Encryption algorithms and techniques
- Algorithm: step-by-step method of solving a problem
- Encryption algorithms: mathematical formulas used to encrypt and decrypt data
- Keys should still change on a regular basis even though they may be "unhackable"
- đź“ť In terms of speed
- Symmetric encryption algorithms are faster than asymmetric algorithms
- Stream ciphers (including AES in CTR) are usually faster than hash functions
Encryption types per OSI layer​
| OSI layer | Â Encryption type | Description |
|---|---|---|
| 2 | Link encryption | Everything including original headers is encrypted |
| 3 | Network encryption | Everything in the packet is encrypted |
| 4 | Protocol encryption | Specific protocols are entirely encrypted e.g. SSL |
| 5 | Service based encryption | Encryption for specific services on specific hosts |
| 6 | Data encryption | |
| 7 | Application based information encryption |
Symmetric algorithms​
- Both ends of the transmission must use the same key.
- Requires to find a secondary secure channel to send the symmetric key to the recipient to ensure security.
DES (Data Encryption Standard)​
- Block cipher, 56-bit key, 64-bit block size
- Developed in the early 1970s at IBM
- Was a standard set by NSA but was withdrawn, quickly outdated
- Used in initial implementation of Kerberos but later deprecated
- Considered insecure, has been superseded by the Advanced Encryption Standard (AES)
3DES (Triple Data Encryption Standard)​
- Block cipher, 168-bit key
- More effective than DES but much slower
- 3 keys are used:
- Used to encrypt the plain text
- Used to decrypt ciphertext resulting from the first round of encryption
- Used to encrypt the ciphertext that resulted from the decryption with the 2nd key
AES (Advanced Encryption Standard)​
- Iterated block cipher, 128, 192 or 256 bit key, 128-bit block size
- Original name is Rijndael, named to AES after Advanced Encryption Standard contest.
- Symmetric-key algorithm
- Performs same operation multiple size
- Approved and used by NSA
- Much faster than DES and 3DES for bulk data encryption.
RC (Rivest Cipher)​
- đź“ť Symmetric-key algorithm.
- Lost to AES in Advanced Encryption Standard contest.
RC4​
- Variable length key algorithm
- Uses random permutations
- Stream cipher
RC5​
- Parameterized algorithm
- Block cipher (slower)
- Variable
- block size: can be 32, 64, or 128 bits
- key size: between 0 and 2048 bits
- number of rounds: between 0 and 255
RC6​
- Extends RC5 with two features
- integer multiplication
- 4-bit registers (RC5 uses 2-bit registers)
Blowfish​
- Fast symmetric block cipher, 64-bit block size, 32 to 448 bits key
- Considered public domain
- Insecure
Twofish​
- Symmetric-key block cipher
- Uses 128-bit blocks
- Key size can range between 0 and 256 bits.
- Lost to AES as finalist in Advanced Encryption Standard contest.
Asymmetric algorithms​
RSA (Rivest–Shamir–Adleman)​
- One of the common used encryption standards for data transmission.
- đź“ť Achieving strong encryption through the use of two large prime numbers
- Solves
- I want anybody to be able to encrypt a message, but I'm the only one who can decrypt it. I don't want to share decryption keys with anybody.
- There are no published methods to defeat the system if a large enough key is used.
- Wide usage, e.g. SSH for public key authentication
- A lot safer than password authentication (should be disabled after copying keys)
- Steps
ssh-gen -t rsacreates private and public keys in.sshfolder- Copy the key to server to be connected
- Can run e.g.
ssh-copy-id user@192.168.122.37with ssh password - Or just copy
~/.ssh/id_rsa.pubto the server manually.
- Can run e.g.
- đź’ˇ In RSA crypto, when you generate a key pair, it's completely arbitrary which one you choose to be the public key, and which is the private key.
- If you encrypt with one, you can decrypt with the other - it works in both directions.
- When encrypting, private key is used to decrypt and public key to decrypt
- "I want to be able to encrypt certain information and use it as a product key for my software."
- When signing, private key is used to encrypt and public key to decrypt
- "I want to use my private key to generate messages so only I can possibly be the sender."
- Recommended key size is 2048 bits or higher.
- 🤗 RSA Factoring Challenge
- Held between 1991 and 2007 with price awards
- Goal was to factoring prime numbers used by RSA
- Shows cryptanalytic strength of RSA
Diffie–Hellman​
- Also known as Diffie Hellman or DH
- Used for generating a shared key between two entities over an insecure channel.
- One of the first public-key protocols
- 📝 Used in • SSL • IKE (Internet Key Exchange) | IPsec
- âť— If digital signatures are waived, vulnerable to MITM attacks
- Enables two parties to encrypt their traffic with a shared key.
- Solves: We have a symmetric encryption scheme and want to communicate. We don't want anybody else to have the key, so we can't say it out loud (or over a wire).
Diffie–Hellman groups​
- Determines the strength of the key used in the Diffie-Hellman key exchange process.
- Higher Diffie-Hellman Group numbers are more secure, but requires more computation power.
- • Group 1 (768-bit) • Group 2 (1024-bit) • Group 5 (1536-bit) • Group 14 (2048-bit) • Group 15 (3072-bit) • Group 19 (256-bit elliptic curve) • Group 20 (384-bit elliptic curve) • Group 21 (521-bit elliptic curve) • Group 24 (2048-bit, 256 bit subgroup)
Elliptic-curve Diffie–Hellman​
- Also known as • ECDH • Elliptic curve Diffie Hellman
- Variant of the Diffie–Hellman protocol using elliptic-curve cryptography
- 📝 Used in • SSH • TLS 1.3
ECC (Elliptic-curve cryptography)​
- Also known as elliptic curve cryptosystem
- Using points on elliptical curve along with logarithmic problems
- Using less processing power, smaller keys, good for mobile devices
DSA (Digital Signature Algorithm)​
- Asymmetric algorithm
- Private key tells who signed the message
- Public key verifies the digital signature
- In the message exchange, each entity creates a public and private key.
- Per FIPS 186-5, it's not recommended for signature generation but approved for signature verification.
Symmetric vs asymmetric algorithms​
| Differentiator | Symmetric Key Encryption | Asymmetric Key Encryption |
|---|---|---|
| Key | Only one key (symmetric key) is used to encrypt and decrypt | Â Two different cryptographic keys (asymmetric keys), called the public and the private keys, are used to encrypt and decrypt |
| Â Complexity and Speed of Execution | Simple technique, fast encryption | More complicated process, slower |
| Length of key | Â Smaller, usually 128, 256 and 512 bits | Much larger, e.g. recommended RSA key size is 2048 bits or higher |
| Common usage | When large chunks of data need to be transferred. | Smaller transactions, primarily to authenticate and establish a secure communication channel prior to the actual data transfer. |
| Â Security | Â The secret key is shared. Consequently, the risk of compromise is higher. | The private key is not shared, and the overall process is more secure as compared to symmetric encryption. |