Lesson 1: Understanding Cryptography

Cryptography is defined as secret writing, or the enciphering and deciphering of messages in secret code or cipher. With respect to information security, cryptography is a branch of mathematics concerned with transforming or concealing data to provide information security using mathematical algorithms. Cryptography is currently one of the ways that you protect your confidentiality-integrity-availability (C-I-A) triad by providing a method to ensure the following:

  • Confidentiality.

    Confidential means private or secret. Confidentiality ensures that only authorized personnel access information. One way to provide confidentiality is to encrypt data.

  • Integrity.

    Integrity means having an unimpaired condition. Integrity ensures that information is accessed and modified only by those people who are authorized.

  • Nonrepudiation.

    Repudiate means to reject as unauthorized or nonbinding. Nonrepudiation prevents an individual or process from denying performing a task or sending data.

  • Identification and authentication.

    Access control allows access only to those who should have it. This is accomplished through identification and authentication, which ensures that when data is received or accessed, the sender is authorized.

To understand how cryptography helps provide confidentiality, integrity, nonrepudiation, and access control, you must first understand how cryptography works.


After this lesson, you will be able to

  • Understand the basic principles of cryptography

  • Understand what a key is

  • Understand what an algorithm is

  • Understand the difference between a secure hash function, a symmetric key, and an asymmetric key

Estimated lesson time: 20 minutes


Understanding Cryptography and Keys

Cryptography is not a new technology, as it has been around for quite a while. Egyptian hieroglyphs are a form of cryptography, and Julius Caesar used cryptography to send messages that could only be decrypted by the intended recipient. He did this by shifting the alphabet in his messages by three. Figure 3-1 demonstrates this technique using the English alphabet (which has 26 characters) and shifting by 13 rather than three.

Figure 3-1. Using cryptography to encipher and decipher a message

Use Figure 3-1 to decipher the following: FRPHEVGL. Even from this simple example, you can see how encryption can be used to "hide" information as it is transferred from one location to another. The clue to deciphering the message is in having the key. A cryptographic key consists of a set of instructions that govern ciphering or deciphering messages, and can include a random or pseudo-random number. In the preceding example the encryption algorithm is C = M - K, where C = the ciphertext, M = the message to be "hidden," and K = the cryptographic key. Knowing the ciphertext is FRPHEVGL, you can reverse the algorithm to decipher the message: M = C + K. Knowing the value of the key, you can decipher FRPHEVGL by adding 13 to each letter's place in the alphabet (the number following 26 is 1) and discover that the plaintext of the message is SECURITY.

In today's computing environment, cryptography is used to scramble or encrypt and then decrypt information. Encryption is the process of encoding plaintext information. This is accomplished by applying an algorithm to the plaintext using a key, which is kept secret. For an encryption algorithm to be considered strong, a cryptanalyst, or code breaker, must not be able to break the code, even with complete knowledge of the algorithm and ciphertext. Decryption is the process of decoding the encrypted message. Plaintext is information that is not encrypted. Ciphertext is information that is encrypted. The two types of algorithms that are used today are symmetric algorithms and asymmetric algorithms.

Encryption is used to scramble information so that only the intended recipient or recipients can decipher it, but it is possible to decipher any encrypted information, given enough time and computing power.

Both symmetric and asymmetric algorithms can be used to encrypt and decrypt information, but each does it differently and each is suited for different cryptographic services.

What Is an Algorithm?

An algorithm is a procedure for solving a mathematical problem. This can require that the same procedure be repeated several times to solve the problem, such as when determining the greatest common denominator of two numbers. Figure 3-2 shows how the alphabet shift cipher can be converted into a mathematical problem. The algorithm that is used to encipher the message could be represented as C = M + K, where M is the plaintext message and K is the key.

Figure 3-2. Creating an algorithm to encipher and decipher a message

Use Figure 3-2 to decipher the following: XJHZWNYD. Remember that the number following 26 is 1 when deciphering this message. You must know the value of the key, which is 5. Knowing that, you can quickly decrypt these letters to read SECURITY.

Without the key, it could take quite a while to decrypt the preceding message, but with the computing power available today, even in personal computers, stronger methods of encrypting are necessary. Encryption algorithms ensure that encrypting information is easy, and the decryption process is impossible to break without knowing the key. This is one of the hallmarks of a good algorithm.
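The alphabet shift cipher from Figures 3-1 and 3-2, as an added example that is not part of the original lesson. It implements C = M + K with letters numbered 1 to 26 and the number following 26 being 1, then tries every possible key to show why so small a key space offers no protection; the function names are illustrative.

```python
import string

ALPHABET = string.ascii_uppercase  # A is position 1, Z is position 26


def shift(text, key):
    """Move each letter `key` places along the alphabet, wrapping 26 -> 1."""
    result = []
    for ch in text.upper():
        if ch in ALPHABET:
            position = ALPHABET.index(ch) + 1          # 1..26
            wrapped = (position - 1 + key) % 26 + 1    # stays within 1..26
            result.append(ALPHABET[wrapped - 1])
        else:
            result.append(ch)                          # keep spaces, digits
    return "".join(result)


def encipher(message, key):
    """C = M + K"""
    return shift(message, key)


def decipher(ciphertext, key):
    """M = C - K"""
    return shift(ciphertext, -key)


def all_candidates(ciphertext):
    """Exhaustive key search: the cipher has only 25 usable keys."""
    return {key: decipher(ciphertext, key) for key in range(1, 26)}


if __name__ == "__main__":
    print(decipher("XJHZWNYD", 5))     # Figure 3-2 exercise, key 5
    print(decipher("FRPHEVGL", 13))    # Figure 3-1 exercise, key 13
    # Without the key: list every candidate and look for readable text.
    for key, candidate in all_candidates("XJHZWNYD").items():
        print(key, candidate)
```

With a shift of 13 in a 26-letter alphabet, adding and subtracting the key give the same result, so the same operation both enciphers and deciphers the Figure 3-1 message.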

There are three types of encryption that are typically used in information security: hash algorithms, symmetric algorithms, and asymmetric algorithms. Each provides different solutions for protecting your C-I-A triad.

Using a Secure Hash

A hashing algorithm is used to provide data integrity. A hash is a one-way mathematical function (OWF) that creates a fixed-sized value (known as a hash or message digest) based on a variable-sized unit of data. A hashing algorithm will always produce the same hash value based on the same input data and never have two different data units produce the same hash value. Some common hash algorithms currently in use include the MD4, MD5, and SHA-1 algorithms.

Knowing the common hash algorithms that are in use is very helpful information, but in-depth knowledge of these algorithms is not necessary to understand the technology. Hash algorithms involve very complex math, generally reserved for university-level math courses. More information on the MD4 and MD5 algorithms can be found at the RSA Security Web site at http://www.rsasecurity.com, and in RFC 1320 and RFC 1321. (RFC articles can be found at http://www.icann.rfceditor.org.)

A hash of data can be compared to a person's fingerprint. The fingerprint is unique to the person and of a relatively fixed size, but it is not nearly as large as the entire person. A hash is a unique identifier that is virtually unable to be reproduced with different data, and it is part of all of the data it represents. Some of the characteristics of MD4, MD5, and SHA-1 are as follows:

  • MD4.

    Produces a 128-bit message digest (hash), very fast, appropriate for medium security usage.

  • MD5.

    Produces a 128-bit message digest (hash), fast (not as fast as MD4), more secure than MD4, and widely used.

  • SHA-1.

    Produces a 160-bit message digest (hash), standard for the U.S. government, but slower than MD5.
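The hash properties described above, as an added example that is not part of the original lesson: the digest length is fixed per algorithm regardless of input size, the same input always gives the same digest, and a one-character change alters the digest so that an integrity check fails. The sample messages are constructed, the function names are illustrative, and MD4 is left out because Python's hashlib does not guarantee it is available.

```python
import hashlib
import hmac

# Constructed sample data: two messages that differ in a single character.
ORIGINAL = b"Transfer 100 dollars to account 12345"
TAMPERED = b"Transfer 900 dollars to account 12345"


def digest(algorithm, data):
    """Return the raw message digest of `data` (algorithm: 'md5' or 'sha1')."""
    return hashlib.new(algorithm, data).digest()


def digest_bits(algorithm, data):
    """Digest length in bits; fixed per algorithm, whatever the input size."""
    return len(digest(algorithm, data)) * 8


def differing_bits(first, second):
    """Count the bit positions in which two equal-length digests differ."""
    return sum(bin(a ^ b).count("1") for a, b in zip(first, second))


def is_unmodified(data, expected_hex, algorithm="sha1"):
    """Recompute the digest and compare it with the one recorded earlier."""
    actual_hex = hashlib.new(algorithm, data).hexdigest()
    return hmac.compare_digest(actual_hex, expected_hex.lower())


if __name__ == "__main__":
    for name in ("md5", "sha1"):
        # One byte or one million bytes: the digest length does not change.
        print(name, digest_bits(name, b"x"), digest_bits(name, b"x" * 10**6))

    recorded = hashlib.sha1(ORIGINAL).hexdigest()   # stored while data is trusted
    print("original passes:", is_unmodified(ORIGINAL, recorded))
    print("tampered passes:", is_unmodified(TAMPERED, recorded))
    print("bits changed:", differing_bits(digest("sha1", ORIGINAL),
                                          digest("sha1", TAMPERED)), "of 160")
```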

Using Symmetric Algorithms

A symmetric algorithm uses the same key for encrypting and decrypting data, and everyone that is allowed to encrypt and decrypt the data has a copy of the key. This is also known as a shared secret. Symmetric algorithms provide confidentiality by encrypting data or messages. Some of the past and current symmetric key encryption algorithms include Data Encryption Standard (DES), Triple DES (3DES), Advanced Encryption Standard (AES), International Data Encryption Algorithm (IDEA), Blowfish, and RC4.

More information on the DES, 3DES, and AES algorithms can be found at http://www.csrc.nist.gov/encryption/tkencryption.html.

In the earlier alphabet example, you add 5 to each letter to encrypt, and would subtract 5 letters to decrypt; 5 is the symmetric key. If you shared that secret information with someone else, that person would also be able to encrypt and decrypt messages to and from you. There are advantages and disadvantages to using symmetric keys. Some of the advantages are as follows:

  • Speed.

    The algorithms used with symmetric encryption are relatively fast, so they impact system performance less and are good for encrypting large amounts of data (for instance, data on a hard disk or data being transmitted across a remote access link).

  • Strength.

    Symmetric algorithms are difficult to decipher without the correct algorithm; therefore they are not easy to break. Well-tested symmetric algorithms such as 3DES and AES are nearly impossible to decipher without the correct key. Also, a technique can be used in which encrypted data can be encrypted a second or even third time. This way, if someone does break the encryption, he or she will have access to only more encrypted information.

Some of the disadvantages of using symmetric keys are as follows:

  • Poor key distribution mechanism.

    There is no easy way to securely distribute a shared secret; therefore wide-scale deployment of symmetric keys is difficult.

  • Single key.

    There is a single key (single shared secret); therefore if the secret is compromised, the impact is widespread. Because there is a single key that can be shared with some or many, symmetric keys are not suited to provide integrity, authentication, or nonrepudiation.

Some of the characteristics of specific symmetric keys are as follows:

  • DES.

    56-bit key, U.S. Government standard until 1998, but not considered strong enough for today's standards, relatively slow.

  • Triple DES.

    Performs three DES operations, equivalent of 168-bit keys, more secure than DES, widely used, relatively slow.

  • AES.

    Variable key lengths, latest standard for U.S. Government use, replacing DES.

  • IDEA.

    128-bit key, requires licensing for commercial use.

  • Blowfish.

    Variable key length, free algorithm, extremely fast.

  • RC4.

    Variable key length, stream cipher, effectively in public domain.

Asymmetric Algorithms

Asymmetric algorithms use different keys to encrypt and decrypt data. One method of asymmetric encryption is called public key cryptography. Public key cryptography uses two keys that form a key pair. These two keys are known as the public key and the private key. (The private key is also known as the secret key.) Unlike symmetric algorithms, the key that encrypts the plaintext cannot be used to decrypt the ciphertext. Instead, the public key encrypts the plaintext, and the private key decrypts the ciphertext.

  • Public key.

    Provided to everyone who needs to send you encrypted data.

  • Private key.

    This is the key that only you possess. When a plaintext message is encrypted using the public key, only the person with the private key can decrypt the ciphertext. When a plaintext message is encrypted using the private key, it can be decrypted by everyone who possesses the public key, and that person can be certain the plaintext message originated with the person who possessed the private key.

Asymmetric keys provide authentication, integrity, and nonrepudiation. They can also support confidentiality when used for key management. Some examples of asymmetric encryption algorithms are Diffie-Hellman (DH) and RSA. The RSA asymmetric algorithm is the basis for public key cryptography.

To learn more about RSA and the Diffie-Hellman key exchanges, visit the RSA Security Web site at http://www.rsasecurity.com.
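The two uses of a key pair described above, as an added example that is not part of the original lesson: the public key encrypts and only the private key decrypts, and the private key signs while anyone holding the public key can verify. It uses textbook RSA on small integers with constructed toy primes (61 and 53), no padding, and illustrative function names, so it shows the mechanics only and is not usable as real encryption.

```python
# Toy RSA key pair. The primes are constructed for illustration and are far
# too small for real use.
P, Q = 61, 53
N = P * Q                    # modulus, part of both keys (3233)
PHI = (P - 1) * (Q - 1)      # 3120
E = 17                       # public exponent, coprime to PHI
D = pow(E, -1, PHI)          # private exponent: inverse of E modulo PHI

PUBLIC_KEY = (E, N)          # provided to everyone
PRIVATE_KEY = (D, N)         # possessed only by the owner


def apply_key(value, key):
    """Raise `value` to the key's exponent modulo N (the core RSA operation)."""
    exponent, modulus = key
    if not 0 <= value < modulus:
        raise ValueError("value must be smaller than the modulus")
    return pow(value, exponent, modulus)


def encrypt(message, public_key):
    return apply_key(message, public_key)


def decrypt(ciphertext, private_key):
    return apply_key(ciphertext, private_key)


def sign(message, private_key):
    return apply_key(message, private_key)


def verify(message, signature, public_key):
    """True only if `signature` was produced from `message` with the private key."""
    return apply_key(signature, public_key) == message


if __name__ == "__main__":
    ciphertext = encrypt(65, PUBLIC_KEY)
    print("ciphertext:", ciphertext)
    print("private key recovers:", decrypt(ciphertext, PRIVATE_KEY))
    # The key that encrypted the plaintext cannot be used to decrypt it.
    print("public key recovers:", apply_key(ciphertext, PUBLIC_KEY))

    signature = sign(65, PRIVATE_KEY)
    print("signature valid:", verify(65, signature, PUBLIC_KEY))
    print("altered message valid:", verify(66, signature, PUBLIC_KEY))

    # Key management: a shared symmetric key (here the shift key 5) can be
    # sent to the private key holder encrypted under the public key.
    print("wrapped key:", encrypt(5, PUBLIC_KEY))
```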

There are advantages and disadvantages to using asymmetric keys. Some of the advantages are as follows:

  • Provide a secure way to communicate with an individual.

    Because there is a public key and a private key, the public key can be provided to anyone that you want to send you encrypted information, but only you can decrypt that information. This helps ensure data confidentiality.

  • Provide a method to validate an individual.

    You can use a private key to create a digital signature, which can be used to verify that you are who you claim to be. This helps provide an authentication method and nonrepudiation. Digital signatures are explained in Lesson 2 of this chapter.

Some of the disadvantages of using asymmetric keys include the following:

  • Asymmetric encryption is relatively slow.

    Asymmetric algorithms are generally slower than symmetric algorithms due to the increased computational complexity required to encrypt and decrypt data; therefore it is not suited to provide confidentiality for large amounts of data.

Some characteristics of specific asymmetric keys are as follows:

  • RSA.

    Variable-length key, de facto standard for public key encryption.

  • Diffie-Hellman.

    Variable-length key, used to securely establish a shared secret.

  • Elliptic curve cryptography.

    Variable-length key, currently too slow for widespread implementation.

The purpose of using cryptography is to ensure confidentiality, integrity, identification and authentication, and nonrepudiation. Given enough time, though, a hacker can decrypt the information. The strength of symmetric and asymmetric keys comes from the length of the key (the random or pseudo-random binary number) and the algorithm that is used to encrypt the data.

Standards and Protocols

For algorithms to be widely used and supported, protocols and standards are created and maintained by various governing bodies. The National Institute of Standards and Technology (NIST) and the National Security Agency (NSA) publish current information on cryptographic standards and specifications.

The NIST provides measurements and standards for U.S. industries and creates Federal Information Processing Standards (FIPS) that detail computer security. The Internet Engineering Task Force (IETF) documents how cryptographic mechanisms are implemented with current communications protocols.

The following is a list of some sites that have general information as well as tools that can be used to further explore cryptography. These sites also provide links to information on specific cryptographic algorithms in use today:

  • http://www.nist.gov.

    This site has information security standards listed, including access to most FIPS that cover cryptography. From the site's home page you can navigate to the Standards page, and then to the Information Technology Standards page.

  • http://www.nsa.gov.

    This site includes historical and informative documentation covering cryptography. It also includes security recommendation guides for currently used technologies, such as Microsoft and Cisco products. There are also links to partners, such as the NIST. To view current security recommendation guides, from the home page, navigate to the INFOSEC page and follow the links to the guides you are interested in viewing.

  • http://www.ietf.org.

    This site maintains the standards used on the Internet. The RFC Web page can be used to locate details about how encryption methods and mechanisms are implemented. To locate RFCs on a specific topic, from the home page, navigate to the RFC Editor Web pages, and search the database for a specific encryption mechanism. For instance, to find the RFC that explains how the AES encryption mechanism is implemented for Transport Layer Security (TLS), you would perform a search using the RFC search engine for AES.

  • http://www.x9.org.

    This is the home page for the Accredited Standards Committee X9, which was accredited by the American National Standards Institute (ANSI). This organization is an affiliation of industry leaders that identifies technical problems, identifies the best solutions, and codifies them as nationally accepted standards. The format for these standards is X9.xx, such as X9.30.1 Public Key Cryptography Using Irreversible Algorithms.

  • http://csrc.nist.gov/encryption.

    NIST cryptographic toolkit.

  • http://csrc.nist.gov/publications/fips/fips46-3/fips46-3.pdf.

    Information on DES and Triple DES.

  • http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf.

    Information on AES.

  • http://csrc.nist.gov/encryption/skipjack/skipjack.pdf.

    Information on SKIPJACK (an encryption algorithm), and Key Exchange Algorithm (KEA).

  • http://www.itl.nist.gov/fipspubs/fip180-1.htm.

    Secure Hash Standard for Secure Hash Algorithm (SHA-1), which is used to create a 160-bit message digest.

  • http://csrc.nist.gov/encryption/shs/FR_180-2.pdf.

    Draft for SHA-256, SHA-384, and SHA-512, which provides for message digest lengths of 256 bits, 384 bits, and 512 bits.

Lesson Review

The following questions are intended to reinforce key information presented in this lesson. If you are unable to answer a question, review the lesson and then try the question again. Answers to the questions can be found in Appendix A, "Questions and Answers."

  1. Select the answer that best describes cryptography.

    1. Cryptography is encrypting messages with a secure hash function to provide information security.

    2. Cryptography is decrypting messages with a secure hash function to provide information security.

    3. Cryptography is encrypting and decrypting data to provide information security.

    4. Cryptography is providing information confidentiality using a shared secret, also known as an asymmetric key pair.

  2. Which of the following best describes a key?

    1. A procedure for solving a mathematical problem in a fixed number of steps

    2. A set of instructions that govern ciphering or deciphering messages

    3. A one-way mathematical function that creates a fixed-sized representation of data

    4. An algebraic equation for solving a mathematical problem in a fixed number of steps

  3. What is a procedure for solving a mathematical problem in a fixed number of steps?

    1. A secure hash function

    2. A symmetric key

    3. An asymmetric key

    4. An algorithm

  4. Match the term to the definition:

    1. Symmetric key

    2. Asymmetric key pair

    3. Secure hash function

    4. Algorithm

    1. A procedure for solving a mathematical problem in a fixed number of steps

    2. A one-way mathematical function that creates a fixed-sized representation of data

    3. Two keys that form a key pair; one key is used to encrypt data, and the other key is used to decrypt data

    4. A single key is used for encrypting and decrypting data, and everyone that is allowed to encrypt and decrypt the data has a copy of the key

Lesson Summary

  • Cryptography is encrypting and decrypting data to provide information security.

  • The four goals of cryptography are to provide data confidentiality, data integrity, identification and authentication, and nonrepudiation.

  • A key is a set of instructions that govern ciphering or deciphering messages.

  • A secure hash function is a one-way mathematical function that creates a fixed-sized representation of data.

  • A symmetric key is a single key used for encrypting and decrypting data, and everyone that is allowed to encrypt and decrypt the data has a copy of the key.

  • An asymmetric key pair is made up of two keys that form a key pair; one key is used to encrypt data, and the other key is used to decrypt data.

  • A public key is provided to many people and is used to validate that a message came from the private key holder or to encrypt data to send the private key holder.

  • A private key is a secret key that only the private key holder has. It is used to decrypt information encrypted with the public key, and also to create a digital signature.



Security+ Certification Training Kit
Security+ Certification Training Kit (Pro-Certification)
ISBN: 0735618224
EAN: 2147483647
Year: 2002
Pages: 55
