Basics of Cryptography

Encryption

Encryption is a method of transforming human readable data (plain text) into a non readable format called Cipher Text, this enables transmission and storage of data in the form that is unreadable and it remains confidential and Private.  Decryption is a method of getting Plain text back from Cipher text.

HTTPS is used over HTTP for increasing the Security in the Web Applications, it is used for for secure communication over the network.  The HTTPS makes all the web traffic encrypted or unreadable over the network, it means no one can intercept our web traffic, data while communicating over the internet.

Symmetric Encryption

There are two main components in the encryption –

ü  Algorithm – Conventionally, there algorithm is publically known and is tested by many people for security concerns. Algorithm is like a padlock.

ü  Key- Key is a secret component of a encryption, key can also be defined as password but is must be keep confidential .

The combination of key and algorithm decides how the plain text will be jumbled up.

Symmetric encryption is one of the simplest type of encryption which uses one secret key for conversion of plain text to cipher text and vice versa. Secret key can be anything numbers, strings, letters or combination of all these. One of the biggest disadvantages of symmetric encryption is that all the parties involved have to exchange the key used to encrypt the data before they can decrypt.

Some of the Examples of symmetric encryption are –

Ø  AES-128

Ø  AES-192

Ø  AES-256

Ø  RC4

Ø  DES

Ø  RC5

Ø  Blowfish

Asymmetric Encryption

In symmetric encryption all the parties involved have to exchange the key used to encrypt the data before they can decrypt, this lead to many security issues so to overcome this disadvantage of symmetric encryption, the concept of asymmetric encryption was invented.

In asymmetric encryption the two keys are used called as public keys and private keys. It is also known as public key cryptography. In asymmetric encryption different keys are used for encrypting and decrypting the plain text. In asymmetric encryption every user needs to have a pair of dissimilar keys i.e private and public keys. These two keys are mathematically related since one key is used for encryption, the other can decrypt the cipher text back to original plain text. Asymmetric encryption requires to put the public key in the public repository and private key as confidential.

When Host1 needs to send data to Host2, he/she obtains the public key of host 2 from repository, encrypts the data and transmits

Host2 uses his/her private key to extract the data

Hash Functions

In order to exchange keys with two persons in secure manner, it is needed to authenticate the person in order to securely exchange the keys. While exchanging the keys over the network, one can see or manipulate the keys using man in the middle attack. So by just seeing the public key we cannot say that this is the real public key, we first need to authenticate that key. This brings us to other cryptographic technology called as Hash Functions and digital signatures which helps in providing authentication of senders and receivers.

In the above figure we can see that there is input, Hash Function or algorithm and output (digest). Hash function takes data as input in any form such as it E-mail, word, image etc. In the above figure we have words as an input to the hash function and those inputs are converted to the group of strings and numbers generally called as Hashes or message digest. One special feature of Hashing is that Message Digest/Hashes cannot be revert back to it’s original form i.e input. This is one way hash function, no keys are required for this, only input and hashing function or algorithm are required which will give hash of fixed length depending upon the type of hash function/algorithm used. So hashing provides integrity not confidentiality, and undesirable modification to the data can be detected by using hashing.

A lot of downloading services use checksums to validate the integrity of their files. Thanks to that, you can find out if your downloaded file isn’t corrupted.

Some of the Popular Hashing Functions are –

Ø  MD5

Ø  SHA-1

Ø  SHA-2

Hashing algorithms can be pretty useful. However, IT is a really fast industry and this also extends to the hashing algorithms.
MD5, once considered really safe, now it’s completely compromised. Then there was SHA-1, it’s now unsafe. The same thing will surely happen to the SHA-2 some day.
In order to keep your security standards, you must always follow the newest technologies, especially when you use hashing algorithms for security.
 

Digital Signatures

Digital Signatures are the hash values which is fixed length result of the hash function which is encrypted with sender’s private key. Hence Hash Values encrypted with private key produces digital signatures or the signed messages. Digital signature is technically a stamp of approval, it provide guarantee of whatever is being signed. When something is digitally signed it provides authentication because it is being encrypted with private key, it also provide integrity because we are hashing. Digital Signatures are used with softwares , drivers, operating system, certificates to validate or authenticate all things and to check integrity.

Digital signature is a technique used to check the authenticity and integrity of a message, software or digital document. Digital Signature uses the concept of public key cryptography, the one who is creating digital signature uses their own private keys to encrypt the signature related data and the only way to decrypt the data is with signer’s public  key so in this way authentication is done.

Hence in Digital Signature Hashing is done for checking integrity  and private keys are used for authentication.

In the above figure the signer needs to share the data, so she first obtain the hash of the data using hash algorithm and than encrypt that hash with her private key, than shares the document over the network, than  verifier decrypt it with signer’s public key and than matches hash if hash values are equal than the signature is valid.

SSL and TLS

Secure Socket layer (SSL) and Transport layer security (TLS) uses cryptographic technology such as symmetric and asymmetric encryption, hashes, digital signatures, Message authentication code. SSL and TLS are the cryptographic protocols designed to provide the communication security over the network or internet. SSL is the older encryption protocol and TLS is the newer one. TLS maintains confidentiality, authentication and integrity . Communication with TLS is private (confedential) because the asymmetric algorithm such as AES which is used while data transmission. The keys for this asymmetric encryption are generated uniquely for each connection. The server and client negotiate the details of which encryption algorithm and cryptographic algorithm to used before the first part of data transmission. These algorithm and keys cannot be read by evasdropper even by the attacker who places himself/herself in the middle of the connection, the connection is also reliable such that no attacker can modify the connection. The identity of the communicating parties can be authenticated using public key cryptography, digital signatures and certificates.

How does SSL Certificate create secure Connection ?

When browser attempts to access a website that is secured by SSL than the web client (browser) and browser establish a SSL connection using a process called SSL Handshake. This handshake is invisible to the user and happens instantaneously

Basically Three Keys are used to setup the SSL Connection-

Ø  Public Keys

Ø  Private Keys

Ø  Session Keys

Since encryption and decryption with a private and public keys take lot of processing time and power so they are just used during the SSL handshake to create the symmetric session key. After the secure connection is made the session key is used to encrypt all the transmitted data.

STEPS –

Ø  Browser Connects to a web server (website) which is secured with SSL (HTTPS) than browser request the server identity itself

Ø  Server sends the copy of it’s SSL certificate including server’s public key

Ø  Browser checks the certificate root agains’t a list of trusted Certificate authorities and the certificate is unexpired, unrevoked and that it’s common name is valid for the website that is connecting to. If the browser trusts the certificate it creates, encrypts and sends back the symmetric session key using server’s public key

Ø  The server decrypts the symmetric session key using it’s private key and sends back an acknowledgement encrypted with the session key to start the encrypted session key.

Ø  Server and browser now encrypts all transmitted data with session key

Digital Certificates

Digital Certificate are also known as public key certificates. Digital Certificates are for sharing the public key that are used for encryption and authentication. Digital Certificate include the public key being certified, identifying information about the entity owns the public key, metadata relating to the digital certificate and digital signatures of public key created by issuer of the certificate.

As we have discussed above for making SSL connection between browser and the web server, the web server shares it’s public key with web client (web browser) than web browser creates one symmetric session key, encrypt it with web server’s public key and than sends back to the web server. Now we can see that there is one of the critical security issue is in sharing the public key, which web server sends to the browser, anyone using the man-in –the  middle attack can see or modify that public key. So we need to authenticate the public key that the public key is legitimate or not, one solution for this which is widely used on the internet is Digital Certificate which are digitally signed are symbol of trust.

Digital certificates are used by all major web browsers and web servers to provide assurance that published content has not been modified by any unauthorized actors, and to share keys for encrypting and decrypting web content. Digital certificates are also used in other contexts, both online and offline, for providing cryptographic assurance and privacy of data.

Digital Certificates are nothing but the data or some crucial information including public key. In the above figure the hash value of data/certificate is obtained using hash function than that hash value is encrypted using signers private key, this encryption of hash values using private key creates digital signatures. These digital signatures are than attached with certificate/data than they called as digitally signed data/certificate. Now for the Verification hash value of the data is obtained and the also the signature is decrypted using the signers  public key to obtain the hash values. Both the Hash values are compared to to validate the signature.

  

                                          MAYANK BARSAINYA

                         Founder, M7 Information Security Pvt. Ltd.