Welcome back to our series on Security 101. Because encryption is such an important part of security, we’re going to spend some time going over encryption in more detail. We’ll take a look at the encryption algorithms that are in common use today and those that are no longer in vogue. We’ll also see how encryption can be used both to obscure and to validate data and when you want to use one type of algorithm over another.
When you need to protect the confidentiality of data, which is to say you don’t want any unauthorized people reading it, you use encryption. This can be applied to data stored on disk, or transmitted between systems. Encryption uses a combination of an encryption algorithm and a key to take plaintext and render it into ciphertext. Decryption takes the ciphertext and a key to render it back into plaintext. To decrypt data, you need the appropriate key. As long as that key was provided to you securely, the data remains confidential. But if the key can be compromised or guessed, then decryption is trivial for an attacker.
There are several publicly available encryption algorithms available but some software creators insist on developing their own. While the encryption algorithm you choose is important, it is the key that is what makes it work and must be protected. When using a publicly-documented algorithm, you are using one that has been vetted countless times, and is both well understood and secure, as long as your key is secure. When vendors choose to implement their own proprietary algorithms, you run the risk that there is a flaw in their mathematics or implementation that will make the encryption vulnerable to attack.
There are two categories of data encryption: symmetric key encryption and asymmetric key encryption.
Symmetric key encryption
In symmetric key encryption, a single key is used both to encrypt and to decrypt data. The primary advantage of symmetric key encryption is that it is very fast. Even relatively low-powered systems can perform encryption and decryption operations with very little impact. There are two primary types of symmetric key encryption algorithms: stream ciphers and block ciphers.
Stream ciphers encrypt data one byte at a time. The most common stream cipher still in use is RC4.
Block ciphers encrypt data in blocks and will pad any data that doesn’t make a standard size block. Common block ciphers include DES, 3DES, RC5, and AES. The mathematics typically involves some form of XORing operation between the data and the symmetric key.
In contrast, asymmetric encryption algorithms use one key for encryption, and another key for decryption. These keys, called key pairs, work as a matched set, with one key referred to as the public key, and the other as the private key. It is frequently referred to as Public Key Encryption. You can distribute/publish online/hand out to perfect strangers online your public key, but you must guard the private key as closely as possible. Data encrypted with one key can only be decrypted with the other. If someone wants to send you an encrypted file they can use your public key to encrypt it. It doesn’t matter that anyone else on the Internet might have your public key. Even with the encrypted data, they cannot decrypt it. As long as you are the only one with the private key, you are the only one that can decrypt the data. Public key encryption can also be used to provide digital signing of data. If you hash (see below) data and then encrypt the hash with your private key, anyone can decrypt the hash using your public key and compare the hash to a hash they compute themselves. If the hashes match, the data integrity is confirmed.
Asymmetric key encryption is computationally expensive, and requires both time and CPU cycles to work effectively. It is commonly used to provide a secure way to transmit symmetric encryption keys, rather than to protect actual data.
Common asymmetric key algorithms include RSA, Diffie-Hellman, DSS, SSL/TLS, SSH, and PGP.
To ensure that the process of encrypting and decrypting data does not alter the data and that data has not been altered in transit or while stored, hashing algorithms can be used to verify data. A hash is not used to encrypt data itself. A hashing algorithm can take data of a variable size, and create a fixed size mathematical calculation of that data. These are one-way calculations. It is impossible to derive the data from the hash, but it is possible to calculate all possible hashes for a finite set of data. Hashes are not meant to encrypt data; only to verify it. Hashes can be “salted” with a unique value to further protect their integrity, but still should not be used alone to protect data.
Common examples of hashing algorithms that use block ciphers include MD4, MD5, SHA1, SHA2, and SHA256.
In our next post, we will look at how encryption works to protect the confidentiality and integrity of data both in transit and at rest.