There are two classes of encryption used to provide data confidentiality; asymmetric and symmetric. These two classes differ in how they use keys. In this article, I am going to talk about data confidentiality in Cybersecurity. Symmetric encryption algorithms such as Data Encryption Standard (DES), 3DES, and Advanced Encryption Standard (AES) are based on the premise that each communicating party knows the pre-shared key. Data confidentiality can also be ensured using asymmetric algorithms, including Rivest, Shamir, and Adleman (RSA) and the public key infrastructure (PKI).
Note: DES is a legacy algorithm and should not be used. 3DES should be avoided if possible.
The figure highlights some differences between symmetric and asymmetric encryption.
The figure highlights some differences between symmetric and asymmetric encryption.
Characteristics of symmetric encryption include: use the same key to encrypt and decrypt data; key lengths are short (40 bits – 256 bits); faster than asymmetric encryption; and commonly used for encrypting bulk data such as in VPN traffic.
Characteristics of asymmetric encryption include: uses different keys to encrypt and decrypt data; key lengths are long (512 bits – 4096 bits); computationally tasking therefore slower than symmetric encryption, and commonly used for quick data transactions such as HTTPS when accessing your bank data.
Symmetric Encryption
Symmetric algorithms use the same pre-shared key to encrypt and decrypt data. A pre-shared key, also called a secret key, is known by the sender and receiver before any encrypted communications can take place.
To help illustrate how symmetric encryption works, consider an example where Alice and Bob live in different locations and want to exchange secret messages with one another through the mail system. In this example, Alice wants to send a secret message to Bob.
In the figure, Alice and Bob have identical keys to a single padlock. These keys were exchanged prior to sending any secret messages. Alice writes a secret message and puts it in a small box that she locks using the padlock with her key. She mails the box to Bob.
The message is safely locked inside the box as the box makes its way through the post office system. When Bob receives the box, he uses his key to unlock the padlock and retrieve the message. Bob can use the same box and padlock to send a secret reply back to Alice.
Symmetric Encryption Example
Today, symmetric encryption algorithms are commonly used with VPN traffic. This is because symmetric algorithms use less CPU resources than asymmetric encryption algorithms. This allows the encryption and decryption of data to be fast when using a VPN.
When using symmetric encryption algorithms, like any other type of encryption, the longer the key, the longer it will take for someone to discover the key. Most encryption keys are between 112 and 256 bits. To ensure that the encryption is safe, a minimum key length of 128 bits should be used. Use a longer key for more secure communications.
Symmetric encryption algorithms are sometimes classified as either a block cypher or a stream cypher. Click the buttons to learn about these two cypher modes.
Well-known symmetric encryption algorithms are described in the table.
| Symmetric Encryption Algorithms | Description |
|---|---|
| Data Encryption Standard (DES) | This is a legacy symmetric encryption algorithm. It uses a short key length that makes it insecure for most current uses. |
| 3DES (Triple DES) | The is the replacement for DES and repeats the DES algorithm process three times. It should be avoided if possible as it is scheduled to be retired in 2023. If implemented, use very short key lifetimes. |
| Advanced Encryption Standard (AES) | AES is a popular and recommended symmetric encryption algorithm. It offers combinations of 128-, 192-, or 256-bit keys to encrypt 128, 192, or 256 bit-long data blocks. |
| Software-Optimized Encryption Algorithm (SEAL) | SEAL is a faster alternative symmetric encryption algorithm to AES. SEAL is a stream cypher that uses a 160-bit encryption key and has a lower impact on the CPU compared to other software-based algorithms. |
| Rivest ciphers (RC) series algorithms | This algorithm was developed by Ron Rivest. Several variations have been developed, but RC4 was the most prevalent in use. RC4 is a stream cypher that was used to secure web traffic. It has been found to have multiple vulnerabilities which have made it insecure. RC4 should not be used. |
Asymmetric Encryption
Asymmetric algorithms, also called public-key algorithms, are designed so that the key that is used for encryption is different from the key that is used for decryption, as shown in the figure. The decryption key cannot, in any reasonable amount of time, be calculated from the encryption key and vice versa.
The figure shows an example of asymmetric encryption where the encryption key is different from the decryption key.
Asymmetric Encryption Example
Asymmetric algorithms use a public key and a private key. Both keys are capable of the encryption process, but the complementary paired key is required for decryption. The process is also reversible. Data that is encrypted with the public key requires the private key to decrypt. Asymmetric algorithms achieve confidentiality and authenticity by using this process.
Because neither party has a shared secret, very long key lengths must be used. Asymmetric encryption can use key lengths between 512 to 4,096 bits. Key lengths greater than or equal to 2,048 bits can be trusted, while key lengths of 1,024 or shorter are considered insufficient.
Examples of protocols that use asymmetric key algorithms include:
- Internet Key Exchange (IKE) – This is a fundamental component of IPsec VPNs.
- Secure Socket Layer (SSL) – This is now implemented as IETF standard Transport Layer Security (TLS).
- Secure Shell (SSH) – This protocol provides a secure remote access connection to network devices.
- Pretty Good Privacy (PGP) – This computer program provides cryptographic privacy and authentication. It is often used to increase the security of email communications.
Asymmetric algorithms are substantially slower than symmetric algorithms. Their design is based on computational problems, such as factoring extremely large numbers or computing discrete logarithms of extremely large numbers.
Because they are slow, asymmetric algorithms are typically used in low-volume cryptographic mechanisms, such as digital signatures and key exchange. However, the key management of asymmetric algorithms tends to be simpler than symmetric algorithms, because usually one of the two encryption or decryption keys can be made public.
Common examples of asymmetric encryption algorithms are described in the table.
| Asymmetric Encryption Algorithm | Key Length | Description |
|---|---|---|
| Diffie-Hellman (DH) | 512, 1024, 2048, 3072, 4096 | The Diffie-Hellman algorithm allows two parties to agree on a key that they can use to encrypt messages they want to send to each other. The security of this algorithm depends on the assumption that it is easy to raise a number to a certain power, but difficult to compute which power was used given the number and the outcome. |
| Digital Signature Standard (DSS) and Digital Signature Algorithm (DSA) | 512 – 1024 | DSS specifies DSA as the algorithm for digital signatures. DSA is a public key algorithm based on the ElGamal signature scheme. Signature creation speed is similar to RSA, but is 10 to 40 times slower for verification. |
| Rivest, Shamir, and Adleman encryption algorithms (RSA) | 512 to 2048 | RSA is for public-key cryptography that is based on the current difficulty of factoring very large numbers. It is the first algorithm known to be suitable for signing, as well as encryption. It is widely used in electronic commerce protocols and is believed to be secure given sufficiently long keys and the use of up-to-date implementations. |
| EIGamal | 512 – 1024 | An asymmetric key encryption algorithm for public-key cryptography which is based on the Diffie-Hellman key agreement. A disadvantage of the ElGamal system is that the encrypted message becomes very big, about twice the size of the original message and for this reason it is only used for small messages such as secret keys. |
| Elliptic curve techniques | 224 or higher | Elliptic curve cryptography can be used to adapt many cryptographic algorithms, such as Diffie-Hellman or ElGamal. The main advantage of elliptic curve cryptography is that the keys can be much smaller. |
Asymmetric Encryption – Confidentiality
Asymmetric algorithms are used to provide confidentiality without pre-sharing a password. The confidentiality objective of asymmetric algorithms is initiated when the encryption process is started with the public key.
The process can be summarized using the formula:
The process can be summarized using the formula:
Public Key (Encrypt) + Private Key (Decrypt) = Confidentiality
When the public key is used to encrypt the data, the private key must be used to decrypt the data. Only one host has a private key; therefore, confidentiality is achieved.
When the public key is used to encrypt the data, the private key must be used to decrypt the data. Only one host has a private key; therefore, confidentiality is achieved.
If the private key is compromised, another key pair must be generated to replace the compromised key.
Asymmetric Encryption – Authentication
The authentication objective of asymmetric algorithms is initiated when the encryption process is started with the private key.
The process can be summarized using the formula:
The process can be summarized using the formula:
Private Key (Encrypt) + Public Key (Decrypt) = Authentication
When the private key is used to encrypt the data, the corresponding public key must be used to decrypt the data. Because only one host has the private key, only that host could have encrypted the message, providing authentication of the sender. Typically, no attempt is made to preserve the secrecy of the public key, so any number of hosts can decrypt the message. When a host successfully decrypts a message using a public key, it is trusted that the private key encrypted the message, which verifies who the sender is. This is a form of authentication.
When the private key is used to encrypt the data, the corresponding public key must be used to decrypt the data. Because only one host has the private key, only that host could have encrypted the message, providing authentication of the sender. Typically, no attempt is made to preserve the secrecy of the public key, so any number of hosts can decrypt the message. When a host successfully decrypts a message using a public key, it is trusted that the private key encrypted the message, which verifies who the sender is. This is a form of authentication.
Click the buttons to view how the private and public keys can be used to provide authentication to the data exchange between Bob and Alice.
Asymmetric Encryption – Integrity
Combining the two asymmetric encryption processes provides message confidentiality, authentication, and integrity.
The following example will be used to illustrate this process. In this example, a message will be ciphered using Bob’s public key and a ciphered hash will be encrypted using Alice’s private key to provide confidentiality, authenticity, and integrity.
The following example will be used to illustrate this process. In this example, a message will be ciphered using Bob’s public key and a ciphered hash will be encrypted using Alice’s private key to provide confidentiality, authenticity, and integrity.
Diffie-Hellman
Diffie-Hellman (DH) is an asymmetric mathematical algorithm that allows two computers to generate an identical shared secret without having communicated before. The new shared key is never actually exchanged between the sender and receiver. However, because both parties know it, the key can be used by an encryption algorithm to encrypt traffic between the two systems.
Here are two examples of instances when DH is commonly used:
Here are two examples of instances when DH is commonly used:
- Data is exchanged using an IPsec VPN
- SSH data is exchanged
To help illustrate how DH operates, refer to the figure.
The figure illustrates how the Diffie-Hellman algorithm works by using colours. Assume Alice and Bob have agreed to start with 50 millilitres (50ml) of yellow paint. Alice adds 50 ml of red paint to the yellow paint to create a 100 ml amount of orange paint. Bob mixes his 50 ml of yellow paint with 50 ml of blue paint to create 100 ml of green paint. Alice sends Bob her 100 ml of orange colour paint and Bob sends Alice his 100 ml green colour paint. Alice then proceeds to add another 50 ml of her red paint to Bob’s 100 ml of green paint to create 150 ml of brown paint. Bob mixes another 50 ml of blue paint to the 100 ml of Alice’s orange paint to create 150 ml of the exact same colour brown colour paint that Alice created.
Next, Alice and Bob will each select a secret colour. Alice chose red while Bob chose blue. These secret colours will never be shared with anyone. The secret colour represents the chosen secret private key of each party.
Alice and Bob now mix the shared common colour (yellow) with their respective secret colour to produce a public colour. Therefore, Alice will mix the yellow with her red colour to produce a public colour of orange. Bob will mix the yellow and the blue to produce a public colour of green.
Alice sends her public colour (orange) to Bob and Bob sends his public colour (green) to Alice.
Alice and Bob each mix the colour they received with their own, original secret colour (Red for Alice and blue for Bob.). The result is a final brown colour mixture that is identical to the partner’s final colour mixture. The brown colour represents the resulting shared secret key between Bob and Alice.
The security of DH is based on the fact that it uses very large numbers in its calculations. For example, a DH 1024-bit number is roughly equal to a decimal number of 309 digits. Considering that a billion is 10 decimal digits (1,000,000,000), one can easily imagine the complexity of working with not one, but multiple 309-digit decimal numbers.
Diffie-Hellman uses different DH groups to determine the strength of the key that is used in the key agreement process. The higher group numbers are more secure, but require additional time to compute the key. The following identifies the DH groups supported by Cisco IOS Software and their associated prime number value:
- DH Group 1: 768 bits
- DH Group 2: 1024 bits
- DH Group 5: 1536 bits
- DH Group 14: 2048 bits
- DH Group 15: 3072 bits
- DH Group 16: 4096 bits
Note: A DH key agreement can also be based on elliptic curve cryptography. DH groups 19, 20, and 24, which are based on elliptic curve cryptography, are also supported by Cisco IOS Software.
Unfortunately, asymmetric key systems are extremely slow for any sort of bulk encryption. This is why it is common to encrypt the bulk of the traffic using a symmetric algorithm, such as 3DES or AES and use the DH algorithm to create keys that will be used by the encryption algorithm.
Action Point
PS: If you would like to have an online course on any of the courses that you found on this blog, I will be glad to do that on an individual and corporate level, I will be very glad to do that I have trained several individuals and groups and they are doing well in their various fields of endeavour. Some of those that I have trained includes staffs of Dangote Refinery, FCMB, Zenith Bank, New Horizons Nigeria among others. Please come on Whatsapp and let’s talk about your training. You can reach me on Whatsapp HERE. Please note that I will be using Microsoft Team to facilitate the training.
I know you might agree with some of the points that I have raised in this article. You might not agree with some of the issues raised. Let me know your views about the topic discussed. We will appreciate it if you can drop your comment. Thanks in anticipation.
Fact Check Policy
CRMNIGERIA is committed to fact-checking in a fair, transparent and non-partisan manner. Therefore, if you’ve found an error in any of our reports, be it factual, editorial, or an outdated post, please contact us to tell us about it.
|
Leave a Reply