Cryptography is the process of converting recognizable data into an encrypted code for transmitting it over a network (either trusted or entrusted).
Data is encrypted at the source, i.e. sender’s end and decrypted at the destination, i.e. receiver’s end.
In all cases, the initial unencrypted data is referred to as plain text. It is encrypted into cipher text, which will in turn (usually) be decrypted into usable plaintext using different encryption algorithms.
Plaintext =>Ciphertext=> Plaintext=>Encryption=> Decryption
Some Cryptography tools are as follow:
- PWGen: Generator Of Cryptographically-Strong Passwords
- BeeCrypt: Cryptography Library Toolkit
- Retter That Can Easily Promote And Develop Cryptography
The Purpose :-
Authentication : The process of proving one’s identity.
> Privacy/confidentiality : Ensuring that no one can read the message except the intended receiver.
> Integrity : Assuring the receiver that the received message has not been altered in any way from the original.
> Non-repudiation : A mechanism to prove that the sender really sent this message.
The general practices and required minimum key length depending on the scenario listed below.
- Key exchange: Diffie–Hellman key exchange with minimum 2048 bits
- Message Integrity: HMAC-SHA2
- Message Hash: SHA2 256 bits
- Asymmetric encryption: RSA 2048 bits
- Symmetric encryption: AES 128 bits
- Password Hashing: Argon2, PBKDF2, Scrypt, Bcrypt
In general, cryptographic algorithms are classified into three categories as follows:
1) Secret Key Cryptography (SKC) : Uses a single key for both encryption and decryption.
2) Public Key Cryptography (PKC) : Uses one key for encryption and another for decryption.
3) Hash Functions : Uses a mathematical transformation to irreversibly “encrypt” information.
Secret Key Cryptography :-
With secret key cryptography, a single key is used for both encryption and decryption. Because a single key is used for both functions, secret key cryptography is also called symmetric encryption.
Secret key cryptography algorithms that are in use today include :
1) Data Encryption Standard (DES): DES is a block cipher employing a 56-bit key that operates on 64-bit blocks. DES uses a key of only 56 bits, and thus it is now susceptible to “brute force” attacks. Triple-DES (3DES) and DESX are the two important variants that strengthen DES.
2) Advanced Encryption Standard (AES ): The algorithm can use a variable block length and key length; the latest specification allowed any combination of keys lengths of 128, 192, or 256 bits and blocks of length 128, 192, or 256 bits.
3) International Data Encryption Algorithm (IDEA): Secret-key cryptosystem written by Xuejia Lai and James Massey, in 1992 and patented by Ascom; a 64-bit SKC block cipher using a 128-bit key. Also available internationally.
4) Rivest Ciphers : Named for Ron Rivest, a series of SKC algorithms.
- RC1 : Designed on paper but never implemented.
- RC2 : A 64-bit block cipher using variable-sized keys designed to replace DES. It’s code has not been made public although many companies have licensed RC2 for use in their products. Described in RFC 2268.
- RC3 : Found to be breakable during development.
- RC4 : A stream cipher using variable-sized keys; it is widely used in commercial cryptography products, although it can only be exported using keys that are 40 bits or less in length.
- RC5 : A block-cipher supporting a variety of block sizes, key sizes, and number of encryption passes over the data. Described in RFC 2040.
- RC6 : An improvement over RC5, RC6 was one of the AES Round 2 algorithms.
5) Blowfish : A symmetric 64-bit block cipher invented by Bruce Schneier; optimised for 32-bit processors with large data caches, it is significantly faster than DES on a Pentium/PowerPC-class machine. Key lengths can vary from 32 to 448 bits in length. Blowfish, available freely and intended as a substitute for DES or IDEA, is in use in over 80 products.
Public-Key Cryptography :-
Generic PKC employs two keys that are mathematically related although knowledge of one key does not allow someone to easily determine the other key. One key is used to encrypt the plaintext and the other key is used to decrypt the ciphertext. No matter which key is applied first, but both the keys are required for the process to work. Because a pair of keys are required, this approach is also called asymmetric cryptography.
In PKC, one of the keys is designated the public key and may be advertised as widely as the owner wants. The other key is designated the private key and is never revealed to another party.
Public-key cryptography algorithms that are in use today for key exchange or digital signatures include :
RSA : One of the most popular encryption algorithm, invented in 1977 by three MIT scientists (Ronald Rivest, Adi Shamir, and Leonard Adleman).
The key-pair is derived from a very large number, n, that is the product of two prime numbers chosen according to special rules; these primes may be 100 or more digits in length each, yielding an n with roughly twice as many digits as the prime factors. The public key information includes n and a derivative of one of the factors of n; an attacker cannot determine the prime factors of n (and, therefore, the private key) from this information alone and that is what makes the RSA algorithm so secure.
Hash Functions :-
Hash functions, also called message digests and one-way encryption, are algorithms that, in some sense, use no key. Instead, a fixed-length hash value is computed based upon the plaintext that makes it impossible for either the contents or length of the plaintext to be recovered.
Hash algorithms are typically used to provide a digital fingerprint of a file’s contents, often used to ensure that the file has not been altered by an intruder or virus. It is also commonly employed by many operating systems to encrypt passwords and then, provide a measure of the integrity of a file.
Hash algorithms that are in common use include:
1) Message Digest (MD) algorithms: A series of byte-oriented algorithms that produce a 128-bit hash value from an arbitrary-length message.
MD2 : Designed for systems with limited memory, such as smart cards.
MD4 : Developed by Rivest, similar to MD2 but designed specifically for fast processing in software.
MD5 : Also developed by Rivest in 1991 after potential weaknesses were reported in MD4; this scheme is similar to MD4 but is slower because more manipulation is made to the original data.It accepts variable length message from the user and converts it into a fixed 128-bit message digest value.
One interesting and important aspect of the MD5 hash function is that it is a one-way algorithm. This means you can produce the 128-bit fingerprint if the data chunk is available to you. You cannot, however, generate the entire data if only the fingerprint of the data is known.
2) Secure Hash Algorithm (SHA): Algorithm for NIST’s Secure Hash Standard (SHS). SHA-1 produces a 160-bit hash value and was originally published as FIPS 180-1 and RFC 3174. FIPS 180-2 describes five algorithms in the SHS: SHA-1 plus SHA-224, SHA-256, SHA-384, and SHA-512 which can produce hash values that are 224, 256, 384, or 512 bits in length, respectively. SHA-224, -256, -384, and -52 are also described in RFC 4634.
3) RIPEMD: A series of message digests that initially came from the RIPE (RACE Integrity Primitives Evaluation) project. RIPEMD-160 was designed by Hans Dobbertin, Antoon Bosselaers, and Bart Preneel, and optimised for 32-bit processors to replace the then-current 128-bit hash functions. Other versions include RIPEMD-256, RIPEMD-320, and RIPEMD-128.
4) HAVAL (Hash of Variable Length): Designed by Y. Zheng, J. Pieprzyk and J. Seberry, a hash algorithm with many levels of security. HAVAL can create hash values that are 128, 160, 192, 224, or 256 bits in length.
5) Whirlpool: A relatively new hash function, designed by V. Rijmen and P.S.L.M. Barreto. Whirlpool operates on messages less than 2256 bits in length, and produces a message digest of 512 bits. The design of this hash function is very different than that of MD5 and SHA-1, making it immune to the same attacks as on those hashes.
6) Tiger: Designed by Ross Anderson and Eli Biham, Tiger is designed to be secure, run efficiently on 64-bit processors, and easily replace MD4, MD5, SHA and SHA-1 in other applications. Tiger/192 produces a 192-bit output and is compatible with 64-bit architectures; Tiger/128 and Tiger/160 produce the first 128 and 160 bits, respectively, to provide compatibility with the other hash functions.
Secure Cryptographic Storage Design
- All protocols and algorithms for authentication and secure communication should be well vetted by the cryptographic community.
- Ensure certificates are properly validated against the hostnames/users ie whom they are meant for.
- Avoid using wildcard certificates unless there is a business need for it
- Maintain a cryptographic standard to ensure that the developer community knows about the approved ciphersuits for network security protocols, algorithms, permitted use, cryptoperiods and Key Management