What asymmetric algorithm provides an electronic key exchange method to share the secret key?

Asymmetric

Asymmetric cryptography is a second form of cryptography. Asymmetric cryptography is scalable for use in very large and ever expanding environments where data are frequently exchanged between different communication partners. With asymmetric cryptography:

Each user has two keys: a public key and a private key.

Both keys are mathematically related (both keys together are called the key pair).

The public key is made available to anyone. The private key is kept secret.

Both keys are required to perform an operation. For example, data encrypted with the private key is unencrypted with the public key. Data encrypted with the public key is unencrypted with the private key.

Encrypting data with the private key creates a digital signature. This ensures the message has come from the stated sender (because only the sender had access to the private key to be able to create the signature).

A digital envelope is signing a message with a recipient's public key. A digital envelope, which serves as a means of access control by ensuring that only the intended recipient can open the message (because only the receiver will have the private key necessary to unlock the envelope; this is also known as receiver authentication).

If the private key is ever discovered, a new key pair must be generated.

Asymmetric cryptography is often used to exchange the secret key to prepare for using symmetric cryptography to encrypt data. In the case of a key exchange, one party creates the secret key and encrypts it with the public key of the recipient. The recipient would then decrypt it with their private key. The remaining communication would be done with the secret key being the encryption key. Asymmetric encryption is used in key exchange, email security, Web security, and other encryption systems that require key exchange over the public network.

Pros:

Key management

Two keys (public and private), private key cannot be derived for the public, so the public key can be freely distributed without confidentially being compromised.

Offers: Digital signatures, integrity checks, and nonrepudiation.

Cons:

Speed/file size

Because symmetric-key algorithms are generally much less computationally intensive than asymmetric key algorithms.

In practice, asymmetric key algorithm are typically hundreds to thousands times slower than a symmetric key algorithm.

10.3.2 Asymmetric LWC algorithms

Public-key (asymmetric) cryptography requires the use of a public-key and a private key. Public keys can be associated with the identity of a node by including them into a public certificate, signed by a Certification Authority (CA) that can be requested to verify the certificate. Public-key cryptography requires the significant effort of deploying a PKI. Moreover, asymmetric cryptography requires higher processing and long keys (at least 1024 bits for RSA [31]) to be used. Alternative public-key cryptographic schemes, such as ECC [32], might require shorter keys to be used in order to achieve the same security than RSA keys. However, because of these reasons, symmetric cryptography is preferred in terms of processing speed, computational effort, and size of transmitted messages. Public key can be used to setup symmetric keys to be used in subsequent communications. Lightweight cryptography algorithms are suitable for environments that do not have stringent security requirements and where the constraints on available hardware and power budget cannot be relaxed.

6 Asymmetric Cryptography

The biggest example of asymmetric cryptography for VPNs is in the RSA protocol. Three professors at MIT, Ron Rivest, Adi Shamir, and Leonard Adelman (thus RSA), came up with the RSA encryption algorithm, which is an implementation of public/private key cryptography.

This is one of the coolest and most secure means of transmitting data. Not only is it used for transmission of data, but a person can also digitally sign a document with the use of RSA secure systems. Some states are creating systems for giving people their own digital signatures and holding the public keys in a server that can be accessed by all.

Although these systems have been around for a while, they are becoming more and more prevalent. For example, some states will allow accountants who sign up with them to transmit income tax forms electronically as long as they digitally sign the returns.

This algorithm uses two large random prime numbers. Prime number searching has been a pastime for many mathematical scientists. As the prime number gets larger and larger, its use for privacy and security systems is increased. Thus, many search for larger prime numbers. Through the use of these numbers and a key, the data is secured from prying eyes.

When you are in a public system and don’t have the luxury of knowing the keys in advance, there are ways to create a key that will work. This system is very interesting and is known as the exponential key exchange because it uses exponential numbers in the initial key exchange to come to an agreed-on cipher.

6 Asymmetric Cryptography

The biggest example of asymmetric cryptography for VPNs is in the RSA protocol. Three professors at MIT, Ron Rivest, Adi Shamir, and Leonard Adelman (thus RSA), came up with the RSA encryption algorithm, which is an implementation of public/private key cryptography. Anyone who wants to spend a bit of time can review the math behind the encryption at www.muppetlabs.com/∼breadbox/txt/rsa.html. The RSA protocol is one of the coolest and most secure means of transmitting data. Not only is it used for transmission of data, but a person can also digitally sign a document with the use of RSA secure systems.

Although these systems have been around for a while, they are becoming more and more prevalent. For example, some states will allow accountants who sign up with them to transmit income tax forms electronically as long as they digitally sign the returns. The federal government also allow electronic signatures and passed the E-SIGN Act, Public Law No. 106–229 in June of 2000.

The RSA algorithm uses two large random prime numbers. Prime number searching has been a pastime for many mathematical scientists. As the prime number gets larger and larger, its use for privacy and security systems is increased. Thus, many search for larger prime numbers. Through the use of these numbers and a key, the data is secured from prying eyes.

When you are in a public system and don't have the luxury of knowing the keys in advance, there are ways to create a key that will work. This system is very interesting and is known as the exponential key exchange because it uses exponential numbers in the initial key exchange to come to an agreed-on cipher.

Hash functions

Hash functions represent a third cryptography type alongside symmetric and asymmetric cryptography, what we might call keyless cryptography. Hash functions, also referred to as message digests, do not use a key, but instead create a largely unique and fixed-length hash value, commonly referred to as a hash, based on the original message, something along the same lines as a fingerprint. Any slight change to the message will change the hash.

Hashes cannot be used to discover the contents of the original message, or any of its other characteristics, but can be used to determine whether the message has changed. In this way, hashes provide confidentiality, but not integrity. Hashes can be used on programs (to determine if someone modified an application you want to download), open text messages or operating system files. Hashes are very useful when distributing files or sending communications, as the hash can be sent with the message so that the receiver can verify its integrity. The receiver simply hashes the message again using the same algorithm, then compares the two hashes. If the hashes match, the message has not changed. If they do not match, the message has been altered.

Although it is theoretically possible to engineer a matching hash for two different sets of data, called a collision, this is a very difficult task indeed, and generally requires that the hashing algorithm be broken in order to accomplish. Some algorithms, such as Message-Digest algorithm 5 (MD5), have been attacked in this fashion, although producing a collision is still nontrivial. When such cases occur, the compromised algorithm usually falls out of common use. Hashing algorithms such as SHA-2 and the soon-to-arrive SHA-3 have replaced MD5 in cases where stringent hash security is required.

Many other hash algorithms exist and are used in a variety of situations, such as MD2, MD4, and RACE.

4.1 Public key encryption

Diffie and Hellman (1976) introduced the concept of public key encryption, also known as asymmetric cryptography in 1976. Like FHE today, practical implementations of public key encryption were limited. However they are now widely used, including the El Gamal and Paillier schemes. Both of these schemes use a large prime number for a modulus operation, which is a security parameter. It is important to note however that even though these schemes can provide homomorphic operations, because of the nature of modulus operation, if the input or output values are greater than the modulus, results may not be as expected.

Looking at an example of public key encryption, Alice, Bob and Claire are good friends who send each other online chat messages at night after school. However, Alice and Bob would like to throw Claire a surprise birthday party. The problem is that neither Alice or Bob can figure out how to remove Claire from the chat session. But they do not want Claire to be able to see their conversion because it will ruin the surprise. One solution to this problem is for them both to create a private and public key, known as public key encryption. Then they can send their public key to everyone in the chat session. This allows Bob to encrypt a secret message to Alice using her public key, before broadcasting it in the chat session. Only Alice will be able to decrypt and read the message, meaning Claire is unable to read any messages about her surprise party.

However looking at the bigger picture, it also prevents malicious users from reading the messages as well. For example, the chat services’ administrators can only see the public key and encrypted messages. The same applies for any user sniffing the network, and finally this means that even if the chat service gets compromised, Alice and Bobs chat history is safe. This is not to say that the encrypted chat is 100% guaranteed to be safe and secure, but it adds another layer of protection to their data.

Therefore, public key encryption proves a means to encrypt data that only the holder of the private key can read. Anyone can gain access to the public key, which is used to encrypt the data. But ideally, only one person/system has the private key to decrypt the data. Everyone using the Internet would have experienced public key encryption, but probably without knowledge. For example, Hypertext Transfer Protocol Secure (HTTPS) sets up a secure tunnel using public key encryption within a browser. The client sends data to the server using the servers public key, and the server sends data back to the client using the clients public key. The setup of the keys is a bit more complicated than the example before, but it all happens in the background.

When designing and setting up a cloud service, it is important to consider how public key encryption will play a role in making the service more secure. Providing secure channels for authentication is a must today, and HTTPS is a viable solution. However, there are other ways to make the service more secure, like the use of PHE. Some real-world examples of homomorphic encryption will be covered in Section 6, but now El Gamal and Paillier’s scheme will be described to show how simple it is to implement PHE.

Hash Functions

It is important to know that the slight technical differences that support hashing are significant enough to draw a distinction between symmetric or asymmetric cryptography and hash functions. Hashing only supports integrity and not confidentiality services. A hash function is a one-way cryptographic algorithm. The use of a one-way cryptographic algorithm means that the ciphertext cannot be decrypted to reveal the original plaintext. The algorithm is made of two parts. The first element is the original content and is called the message. After encryption, the output, or second element, is called the message digest. The message digest is a unique identifier and based on the message. It is often viewed as a digital fingerprint. If the original message were altered in anyway, then it would not match the original message digest. Table 4.1 compares the types of encryption algorithms as well as provides a common example.

Table 4.1. Common Encryption Algorithms

Summary

This chapter looked into the meaning of cryptography and some of its origins, including the Caesar Cipher. More modern branches of cryptography are symmetric and asymmetric cryptography, which are also known as secret key and public key cryptography, respectively.

The most common symmetric algorithms in use today include DES, AES, and IDEA. Since DES is showing its age, we looked at how NIST managed the development of AES as a replacement, and how Rijndael was selected from five finalists to become the AES algorithm. From the European perspective, we saw how IDEA came to be developed in the early 1990s and examined its advantages over DES.

The early development of asymmetric cryptography was begun in the mid-1970s by Diffie and Hellman, who developed the Diffie-Hellman key exchange algorithm as a means of securely exchanging information over a public network. After Diffie-Hellman, the RSA algorithm was developed, heralding a new era of public key cryptography systems such as PGP. Fundamental differences between public key and symmetric cryptography include public key cryptography's reliance on the factoring problem for extremely large integers.

Brute force is an effective method of breaking most forms of cryptography, provided you have the time to wait for keyspace exhaustion, which could take anywhere from several minutes to billions of years. Cracking passwords is the most widely used application of brute force; programs such as L0phtcrack and John the Ripper are used exclusively for this purpose.

Even secure algorithms can be implemented insecurely, or in ways not intended by the algorithm's developers. Man-in-the-middle attacks could cripple the security of a Diffie-Hellman key exchange, and even DES-encrypted LANMAN password hashes can be broken quite easily. Using easily broken passwords or passphrases as secret keys in symmetric algorithms can have unpleasant effects, and improperly stored private and secret keys can negate the security provided by encryption altogether.

Information is sometimes concealed using weak or reversible algorithms. We saw in this chapter how weak ciphers are subject to frequency analysis attacks that use language characteristics to decipher the message. Related attacks include relative length analysis and similar plaintext analysis. We saw how vendors sometimes conceal information using XOR and Base64 encoding and looked at some sample code for each of these types of reversible ciphers. We also saw how, on occasion, information is compressed as a means of obscuring it.

Types of cryptography

There are three primary types of modern encryption: symmetric, asymmetric, and hashing. Symmetric encryption uses one key: the same key encrypts and decrypts. Asymmetric cryptography uses two keys: if you encrypt with one key, you may decrypt with the other. Hashing is a one-way cryptographic transformation using an algorithm (and no key).

Cryptographic protocol governance describes the process of selecting the right method (cipher) and implementation for the right job, typically at an organization-wide scale. For example, a digital signature provides authentication and integrity, but not confidentiality. Symmetric ciphers are primarily used for confidentiality, and AES is preferable over DES due to strength and performance reasons (which we will also discuss later).