Data Encryption Techniques
Pepperdine Inc.
Authored by: David Leonard, 02 Feb 2012

Upload: reynold-harris

Post on 25-Dec-2015

249 views

Category:

Documents


5 download

TRANSCRIPT

Page 1: Data Encryption Techniques Pepperdine Inc. Authored by: David Leonard 02 Feb 2012 02 Feb 2012

Data Encryption TechniquesPepperdine Inc.

Authored by: David Leonard 02 Feb 2012

Page 2: Data Encryption Techniques Pepperdine Inc. Authored by: David Leonard 02 Feb 2012 02 Feb 2012

Purpose and Basic Terminology

Algorithms (General) 

Algorithms (Most Popular)

Symmetric and Asymmetric

Encryption 

Ciphers 

Hashing

Digital Signatures

Trust Models

Conclusion

Basic Terminology

The Purpose of Cryptography:
1. Confidentiality
2. Authentication
3. Integrity
4. Non-Repudiation

Plaintext is the data or message as it exists prior to encryption (an ordinary email or other readable data).
Ciphertext is the same data after it has been encrypted and made unreadable.
Encryption is the conversion of data into a form, called ciphertext, that cannot be easily understood by unauthorized people [1].
Decryption is the process of converting encrypted data back into its original form so it can be understood [1].
Algorithm is the set of instructions that is used with a key to encrypt or decrypt data.

1. http://searchsecurity.techtarget.com/definition/encryption

Algorithms (General)

• One of the cornerstones of all modern cryptography.
• An algorithm is a set of data-manipulation instructions that works with a key to produce encrypted information (ciphertext).
• The security of the data relies on two factors:
  1. The strength of the algorithm
  2. The secrecy of the key
  (This is Kerckhoffs's principle: the algorithm is assumed to be public and only the key is secret, so a design that depends on keeping the algorithm hidden is not considered secure.)

Algorithms (Types)

Two types:
• Symmetric – Single key, also known as a secret key, shared key, or (confusingly) private key. Normally used to encrypt large amounts of data quickly.
  – Both sender and receiver hold a common secret key agreed upon through a key-exchange agreement.
• Asymmetric – Two keys (a public key and a private key that together form a key pair).
  – The sender encrypts with the recipient's public key and the recipient decrypts with the matching private key. The private key cannot feasibly be derived from the public key, so knowing the public key does not allow anyone to decrypt the message.

Page 6: Data Encryption Techniques Pepperdine Inc. Authored by: David Leonard 02 Feb 2012 02 Feb 2012

Step 1: Both sender and receiver agree on a shared secretStep 2: Sender Encrypts the message using the shared key and a known

algorithm .Step 3: The message is sent to the recipient, who decodes it with the

same key.

Graphic from: http://msdn.microsoft.com/en-us/library/ff650720.aspx

Symmetric Key Encryption
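The three steps above, carried out in code. This is an added example and not part of the original slides: it uses Go's standard library with AES-256 in GCM mode, which also authenticates the ciphertext so the recipient notices tampering. The function names (DeriveKey, Encrypt, Decrypt, RoundTrip), the "shared secret" string and the sample message are constructed for illustration; in a real system the shared secret would come from a key exchange or a key-management service, not from a string in the source.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// DeriveKey stands in for Step 1: both parties turn the secret they agreed on
// out of band into a 256-bit AES key. Hashing is only adequate for a
// high-entropy secret; a human password needs a slow KDF (PBKDF2, scrypt, Argon2).
func DeriveKey(sharedSecret []byte) []byte {
	k := sha256.Sum256(sharedSecret)
	return k[:]
}

// Encrypt is Step 2, using AES-256-GCM. A fresh random 96-bit nonce is
// generated per message and prepended to the output; GCM also appends an
// authentication tag so the receiver can detect any modification.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext||tag to the nonce passed as dst: output is nonce||ct||tag.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt is Step 3: the recipient splits off the nonce and opens the message
// with the same key. A wrong key or a single flipped bit makes Open fail.
func Decrypt(key, msg []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(msg) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("message too short to contain nonce and tag")
	}
	nonce, ct := msg[:gcm.NonceSize()], msg[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// RoundTrip runs all three steps and reports whether the recipient recovered
// the plaintext and whether a tampered copy of the message was rejected.
func RoundTrip(sharedSecret, plaintext []byte) (recovered, tamperDetected bool, err error) {
	key := DeriveKey(sharedSecret)
	msg, err := Encrypt(key, plaintext)
	if err != nil {
		return false, false, err
	}
	pt, err := Decrypt(key, msg)
	if err != nil {
		return false, false, err
	}
	recovered = string(pt) == string(plaintext)

	tampered := append([]byte(nil), msg...)
	tampered[len(tampered)-1] ^= 0x01 // flip one bit of the authentication tag
	_, err = Decrypt(key, tampered)
	tamperDetected = err != nil
	return recovered, tamperDetected, nil
}

func main() {
	// Constructed sample input; the "shared secret" is whatever Step 1 produced.
	ok, detected, err := RoundTrip([]byte("constructed shared secret"), []byte("meet at the bridge at 06:00"))
	fmt.Println(ok, detected, err) // true true <nil>
}
```

The nonce is sent in the clear; what must never happen is reusing a nonce under the same key, which is why it is drawn from a CSPRNG per message. Using an authenticated mode rather than bare AES is what makes Step 3 safe: without the tag the recipient would happily decrypt a ciphertext an attacker had modified.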

Asymmetric Key Encryption

Step 1: Recipient sends the sender the public key.
Step 2: Sender encrypts the message using the public key.
Step 3: The message is sent to the recipient.
Step 4: The recipient decrypts it with the private key. (Public key = one half of a key pair, private key = the other half.)

Graphic from: http://msdn.microsoft.com/en-us/library/ff650720.aspx
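The four steps above with RSA, as an added example that is not part of the original slides. It uses Go's standard library with RSA-OAEP; the function names, the 2048-bit key size and the sample message are choices made for this illustration. It also checks the property stated on the previous slide: a party who knows the public key but holds a different private key cannot recover the message.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// GenerateKeyPair is the recipient's one-time setup. The private key never
// leaves the recipient; the public half is what Step 1 hands to the sender.
func GenerateKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// MaxPlaintext is the largest message RSA-OAEP with SHA-256 can wrap under
// this key (k - 2*hLen - 2 bytes). RSA is therefore used to encrypt a
// symmetric key, and that key encrypts the bulk data (hybrid encryption).
func MaxPlaintext(pub *rsa.PublicKey) int {
	return pub.Size() - 2*sha256.Size - 2
}

// EncryptForRecipient is Step 2: the sender needs only the public key.
// OAEP padding is used; raw ("textbook") RSA and PKCS#1 v1.5 are not safe choices.
func EncryptForRecipient(pub *rsa.PublicKey, plaintext []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, plaintext, nil)
}

// DecryptAsRecipient is Step 4: only the holder of the matching private key
// can recover the plaintext.
func DecryptAsRecipient(priv *rsa.PrivateKey, ciphertext []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ciphertext, nil)
}

// Exchange runs Steps 1-4 and also checks that a party who knows the
// recipient's public key but holds a different private key gets an error,
// not the plaintext.
func Exchange(plaintext []byte) (recovered, wrongKeyRejected bool, err error) {
	recipient, err := GenerateKeyPair()
	if err != nil {
		return false, false, err
	}
	bystander, err := GenerateKeyPair()
	if err != nil {
		return false, false, err
	}
	ct, err := EncryptForRecipient(&recipient.PublicKey, plaintext)
	if err != nil {
		return false, false, err
	}
	pt, err := DecryptAsRecipient(recipient, ct)
	if err != nil {
		return false, false, err
	}
	recovered = string(pt) == string(plaintext)
	_, err = DecryptAsRecipient(bystander, ct)
	wrongKeyRejected = err != nil
	return recovered, wrongKeyRejected, nil
}

func main() {
	// Constructed sample: in practice this would be a symmetric session key.
	ok, rejected, err := Exchange([]byte("constructed: session key K-4471"))
	fmt.Println(ok, rejected, err) // true true <nil>
}
```

Note the size limit exposed by MaxPlaintext: with a 2048-bit key and SHA-256 OAEP a single RSA operation carries at most 190 bytes, which is why asymmetric encryption is used to transport a symmetric key and the symmetric cipher (previous slide) does the bulk work.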

Common Symmetric Algorithms

Name – Cipher type and block size – Key size – Comments

AES – Block, 128-bit block – 128, 192, or 256 bits – Designed by J. Daemen & V. Rijmen (hence "Rijndael"). The current FIPS 197 standard. AES-256 has the largest security margin, but all three key sizes remain unbroken.

Blowfish – Block, 64-bit block – Variable, 32 to 448 bits – 16-round Feistel cipher. Like every 64-bit-block cipher it should not protect large volumes of data under one key, because block collisions become likely after about 2^32 blocks.

CAST – Block, 64-bit block – CAST-128: variable, 40 to 128 bits – Named for its designers, Carlisle Adams and Stafford Tavares.

DES – Block, 64-bit block – 56 bits – Data Encryption Standard. With only 56 key bits it can be brute-forced and is considered a weak, broken cipher.

IDEA – Block, 64-bit block – 128 bits – International Data Encryption Algorithm (European design) by Dr. X. Lai and Prof. J. Massey. Considered secure in general, but it has known classes of weak keys, such as an all-zeros key.

RC4 – Stream – Variable, 40 to 2,048 bits – Designed by Ron Rivest. Used in SSL and WEP; a stateful keystream generator. Its keystream has statistical biases, and it is now prohibited in TLS (RFC 7465).

RC6 – Block, 128-bit block – 128, 192, & 256 bits – Developed by Ron Rivest, Y. Yin, M. Robshaw, & R. Sidney at RSA Security as a candidate for the AES competition (a finalist, not the winner).

Serpent – Block, 128-bit block – 128, 192, & 256 bits – Designed by Ross Anderson, Eli Biham and Lars Knudsen; an AES finalist.

Triple DES – Block, 64-bit block – 112 or 168 bits (two or three independent 56-bit DES keys) – Applies DES three times in encrypt-decrypt-encrypt order. Effective security is about 112 bits; it is slow and shares the 64-bit-block limitation noted for Blowfish.

Twofish – Block, 128-bit block – Up to 256 bits – An AES finalist (not selected as the standard). Designed by Bruce Schneier, J. Kelsey, C. Hall, N. Ferguson, D. Wagner & D. Whiting.

Common Asymmetric Algorithms

RSA
1. Designed by Rivest, Shamir and Adleman (1977).
2. The most common public-key algorithm in use.
3. Security depends on the infeasibility of factoring the product of two large primes; that is what stops an attacker from deriving the private key from the public key.

Diffie-Hellman
1. The oldest asymmetric scheme still in use (1976).
2. Relies on discrete logarithms in a pre-defined group (a large prime modulus and a generator).
3. The strength of the algorithm depends on the group chosen and the order (magnitude) of its generator.
4. Transport Layer Security (TLS) uses DH to negotiate session keys. DH on its own does not authenticate the parties, so TLS pairs it with certificates to stop a man in the middle.

Digital Signature Algorithm (DSA)
1. NIST-approved US Federal standard (FIPS 186).
2. With the original 1024-bit modulus and 160-bit subgroup it provides only about 80 bits of security; larger parameter sizes were added in later revisions of the standard.

ECDSA (Elliptic Curve)
1. Elliptic-curve cryptography was proposed independently by N. Koblitz and V. Miller (1985); ECDSA is the elliptic-curve variant of DSA.
2. Relies on the group of points on an elliptic curve, where adding two selected points produces a third point. Repeatedly adding a point to itself is easy; reversing that (the elliptic-curve discrete logarithm) is hard.
3. Over a finite field the set of points is finite, but the problem is hard enough that a 256-bit curve gives security comparable to 3072-bit RSA, so keys and signatures are much shorter.

XTR
1. XTR stands for ECSTR (Efficient and Compact Subgroup Trace Representation).
2. A Diffie-Hellman-style system that represents elements of a subgroup of GF(p^6)* compactly by their trace.
3. Its security depends on the discrete logarithm problem in that subgroup.
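A Diffie-Hellman key agreement as an added example, not part of the original slides. It uses Go's standard library crypto/ecdh (Go 1.20 or later) with the X25519 function, i.e. DH over an elliptic-curve group rather than the integer group of the 1976 paper; the group and generator are fixed by the curve, which matches item 3 above. The Party type, the HMAC label and the party names are constructed for this illustration.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Party holds one side's ephemeral Diffie-Hellman key pair on Curve25519.
type Party struct {
	priv *ecdh.PrivateKey
}

func NewParty() (*Party, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Party{priv: priv}, nil
}

// Public is the only value that goes over the wire.
func (p *Party) Public() []byte { return p.priv.PublicKey().Bytes() }

// SessionKey combines this party's private scalar with the peer's public
// point and then runs an HKDF-Extract-style step (HMAC-SHA256 under a fixed
// label) so the raw group element is never used directly as a cipher key.
func (p *Party) SessionKey(peerPublic []byte) ([]byte, error) {
	peer, err := ecdh.X25519().NewPublicKey(peerPublic)
	if err != nil {
		return nil, err
	}
	shared, err := p.priv.ECDH(peer)
	if err != nil {
		return nil, err
	}
	mac := hmac.New(sha256.New, []byte("constructed-label: dh-demo key v1"))
	mac.Write(shared)
	return mac.Sum(nil), nil
}

// Agree runs the exchange between two parties and reports whether both ended
// with the same key. It also shows that a third party who saw both public
// values but holds its own private key computes a different key: recovering
// the shared secret from the public values alone is the discrete-log problem.
func Agree() (sameKey, eavesdropperDiffers bool, err error) {
	alice, err := NewParty()
	if err != nil {
		return false, false, err
	}
	bob, err := NewParty()
	if err != nil {
		return false, false, err
	}
	eve, err := NewParty()
	if err != nil {
		return false, false, err
	}
	ka, err := alice.SessionKey(bob.Public()) // Alice uses Bob's public value
	if err != nil {
		return false, false, err
	}
	kb, err := bob.SessionKey(alice.Public()) // Bob uses Alice's
	if err != nil {
		return false, false, err
	}
	ke, err := eve.SessionKey(bob.Public()) // Eve only has public values and her own key
	if err != nil {
		return false, false, err
	}
	return bytes.Equal(ka, kb), !bytes.Equal(ke, ka), nil
}

func main() {
	same, differs, err := Agree()
	fmt.Println(same, differs, err) // true true <nil>
}
```

Nothing in this exchange tells Alice that the public value she received really came from Bob. An active attacker who swaps in their own public value to each side ends up with a separate key with each of them and can relay traffic in between; that is why item 4 above matters, and why TLS signs the DH values with a certificate-backed key.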

Ciphers

Block Cipher: Encrypts plaintext in fixed-size segments called blocks. Older ciphers (DES, Triple DES, Blowfish, CAST, IDEA) use 8-byte (64-bit) blocks; AES and the other AES finalists use 16-byte (128-bit) blocks. A block cipher by itself transforms one block; a mode of operation (CBC, CTR, GCM, ...) chains or counts blocks so that a whole message can be encrypted.

Padding: A technique of supplementing a message that does not meet the block-size requirement. Example: if a message of 100 bits were encrypted with a 128-bit block cipher, 28 bits of filler would be added to complete the 128-bit block. In practice padding is byte-oriented (PKCS#7 appends n bytes, each of value n), and the receiver must check it only after the ciphertext has been authenticated: a decryptor that reports padding errors to the sender is a padding oracle.

Stream Cipher: Generates a keystream from the key (and a nonce) and combines it with the plaintext one bit or byte at a time, usually by XOR, so no padding is needed. The keystream must never be reused: two messages encrypted under the same keystream leak the XOR of their plaintexts.
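The three ideas on this slide in code, as an added example that is not part of the original deck: PKCS#7 padding with strict unpadding, AES in CBC mode as the block-cipher path (padding required), and AES in CTR mode as the stream-cipher path (no padding, output the same length as the input), plus a function that shows what keystream reuse leaks. Go's standard library is used throughout; the function names and the sample strings are constructed for illustration, and the key and IV values are supplied by the caller (the test uses all-zero ones, which is fine only for a demonstration).

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Pad implements PKCS#7: append n bytes, each of value n, so the length becomes
// a multiple of blockSize. A message that is already aligned gets a whole
// extra block, which is what makes unpadding unambiguous.
func Pad(msg []byte, blockSize int) []byte {
	n := blockSize - len(msg)%blockSize
	return append(append([]byte(nil), msg...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// Unpad reverses Pad and rejects malformed padding. Never expose this error
// to a remote party separately from an authentication failure: a decryptor
// that says "bad padding" is a padding oracle. Authenticate first, then unpad.
func Unpad(padded []byte, blockSize int) ([]byte, error) {
	if len(padded) == 0 || len(padded)%blockSize != 0 {
		return nil, errors.New("padded length is not a multiple of the block size")
	}
	n := int(padded[len(padded)-1])
	if n == 0 || n > blockSize {
		return nil, errors.New("padding byte out of range")
	}
	for _, b := range padded[len(padded)-n:] {
		if int(b) != n {
			return nil, errors.New("inconsistent padding bytes")
		}
	}
	return padded[:len(padded)-n], nil
}

// EncryptCBC is the block-cipher path: AES works on 16-byte blocks, so the
// plaintext is padded before CBC chains the blocks. Output is IV||ciphertext.
func EncryptCBC(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	padded := Pad(plaintext, bs)
	out := make([]byte, bs+len(padded))
	if _, err := rand.Read(out[:bs]); err != nil { // random IV per message
		return nil, err
	}
	cipher.NewCBCEncrypter(block, out[:bs]).CryptBlocks(out[bs:], padded)
	return out, nil
}

func DecryptCBC(key, msg []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	if len(msg) < 2*bs || len(msg)%bs != 0 {
		return nil, errors.New("ciphertext is not an IV plus whole blocks")
	}
	padded := make([]byte, len(msg)-bs)
	cipher.NewCBCDecrypter(block, msg[:bs]).CryptBlocks(padded, msg[bs:])
	return Unpad(padded, bs)
}

// CryptCTR is the stream-cipher path: CTR mode turns AES into a keystream
// generator that is XORed with the data byte by byte, so no padding is needed
// and the output has exactly the input's length. The same call decrypts.
// iv must be one block (16 bytes) long and unique per message under a key.
func CryptCTR(key, iv, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(data))
	cipher.NewCTR(block, iv).XORKeyStream(out, data)
	return out, nil
}

// KeystreamReuseLeaks demonstrates the stream-cipher failure mode: encrypting
// two messages under the same key and IV, then XORing the ciphertexts,
// yields the XOR of the plaintexts with no key involved at all.
func KeystreamReuseLeaks(key, iv, p1, p2 []byte) (bool, error) {
	c1, err := CryptCTR(key, iv, p1)
	if err != nil {
		return false, err
	}
	c2, err := CryptCTR(key, iv, p2)
	if err != nil {
		return false, err
	}
	n := len(p1)
	if len(p2) < n {
		n = len(p2)
	}
	for i := 0; i < n; i++ {
		if c1[i]^c2[i] != p1[i]^p2[i] {
			return false, nil
		}
	}
	return true, nil
}
```

A 13-byte message becomes 16 bytes after padding and 32 bytes on the wire under CBC (IV plus one block), but stays 13 bytes under CTR. Neither mode authenticates the data; pair either with a MAC, or use an authenticated mode such as GCM, before trusting what comes out of DecryptCBC or CryptCTR.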

Hash Function

• The hash function is not used to encrypt data for transmission; it is used for data verification.
• A hash function takes input of any length and produces a fixed-length output.
• It is one-way: the original data cannot be recovered from the output. (It is not encryption, since there is no key and nothing to decrypt.)
• The output is called the message digest or hash value.
• Hashing is subject to the birthday paradox: for an n-bit digest, two different inputs with the same hash (a collision) can be found after roughly 2^(n/2) attempts, so a 128-bit digest offers only about 64 bits of collision resistance.
• The most popular hash families are the Secure Hash Algorithm (SHA) series and the Message Digest (MD) series.
• A hash is called collision resistant when finding a collision is no easier than that birthday bound. MD5 and SHA-1 no longer meet that bar (practical collisions have been published for both); SHA-2 (e.g. SHA-256) and SHA-3 are the collision-resistant choices today.

Hash Function Uses

• Message authentication and integrity checks (a keyed hash, HMAC, for authentication; an unkeyed hash only detects accidental corruption, since anyone who alters the message can recompute it)
• One-time passwords (hash chains, as in S/KEY)
• Verifying that distributed software is unaltered (published checksums)
• As the input to digital signatures and time stamping (the digest, not the whole message, is signed)
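The properties from the previous slide and the first two uses above, as an added example that is not part of the original deck. It uses Go's standard library: SHA-256 for the fixed-length digest and the avalanche effect, HMAC-SHA256 for message authentication, and a hash chain for one-time passwords in the S/KEY style. Function names, the key and the seed are constructed for this illustration.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Digest returns the fixed-length (256-bit) SHA-256 message digest of input
// of any length.
func Digest(data []byte) []byte {
	sum := sha256.Sum256(data)
	return sum[:]
}

// DigestHex is Digest in the hex form checksum files and test vectors use.
func DigestHex(data []byte) string {
	return hex.EncodeToString(Digest(data))
}

// DifferingBits counts the output bits that differ between two digests. For a
// good hash, changing one input character flips about half of the 256 bits,
// which is why a digest reveals nothing about how similar two inputs were.
func DifferingBits(a, b []byte) int {
	n := 0
	for i := range a {
		for x := a[i] ^ b[i]; x != 0; x >>= 1 {
			n += int(x & 1)
		}
	}
	return n
}

// Tag computes HMAC-SHA256. A bare digest only catches accidental corruption,
// because whoever alters the message can recompute it; keying the hash with a
// secret shared by sender and receiver turns an integrity check into
// message authentication.
func Tag(key, msg []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	return m.Sum(nil)
}

// VerifyTag compares in constant time so the check does not leak how many
// leading bytes of a forged tag were correct.
func VerifyTag(key, msg, tag []byte) bool {
	return hmac.Equal(Tag(key, msg), tag)
}

// HashChain applies the hash n times: h^n(seed). This is the S/KEY one-time
// password idea: the server stores h^n(seed); the user proves possession of
// the seed by revealing h^(n-1)(seed), which the server hashes once and
// compares, then stores the revealed value as the new reference. Because the
// hash is one-way, a captured password cannot be turned into the next one.
func HashChain(seed []byte, n int) []byte {
	v := append([]byte(nil), seed...)
	for i := 0; i < n; i++ {
		v = Digest(v)
	}
	return v
}

// VerifyOTP accepts presented if hashing it once yields the stored value.
func VerifyOTP(stored, presented []byte) bool {
	return bytes.Equal(Digest(presented), stored)
}

func main() {
	fmt.Println(DigestHex([]byte("abc")))
	fmt.Println(DifferingBits(Digest([]byte("abc")), Digest([]byte("abd"))))
}
```

DigestHex of "abc" reproduces the published SHA-256 test vector (ba7816bf...f20015ad), which is the quickest sanity check that a hash implementation is the one you think it is.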

Digital Signatures

Digital signatures are an application of asymmetric cryptography.

They perform the following jobs:
1. Identify the sender
2. Provide for non-repudiation
3. Demonstrate the integrity of the message

They are created by hashing the message and then transforming that digest with the sender's private key. The private key itself is never hashed or transmitted; only the resulting signature travels with the message.

Digital Signatures

The original message is sent together with its signature.

To produce the signature, the sender hashes the message and signs the digest with the private key; the signature, not the key, accompanies the message.

On the receiving end, the message is hashed again and the signature is verified against that digest using the sender's public key. If they match, the message is verified: it came from the holder of the private key and was not altered in transit.
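The sign-and-verify flow from the last two slides, as an added example that is not part of the original deck. It uses Go's standard library ECDSA on the P-256 curve with SHA-256, and exercises the three jobs listed on the previous slide: the signature verifies under the sender's public key, fails for a message changed by one bit, and fails under anyone else's public key. The function names and sample message are constructed for this illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Sign hashes the message (never the private key) and signs the digest with
// the sender's private key. Only the signature accompanies the message.
func Sign(priv *ecdsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// Verify is the receiver's side: recompute the digest of the message as
// received and check the signature against it with the sender's public key.
func Verify(pub *ecdsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// Demo exercises the three jobs from the slide: the signature verifies for
// the sender (identification), fails for a modified message (integrity),
// and fails under anyone else's public key (non-repudiation: only the
// sender's private key could have produced it).
func Demo(msg []byte) (valid, tamperedRejected, wrongSignerRejected bool, err error) {
	if len(msg) == 0 {
		return false, false, false, errors.New("empty message")
	}
	sender, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	impostor, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	sig, err := Sign(sender, msg)
	if err != nil {
		return false, false, false, err
	}
	valid = Verify(&sender.PublicKey, msg, sig)

	tampered := append([]byte(nil), msg...)
	tampered[len(tampered)-1] ^= 0x01 // one-bit change to the message
	tamperedRejected = !Verify(&sender.PublicKey, tampered, sig)

	wrongSignerRejected = !Verify(&impostor.PublicKey, msg, sig)
	return valid, tamperedRejected, wrongSignerRejected, nil
}

func main() {
	// Constructed sample message.
	valid, tampered, wrongSigner, err := Demo([]byte("constructed: approve purchase order 8812"))
	fmt.Println(valid, tampered, wrongSigner, err) // true true true <nil>
}
```

Verification only proves that the signer held the private key matching the public key you used. Binding that public key to a real identity is the job of the certificates and trust models on the following slides.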

Public Key Infrastructure (PKI)

PKI is the blueprint for the management of digital certificates. This includes the creation, distribution, expiration, escrow, and revocation of those certificates.

A digital certificate is a technology used to authenticate an entity's identity by binding that identity to a public key, with the binding signed by a third party. Certificates are usually issued by a Certificate Authority (CA), an established third party that can authenticate the identities of its members. Entities who are unknown to each other can thereby develop a trust relationship based on the exchange of these certificates, provided each of them trusts the CA that signed the other's certificate.

PKI

A digital certificate is normally composed of:
1. The holder's public key
2. Certificate serial number
3. The holder's Distinguished Name (DN)
4. The certificate's validity period
5. Unique name of the issuer (CA)
6. Digital signature of the issuer
7. Signature algorithm identifier
8. Version of the certificate standard (X.509)

Trust Models (Types)

Trust Model: A trust model defines the relationship between two or more entities and attempts to ensure a level of confidence in the information passed between those entities.

Two basic types:
1. Direct
2. Third party

Three types of third-party verification are examined in this brief:
1. Single Authority
2. Hierarchical
3. Web of Trust

Third-party trust relationships are normally established by exchanging certificates.

Single Authority Trust Model

This is the simplest trust arrangement possible. The system has one Certificate Authority, which issues certificates directly to the users. Its weakness is that the single CA key is a single point of failure: if it is compromised, every certificate it ever issued becomes suspect.

Hierarchical Trust Model

This model is composed of one main or root CA that issues certificates to secondary (intermediate) and possibly tertiary CAs, which in turn issue the end-entity (leaf) certificates to the users. A relying party only needs to trust the root; the root key can be kept offline while the intermediates do the day-to-day issuing, and compromising an intermediate exposes only the certificates beneath it.

Web of Trust Model

In the Web of Trust model there is no common CA. Individual entities verify and sign the certificates of the other participants and in effect vouch for each other. It is also known as the Mesh or Peer-to-Peer model; PGP is the best-known example.

http://www.youtube.com/watch?v=0VhMiipj3I4

PKI (Terminology)

Certificate Authority (CA) – Person or group (trusted third party) responsible for issuing certificates to authorized users.
Certificate Repository (CR) – Public database of digital certificates from which the status / validity of a given cert can be established.
Certificate Revocation List (CRL) – Signed, public list of all certificates the CA has voided before their expiration date; relying parties check it (or its online equivalent, OCSP) before trusting a cert, and must verify the CA's signature on the list itself.
Certificate Expiration – Occurs when a cert's end-of-validity date has been reached, signifying that it is no longer valid. The key pair it certifies should be retired with it.
Certificate Revocation – The cancellation of a cert prior to its expiration date, for example after a private-key compromise or when the holder leaves the organization. It is the standard way to deactivate a key pair early, but it only takes effect if relying parties actually consult the CRL or OCSP.
Certificate Suspension – A temporary, reversible revocation (CRL reason code "certificate hold"). The cert is treated as invalid until the CA either lifts the hold or converts it into a permanent revocation.
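The hierarchical trust model and the terminology above in code, as an added example that is not part of the original deck. Using Go's standard library crypto/x509 (Go 1.19 or later for the CRL functions), it builds a root CA, an intermediate CA signed by the root, and a user (leaf) certificate signed by the intermediate, with the certificate fields listed on slide 16; it then verifies the chain from the relying party's point of view, shows expiration rejecting the leaf, and publishes and checks a CRL for revocation. The CA names, serial numbers, the fixed clock and the user name are constructed for this illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

var now = time.Date(2012, time.February, 2, 0, 0, 0, 0, time.UTC) // constructed clock; validity is relative to it

// issue signs template with parentKey (self-signed when parent is nil); returns the cert and its new key.
func issue(template, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = template, key
	}
	der, err := x509.CreateCertificate(rand.Reader, template, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// caTemplate sets the slide's fields (serial, subject DN, validity period) plus the CA flag and key
// usages; issuer name, signature algorithm and signature are filled in by CreateCertificate.
func caTemplate(cn string, serial int64, years int) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, NotBefore: now, NotAfter: now.AddDate(years, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

type Hierarchy struct {
	Root, Intermediate, Leaf *x509.Certificate
	intermediateKey          *ecdsa.PrivateKey
}

// Build creates the three-tier model: the root signs the intermediate, and the
// intermediate signs the end-entity (leaf) certificate that a user presents.
func Build() (*Hierarchy, error) {
	root, rootKey, err := issue(caTemplate("Constructed Root CA", 1, 20), nil, nil)
	if err != nil {
		return nil, err
	}
	inter, interKey, err := issue(caTemplate("Constructed Intermediate CA", 2, 10), root, rootKey)
	if err != nil {
		return nil, err
	}
	leaf, _, err := issue(&x509.Certificate{SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: "user@example.test"}, NotBefore: now, NotAfter: now.AddDate(1, 0, 0)}, inter, interKey)
	if err != nil {
		return nil, err
	}
	return &Hierarchy{Root: root, Intermediate: inter, Leaf: leaf, intermediateKey: interKey}, nil
}

// Verify is the relying party's check at time at: it trusts only the root, is handed the
// intermediate with the leaf, and walks leaf -> intermediate -> root checking every signature
// and validity period; an expired leaf fails even though both CAs are still valid.
func (h *Hierarchy) Verify(at time.Time) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(h.Root)
	inters.AddCert(h.Intermediate)
	_, err := h.Leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, CurrentTime: at})
	return err
}

// RevokeLeaf has the issuing CA publish a signed CRL listing the leaf's serial number.
func (h *Hierarchy) RevokeLeaf() ([]byte, error) {
	return x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.AddDate(0, 0, 7),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: h.Leaf.SerialNumber, RevocationTime: now}},
	}, h.Intermediate, h.intermediateKey)
}

// IsRevoked checks cert against a CRL only after confirming the issuer signed that CRL;
// an unsigned or forged list could otherwise hide (or fake) a revocation.
func IsRevoked(cert, issuer *x509.Certificate, crlDER []byte) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return false, err
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return false, err
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}
```

Two things this makes concrete: chain verification succeeds with nothing but the root in the trust store, because the intermediate travels with the leaf; and a revocation is worthless unless the relying party fetches the CRL and checks the issuer's signature on it, which is why IsRevoked refuses a list the intermediate did not sign.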


Conclusion:
