Cryptography in information security refers to the technique of protecting information whether in transit or at rest. The goal of cryptography is to secure information from unauthorized parties. Encryption scrambles information into ciphertext, and decryption turns it back into readable form upon arrival.

Examples of Encrypted Communication

Encrypted communication makes information unavailable to unauthorized parties. Some examples of secure encrypted communications include:

Secure Shell (SSH) – secured version of telnet; uses port 22; relies on public key cryptography.

Secure Sockets Layer (SSL) – encrypts data at transport layer and above; uses RSA encryption and digital certificates; has a six-step process; however, SSL is considered obsolete.

Transport Layer Security (TLS) – TLS is the successor to SSL; allows both client and server to authenticate to each other; TLS Record Protocol provides a secured communication channel; TLS provides the encryption and security that make up a secure internet connection to websites.

Internet Protocol Security (IPSEC) – network layer tunneling protocol; used in tunnel and transport modes; ESP encrypts each packet.

Symmetric Cryptography

Symmetric cryptography is also known as ‘same key’ cryptography because the same key is used to encrypt and decrypt the data. The same key passes from user to user, which creates a challenge because there is a risk of compromise. Every time a key exchange happens, there is a chance that someone can steal the key and read the information. Therefore, the owner must be able to protect the single private key that is generated upon the initial exchange between parties. Examples of this encryption type are:

  • DES – block cipher; 56 bit key; quickly outdated and now considered not very secure.
  • 3DES – block cipher; 168 bit key; more effective than DES but much slower
  • AES (Advanced Encryption Standard) – block cipher; 128, 192 or 256 bit key; replaces DES; much faster than DES and 3DES
  • IDEA (International Data Encryption Algorithm) – block cipher; 128 bit key;
  • Twofish – block cipher; up to 256 bit key
  • Blowfish – fast block cipher but has been replaced by AES; 64 bit block size; 32 to 448 bit key; considered public domain
  • RC (Rivest Cipher) – block cipher; RC6 (latest version) uses 128 bit blocks and 4 bit working registers;

Note that an algorithm’s strength is determined by its key length.

Asymmetric Cryptography

Asymmetric cryptography is also known as “public key cryptography.” Unlike symmetric cryptography, asymmetric encryption uses two keys, one public and one private. The public key encrypts and the private key decrypts, thus lessening the risk of exposing the private key. Some examples of asymmetric algorithms include:

  • Diffie-Hellman – developed as a key exchange protocol; used in SSL and IPSec; however, it can be vulnerable to MITM attacks
  • Elliptic Curve Cryptosystem (ECC) – uses points on an elliptic curve along with logarithmic problems; uses less processing power
  • El Gamal – not based on prime number factoring; uses solving of discrete logarithm problems.
  • RSA – achieves strong encryption through the use of two large prime numbers;

Note that an algorithm’s strength is determined by its key length.
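The two models described above, combined in one run as an added example (not part of the original page): a message is encrypted with a single AES key, and that key is then wrapped with the recipient's RSA public key so the shared secret never travels in the clear. Pairing the two goes one step beyond the text; the file names and message are constructed, and the openssl command-line tool is assumed to be installed.

```sh
#!/bin/sh
# Added example: file names and the message are constructed for this demo.
set -eu
WORK=$(mktemp -d)
printf 'quarterly payroll export\n' > "$WORK/msg.txt"

# Symmetric: one secret key (plus a per-message IV) both encrypts and decrypts.
# openssl enc offers CBC here: confidentiality only, no integrity tag.
KEY=$(openssl rand -hex 32)   # 256-bit AES key
IV=$(openssl rand -hex 16)    # 128-bit IV, not secret but unique per message
aes_encrypt() { openssl enc -aes-256-cbc -K "$1" -iv "$2" -in "$3" -out "$4"; }
aes_decrypt() { openssl enc -d -aes-256-cbc -K "$1" -iv "$2" -in "$3" -out "$4"; }

# Asymmetric: the recipient publishes pub.pem and keeps priv.pem to itself.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
  -out "$WORK/priv.pem" 2>/dev/null
openssl pkey -in "$WORK/priv.pem" -pubout -out "$WORK/pub.pem"

# Sender wraps the AES key under the recipient's public key (RSA-OAEP).
wrap_key() {    # $1 = hex key, $2 = recipient public key, $3 = output file
  printf '%s' "$1" | openssl pkeyutl -encrypt -pubin -inkey "$2" \
    -pkeyopt rsa_padding_mode:oaep -out "$3"
}
# Unwrapping needs the private key; prints the recovered hex key.
unwrap_key() {  # $1 = wrapped file, $2 = key file, $3 = optional -pubin
  openssl pkeyutl -decrypt ${3:-} -inkey "$2" \
    -pkeyopt rsa_padding_mode:oaep -in "$1" 2>/dev/null
}

# Sender side.
aes_encrypt "$KEY" "$IV" "$WORK/msg.txt" "$WORK/msg.enc"
wrap_key "$KEY" "$WORK/pub.pem" "$WORK/key.wrapped"

# Recipient side: recover the AES key, then decrypt the message with it.
RECOVERED=$(unwrap_key "$WORK/key.wrapped" "$WORK/priv.pem")
aes_decrypt "$RECOVERED" "$IV" "$WORK/msg.enc" "$WORK/msg.out"
cmp -s "$WORK/msg.txt" "$WORK/msg.out" && echo "round trip OK"

# Holding only the public key is not enough to unwrap the secret.
if unwrap_key "$WORK/key.wrapped" "$WORK/pub.pem" -pubin >/dev/null; then
  echo "unexpected: public key unwrapped the secret"
else
  echo "public key cannot decrypt"
fi
```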

Some examples of items that use asymmetric cryptography are:

  • SSH algorithms 
  • SSL/TLS 
  • S/MIME encrypted email 
  • Code signing 
  • Bitcoin/Blockchain 
  • Signal private messenger 

Public Key Infrastructure

PKI (or Public Key Infrastructure) is the framework of encryption and security that protects communication. PKI uses symmetric and asymmetric processes. Above all, the use of Digital Certificates aims to protect sensitive data, provide unique digital identities for users, devices and applications and secure end-to-end communications.

Elements in the PKI process

Registration Authority (RA)

The RA receives the certificate signing requests (CSR). Then, the RA verifies and forwards these requests to a Certificate Authority (CA). The end-user will not directly deal with the RA. Additionally, the RA is separate from the Certificate Authority for security reasons (in case of a compromise). Segregation of entities will allow more control.

Certificate Authority (CA)

Next, the CA aids in validating the digital identities of the users, which can range from individuals to computer systems to servers (including websites). As a result, Certificate Authorities prevent falsification of identities.

Digital Certificates

A digital certificate is a type of file that associates cryptographic key pairs with identities such as websites, individuals, groups or organizations. The main purpose of these certificates is to digitally sign files. X.509 is the standard for certificates.

Self-signed certificates are certificates that are not signed by a formalized CA. These are typically used in a development or test setting and are generally not for public consumption.
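The CSR-to-certificate flow and the self-signed case described above, as an added example (not part of the original page): a throwaway CA signs a subscriber's CSR, and a relying party that trusts only that CA accepts the issued certificate while rejecting a self-signed one for the same name. "Demo Root CA" and www.example.test are constructed placeholders, and the openssl command-line tool with its default configuration file is assumed.

```sh
#!/bin/sh
# Added example: "Demo Root CA" and www.example.test are constructed placeholders.
set -eu
PKI=$(mktemp -d)

# 1. The CA creates its key and root certificate (a root is self-signed by design).
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo Root CA" \
  -keyout "$PKI/ca.key" -out "$PKI/ca.crt" 2>/dev/null

# 2. The subscriber generates a key pair and a CSR; the private key stays local.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
  -keyout "$PKI/srv.key" -out "$PKI/srv.csr" 2>/dev/null

# 3. After the request has been vetted (the RA's job), the CA signs it.
openssl x509 -req -in "$PKI/srv.csr" -CA "$PKI/ca.crt" -CAkey "$PKI/ca.key" \
  -CAcreateserial -days 7 -out "$PKI/srv.crt" 2>/dev/null

# 4. For contrast: a self-signed certificate for the same name, no CA involved.
openssl req -x509 -newkey rsa:2048 -nodes -days 7 -subj "/CN=www.example.test" \
  -keyout "$PKI/self.key" -out "$PKI/self.crt" 2>/dev/null

# A relying party that trusts only the given CA certificate checks a certificate.
trust_status() {    # $1 = trusted CA cert, $2 = certificate to check
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  then echo trusted; else echo untrusted; fi
}

# Self-issued check: subject and issuer names hash to the same value.
is_self_signed() {  # $1 = certificate to inspect
  [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
    "$(openssl x509 -in "$1" -noout -issuer_hash)" ]
}

echo "CA-issued:   $(trust_status "$PKI/ca.crt" "$PKI/srv.crt")"
echo "self-signed: $(trust_status "$PKI/ca.crt" "$PKI/self.crt")"
openssl x509 -in "$PKI/srv.crt" -noout -subject -issuer
```

The self-signed certificate carries the same subject name as the CA-issued one, so the name alone tells a relying party nothing; the difference is whether a trusted issuer vouches for the binding between that name and the key.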
