Cryptosystem Functions
- Privacy/confidentiality: Ensuring that no one can read the message except the intended receiver.
- Authentication: The process of proving one's identity.
- Integrity: Assuring the receiver that the received message has not been altered in any way from the original.
- Non-repudiation: A mechanism to prove that the sender really sent this message.
- Key exchange: The method by which crypto keys are shared between sender and receiver.
Cryptosystem Algorithms
Each cryptosystem defines three algorithms:
- key(s) generation
  - key size (length)
  - expiration date
- encryption
- decryption
Deterministic algorithm
- given a particular input it will always produce the same output
- the underlying machine will always be passing through the same sequence of states
Block cipher
- deterministic algorithm operating on fixed-length groups of bits, called blocks.
- consists of two paired algorithms, one for encryption, E, and the other for decryption, D.
- Both algorithms accept two inputs: an input block of size n bits and a key of size k bits; and both yield an n-bit output block.
- The decryption algorithm D is defined to be the inverse function of encryption
Cryptosystem types
- Symmetric Encryption (Secret Key Cryptography)
  - Uses a single key for both encryption and decryption
  - Sender uses the key to encrypt the plaintext and sends the ciphertext to the receiver. The receiver applies the same key to decrypt the message and recover the plaintext.
  - Key must be known to both the sender and the receiver; the key is the secret
  - Applications which use this type of encryption to securely store data can use a user-supplied password as the key (or generate the key from the password)
  - The same key/password is used to encrypt and decrypt content, which is helpful from a usability standpoint.
  - The biggest difficulty with this approach is the distribution of the key
  - Used for:
    - privacy/confidentiality
  - Types:
    - stream ciphers
    - block ciphers
  - Algorithms:
    - Advanced Encryption Standard (AES, Rijndael; NIST 2001)
      - variant of the Rijndael block cipher
      - Rijndael is a family of ciphers with different key and block sizes.
      - For AES, NIST selected three members of the Rijndael family, each with a block size of 128 bits, but three different key lengths: 128, 192 and 256 (AES256) bits.
      - Examples: Ansible Vault uses AES256
    - ...
- Asymmetric Encryption (Public Key Cryptography)
  - Uses one key for encryption and another for decryption
  - Used for:
    - authentication
    - non-repudiation
    - key exchange
  - Algorithms:
    - RSA (Rivest, Shamir and Adleman) (PKCS#1)
    - Diffie–Hellman key exchange protocol
    - PGP
    - GPG (GnuPG)
    - SSL/TLS
    - SSH
    - ...
- Hash Functions (Message Digests, One-way Encryption)
  - Use a mathematical transformation to irreversibly "encrypt" information, providing a digital fingerprint
  - Use no key
  - A fixed-length hash value is computed from the plaintext in a way that makes it impossible for either the contents or the length of the plaintext to be recovered
  - Used for:
    - message integrity. Examples:
      - ensure the integrity of a file; provide a digital fingerprint of a file's contents, often used to ensure that the file has not been altered by an intruder or virus
    - encrypt passwords
  - Algorithms:
    - Message Digest (MD) algorithms
      - byte-oriented algorithms that produce a 128-bit hash value from an arbitrary-length message
      - Algorithms:
        - MD2
        - MD4
        - MD5
          - weaknesses in the algorithm were demonstrated
    - Secure Hash Algorithm (SHA)
      - SHA-1
        - produces a 160-bit hash value
        - deprecated by NIST
      - SHA-2
        - SHA-1 plus
        - SHA-224
        - SHA-256
          - produces a 256-bit (32-byte) hash value, typically rendered as a hexadecimal number, 64 digits long
        - SHA-384
        - SHA-512
      - SHA-3
        - Keccak
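The file-integrity use of hash functions listed above, as an added example that is not part of the original notes: it records SHA-256 fingerprints in a manifest and later reports which files no longer match. The function names, file names and file contents are constructed for illustration.

```python
import hashlib
import hmac
import io

# Digest sizes in bits as stated in the notes above.
EXPECTED_BITS = {"md5": 128, "sha1": 160, "sha256": 256}

def fingerprint(stream, algorithm="sha256", chunk_size=65536):
    """Hash a binary stream in chunks so large files never sit fully in memory."""
    h = hashlib.new(algorithm)
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()

def digest_bits(algorithm):
    """Output length of a hash algorithm in bits; it does not depend on the input."""
    return hashlib.new(algorithm).digest_size * 8

def verify(stream, expected_hex, algorithm="sha256"):
    """True if the stream's fingerprint matches the recorded one."""
    actual = fingerprint(stream, algorithm)
    # compare_digest does not reveal how many leading characters matched.
    return hmac.compare_digest(actual, expected_hex.lower())

def audit(files, manifest):
    """Return the sorted names whose content changed or is missing."""
    changed = []
    for name, expected in sorted(manifest.items()):
        data = files.get(name)
        if data is None or not verify(io.BytesIO(data), expected):
            changed.append(name)
    return changed

# Constructed sample data (hypothetical file names and contents).
ORIGINAL = {"app.conf": b"port=8443\n", "run.sh": b"#!/bin/sh\nexec app\n"}
MANIFEST = {n: fingerprint(io.BytesIO(d)) for n, d in ORIGINAL.items()}
TAMPERED = dict(ORIGINAL, **{"run.sh": b"#!/bin/sh\nexec app --debug\n"})

if __name__ == "__main__":
    for algo in EXPECTED_BITS:
        print(algo, digest_bits(algo), "bits")
    print("changed:", audit(TAMPERED, MANIFEST))
```

The manifest only detects changes if it is stored where whoever can modify the files cannot also rewrite it, because hash functions use no key.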
Resources:
http://www.keylength.com/
emc - PKCS
MD5, SHA1, SHA224, SHA256, SHA384, SHA512 and RIPEMD160 hash generator
Advanced Encryption Standard - Wikipedia