analytics

Saturday, April 9, 2011

Encryption and Decryption

What is encryption?


Encryption is the conversion of data into a form, called a ciphertext. There are two basic techniques for encrypting information: symmetric encryption (also called secret key encryption) and asymmetric encryption(also called public key encryption).

How encryption works

Encryption program uses an encryption algorithm (complex mathematical processes) to encrypt and decrypt the data. Encryption algorithm creates specific strings of data used for encryption - keys that consist of long strings of bits or binary numbers. The more bits in the key, the more the number of possible combinations of binary numbers that makes the code more difficult to break. Then encryption algorithm scrambles data by combining the bits in the key with the data bits. In symmetric encryption, the same key is used to scramble (encrypt) and unscramble (decrypt) data. In asymmetric key encryption, two different keys are required - one for encryption and one for decryption.

Why you need encryption

Nowadays when more and more sensitive information is stored on computers and transmitted over the Internet, we need to ensure information security and safety.

One of the most common uses of encryption is encrypting emails. Sending sensitive messages, documents and files over the Internet is like sending a postcard as all emails are transmitted in an unsecured form. It doesn't depend on if you send emails via public and private networks. Your message is totally open to interception by anyone along the way - so anybody - your ISP, your boss, etc. can read your emails. Even if you connect to your server and send your emails via SSL, it only means that your emails can't be seen while transmitting between you and your server. When your email reaches your server, it can be seen by your email service provider. Then your server usually sends your email to the recipient in an unsecured way and your email can also be easily seen by anyone.

Private network, where email goes directly to a mail server and resides there until it is retrieved, also doesn't provide necessary security level, as you email can be seen e.g. by network administrator, your boss, etc.

Of course, you may believe that your personal email does not contain any private information, but everyone has got something to keep in secret from his family, neighbors or colleagues. It could be financial, sexual, social, political, or professional secrets. There is really only one sure way to protect your email privacy - using encryption.

Symmetric Encryption

Symmetric Encryption (also known as symmetric-key encryption, single-key encryption, one-key encryption and private key encryption) is a type of encryption where the same secret key is used to encrypt and decrypt information or there is a simple transform between the two keys.

A secret key can be a number, a word, or just a string of random letters. Secret key is applied to the information to change the content in a particular way. This might be as simple as shifting each letter by a number of places in the alphabet. Symmetric algorithms require that both the sender and the receiver know the secret key, so they can encrypt and decrypt all information.

There are two types of symmetric algorithms: Stream algorithms (Stream ciphers) and Block algorithms (Block ciphers).

Types of Symmetric algorithms (Symmetric-key algorithms)

Symmetric algorithms (Symmetric-key algorithms) use the same key for encryption and decryption. Symmetric-key algorithms can be divided into Stream algorithms (Stream ciphers) and Block algorithms (Block ciphers).


Stream Ciphers

Stream ciphers encrypt the bits of information one at a time - operate on 1 bit (or sometimes 1 byte) of data at a time (encrypt data bit-by-bit). Stream ciphers are faster and smaller to implement than block ciphers, however, they have an important security gap. If the same key stream is used, certain types of attacks may cause the information to be revealed.


Block Ciphers

Block cipher (method for encrypting data in blocks) is a symmetric cipher which encrypts information by breaking it down into blocks and encrypting data in each block. A block cipher encrypts data in fixed sized blocks (commonly of 64 bits). The most used block ciphers are Triple DES and AES.


Some examples of symmetric encryption algorithms:

AES/Rijndael

Blowfish

CAST5

DES

IDEA

RC2

RC4

RC6

Serpent

Triple DES

Twofish



AES / Rijndael encryption

AES stands for Advanced Encryption Standard. AES is a symmetric key encryption technique which replaces the commonly used Data Encryption Standard (DES).

It was the result of a worldwide call for submissions of encryption algorithms issued by the US Government'sNational Institute of Standards and Technology (NIST) in 1997 and completed in 2000.

The winning algorithm, Rijndael, was developed by two Belgian cryptologists, Vincent Rijmen and Joan Daemen. AES provides strong encryption and was selected by NIST as a Federal Information Processing Standard in November 2001 (FIPS-197).

The AES algorithm usesthree key sizes: a 128-, 192-, or 256-bit encryption key. Each encryption key size causes the algorithm to behave slightly differently, so the increasing key sizes not only offer a larger number of bits with which you can scramble the data, but also increase the complexity of the cipher algorithm.


Blowfish

Blowfish is a symmetric encryption algorithm (64-bit cipher) designed in 1993 by Bruce Schneier as an alternative to existing encryption algorithms. Blowfish has a variable key length - from 32 bits to 448 bits. Since then Blowfish has been analyzed considerably, and is gaining acceptance as a strong encryption algorithm.


CAST

CAST stands for Carlisle Adams and Stafford Tavares, the inventors of CAST. CAST is a popular 64-bit block cipher allowing key sizes up to 128 bits.


Data Encryption Standard (DES)

Data Encryption Standard (DES) is a block cipher with 64-bit block size that uses 56-bit keys. DES was invented over 20 years ago by IBM in response to a public request from the National Bureau of Standards. Due to recent advances in computer technology, some experts no longer consider DES secure against all attacks; since then Triple-DES (3DES) has emerged as a stronger method. Using standard DES encryption, Triple-DES encrypts data three times and uses a different key for at least one of the three passes giving it a cumulative key size of 112-168 bits.


IDEA

IDEA stands for International Data Encryption Algorithm. IDEA is a symmetric encryption algorithm that was developed by Dr. X. Lai and Prof. J. Massey to replace the DES standard. Unlike DES though it uses a 128 bit key. This key length makes it impossible to break by simply trying every key.


RC2

RC2 is a variable-key-length cipher. It was invented by Ron Rivest for RSA Data Security, Inc. Its details have not been published.


RC4

RC4 was developed by Ron Rivest in 1987. It is a variable-key-size stream cipher. It is a cipher with a key size of up to 2048 bits (256 bytes).


RC6

RC6 is a symmetric key block cipher derived from RC5. It was designed by Ron Rivest, Matt Robshaw, Ray Sidney, and Yiqun Lisa Yin to meet the requirements of the Advanced Encryption Standard (AES) competition. RC6 encryption algorithm was selected among the other finalists to become the new federal Advanced Encryption Standard (AES).


Serpent

Serpent is a block cipher developed by Ross Anderson, Eli Biham and Lars Knudsen. Serpent can work with different combinations of key lengths. Serpent was also selected among other five finalists to become the new federal Advanced Encryption Standard (AES).


Triple DES

Triple DES is a variation of Data Encryption Standard (DES). It uses a 64-bit key consisting of 56 effective key bits and 8 parity bits. The size of the block for Triple-DES is 8 bytes. Triple-DES encrypts the data in 8-byte chunks. The idea behind Triple DES is to improve the security of DES by applying DES encryption three times using three different keys.


Twofish

Twofish is a symmetric block cipher. Twofish has a block size of 128 bits and accepts keys of any length up to 256 bits.

Twofish encryption algorithm was designed by Bruce Schneier, John Kelsey, Chris Hall, Niels Ferguson, David Wagner and Doug Whiting. The National Institute of Standards and Technology (NIST) investigated Twofish as one of the candidates for the replacement of the DES encryption algorithm.


What are encryption vulnerabilities?

Breaking symmetric encryption

There are two methods of breaking symmetric encryption - brute force and cryptanalysis.

Brute Force Attack is a form of attack in which each possibility is tried until success is obtained. Typically, a ciphertext is deciphered under different keys until plaintext is recognized. No encryption software that is entirely safe from the brute force method, but if the number of possible keys is high enough, it can make a program astronomically difficult to crack using brute force. But the more bits in a key, the more secure it is, so choose software with as many bits as possible.

Cryptanalysis is a form of attack that attacks the characteristics of the algorithm to deduce a specific plaintext or the key used.


Weak passwords

In every kind of encryption software, there is some kind of password that must be created so that the recipients of the information can read it. Creating a strong password that cannot be easily guessed is just as important as choosing a good algorithm or strong encryption software.


Remembering passwords

If you forget your password, you will not be able to decrypt data that you have encrypted. Be sure to make a backup copy of your password and store it in a safe place.


Secret keys exchanging and storing

Symmetric key algorithms require sharing the secret key - both the sender and the receiver need the same key to encrypt or decrypt data. Anyone who knows the secret key can decrypt the message. So it is essential that the sender and receiver have a way to exchange secret keys in a secure manner. The weakness of symmetric algorithms is that if the secret key is discovered, all messages can be decrypted. So, secret key need to be changed on a regular basis and kept secure during distribution and while using.

 
Asymmetric Encryption (Public Key Encryption)


Asymmetric encryption uses different keys for encryption and decryption. The decryption key is very hard to derive from the encryption key. The encryption key is public so that anyone can encrypt a message. However, the decryption key is private, so that only the receiver is able to decrypt the message. It is common to set up "key-pairs" within a network so that each user has a public and private key. The public key is made available to everyone so that they can send messages, but the private key is only made available to the person it belongs to.


How Asymmetric Encryption (Public Key Encryption) works:

The sender and the recipient must have the same software. The recipient makes a pair of keys - public key and private key (both keys can be unlocked with a single password). Public key can be used by anyone with the same software to encrypt a message. Public keys can be freely distributed without worrying since it is only used to scramble (encrypt) the data.The sender does not need the recipient's password to use his or her public key to encrypt data. The recipient's other key is a private key that only he or she can use when decrypting the message. Private key should never be distributed since the private key assures that only the intended recipient can unscramble (decrypt) data intended for him or her.


To understand asymmetric encryption better please read an example:

For example, Jonny makes public key A and private key A, and jinni makes public key B and private key B. Jonny and Jinni exchange their public keys. Once they have exchanged keys, Jonny can send an encrypted message to Jinni by using Jinni's public key B to scramble the message. Jinni uses her private key B to unscramble it. If Jinni wants to send an encrypted message to Jonny, she uses Jonny's public key A to scramble her message, which Jonny can then unscramble with his private key A. Asymmetric cryptography is typically slower to execute electronically than symmetric cryptography.


Some Asymmetric Algorithms (public key algorithms) such as RSA allow the process to work in the opposite direction as well: a message can be encrypted with a private key and decrypted with the corresponding public key. If the recipient wants to decrypt a message with Bob's public key he/she must know that the message has come from Bob because no one else has sender's private key. Digital signatures work this way.



Some examples of popular asymmetric encryption algorithms:

RSA

DSA

PGP



RSA encryption

RSA is the best known public key algorithm, named after its inventors: Rivest, Shamir and Adleman. RSA uses public and private keys that are functions of a pair of large prime numbers. Its security is based on the difficulty of factoring large integers. The RSA algorithm can be used for both public key encryption and digital signatures. The keys used for encryption and decryption in RSA algorithm, are generated using random data. The key used for encryption is a public key and the key used for decryption is a private key. Public keys are stored anywhere publicly accessible. The sender of message encrypts the data using public key, and the receiver decrypts it using his/her own private key. That way, no one else can intercept the data except receiver.


DSA

The Digital Signature Algorithm (DSA) is a United States Federal Government standard or FIPS for digital signatures. It was proposed by the National Institute of Standards and Technology (NIST) in August 1991 for use in their Digital Signature Standard (DSS).


PGP

PGP (Pretty Good Privacy) is a public-private key cryptography system which allows for users to more easily integrate the use of encryption in their daily tasks, such as electronic mail protection and authentication, and protecting files stored on a computer. PGP was originally designed by Phil Zimmerman. It uses IDEA, CAST orTriple DES for actual data encryption and RSA (with up to 2048-bit key) or DH/DSS (with 1024-bit signature key and 4096-bit encryption key) for key management and digital signatures. The RSA or DH public key is used to encrypt the IDEA secret key as part of the message.


Combination of Symmetric Encryption and Asymmetric Encryption

If we want the benefits of both types of encryption algorithms, the general idea is to create a random symmetric key to encrypt the data, and then encrypt that key asymmetrically. Once the key is asymmetrically encrypted, we add it to the encrypted message. The receiver gets the key, decrypts it with their private key, and uses it to decrypt the message.


Here I will only discuss two symmetric encryption algorithms Data Encryption Standard (DES) and Advanced Encryption Standard (AES)

4 comments:

  1. Excellent introduction about encryption and decryption process is provided in this article. I find this description very informative and highly useful.
    e signatures

    ReplyDelete