Understanding Basic Cryptography and How it Works to Protect Data
By Paul-Charife Allen
So I was asked the question: “Can you give me four types of Cryptography?” Hmm, well, my mind went blank. I should have been able to pull something, but nothing; types, what types! The next day I decided to do a bit of research to see if that would trigger a memory! Reading the definition: “Cryptography is a method of storing and transmitting data in a particular form so that only those for whom it is intended can read and process it.” Of course, “Behind every code is an enigma”: The Imitation Game, where legendary cryptanalyst Alan Turing and his brilliant team of code-breakers at Britain's top-secret Government cracked the code of the German Enigma Machine during the darkest days of World War II.
Today, more digital than analog, cryptography includes microdots, merging words with images, and other methods to hide information in storage or transfer. Cryptography is routinely associated with scrambling plaintext (ordinary text, sometimes referred to as cleartext) into ciphertext (a process called encryption; encrypted data), then back again (known as decryption). This is where it came back to me; it was not types the question was looking for but objectives. Current cryptography concerns itself with the following four objectives or families:
1) Confidentiality - the information cannot be understood by anyone for whom it was unintended; reducing the unauthorized disclosure of information. Encryption uses a symmetric key algorithm that encrypts the data, and the receiver’s system decrypts the data with a second instance of the same symmetric key.
2) Integrity - the information cannot be altered in storage or transit between sender and intended receiver without the alteration being detected; the guarding against improper information modification. Data is run through a hashing algorithm, which results in a message digest value. Verification requires the same data to be run through the same hashing algorithm; if the message digest values are the same, the data's integrity is intact.
3) Non-repudiation - the creator/sender of the information cannot deny at a later stage his or her intentions in the creation or transmission of the information; provides the assurance of the origin of data to both the receiver and the sender. Data is sent through a hashing algorithm, which results in a digest value. This digest value is encrypted with the sender’s private key, which results in a digital signature. The sender cannot deny sending the data because the process uses the sender's private key, to which no one else has access.
4) Authentication - the sender and receiver can confirm each other’s identity and the origin/destination of the information; proving the identity of the subject or entity. By using a digital certificate, the receiver validates that a trusted authority created the certificate and verifies that the certificate was not modified.
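The hash-then-sign flow from objectives 2 and 3, as an added example that is not part of the original article. The key is a toy RSA key built from two well-known Mersenne primes and used without padding (assumptions made so the sketch runs with the standard library only); the function names are illustrative.

```python
import hashlib

# Toy RSA key (assumption for this demo): two known Mersenne primes.
# Trivially breakable; real signatures use a vetted library and a padding scheme.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                    # public key (n, e), given to everyone
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent, held only by the sender


def digest(data: bytes) -> int:
    """Message digest (SHA-256) of the data, as an integer."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(data: bytes) -> int:
    """Sender: transform the digest with the private key to get the signature."""
    return pow(digest(data), D, N)


def verify(data: bytes, signature: int) -> bool:
    """Receiver: recompute the digest and compare it with the digest
    recovered from the signature using the sender's public key."""
    return pow(signature, E, N) == digest(data)


if __name__ == "__main__":
    msg = b"pay 100 to account 42"               # constructed sample message
    sig = sign(msg)
    print("unmodified:", verify(msg, sig))
    print("altered   :", verify(b"pay 900 to account 42", sig))
```

Verification needs only the public key, while producing a signature that verifies needs the private one; that asymmetry is what backs the non-repudiation claim.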
Data must be protected throughout each stage of its life cycle; whether data is in transit or at rest, cryptography applies various techniques to secure sensitive information. This becomes increasingly difficult as data moves from the source to its destination and is used in a dynamic environment.
Cryptography is very complex and must be understood for proper implementation, so that it provides a sense of security and reduces the impact of a potential breach or data loss. It is not just about encryption and decryption; it provides all the services above with distinct algorithm types: Encryption Algorithms providing confidentiality, Hashing Algorithms providing integrity, and Digital Signature Algorithms providing non-repudiation and authentication.
Algorithms are a group of static mathematical equations (mathematical or logic functions) used for the cryptographic processes; however, algorithms alone lack randomness and can demonstrate patterns for attackers to view and reverse engineer. Randomness comes from the keys! These long strings of random bits govern the cryptographic functions within the algorithm: the key values tell the algorithm which equations to use, in what order, and with what values. Problems arise when the key is not changed: using the same key over and over again reduces the randomness of the cryptographic process and opens it to reverse engineering and data compromise.
Two main algorithmic categories include:
Symmetric key cryptography uses two instances of the same key value to encrypt and decrypt. Its downfall is that protection depends on users keeping the symmetric key secret, and it requires an “out-of-band” exchange of keys: the key cannot be transferred through the communication channel itself and must travel by another method. This approach does not scale well and is very time consuming with all the additional tasks involved. Some of the most commonly used symmetric algorithms include Data Encryption Standard (DES), 3DES, Blowfish, Twofish, International Data Encryption Algorithm (IDEA), RC4, RC5, RC6, and Advanced Encryption Standard (AES).
Asymmetric key cryptography, or public key cryptography, uses two different keys, a public key and a private key, that form a mathematically related pair. Commonly used algorithms include Diffie-Hellman, RSA (Ron Rivest, Adi Shamir, and Leonard Adleman), El Gamal, and ECC (Elliptic Curve Cryptosystem).
Diffie-Hellman is a key agreement algorithm: the two parties agree on a symmetric session key that is then used for encryption and decryption. It does not require a previous relationship between the two communicating parties. Diffie-Hellman allows key agreement to happen in a secure manner based on the difficulty of calculating discrete logarithms in a finite field; however, it does not provide data encryption or digital signature capabilities.
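The agreement described above, sketched with the standard library only (an added example, not code from the original article). The group is a toy one, a Mersenne prime modulus with generator 3, chosen as an assumption so the block is self-contained; production systems use a standardized group or an elliptic-curve exchange from a vetted library.

```python
import hashlib
import secrets

# Toy group (assumption for this demo): Mersenne prime modulus, generator 3.
P = 2**521 - 1
G = 3


def keypair():
    """Pick a random private exponent x and compute the public value g^x mod p."""
    private = secrets.randbelow(P - 3) + 2        # 2 <= private <= P - 2
    return private, pow(G, private, P)


def session_key(my_private: int, their_public: int) -> bytes:
    """Combine our private value with the peer's public value, then hash the
    shared secret down to a 256-bit symmetric session key."""
    if not 1 < their_public < P - 1:              # reject degenerate values 0, 1, p-1
        raise ValueError("invalid public value")
    shared = pow(their_public, my_private, P)
    return hashlib.sha256(shared.to_bytes(66, "big")).digest()


if __name__ == "__main__":
    # Only the public values cross the wire; nothing here authenticates them,
    # which is why the exchange is paired with signatures or certificates.
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    print(session_key(a_priv, b_pub) == session_key(b_priv, a_pub))
```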
RSA provides a digital signature, key distribution, and encryption functionality based upon the difficulty of factoring large numbers into the original primes. This method uses a one-way mathematical function making it easy to carry out in one direction mathematically, but virtually impossible to carry out in the opposite or reverse direction.
El Gamal provides digital signature, encryption, and key exchange functionality based on calculating discrete logarithms in a finite field, using the Diffie-Hellman key agreement algorithm.
ECC provides digital signatures, key distribution, and encryption functionality with greater efficiency than other asymmetric algorithms, especially on devices with limited processing power such as mobile and wireless devices. ECC does not require a longer key to provide higher protection because it is based on the algebraic structure of elliptic curves over finite fields.
Symmetric keys are used for encrypting large amounts of data and asymmetric keys for encrypting smaller amounts of data, such as data the size of a key. When both methods work together, known as the hybrid approach, a sender uses a symmetric key to encrypt the data and an asymmetric key (the receiver’s public key) to encrypt the symmetric key. Both the data and the symmetric key are sent to the destination in a digital envelope. The receiver decrypts the symmetric key with the receiver’s private key and then uses the symmetric key to decrypt the data. The symmetric key is typically a symmetric session key used for one session or transmission of data. On session completion, this key is destroyed to decrease the window of time an attacker has to obtain the key for malicious purposes. Even if an attacker intercepts the encrypted session key while in transmission, the attacker will not gain access to the session key without having the receiver’s private key.
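The digital envelope described above, as an added example that is not part of the original article. To stay within the standard library it assumes a toy RSA key (Mersenne primes, no padding) for the receiver and a SHA-256 keystream as a stand-in symmetric cipher; a real implementation would use RSA-OAEP or an elliptic-curve scheme with an authenticated cipher from a vetted library. Function names are illustrative.

```python
import hashlib
import secrets

# Receiver's toy RSA key pair (assumption for this demo; not secure).
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                    # receiver's public key
D = pow(E, -1, (P - 1) * (Q - 1))      # receiver's private exponent


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in symmetric cipher: XOR the data with a SHA-256 counter keystream.
    The same call encrypts and decrypts. Safe only because each key is used once."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(plaintext: bytes):
    """Sender: a fresh session key encrypts the data, and the receiver's
    public key encrypts (wraps) the session key."""
    session_key = secrets.token_bytes(32)
    wrapped_key = pow(int.from_bytes(session_key, "big"), E, N)
    return wrapped_key, keystream_xor(session_key, plaintext)


def open_envelope(wrapped_key: int, ciphertext: bytes) -> bytes:
    """Receiver: unwrap the session key with the private key, then decrypt."""
    session_key = pow(wrapped_key, D, N).to_bytes(32, "big")
    return keystream_xor(session_key, ciphertext)


if __name__ == "__main__":
    message = b"quarterly report, 3 MB of it in real life"   # constructed sample
    envelope = seal(message)
    print(open_envelope(*envelope) == message)
```

Each call to `seal` generates a new session key, so two envelopes for the same data share neither the wrapped key nor the ciphertext.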
Excellent introductory explanation. Of course, encryption algorithms can get quite complex, and they need to be... this to prevent anyone from being able to crack the algorithm. You're looking to build algorithms that: 1) yield the expected result each and every time, reliably; and 2) have sufficient complexity that it is difficult for even an experienced hacker (or computer) to crack. An algorithm that might yield different results for the same input (or won't reveal the correct original result upon reverse encryption) will, obviously, not work. Algorithms that are easy for a computer to crack are not very effective as well. Where I see encryption as helping my clients best is when things like WPA2 with AES encryption is enabled on their WiFi Routers, or when used in file management programs like WinZip, etc. There are also products that can encrypt the hard drive on your workstation, and make it difficult for anyone to hack into the files. I recommend their use vigorously.
Great post, you made it sound so simple.
Explained very nicely and simply.