block ciphers.


Table 8.1. A Comparison of Symmetric Key Algorithms

Algorithm

Cipher Type

Key Length

DES

Block

56 bits

Triple-DES (3DES)

Block

168 bits

AES (Rijndael)

Block

128256 bits

Blowfish

Block

1448 bits

IDEA

Block

128 bits

RC2

Block

12048 bits

RC4

Stream

12048 bits

RC5

Block

128256 bits

RC6

Block

128256 bits

CAST

Block

128256 bits

MARS

Block

128256 bits

Serpent

Block

128256 bits

Twofish

Block

128256 bits

Asymmetric Algorithms

As mentioned earlier in this chapter, two major types of algorithms are used today: symmetric, which has one key kept private at all times, and asymmetric, which has two keys (a public one and a private one). Both the public key and private key are mathematically related , yet it is computationally infeasible to try and determine the private key based on the information from the public key. In the asymmetric algorithm, there is always a public key that is made available to whoever is going to encrypt the data sent to the holder of the private key. The private key is maintained on the host system or application. Quite often, the public encryption key is made available in a number of fashions , such as via email or centralized servers that host a pseudo address book of published public encryption keys. Figure 8.1 illustrates the asymmetric encryption process.

Figure 8.1. An example of asymmetric encryption.

graphics/08fig01.gif

graphics/tip_icon.gif

Asymmetric algorithms are often referred to as public key algorithms because of their use of the public key as the focal point for the algorithm.


As an example of asymmetric encryption, we'll use the secure exchange of an email. When someone wants to send a secure email to another, he or she obtains the target user's public encryption key and encrypts the message using this key. Because the message can only be unencrypted with the private key, only the target user can read the information held within. Ideally, for this system to work well, everyone should have access to everyone else's public keys.

graphics/tip_icon.gif

Here are some general rules for asymmetric algorithms:

  • The public key can never decrypt a message that it was used to encrypt.

  • Private keys should never be able to be determined through the public key (if it is designed properly).

  • Each key should be able to decrypt a message made with the other. For instance, if a message is encrypted with the private key, the public key should be able to decrypt it.


Wide arrays of asymmetric algorithms have been designed; however, very few have gained the widespread acceptance as seen with symmetric algorithms. Some things to keep in mind while reading about the following few asymmetric algorithms are that some have unique features, including built-in digital signatures (which you will learn more about later). Also, because of the additional computational overhead generated by using a public and private key for encryption/decryption, far more resources are required to use asymmetric algorithms.

The one environment where public key encryption has proven very useful is on networks such as the Internet. This is primarily because the public key is all that needs to be distributed. Because nothing harmful can be done with the public key, it is useful over unsecured networks where data can pass through many hands and is vulnerable to interception and abuse. Symmetric encryption works fine over the Internet as well, but the limitations on providing the key securely to everyone who requires it can be difficult. The following are some of the more popular asymmetric encryption algorithms:

  • Rivest, Shamir & Adleman Encryption Algorithm ( RSA ) RSA, named after the three men who developed it, is a well-known cryptography system used for encryption and digital signatures. The RSA key may be of any length, and it works by multiplying two large prime numbers . In addition, through other operations in the algorithm, it derives a set of numbersone for the public key and the other for the private key.

  • Diffie-Hellman Key Exchange The Diffie-Hellman Key Exchange (also called exponential key agreement ) is an early key exchange design whereby two parties, without prior arrangements, can agree upon a secret key that is known only to them. The keys are passed in a way that they are not compromised using encryption algorithms to verify that the data is arriving at its intended recipient.

  • El Gamal Encryption Algorithm As an extension to the Diffie-Hellman design, in 1985, Dr. El Gamal took to task the design requirements of utilizing encryption to develop digital signatures. Rather than focusing just on the key design, El Gamal designed a complete public key encryption algorithm using some of the key exchange elements from Diffie-Hellman and incorporating encryption on those keys. The resultant encrypted keys reinforced the security and authenticity of public key encryption design and also helped lead to future advances in asymmetric encryption technology.

  • Elliptic Curve Cryptography ( ECC ) Elliptic Curve Cryptography (ECC) utilizes a method in which elliptic curves can be used to calculate simple but very-difficult-to-break encryption keys to use in general-purpose encryption. One of the key benefits of ECC encryption algorithms is that they have a very compact design because of the advanced mathematics involved in ECC. For instance, an ECC encryption key of 160-bit strength would, in actuality, be equal in strength to a 1024-bit RSA encryption key.

Throughout this section on different encryption algorithms, you have learned how each type performs . One thing you haven't seen yet is how bit strengths compare to each other when looking at asymmetric and symmetric algorithms in general. The following list reveals why symmetric algorithms are favored for most applications and why asymmetric algorithms are widely considered very secure but often too complex and resource intensive for every environment.

  • 64-bit symmetric key strength equals 512-bit asymmetric key strength.

  • 112-bit symmetric key strength equals 1792-bit asymmetric key strength.

  • 128-bit symmetric key strength equals 2304-bit asymmetric key strength.

As you can see, there is a dramatic difference in the strength and, consequently, the overall size of asymmetric encryption keys. For most environments today, 128-bit strength is considered adequate; therefore, symmetric encryption may often suffice. If you want to simplify how you distribute keys, however, asymmetric encryption may be the better choice.

As you can imagine, you will have to look at many aspects to determine which method or combination of methods should be used. The following sections of this chapter reveal how encryption can help augment security.



Security+ Exam Cram 2 (Exam SYO-101)
Security+ Certification Exam Cram 2 (Exam Cram SYO-101)
ISBN: 0789729105
EAN: 2147483647
Year: 2005
Pages: 162

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net