Cryptography is an art as well as a science that involves the process of transforming plain text into scrambled text and vice versa. The purpose of cryptography is to conceal confidential information from unauthorized entities and ensure immediate detection of any alteration made to the concealed information. Concealing the original information that is in human or machine-readable format is achieved by a method called encryption.
A plain text in the cryptographic context is information that is in a human or machine-readable format that needs protection. For example, the password that you are typing is in plain text. Similarly, documents such as business agreements, MOU, and so on are in plain text.
Scrambled text in the cryptographic context is called a cipher text. A cipher text is the scrambled version of the plain text. Cipher text is not in a human or machine-readable format.
The functions of cryptography are to keep the plain text secret by way of scrambling and detecting unauthorized changes to such information. These functions are for the purposes of confidentiality and integrity.
The process of converting plain text into scrambled (cipher) text is called encryption. The process of encryption is also called enciphering. Hence, cipher text can be called encrypted text.
The process of converting scrambled (cipher) text into plain text is called decryption. The process of decryption is also called deciphering. The output of decryption is plain text or decrypted text.
Encryption as well as decryption is based on algorithms. An algorithm, in cryptography, is a series of well-defined steps that provide the procedure for encryption/decryption. For example, if we use a scrambling method that substitutes the alphabets with the next alphabet, then we're using a type of substitution algorithm. In this type of algorithm A=B, B=C....Z=A. Hence, in this algorithm, a word such as WELCOME will be represented as XFMDPNF. As you can see, this example uses only one step, but complex algorithms use multiple steps with different mathematical formulae.
A cryptographic key is also called a Crypto variable, and it is used on the operation for encryption and decryption of a text. This is analogous to the keys that we use in household padlocks. If you observe the physical key, you can find varying slots. These are called tumblers or levers. By adjusting the levers, different types of key combinations are obtained. Similarly, in cryptography, we use an electronic key (cryptographic key) to lock or unlock a plain text, document, or any electronic data.
A cryptographic method is a way of doing encryption and decryption in a systematic way. The following diagram illustrates a cryptographic method:
In the preceding process, message (M) from the sender is encrypted and results in the cipher text (C). A cryptographic key (K) is used in the encryption process. When cipher text is decrypted, it results in the original message. The same key (K) that was used for encrypting is required for decrypting (D) the cipher text. This process is represented as EK(M)=C and DK (C)=M, where E is encryption, K is for key, M is for message, C is for a cipher text, and D is for decryption.
Cryptography is based on algorithms and the keys that operate on them. Types of encryption or decryption are based on the combination of these two factors (algorithms and keys). There are two types of encryption predominantly used in government agencies as well as corporations. Either there is a single key or there are two keys:
- If only one key is used, then it is called symmetric key encryption
- If two keys are used, then it is called asymmetric key encryption
In symmetric key encryption, only one key is used. The name symmetric implies that the key used for encryption as well as for decryption is the same. This type of encryption is also called Secret Key Cryptography (SKC).
Based on the algorithm used, this symmetric key encryption can be categorized into two types:
- Stream cipher: When the key stream algorithm operates on a single bit, byte, or a computer word such that the information is changed constantly, then it is called a stream cipher. For example, in a stream cipher, if we want to encrypt a word such as
WELCOME, then each of the alphabets in the word will be encrypted using the algorithm. The Caesar shift3 algorithm is a stream cipher. - Block cipher: If the algorithm operates on a block of text (as opposed to a single bit or byte), then it is known as a block cipher. In this case, the algorithm will encrypt the entire word.
The following are some of the examples of algorithms that are commonly used in the industry.
The examples of stream cipher is given here:
- The Rivest Cipher (RC4) algorithm uses about 40 to 256 bits and the key sizes are different. It is considered good for speed and is to be used in less-complex hardware. Some of the examples where RC4 is used are in protocols such as Secure Sockets Layer (SSL) and Wireless Equivalent Privacy (WEP).
The examples of block cipher are given here:
- Data Encryption Standard (DES) is a block cipher that uses up to 56-bit keys and operates on 64-bit blocks. It was designed by International Business Machines (IBM) and adopted by the National Institute of Standards and Technology (NIST).
- Triple-DES (3DES), as the name implies, uses three 56-bit keys that pass over the blocks three times.
- Advanced Encryption Standard (AES) is a 128-bit block cipher that employs 128, 192, or 256 bit keys. This is based on the NIST specifications and is the official successor to DES.
- Blowfish is an algorithm that uses variable key lengths of 32 to 448 bits that work on 64-bit blocks.
- Twofish is a block cipher that uses 128, 192, or 256-bit keys on 128-bit blocks. And is considered to be more secure.
- International Data Encryption Algorithm (IDEA) is a block cipher that uses 128-bit keys on 64-bit blocks.
The following are the different operational modes of block ciphers:
- When a cipher text block is formed by the application of a secret key to encrypt the plain text block, it is called Electronic Code Book (ECB).
- When plain text is eXlusively-ORed (XORed) with the previous block of cipher text then the mode is called Cipher Block Chaining (CBC).
- Cipher FeedBack (CFB) is a mode that allows encrypted data units to be smaller than the block unit size.
- Output FeedBack (OFB) uses an internal feedback mechanism such that the same plain text block cannot create the same cipher text block.
- Initialization vectors are a block of bits that allow either a stream cipher or a block cipher to execute on any of the previous modes. It is usually a random number that is applied to ensure that the cipher text is different when the same message is encrypted twice.
In this type, there are two keys. The name asymmetric implies that the keys are not the same. This type of encryption is also called Public Key Cryptography (PKC):
The two keys that are used in this type are called the private key and the public key. They are used in combination to encrypt and decrypt the message or text.
The following are important concepts in public key cryptography:
- There are two keys (private and public).
- The private key is kept secret.
- The public key is widely distributed.
- An entity's (a person or a software application) private and public keys are related by way of a mathematical algorithm.
- It is not possible to derive the private key from the public key.
- The body of the message is encrypted using the recipient's public key. Hence, only the recipient's private key can be used to decrypt the message. This ensures the confidentiality of the message. For example, if Bob wants to send a document to Alice and he does not want anyone to else be able to read this document, then Bob will encrypt the document using Alice's public key. Then, only Alice can open the document using her private key.
Digital signature is a type of public key cryptography where the message is digitally signed using the sender's private key. Digitally signing means encrypting the hash value. This can be verified using sender's public key. This is to verify the authenticity of the sender. For example, Bob will digitally sign the message that he is sending to Alice using his private key. Alice can verify the authenticity using Bob's public key.
One of the most important applications of public key cryptography is to ensure non-repudiation. Non-repudiation is a method by which the sender of the message can deny their actions.
The following are examples of algorithms that are commonly used in the industry:
- Rivest, Shamir, and Adleman (RSA) is an asymmetric key encryption algorithm named after its inventors. It uses a variable size encryption block as well as a variable size key. The algorithm uses a product of two large prime numbers to derive the key pairs.
- Diffie-Hellman method is used primarily for private-key exchange over an insecure medium.
- ElGamel is similar to Diffie-Hellman and is used for exchanging keys.
- Elliptic Curve Cryptography (ECC) is an algorithm that generates keys from elliptical curves.
- Digital Signature Algorithm (DSA) is specified by NIST under Digital Signature Standard (DSS). This algorithm is primarily used for authentication purposes in digital signatures.
Hashing or hash functions are a type of encryption where a key is not used. Instead, a hash value is computed based on the contents of the message. The computed value is called a checksum. The purpose of hashing is to provide integrity checking to the plain or encrypted text.
The following are some of examples of algorithms that are commonly used in the industry:
- Message Digest Algorithm (MD) are series of hashing algorithms that produce 128-bit hash values from an arbitrary length message.
- Secure Hash Algorithm (SHA) is based on NIST's Secure Hash Standard (SHS), which can produce hash values that are 224, 256, 384, or 512 bits in length.
In cryptography, the length of keys is not the only factor that indicates its strength or security. While short key means less secure, the same is not true for the reverse; that is, longer keys do not automatically translate into stronger security. The security of an encryption lies in the quality of the encryption algorithm and the entropy of the key.
The entropy of a key in cryptography means the uncertain portions of key combinations. In other words, entropy is related to the randomness of the key combinations. Hence, a 128-bit key may not have 128-bits of entropy. The more the entropy, the stronger the key and it requires more time and computing power to try the combinations.
The following table summarizes the cryptographic algorithms, their key lengths, and other important details pertaining to the encryption types:
|
Encryption type |
Algorithm |
Key length |
Application(s) |
|
Symmetric key encryption |
RC4 |
40 to 256 bits |
Secure Sockets Layer (SSL) Wireless Encryption Privacy (WEP) |
|
Data Encryption Standard (DES) |
Uses up to 56-bit keys and operates on 64 bit blocks |
Secure Electronic Transaction (SET) Secure Sockets Layer (SSL) Transport Layer Security (TLS) | |
|
Triple-DES (3DES) |
Three 56-bit keys |
Secure Electronic Transaction (SET) Secure Sockets Layer (SSL) Transport Layer Security (TLS) | |
|
Advanced Encryption Standard (AES) |
128, 192 or 256 bit keys |
Secure Electronic Transaction (SET) Secure Sockets Layer (SSL) Transport Layer Security (TLS) | |
|
Blowfish |
32 to 448 bits that work on 64 bit blocks |
Communication links Embedded file encryption | |
|
Twofish |
128, 192 or 256-bit keys on 128-bit blocks |
Communication links Embedded file encryption | |
|
International Data Encryption Algorithm (IDEA |
128-bit keys on 64-bit blocks |
Pretty Good Privacy (PGP) | |
|
Asymmetric key encryption |
Rivest, Shamir, Adleman (RSA) |
Variable key length |
Communication links Embedded file encryption |
|
Diffie-Hellman |
Variable key length |
Communication links Embedded file encryption | |
|
ElGamel |
Variable key length |
Secure Sockets layer (SSL) | |
|
Elliptic Curve Cryptography (ECC) |
Variable key length |
Public Key Cryptography Smart cards | |
|
Digital signature Algorithm (DSA) |
Variable key length |
Digital Signatures | |
|
Hashing |
Message Digest Algorithm (MD) |
Key not used. 128-bit hash value |
For checking integrity of files such as MD5 hash SSL, TLS, IPSec |
|
Secure hash Algorithm (SHA) |
Key not used. 224, 256, 384 or 512 bit hash value |
SSL, TLS, IPSec |