Internet Security - Cryptography fundamentals
by Wenwei Weng
Internet security is becoming more relevant to daily life as the internet keeps growing. There are many aspects of internet security. Cryptography is a fundamental element when we talk about internet security related to encryption and decryption.
In this post, I will give a summary of the crypto used in network security.
terminology
Cipher
A cipher is an algorithm for performing data encryption and decryption, e.g. older ciphers such as the Caesar cipher, Vigenere cipher, and transposition cipher; today's DES, 3DES, AES, and Rivest ciphers. A brief description of each follows.
DES
The Data Encryption Standard (DES) has now been in use for over 35 years and still has not been found to have a significant flaw. However, because its key length is relatively short, it can be susceptible to brute-force attacks. DES uses a 64-bit key, but only 56 of the bits are used for encryption. Unfortunately, 16 of those remaining 56 bits are known and 40 bits are unknown. The other 8 bits are used for parity. What that means, essentially, is that DES has a 40-bit key strength. DES has two operating modes, stream cipher and block cipher. Further, each of these two modes has two types within it.
3DES
Triple DES, as the 3DES encryption algorithm has become known, essentially strengthens the original DES algorithm by applying it three times. Because the original DES algorithm is cryptographically strong, it can be made much stronger by encrypting the data three times. This triple encryption makes a brute-force attack unfeasible. The effective key strength can be either 112 bit or 168 bit, which is what Cisco uses. Let us examine how the 3DES algorithm works.
- A first 56-bit key is used to encrypt the plaintext.
- A second 56-bit key is used to decrypt the data.
- A third 56-bit key is used to encrypt the data again.
AES
Advanced Encryption Algorithm (AES) came about after the federal government decided that it needed to create a new standard that would replace DES as the official government encryption cipher. A bake-off of sorts was initiated in 1997. The winner, selected in 2000, was the Rijndael cipher, a mixture of the last names of the two creators, Joan Daemen and Vincent Rijmen. This cipher became an official government standard in 2002. The Rijndael cipher uses a variable key length and block size in the implementation of the cipher. There are potentially nine different combinations of key length and block size. You may use a key length of 256 bits, 192 bits, or 128 bits to encrypt block sizes of 128 bits, 192 bits, or 256 bits.
Rivest Ciphers
The Rivest ciphers are also known as the RC ciphers. Ron Rivest is a well-known cryptographer and professor at MIT. He is the author of the Rivest ciphers known as RC2, RC4, and RC5 and coauthor of RC6.
- RC2: Variable-length-key block cipher, designed to be an alternative to DES.
- RC4: Variable key-length stream cipher used frequently in file encryption products, as well as in Secure Sockets Layer (SSL).
- RC5: RC5 has a variable-length key and variable-length block size.
- RC6: Block cipher meant to compete for the AES standard.
Examples: encrypt and decrypt a text file
We can use openssl in Linux to encrypt and decrypt a file.
First, let’s create a file named “plaintext-hello.txt”.
Second, let’s encrypt it using the password “cipherme”.
Third, let’s decrypt the binary to see if we can restore “hello world” plain text. As shown below, we did it.
In the above example, the aes-256-cbc algorithm is used. For the supported encryption algorithms, see “man openssl”.
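The three steps above as a runnable round trip (an added example, not the original post's own commands). The `-pbkdf2 -iter 100000` options, the `ENC_PASS` environment variable, and the function and output file names are choices made here; `-pbkdf2` requires OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example: aes-256-cbc round trip with the page's file name and password.
# ENC_PASS is a name chosen here; env: keeps the password out of the process
# list, and -pbkdf2/-iter replace the weak legacy key derivation.

encrypt_file() {   # encrypt_file <password> <plaintext-in> <ciphertext-out>
    ENC_PASS="$1" openssl enc -aes-256-cbc -salt -pbkdf2 -iter 100000 \
        -pass env:ENC_PASS -in "$2" -out "$3"
}

decrypt_file() {   # decrypt_file <password> <ciphertext-in> <plaintext-out>
    ENC_PASS="$1" openssl enc -d -aes-256-cbc -pbkdf2 -iter 100000 \
        -pass env:ENC_PASS -in "$2" -out "$3" 2>/dev/null
}

# Runs the three steps in a scratch directory and prints the restored text.
roundtrip_demo() {
    dir=$(mktemp -d) || return 1
    # Step 1: create the plaintext file.
    printf 'hello world\n' > "$dir/plaintext-hello.txt"
    # Step 2: encrypt with the password; step 3: decrypt and show the result.
    encrypt_file cipherme "$dir/plaintext-hello.txt" "$dir/hello.enc" &&
    decrypt_file cipherme "$dir/hello.enc" "$dir/restored.txt" &&
    cat "$dir/restored.txt"
    status=$?
    rm -rf "$dir"
    return $status
}

roundtrip_demo
```

The output file starts with the 8-byte marker `Salted__` followed by an 8-byte salt, then the padded ciphertext. `openssl enc` in CBC mode gives confidentiality only: nothing in the file authenticates the ciphertext, which is the gap the HMAC section addresses.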
Digital signature
hashing
What is hashing? Simply put, hashing is taking some type of input data and generating some sort of value. This value is typically a fixed-length integer. The process of taking input data and generating the value is called a hash function. The output of the hash function is called the hash value. A hash function has five main features:
- Easily compute the hash value for any message ---> Fast and Efficient
- Must never create the same hash value from two different sets of data ---> Collision Resistant
- Cannot modify the message without altering the hash value ---> Manipulation resistant
- Cannot determine the message from the hash value ---> One-way hash
- Take variable-length data and produce a fixed-length value ---> Fixed-length hash value
Typical hash algorithms are MD5, SHA1, SHA256, and SHA512. See example below.
Hash Message Authentication Code (HMAC)
Hash Message Authentication Code (HMAC) is a way to further secure a hash. HMAC is not a hash function requirement but has its place when we talk about securing the hash function. Because some popular hash algorithms have been shown not to be completely collision resistant, it is important to add newer techniques to validate the integrity of a hash. HMAC accomplishes this by adding another layer of data into the hashing mix. This layer is called a secret key. The secret key is known only by the sender and receiver, and it provides authentication to HMAC. In the HMAC process, the input data is taken and a secret key is added. Both the input data and secret key are put through the hashing algorithm. This produces an HMAC hash. The size of the HMAC hash is the same as that of the corresponding hashing algorithm. (The two main types of HMAC hashes are HMAC-MD5, which produces a 128-bit hash, and HMAC-SHA-1, which produces a 160-bit hash.)
See the example below: the HMAC of “Hello World” from the file plaintext-hello.txt, using the secret key “mykey”. The sender sends the message along with its HMAC, computed using the shared secret key (“mykey” in the example below). The receiver gets the message, computes the HMAC over the received data using the shared secret key, and compares it to the received HMAC. If both are equal, the message was received exactly as sent.
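The hashing and HMAC steps described above, as an added example (not the original post's own commands): it hashes plaintext-hello.txt, tags it with an HMAC under the shared key “mykey”, and runs the receiver's check on an intact and an altered copy. The function names and the choice of HMAC-SHA-256 are assumptions made here.

```shell
#!/bin/sh
# Added example: plain digest vs. HMAC over the same message.

digest_hex() {   # digest_hex <md5|sha1|sha256|sha512> <file> -> hex digest
    openssl dgst "-$1" < "$2" | awk '{print $NF}'
}

hmac_hex() {     # hmac_hex <key> <file> -> hex HMAC-SHA-256 tag
    # Note: -hmac puts the key on the command line, visible in the process list.
    openssl dgst -sha256 -hmac "$1" < "$2" | awk '{print $NF}'
}

# Receiver side: recompute the tag with the shared key and compare.
# (A string compare in sh is not constant-time; fine for a demonstration.)
verify_hmac() {  # verify_hmac <key> <file> <received-tag>; status 0 = accept
    [ "$(hmac_hex "$1" "$2")" = "$3" ]
}

hmac_demo() {
    dir=$(mktemp -d) || return 1
    f="$dir/plaintext-hello.txt"
    printf 'Hello World\n' > "$f"
    tag=$(hmac_hex mykey "$f")                       # sender computes the tag
    echo "sha256: $(digest_hex sha256 "$f")"
    echo "hmac:   $tag"
    verify_hmac mykey "$f" "$tag" && echo "intact: accepted"

    # Message altered in transit. A bare SHA-256 sent alongside it could be
    # recomputed by whoever altered it; the HMAC cannot be without the key.
    printf 'Hello W0rld\n' > "$f"
    verify_hmac mykey "$f" "$tag" || echo "tampered: rejected"
    rm -rf "$dir"
}

hmac_demo
```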
Digital Signatures
A digital signature is an electronic means to validate the authenticity and integrity of a message, software, or document. Most digital signatures use asymmetric cryptography to accomplish the authenticity.
As shown above, the private key is used to generate the HMAC on the sender side, while the public key is used on the receiver side to generate the HMAC to compare. This is the key feature of asymmetric encryption technology, which we talk about next.
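Signing on the sender side with a private key and checking on the receiver side with the matching public key, as an added example (not from the original post). The RSA-2048 key, the SHA-256 digest, and all file and function names are assumptions made here.

```shell
#!/bin/sh
# Added example: the sender signs with a private key; the receiver needs only
# the public key to verify, so no shared secret has to be exchanged.

make_keypair() {  # make_keypair <private-out> <public-out>
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1" 2>/dev/null &&
    openssl pkey -in "$1" -pubout -out "$2"
}

sign_file() {     # sign_file <private-key> <file> <signature-out>
    openssl dgst -sha256 -sign "$1" -out "$3" "$2"
}

verify_file() {   # verify_file <public-key> <file> <signature>; status 0 = valid
    openssl dgst -sha256 -verify "$1" -signature "$3" "$2" >/dev/null 2>&1
}

signature_demo() {
    dir=$(mktemp -d) || return 1
    make_keypair "$dir/sender.key" "$dir/sender.pub" || return 1
    printf 'Hello World\n' > "$dir/message.txt"
    sign_file "$dir/sender.key" "$dir/message.txt" "$dir/message.sig"
    verify_file "$dir/sender.pub" "$dir/message.txt" "$dir/message.sig" \
        && echo "original: signature valid"
    # Message altered after signing: the same signature no longer verifies.
    printf 'Hello W0rld\n' > "$dir/message.txt"
    verify_file "$dir/sender.pub" "$dir/message.txt" "$dir/message.sig" \
        || echo "altered: signature invalid"
    rm -rf "$dir"
}

signature_demo
```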
Asymmetric encryption
PKI
Digital Certificate