Crypto (technically also referred to as cryptography) includes many techniques for protecting messages. Crypto allows you to transform text, images, sound and video messages to be hidden from others who do not have a specific key needed to decode the message. Using crypto to encode a message is called encryption, to decode a message is called decryption.
Crypto is one of the technologies that can be used for both military and civilian purposes. Most historical records about the use of crypto involve military, spies and diplomats. Julius Caesar used a simple way to encrypt messages sent from his field commanders. During the 2nd World War, Hitler very effectively used an Enigma machine to encrypt messages sent by radio to coordinate his battalions and U-Boats.
Civilian use of crypto also goes back many centuries. Crypto was used to protect science and industry secrets, and also to keep romantic relationships private. During the 2nd World War, lovers sent many more encrypted letters than spies, but the lovers almost always used weaker crypto methods. Lovers and spies had the same reason to use crypto: to prevent the wrong person from reading their letters and keep the contents secret. Crypto has always been used to protect privacy.
Currently, use of crypto for business and trade has overtaken the volume of crypto used by governments and militaries combined. Crypto is used to encode satellite television signals, protect banking and ATM networks, and almost every purchase done over the internet. Without crypto, internet based e-commerce would not be as widespread. Crypto is a way to maintain trust, keep secrets and reduce the risk of trade.
Messages are encrypted with an encryption algorithm. In a secret key encryption algorithm (technically also referred to as symmetric key algorithm), a secret key is needed to encrypt and decrypt a message. A message encrypted with a certain key cannot be decrypted with a different key. The secret key acts like a password to protect the message, where the password is only known among people who need to know the message. The sender and receiver of the message need to have the same secret key in order to ensure that the contents of their message are kept secret. This type of algorithm has been in use for many centuries.
4. What Is A Secure Size for Secret Keys Used in Crypto?
Short keys can have drastic consequences for the security of encrypted messages. Attackers can attempt to decrypt messages by guessing every possible key, and this is feasible today, using the computing power that is available within homes and organizations or even using the aggregated computing power of networked computers. However, the measure of security based on secret key length is only based on one method to attack crypto. That method involves a brute force search for all possible keys that can decrypt a message. There are many other methods for attacking a crypto system as discussed in the next section.
5. What makes Secret Key Crypto Secure?
Secret key crypto systems are not all equally secure. Some crypto systems do not protect messages well enough against attackers. For some crypto systems, an attacker does not even need to know the secret key to be able to decrypt the message. The security of a secret key crypto system depends on many factors:
- Secrecy of the secret key.
During 2000, the US National Institute of Standards and Technology (NIST) approved a crypto method as the new Advanced Encryption Standard (AES). AES is around six times faster than 3DES when used in software, while in hardware AES is also still much faster than 3DES. AES is now much more widely used in many sectors, including banking, finance, business, military and government. As of June 2003, the US Government announced that AES may be used to protect SECRET level classified information, while TOP SECRET information will require using a secret key size of 192 or 256 bits. This is the first time that the general public is able to use crypto certifiably approved by the NSA even for TOP SECRET information.
6. Comparing Secret Key Crypto Methods
There are many secret key crypto methods in use nowadays. Here's a comparison of most of the algorithms available.
DES
The Data Encryption Standard became a US Government standard in 1977. It has a maximum secret key size of 56 bits. Its use is no longer recommended due to the short key size and some mathematical weaknesses. In 1998, the Electronic Frontier Foundation (EFF) built a hardware machine (nicknamed Deep Crack), which cost US$250,000 and was used to demonstrate cracking a DES encrypted message in 22 hours.
Triple-DES (3DES or TDES)
Triple-DES made DES more secure by using a larger secret key size of 168 bits. The secret key is broken up into 3 secret keys of 56 bits each, which are used to encrypt data using DES 3 times. 3DES was a temporary response to the demonstrated insecurity of DES and was used by some financial institutions. Even though 3DES is secure, it is computationally expensive and slow. 3DES use has been phased out and substituted by AES, which is much faster and more secure.
IDEA
The International Data Encryption Algorithm (IDEA) was developed in Switzerland during 1990 and uses a 128 bit secret key. IDEA is used by PGP, a popular program for secure desktop email. IDEA is not widely adopted due to protection by some US registered software patents. IDEA is secure, but is being phased out in favor of AES.
RC2 and RC4
Developed by Ronald Rivest of RSA Security. They were not intended for release to the public, until they were revealed in an anonymous internet posting during 1994. RC2 and RC4 are very secure and allow secret key size of 2048 bits. RC2 is used to encrypt messages and data in files, while RC4 is used to encrypt streams of data (e.g. phone calls, satellite digital TV transmissions). Export from the US was restricted to 40 bit secret key size. There are some secret keys that are weak and relatively easy to crack if used to encrypt a message; perhaps that is a reason RC2 was not intended for public release.
RC5
Developed by Ronald Rivest of RSA Security and published for review in 1994. RC5 was perhaps published as a fix to RC2 and RC4. RC5 is very secure and allows secret key size of 128-256 bits, while export from the US was restricted to 40 bit secret key size. RC5 is being phased out in favor of AES. RC5 is not widely adopted mainly due to protection by US registered software patents.
RC6
Developed by Ronald Rivest's team at RSA Labs and published to compete according to the requirements of the Advanced Encryption Standard (AES) during the year 2000. RC6 was one of five finalists. RC6 is not widely adopted mainly due to protection by US registered software patents.
Blowfish
Developed by Bruce Schneier of Counterpane Security. Blowfish is fast, compact and allows secret key size of up to 448 bits. Blowfish is unpatented and its source code for software implementation is released into the public domain. Blowfish has been phased out by the introduction of Twofish, which is faster and more secure.
Twofish
Developed by Bruce Schneier of Counterpane Security. Twofish is fast, secure, compact and allows secret key size of 128-256 bits. Twofish is an improvement on Blowfish. Twofish is unpatented and its source code for software implementation is released into the public domain. Twofish was one of the five finalists to compete according to the requirements of the Advanced Encryption Standard (AES) during the year 2000. Twofish is being phased out in favor of the standardised AES (technically also referred to as Rijndael), which is generally faster and more secure.
AES, technically also referred to as Rijndael, developed by Belgian crypto experts, was chosen after a 3 year selection process as the standard AES crypto in October 2000 by the US National Institute of Standards and Technology. AES is extremely fast (as hardware or software), compact, secure and allows secret key size of 128, 192 or 256 bits. AES is suitable for encrypting messages or data in files, and also suitable for encrypting streams of data (e.g. satellite or digital TV transmissions). Use of AES is not restricted by any patents and has been widely adopted by banking, government, military and many commercial enterprises.
7. What Makes Public Key Crypto Secure?
Public key crypto is typically used to encrypt messages and digitally sign messages. For encrypting messages, a public key is needed to encrypt and a private key is needed to decrypt the message. The public key is made available to anyone in public. The private key is only kept by the person who needs to decrypt the message. This can be considered as similar to a mailbox: anyone in public can send a letter to the mailbox, but only the owner of the mailbox can open it and read the letters in the mailbox.
8. Compare Public Key Crypto Systems
There are many secret key crypto methods in use nowadays. Here's a comparison of the algorithms available.
Diffie-Hellman Key Exchange
This is a method for exchanging secret keys over a public communication system. Diffie-Hellman involves some mathematically based alteration of mutually agreed values, exchanging the keys generated, then calculating a secret key which cannot easily be guessed by an attacker who knows the keys that have been exchanged.
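The exchange described above, written out for both parties as an added example (not part of the original page). The prime P, the generator G and all function names are assumptions chosen for illustration; a 127-bit prime is far too small for real use.

```python
import hashlib
import secrets

# Mutually agreed public values (toy parameters, assumed for illustration only).
P = 2**127 - 1   # a Mersenne prime; real systems use 2048-bit or larger groups
G = 3

def keypair():
    """Pick a private exponent and derive the public value that is sent."""
    private = secrets.randbelow(P - 3) + 2      # uniform in [2, P-2]
    public = pow(G, private, P)                 # the "altered" agreed value
    return private, public

def shared_key(my_private, their_public):
    """Combine own private exponent with the peer's public value."""
    # Reject degenerate values that would force a predictable secret.
    if not 1 < their_public < P - 1:
        raise ValueError("rejecting degenerate public value")
    secret = pow(their_public, my_private, P)
    # Hash the raw group element down to a 256-bit symmetric key.
    return hashlib.sha256(secret.to_bytes(16, "big")).digest()

def exchange():
    """Run both sides; 'wire' is everything an eavesdropper gets to see."""
    a_priv, a_pub = keypair()                   # first party
    b_priv, b_pub = keypair()                   # second party
    wire = {"p": P, "g": G, "A": a_pub, "B": b_pub}
    k_first = shared_key(a_priv, b_pub)
    k_second = shared_key(b_priv, a_pub)
    return wire, k_first, k_second

if __name__ == "__main__":
    wire, k1, k2 = exchange()
    print("seen on the wire:", wire)
    print("keys match:", k1 == k2)
```

Both parties arrive at the same key because (G^a)^b and (G^b)^a are the same number modulo P, while the private exponents never leave their owners.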
DSA/DSS
This Digital Signature Standard (DSS) is based on the Digital Signature Algorithm (DSA) and was invented by the US National Security Agency (NSA). DSS has been standardised by the US National Institute of Standards and Technology (NIST), to use public key size of 512 and 1024 bits and is only for digital signing of documents and messages. DSS keys are not to be used for the encryption of messages. Some systems use the non-standard Digital Signature Algorithm for digital signatures and encryption.
Elliptic Curves
As the name suggests, this kind of public key crypto system uses elliptic curves (mathematically defined by the equation $y^2 = x^3 + ax + b$). This system allows use of much smaller public key sizes, that offer a higher degree of security, while being very fast to calculate. Elliptic curve based public key crypto systems are very recent inventions that are not in widespread use due to their high cost and proprietary nature. Elliptic curve crypto systems are used mainly to encrypt data.
RSA is a well known public key crypto system developed in the 1970s. RSA is named after its inventors, Rivest, Shamir and Adleman. RSA is now very widely used due to the efforts at standardisation and non-proprietary specification. RSA is commonly used for sending data over the internet and is the trusted engine driving e-commerce. RSA can be used to encrypt messages and for digital signatures. The US National Institute of Standards and Technology (NIST) recommends using RSA key size of 1024 bits for securing messages until the year 2010, after which RSA key size of 2048 bits must be used.
Authenticate
Authentication means checking or verifying a person's identity. Authentication can be done by meeting in person, checking photo ID, video camera, ensuring possession of a physical key or even recognizing a voice over the phone. Several high tech authentication methods include DNA tests, fingerprint or retina scans (biometrics). Crypto techniques for authentication allow digital signatures to identify a website for e-commerce and also the sender of an email message. Digital signatures can be used along with passwords or biometrics.
Authorize
Authorization means deciding what a person may or may not do. This occurs only after authentication is done, since it would not be proper to grant permission to the wrong person, and at the same time it would not be proper to deny permission to the right person. Crypto techniques may be used to distribute lists of authorized users and make them impossible to falsify.
Confidential
Confidentiality means protecting messages, sent over any network connection and stored on servers, from being read by eavesdroppers. Often, the term privacy is used interchangeably with confidentiality. Secrecy is also confused with confidentiality in crypto, but crypto cannot prevent an eavesdropper from knowing (with traffic analysis) that some communication is ongoing or has occurred.
Integrity
Integrity means that messages sent over any network connection arrive unmodified on the other side. Crypto methods (digitally signed message digests) are used to verify that a message has not been altered while in transit.
10. What Can Crypto Not Protect Against?
Unencrypted Messages
If messages are encrypted when sent, but the originals are kept as unencrypted messages, then anyone can check your messaging device in order to see the content of your messages.
Stolen Keys
If secret keys used for encryption are stolen then anyone can read the content of your messages. If private keys used for decryption are stolen then anyone can read the content of your messages. Even if someone cannot steal your keys but is able to purchase your keys then they may be able to decrypt your messages.
Denial of Service Attacks
For many kinds of usage, an attacker can cause significant damage or loss of funds simply by pulling the plug on your communications or even just deleting your encrypted messages. Attackers don't always need to listen to your communications; some attackers may achieve their goals by simply denying you the ability to communicate.
Traffic Analysis
Sometimes, it is sufficient to know the pattern of encrypted communications. Other times, it may be sufficient to detect a connection between an encrypted message and another event that is apparently visible.
Trojaned Systems
An attacker can modify your encryption program to make it not just worthless, but also misleading about the degree of security. An attacker can install a keyboard sniffer to detect all the keystrokes you enter, and then transmit those keystrokes to a location that's easily retrievable by them. You can only be absolutely certain about eliminating these possibilities if you write or inspect all the programs that run on your system. These possibilities are relevant for any communications device, whether or not there is any crypto involved. It is possible to minimize these risks by only using programs published from trusted sources.
Traitors Or Mistakes
Any security system will usually have humans as the weakest link in the chain. If you send encrypted messages to a friend, but your friend chooses to forward your message to other people, then this becomes a matter of broken trust rather than a broken crypto system.
Snoopers
If you leave your phone lying around while you go to the bathroom, then somebody can use your device in ways that you never intended.


