Cryptographic Algorithms | Security+ Study Guide

Cryptographic algorithms are used to encode a message from its unencrypted or cleartext state into an encrypted message. The three primary methods are the hashing, symmetric, and asymmetric methods. The following sections discuss these methods and some of the standards that use them.

Hashing

Two primary standards exist that use the hashing process for encryption. These methods are SHA and MD.

Note

Hashing is the process of converting a message, or data, into a numeric value. The numeric value that a hashing process creates is referred to as a hash total or value. Hashing functions are considered either one-way or two-way. A one-way hash does not allow a message to be decoded back to the original value. A two-way hash allows a message to be reconstructed from the hash. Most hashing functions are one-way hashing.

The Secure Hash Algorithm (SHA) was designed to ensure the integrity of a message. The SHA is a one-way hash that provides a hash value that can be used with an encryption protocol. The SHA algorithm produces a 160-bit hash value. SHA has been updated; the new standard is SHA-1.

The Message Digest Algorithm (MDA) is another algorithm that creates a hash value. MDA uses a one-way hash. The hash value is used to help maintain integrity. There are several versions of MD. The most common are MD5, MD4, and MD2.

MD5 is the newest version of the algorithm. MD5 produces a 128-bit hash, but the algorithm is more complex than its predecessors and it offers greater security.

Note

You will not be tested on the various encryption standards described in this section. They are described to help you understand the terms and provide you with a good overall picture of the various standards that exist today.

Symmetric Algorithms

Symmetric algorithms require both ends of an encrypted message to have the same key and processing algorithms. Symmetric algorithms generate a secret key that must be protected. A private key is simply a key that is not disclosed to people who are not authorized to use the encryption system. The disclosure of a private key breaches the security of the encryption system. If a key is lost or stolen, the entire process is breached. These types of systems are very common, but the keys require special handling. Figure 7.4 illustrates a symmetric encryption system. In this example, the keys are the same on each end.

Figure 7.4: Symmetric encryption system

Typically, a new key would not be sent across the encrypted channel (if the current key has been compromised, the new key may also be compromised). Keys are sent using an out-of-band method. This means that the key may be sent by letter, by courier, or by some other separate method. This may be cumbersome, and it may leave the key subject to human error or social engineering exploitation.

The other disadvantage of a symmetric algorithm is that each person who uses the encryption algorithm must have the key. If you want 50 people to access the same messages, all 50 people must have the key. As you can imagine, it is hard for 50 people to keep a secret. On the other hand, if you wanted to communicate with 50 different people in private, you would need to know who uses which key. This can be hard to keep straight. You might spend all your time trying to remember who uses which key.

Several very successful encryption systems use symmetric systems. A strong algorithm can be very difficult to break. Here are some of the common standards that use symmetric algorithms:

DES The Data Encryption Standard (DES) has been used since the mid-1970s. This standard was the primary standard used in government and industry. It is a strong and efficient algorithm. Strong refers to the fact that it is hard to break. DES has several modes that offer security and integrity. DES has become a little dated as a result of advances in computer technology, and it is being replaced. DES is based on a 128-bit key. A recent study showed that a very powerful system could break the algorithm in about two days. For its time, it was one of the very best standards available.

AES Advanced Encryption Standard (AES) has replaced DES as the current standard, and it uses the Rijndael algorithm. It was developed by Joan Daemon and Vincent Rijmen. AES is now the current product used by U.S. governmental agencies. AES supports key sizes of 128, 192, and 256 bits.

Note
For more information about Rijndael (AES), see their website at http://csrc.nist.gov/encryption/aes/ rijndael/.

3DES Triple-DES (3DES) is a technological upgrade of DES. 3DES is still used, even though AES is the preferred choice for government applications. 3DES is considerably harder to break than many other systems. 3DES is more secure than DES.

CAST CAST is an algorithm developed by Carlisle Adams and Stafford Tavares—hence the name. CAST is used in some products offered by Microsoft and IBM. CAST uses a 40-bit to 128-bit key, and it is very fast and efficient.

RC RC is an encryption family produced by RSA laboratories. RC stands for Ron's Code or Rivest's Cipher. Ron Rivest is the author of this algorithm. The current levels are RC5 and RC6. RC5 uses a key size of up to 2,048 bits. It is considered to be a strong system.

Blowfish Blowfish is an encryption system produced by Counterpane systems. The original author was Bruce Schneier. His next generation product Twofish was a finalist in the AES selection process. AES supports key lengths of up to 448 bits.

IDEA International Data Encryption Algorithm (IDEA) is an algorithm that uses a 128-bit key. This product is similar in speed and capability to DES, but it is more secure. IDEA is used in PGP. Pretty Good Privacy (PGP) is a public domain encryption system used by many for e-mail. IDEA was developed by a Swiss consortium. Currently, ASCOM AG holds the right to market IDEA.

The software product pcAnywhere uses a symmetric encryption system for security. The software provides two utility programs, CERTCONS.EXE and MACHKEY.EXE, for users who want to share a secure connection. CERTCONS.EXE creates a certificate store that can contain certificates from different types of systems. The MACHKEY.EXE utility creates a machine store that can be accessed by all pcAnywhere users who desire encryption. This encryption process can then be used by pcAnywhere users to provide secure connections and file transfers.

As you can see, there is a great deal of competition to be the best-of-the-best in this field. No doubt the competition will stiffen over the next few years, as the race to provide secure communications grows on a worldwide scale.

Asymmetric Algorithms

Asymmetric algorithms use two keys to encrypt and decrypt data. These keys are referred to as the public key and the private key. The public key can be used by the sender to encrypt a message, and the private key can be used by the receiver to decrypt the message. As you may recall, symmetrical systems require the key to be private between the two parties. Each circuit has one key.

This public key may be public or it may be a secret between the two parties. The private key is kept private and is known only by the owner. If someone wants to send you an encrypted message, they can use your public key to encrypt the message and then send you the message. You can use your private key to decrypt the message. One of the keys is always kept private. If both keys become available to a third party, the encryption system will not protect the privacy of the message.

Note

Asymmetric algorithms use two keys. In many implementations, one of these keys can be shared with the general community. This key is referred to as a public key. The other key is not shared; this is the private key. If a file is encrypted with the public key, the private key is used for decryption. If the message is encrypted with the private key, the public key is used for decryption. At no time would both keys be made public.

This may sound confusing, but it is simpler than it sounds. Perhaps the best way to think about this is that it is similar to a safe deposit box. To open the box, two keys are needed. The box owner keeps the public key with him. The bank retains the second or private key. In order to open the box, both keys must be used simultaneously. Figure 7.5 illustrates the two-key method. Notice that in the encryption process, Key 1 is used to encrypt the message and Key 2 is used to decrypt it. In this way, it is harder to break the code unless both the public and private keys are known.

Figure 7.5: A two-key system in use

This mechanism is called a public-key system. If someone wanted to send you an encrypted message, they could ask you for your public key. They would use your public key and encrypt the message. When you received the message, your private key would be used to decrypt the message. The same would be true if you wanted to send someone a private message; you would ask for and use their public key to encrypt the message. The private key would never be given out, as this would compromise the security of the method.

Note

Two-key systems are referred to as Public Key Cryptography (PKC). Do not confuse this with Public Key Infrastructure (PKI), which uses PKC as a part of the process.

The algorithms used in this two-key process are very complicated, and several volumes of materials would be needed to explain it thoroughly. In this book, we will focus primarily on how the two-key process is used. The two-key concept is implemented in systems such as PKI.

Four popular asymmetric systems are in use today:

RSA RSA is named after its inventors Ron Rivest, Adi Shamir, and Leonard Adleman. RSA is a widely implemented, and it has become a de facto standard. RSA works for both encryption and digital signatures. RSA is used in many environments, including SSL. The RSA algorithm is an early public key encryption system that uses large integer numbers as the basis of the process.

Diffie-Hellman The Diffie-Hellman key exchange was conceptualized by Dr. W. Diffie and Dr. M. E. Hellman. They are considered the founders of the public/private key concept. This algorithm is used primarily to send keys across public networks. The process is not used to encrypt or decrypt messages; it is used merely for the transmission of keys in a secure manner. The Diffie-Hellman process is one of the first implementations of a public/ private key system. Their original work conceptualized splitting the key into two parts.

ECC The Elliptic Curve Cryptosystem (ECC) provides similar functionality to RSA. ECC is being implemented in smaller, less intelligent devices such as cell phones and wireless devices. ECC is smaller than RSA and requires less computing power. ECC encryption systems are based on the idea of using points on a curve to define the public/private key pair. This process is less mathematically intensive than processes such as RSA.

El Gamal El Gamal is an algorithm used for transmitting digital signatures and key exchanges. The method is based on calculating logarithms. The process used is similar to the Diffie-Hellman key exchange and is based on the characteristics of logarithmic numbers and calculations. The El Gamal algorithm is also called DSA, and it was first published in 1985.

PALM, Motorola, Cisco, and others have, or are implementing, the ECC system for security. PALM handhelds now have the ability to have secure connections using wireless or other means to applications running on other systems. Motorola recently released its new development system for the next generation of cellular phones. This system implements ECC and other protocols as an integral part of the tool kit. You can expect that ECC will be commonly implemented in cellular devices in the very near future.