Monday, 21 September 2015

A brief guide to cryptosystems

Cryptosystem Functions

  • Privacy/confidentiality: Ensuring that no one can read the message except the intended receiver.
  • Authentication: The process of proving one's identity.
  • Integrity: Assuring the receiver that the received message has not been altered in any way from the original.
  • Non-repudiation: A mechanism to prove that the sender really sent this message.
  • Key exchange: The method by which crypto keys are shared between sender and receiver.

Cryptosystem Algorithms

Each cryptosystem defines three algorithms:
  • key(s) generation
    • key size (length)
    • expiration date
  • encryption
  • decryption

Deterministic algorithm 
  • given a particular input it will always produce the same output
  • the underlying machine will always be passing through the same sequence of states

Block cipher
  • deterministic algorithm operating on fixed-length groups of bits, called blocks
  • consists of two paired algorithms, one for encryption, E, and the other for decryption, D.
    • Both algorithms accept two inputs: an input block of size n bits and a key of size k bits; and both yield an n-bit output block.
    • The decryption algorithm D is defined to be the inverse function of encryption

Cryptosystem types

  • Symmetric Encryption (Secret Key Cryptography)
    • Uses a single key for both encryption and decryption
    • Sender uses the key to encrypt the plaintext and sends the ciphertext to the receiver. The receiver applies the same key to decrypt the message and recover the plaintext.
    • Key must be known to both the sender and the receiver; key is the secret
    • Applications that use this type of encryption to securely store data can use a user-supplied password as the key (or generate the key from the password)
    • Same key/password is used to encrypt and decrypt content, which is helpful from a usability standpoint.
    • The biggest difficulty with this approach is the distribution of the key
    • Used for:
      • privacy/confidentiality
    • Types:
      • stream ciphers
      • block ciphers
    • Algorithms:
      • Advanced Encryption Standard (AES, Rijndael; NIST 2001)
        • variant of the Rijndael block cipher 
        • Rijndael is a family of ciphers with different key and block sizes.
        • For AES, NIST selected three members of the Rijndael family, each with a block size of 128 bits, but three different key lengths: 128, 192 and 256 (AES256) bits. 
        • Examples: Ansible Vault uses AES256
    • ...
  • Asymmetric Encryption (Public Key Cryptography)
    • Uses one key for encryption and another for decryption
    • Used for:
      • authentication
      • non-repudiation
      • key exchange
    • Algorithms:
      • RSA (Rivest, Shamir and Adleman) (PKCS#1) 
      • Diffie–Hellman key exchange protocol
      • PGP
      • GPG (GnuPG)
      • SSL/TLS
      • SSH
    • ...
  • Hash Functions (Message Digests, One-way Encryption)
    • Use a mathematical transformation to irreversibly "encrypt" information, providing a digital fingerprint
    • Use no key 
    • A fixed-length hash value is computed from the plaintext in a way that makes it impossible to recover either the contents or the length of the plaintext
    • Used for:
      • message integrity. Examples:
        • ensure the integrity of a file; provide a digital fingerprint of a file's contents, often used to ensure that the file has not been altered by an intruder or virus
        • encrypt passwords
    • Algorithms:
      • Message Digest (MD) algorithms
        • byte-oriented algorithms that produce a 128-bit hash value from an arbitrary-length message
        • Algorithms:
          • MD2
          • MD4
          • MD5
            • weaknesses in the algorithm were demonstrated
      • Secure Hash Algorithm (SHA)
        • SHA-1
          • produces a 160-bit hash value
          • deprecated by NIST
        • SHA-2
          • SHA-1 plus
          • SHA-224
          • SHA-256
            • produces a 256-bit (32-byte) hash value, typically rendered as a hexadecimal number, 64 digits long
          • SHA-384
          • SHA-512
        • SHA-3
          • Keccak
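
The file-integrity use of hash functions listed above, as an added example (not code from the original post): it records SHA-256 fingerprints for a set of files and later reports which ones were modified or are missing. The file names and contents are constructed samples, and the function names are illustrative.

```python
import hashlib
import hmac
import os
import tempfile

def file_digest(path, algorithm="sha256", chunk_size=65536):
    """Hash a file in chunks so large files never have to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(paths):
    """Record a SHA-256 fingerprint per file; this is the trusted baseline."""
    return {p: file_digest(p) for p in paths}

def verify_manifest(manifest):
    """Return {path: 'ok' | 'modified' | 'missing'} against the baseline."""
    report = {}
    for path, expected in manifest.items():
        if not os.path.exists(path):
            report[path] = "missing"
        elif hmac.compare_digest(file_digest(path), expected):
            report[path] = "ok"
        else:
            report[path] = "modified"
    return report

def digest_bits(algorithm, message=b"abc"):
    """Digest length in bits; it does not depend on the message length."""
    return hashlib.new(algorithm, message).digest_size * 8

def demo():
    """Constructed sample files: take a baseline, alter one, delete one."""
    with tempfile.TemporaryDirectory() as d:
        paths = [os.path.join(d, n) for n in ("app.conf", "run.sh", "notes.txt")]
        for p in paths:
            with open(p, "wb") as f:
                f.write(b"constructed sample content: " + p.encode())
        manifest = build_manifest(paths)
        with open(paths[0], "ab") as f:
            f.write(b"\n")          # a single added byte changes the digest
        os.remove(paths[1])
        report = verify_manifest(manifest)
        return [report[p] for p in paths]

if __name__ == "__main__":
    print(demo(), {a: digest_bits(a) for a in ("sha1", "sha256", "sha512")})
```

Because a hash function uses no key, anyone able to alter a file can also recompute its digest, so the manifest only helps if it is stored somewhere the party altering the files cannot write to.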