| By Pak-Tjun Chin,
on 03-11-2008 15:59
|
Views : 2067  |
Favoured : 141 |
"There are two kinds of cryptography in this world: Cryptography that will stop your kid sister from reading your files, and cryptography that will stop major governments from reading your files." - Bruce Schneier 1996
The aim of this article is to present a high level introduction to cryptography. This stems from my recent move into Application Security from Application Development. I would be exploring and elaborating on this very topic in future articles.
Now, what exactly is cryptography? Well, cryptography refers almost exclusively to encryption, the process of converting some data in clear-text (also referred to as plaintext) into unintelligible gibberish (also referred to as cyphertext). The reverse of this is known as decryption. The encryption and decryption of data between 2 parties is vital to ensure the integrity, confidentiality and non-repudiation of the data that is communicated.
Dramatis Personae
In Bruce Schneier's definitive introductory text Applied Cryptography (2nd ed., 1996, John Wiley & Sons, ISBN 0-471-11709-9) he introduced a table of dramatis personae that has been widely adapted to explain how a cryptographic protocol does or does not work.
| Alice |
Client A, also know as the requester. |
| Bob |
Client B, also known as the responder. |
| Eve |
An eavesdropper, whom is usually a passive attacker. Can listen to communications between Alice and Bob but cannot tamper with it. |
| Mallory |
A malicious attacker. Unlike Eve, Mallory can tamper with the messages communicated between Alice and Bob. Mallory poses a much greater security risk than Eve. |
| Trent |
A trusted arbitrator. Is the neutral 3rd party, for example, a certification authority (CA). |
I will be using these characters throughout my series on Cryptography 101.
Asymmetric Cryptography
Asymmetric cryptography, also known as public-key cryptography, is a form of cryptography whereby a party has a pair of cryptographic keys, a public key and a private key.
Ek1(P)=C
Dk2(C)=P
The public key, as the name implies, is public, thus does not need to be kept secure and hidden. The private key MUST be secure. The strength of the encryption rely on the strength and secrecy of the private key.
Asymmetric cryptography is broken up into 2 areas: public key encryption and digital signatures.
Public Key Encryption
Diagram 1: Public Key Encryption
As per Diagram 1, a message encrypted with Bob's Public Key can only be decrypted with Bob's corresponding Private Key.This ensures that the message sent by Alice that is intended to be read only by Bob, thus ensuring confidentiality of the message, and that the message has not been tampered with during transmission, thus ensuring message integrity.
An analogy for public key encryption is as follows. Say I've got a postal mailbox at home that is padlocked and only I have the key that opens the lock. I can hand-out the address of the mailbox to all and sundry and they can post letters to my mailbox. However, only I am able to access the mail and thus read the content of the letters.
Digital Signatures
Diagram 2: Digital Signatures
As per Diagram 2, a message encrypted with Alice's private key can only be decrypted with Alice's corresponding public key. This guarantees that the message was sent by the owner of the private key, Alice, assuming that her private key has not been compromised. Subsequently, Alice will not be able to repudiate (deny) that she was indeed the sender of the message.
In the ancient days of China, the emperor used to dispatch royal decrees to his nation by messengers on horseback. The emperor prevented the messengers from tampering with the decress by sealing it with his royal seal. Also, by seeing the royal decrees sealed with the emperor's seal, the nation would believe that the royal decrees were indeeed from their beloved emperor.
Symmetric Cryptography
Symmetric cryptography, also known as secret-key cryptography, is a form of cryptography whereby 2 parties share the same secret key for encryption as well as decryption.
Ek(P)=C
Dk(C)=P
One of the main challenges of symmetric cryptography is to get the secret key to both the communicating parties.
Diagram 3: Symmetric Cryptography
As per Diagram 3, both Alice and Bob share the same secret key. The plaintext message is encrypted and decrypted using the same key. This ensures message confidentiality between Alice and Bob.
Bring It All Together
Now, from the 2 previous sections, it's been noted that asymmetric algorithms ensures message confidentiality, integrity and non-repudiation. So, why do we need to bother with symmetric algorithms? Well, the reason is pretty simple. It takes a lot more computational and processing power in asymmetric algorithms than symmetric algorithms, thus making it relatively inefficient. Typically, asymmetric cryptography are hundreds to thousands times slower than symmetric cryptography.
In modern times, a hybrid of both are employed whereby:
- Asymmetric algorithms are used in during the authentication of Alice by Bob. This ensures non-repudiation.
- Randomly generated symmetric session keys, that are used to encrypt and decrypt messages between Alice and Bob, are encrypted by Alice using Bob's public key prior to transmitting it over to Bob. This ensures the integrity of the session key.
- Finally, the session key is used to encrypt and decrypt subsequent messages between Alice and Bob, preventing Eve from reading the messages thus ensuring condifidentiality.
Last update: 08-11-2008 22:04
|
