The main objective of cryptography is to provide a mechanism for two (or more) entities to communicate without any other entity being able to read or change the message. Along with this it can provide other services, such as:
- Integrity check. This makes sure that the message has not been tampered with by non-legitimate sources.
- Providing authentication. This verifies the sender identity. Unfortunately most of the current Internet infrastructure has been build on a fairly open system, where users and devices can be easily spoofed, thus authentication is now a major factor in verifying users and devices.
One of the main problems with using a secret algorithm for encryption is that it is difficult to determine if Eve has found-out the algorithm used, thus most encryption methods use a key-based approach where an electronic key is applied to a well-known algorithm. Another problem with using different algorithms for the encryption is that it is often difficult to keep devising new algorithms and also to tell the receiving party that the text is being encrypted with the new algorithm. Thus, using electronic keys, there are no problems with everyone having the encryption/decryption algorithm, because without the key it should be computationally difficult to decrypt the message (Figure 1).
The three main methods of encryption are (Figure 2):
Symmetric key-based encryption. This involves the same key being applied to the encrypted data, in order that the original data is recovered. Typical methods are DES, 3DES, RC2, RC4, AES, and so on.
- Asymmetric key-based encryption. This involves using a different key to decrypt the encrypted data, in order that the original data is recovered. A typical method is RSA, DSA and El Gamal.
- One-way hash functions. With this it is not possible to recover the original source information, but the mapping between the value and the hashed value is known. The one-way hash function is typically used in authentication applications, such as generating a hash value for a message. The two main methods are MD5 and SHA-1, and it is also used in password hashing applications, where a password is hashed with a one-way function, and the result is stored. This is the case in Windows and UNIX login, where the password is stored as a hash value. Unfortunately, if the password is not a strong one, the hash value is often prone to a dictionary-type attack, where an intruder tries many different passwords and hashes them, and then compares it with the stored one.
Generate your own keys
In order for you to see what keys look like, I’ve created a Web page where you can generate your own keys:
For example, we I use “fred” as the pass phrase and for aes-128-cbc (128-bit AES with CBC – Chained Block Cipher), I get:
salt=187938EEE4E87FDA key=39E2095E5789CAD5CD1995219B48FFE6 iv =6D55F343E0D60985564D2D51D44C40D0
but when I try it again I get:
salt=BEAF690035812A3D key=610C6519F47ECDDC370B88AECC0A4BDC iv =247BF2166C1672CA935829B75F814EA4
In this way the salt, the key and the IV value all change, so that they cannot be easily guessed. The salt value allows us to create a difficult to crack hash value, and the IV value allows for the ciphertext to change with the same message. The trick is to add randomness into the generation, so that Eve cannot guess what the generated values are.
Obviously the size of the key will vary with the number of bits in the key, so if we use AES-256 CBC we get:
salt=3142A388014686CA key=B4E2195C7F2BF04EB67722DF7FB8D5E6B4FE62E9CA9C896760D4435175A4EBA7 iv =8CE70C8998BB237997BFA9ED4B75A587
which shows that the encryption key is twice as long (but the salt and the IV values stay the same).
I’ll cover computational difficulty in the next article….