Encryption and Decryption Mechanisms (15)

Encryption is the process of transforming information so that it is readable only by the intended receivers and incomprehensible to everyone else. The original content can be recovered only after the correct key is used to decrypt the information. Encryption protects data from being obtained and read by unauthorized users, and it prevents private information from being read or stolen when it is intercepted on a network. Encryption, together with the mechanisms built on it that are described below, provides the confidentiality, integrity, authenticity, and non-repudiation of information.

Confidentiality: implemented through data encryption. Only authorized users can access and read the information; to unauthorized users it is incomprehensible. This is the main objective of encryption. It is achieved mathematically: only the intended receivers, who hold the right key, can reverse the transformation and read the data.

Integrity: implemented through data encryption, a hash algorithm, or a digital signature. It ensures that data is not changed (tampered with, deleted, added to, or replayed) by unauthorized users during storage and transmission. For users who require high-level security, data encryption alone is not enough, because encrypted data can still be cracked or changed by unauthorized users.

Authenticity: implemented through data encryption, a hash algorithm, or a digital signature. It provides services for authenticating the sender and the receiver of the data.

Non-repudiation: implemented through symmetric or asymmetric encryption and digital signatures, with the help of trusted registration or certification organizations. It prevents users from denying what they have said or done.

As a method of information security protection, cryptography is not a modern invention. It dates back to a time long ago, when people first tried to communicate while keeping their correspondence confidential. The ancient Greeks may have been the first to use techniques for encrypting information, which they did before the 5th century B.C. They used a rod called a scytale, with a strip of parchment wrapped around it, on which a message was written. The parchment was then sent to the receiver. Anyone who did not know the diameter of the rod, which served as the key in this case, could not understand the message written on it.

In about 50 B.C., the Roman emperor Caesar devised a method for encrypting information in times of war, which was later called the Caesar cipher. The principle is that each letter of the plaintext is replaced by the letter three places further along the alphabet, wrapping around so that the last three letters of the alphabet are replaced by the first three. For example, after encryption, HuaweiSymantec becomes KxdzhlvBPdqwhf.

More recent encryption technologies were mainly used for military purposes, for example in the US War of Independence, the US Civil War, and the two World Wars. During the War of Independence, the rail fence cipher was used. In this method, the plaintext is written downwards and diagonally on successive "rails" of an imaginary fence, moving up again when the bottom rail is reached; when the top rail is reached, the message is written downwards again, until the whole plaintext has been written out. The ciphertext is then read off rail by rail, and the number of rails is the key.
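Both historical ciphers above, as an added example that is not part of the original course material: a Caesar shift that keeps each letter's own case (so HuaweiSymantec encrypts to KxdzhlVbpdqwhf, with each letter's case preserved), and the rail fence transposition together with its decryption, which the text does not spell out. The number of rails is the rail fence key; the sample strings used for checking are constructed.

```python
def caesar(text: str, shift: int = 3) -> str:
    """Caesar cipher: move each ASCII letter `shift` places along the alphabet,
    wrapping around at the end. Letters keep their own case; everything else is
    copied unchanged. Decrypt by calling with the negated shift."""
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def _rail_pattern(length: int, rails: int):
    """Yield the rail index of each character position, zigzagging down and up."""
    rail, step = 0, 1
    for _ in range(length):
        yield rail
        if rails > 1:
            if rail == 0:
                step = 1
            elif rail == rails - 1:
                step = -1
            rail += step


def rail_fence_encrypt(plaintext: str, rails: int = 3) -> str:
    """Write the plaintext along the zigzag, then read it off rail by rail."""
    rows = [[] for _ in range(rails)]
    for ch, r in zip(plaintext, _rail_pattern(len(plaintext), rails)):
        rows[r].append(ch)
    return "".join("".join(row) for row in rows)


def rail_fence_decrypt(ciphertext: str, rails: int = 3) -> str:
    """Rebuild the zigzag: work out how many characters each rail holds, cut the
    ciphertext into rails, then read the characters back in zigzag order."""
    pattern = list(_rail_pattern(len(ciphertext), rails))
    counts = [pattern.count(r) for r in range(rails)]
    rows, pos = [], 0
    for count in counts:
        rows.append(list(ciphertext[pos:pos + count]))
        pos += count
    return "".join(rows[r].pop(0) for r in pattern)
```

Both ciphers have tiny key spaces (25 shifts; a handful of plausible rail counts), which is why they appear here as history rather than as protection.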

During World War I, Germany wrote codes based on a dictionary. For example, 10-4-2 meant the 2nd word of the 4th paragraph on the 10th page of an agreed dictionary. In World War II, the best-known cipher machine was the Enigma machine used by Germany to encrypt information.

Symmetric encryption is also called traditional cryptography, secret key cryptography, or one-key cryptography. The encryption key can be calculated from the decryption key and vice versa; the sender and receiver share the same key, which is used for both encryption and decryption. Symmetric encryption is an efficient method for encrypting a large amount of data. There are many symmetric key algorithms, and they all have one purpose: to transform plaintext (unencrypted data) into ciphertext in a reversible way. Because the same key is used for encryption and decryption, the security of a symmetric algorithm depends on keeping that key out of the hands of unauthorized users. Note that two parties who want to communicate using symmetric encryption must exchange the key securely before they exchange encrypted data.

Asymmetric encryption, also called public key encryption, is a form of encryption that uses a public key and a private key that are mathematically related. The public key can be transferred openly between the two parties or published in a public database. The private key, however, is kept confidential. Data encrypted with the public key can be decrypted only with the private key, and data encrypted with the private key can be decrypted only with the public key.

Users A and B negotiate a symmetric key in advance. The encryption and decryption process is as follows:
  • User A uses the symmetric key to encrypt data and sends the encrypted data to user B.
  • After receiving the encrypted data, user B decrypts the data using the symmetric key and obtains the original plaintext.

User A obtains the public key of user B in advance. The encryption and decryption process is as follows:
  • User A uses user B's public key to encrypt data and sends the encrypted data to user B.
  • After receiving the encrypted data, user B decrypts the data using their own private key and obtains the original plaintext.

Symmetric key cryptography features high efficiency, simple algorithms, and low system overhead, so it is suitable for encrypting a large volume of data. However, it is difficult to deploy, because the two parties must exchange their key securely before communicating. It also scales poorly, because every pair of communicating parties needs its own negotiated key: n users need n*(n-1)/2 different keys.

With public key cryptography, an attacker cannot derive one key of a key pair from the other. Data encrypted with a public key can be decrypted only with the matching private key of the same user. However, public key cryptography takes a long time to encrypt a large amount of data, and the encrypted packets are large, consuming much bandwidth.

Public key cryptography is therefore suitable for encrypting small but sensitive items such as keys and identities, where higher security is required.

A digital envelope contains the symmetric key encrypted with the peer's public key. On receiving a digital envelope, the receiver uses its own private key to decrypt the envelope and obtains the symmetric key.

Assume that user A has the public key of user B. The encryption and decryption process is as follows:
  • User A uses a symmetric key to encrypt data.
  • User A uses the public key of user B to encrypt the symmetric key and generate a digital envelope.
  • User A sends the digital envelope and encrypted data to user B.
  • User B uses its own private key to decrypt the digital envelope and obtains the symmetric key.
  • User B uses the symmetric key to decrypt the data and obtains the original data.

The digital envelope combines the advantages of symmetric key cryptography and public key cryptography: it speeds up key distribution and encryption while improving key security, extensibility, and efficiency.

However, the digital envelope alone still has a vulnerability: it does not authenticate the sender. An attacker may obtain information from user A, encrypt forged information with the attacker's own symmetric key, encrypt that symmetric key with user B's public key, and send the result to user B. User B decrypts it successfully and believes the information came from user A. To address this problem, the digital signature is used, which ensures that the received information was sent by the correct sender.

A digital signature is generated by the sender by encrypting the digital fingerprint with its own private key. The receiver uses the sender's public key to decrypt the digital signature and recover the digital fingerprint.

A digital fingerprint, also called a message digest, is generated by the sender by applying a hash algorithm to the plaintext. The sender sends both the digital fingerprint and the plaintext to the receiver, who applies the same hash algorithm to the received plaintext. If the two fingerprints are the same, the receiver knows that the information has not been tampered with.

Assume that user A has the public key of user B, and user B has the public key of user A. The encryption and decryption process is as follows:
  • User A uses the public key of user B to encrypt data.
  • User A performs hash on the plaintext and generates a digital fingerprint.
  • User A uses its own private key to encrypt the digital fingerprint, generating the digital signature.
  • User A sends both the ciphertext and digital signature to user B.
  • User B uses the public key of user A to decrypt the digital signature, obtaining the digital fingerprint.
  • After receiving the ciphertext from user A, user B uses its own private key to decrypt the information, obtaining the plaintext information.
  • User B performs hash on the plaintext and generates a digital fingerprint.
  • User B compares the generated fingerprint with the received one. If the two fingerprints are the same, user B accepts the plaintext; otherwise, user B discards it.

The digital signature proves that information is not tampered with and verifies the sender's identity. The digital signature and digital envelope can be used together.

However, the digital signature still has a vulnerability: it relies on each party holding the genuine public key of the other. If the attacker replaces user B's public key with its own and user A obtains the replaced key, the attacker can intercept information sent from user B to user A, sign forged information with its own private key, encrypt it with user A's public key, and send it to user A. User A decrypts the information, finds that the signature verifies, and believes the information was sent by user B. The digital certificate fixes this vulnerability.

According to the object being encrypted, there are two main types of symmetric cryptography algorithms:

Stream algorithms
A stream algorithm takes input elements continuously and produces one output element at a time. A typical stream algorithm encrypts one byte of plaintext at a time: the key is fed into a pseudo-random byte generator, which produces an apparently random byte stream called the key stream, and each plaintext byte is combined with the corresponding key stream byte. Stream algorithms are generally used for data communication channels, browsers, or network links.
Common stream algorithms: RC4 is a stream algorithm designed by Ron Rivest for RSA Security in 1987. It takes a key of variable size, and its byte-oriented operations encrypt information in real time. It runs around 10 times faster than DES.

Block algorithms
A block algorithm takes plaintext blocks and the key as input. In a typical design, each plaintext block is split into two halves that are processed for n rounds and then combined into a ciphertext block; the input of each round is the output of the preceding round, and each round uses a subkey derived from the key. The typical block size is 64 bits.
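A toy Feistel network, added here as an illustration of the round structure just described (not code from the course or from any standard cipher): the 64-bit block is split into two 32-bit halves, each round uses a subkey derived from the key, and decryption runs the same rounds with the subkeys in reverse order. The round function and key schedule are built from SHA-256 for readability, which is an assumption of this example, not how DES or IDEA define them. Blocks are processed independently (ECB mode), and `ecb_repeats` shows why that leaks patterns in the plaintext.

```python
import hashlib

HALF_MASK = (1 << 32) - 1   # each half of a 64-bit block is 32 bits


def derive_subkeys(key: bytes, rounds: int = 16):
    """Toy key schedule: one 32-bit subkey per round, derived from the master key."""
    return [int.from_bytes(hashlib.sha256(key + bytes([r])).digest()[:4], "big")
            for r in range(rounds)]


def round_function(half: int, subkey: int) -> int:
    """Toy round function F(R, K): keyed hash of the right half, truncated to 32 bits."""
    data = half.to_bytes(4, "big") + subkey.to_bytes(4, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")


def feistel_encrypt_block(block: int, subkeys) -> int:
    """Split the block, run one round per subkey (each round's input is the previous
    round's output), then recombine with the final swap undone."""
    left, right = block >> 32, block & HALF_MASK
    for k in subkeys:
        left, right = right, left ^ round_function(right, k)
    return (right << 32) | left


def feistel_decrypt_block(block: int, subkeys) -> int:
    """Decryption is the same network with the subkeys applied in reverse order."""
    return feistel_encrypt_block(block, list(reversed(subkeys)))


def encrypt_bytes(key: bytes, data: bytes, rounds: int = 16) -> bytes:
    """Pad to a multiple of 8 bytes (PKCS#7 style) and encrypt block by block (ECB)."""
    pad = 8 - len(data) % 8
    data += bytes([pad]) * pad
    subkeys = derive_subkeys(key, rounds)
    out = bytearray()
    for i in range(0, len(data), 8):
        block = int.from_bytes(data[i:i + 8], "big")
        out += feistel_encrypt_block(block, subkeys).to_bytes(8, "big")
    return bytes(out)


def decrypt_bytes(key: bytes, data: bytes, rounds: int = 16) -> bytes:
    """Decrypt block by block and strip the padding."""
    subkeys = derive_subkeys(key, rounds)
    out = bytearray()
    for i in range(0, len(data), 8):
        block = int.from_bytes(data[i:i + 8], "big")
        out += feistel_decrypt_block(block, subkeys).to_bytes(8, "big")
    return bytes(out[:-out[-1]])


def ecb_repeats(key: bytes, data: bytes) -> int:
    """Number of repeated ciphertext blocks: under ECB, equal plaintext blocks give
    equal ciphertext blocks, so structure in the data stays visible."""
    ct = encrypt_bytes(key, data)
    blocks = [ct[i:i + 8] for i in range(0, len(ct), 8)]
    return len(blocks) - len(set(blocks))
```

The two properties worth noticing are that the network is invertible whatever the round function is (the XOR undoes itself), and that the mode of operation, not the block algorithm, decides whether repeated plaintext blocks are hidden.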

Block algorithms include the following:
Data Encryption Standard (DES): DES was developed by the National Institute of Standards and Technology (NIST). It was the first widely used cryptographic algorithm that uses the same key for encryption and decryption. DES is a block algorithm: a 64-bit plaintext block and a 56-bit key are input to produce a 64-bit ciphertext block. Because the key space is only 56 bits, DES no longer delivers sufficient security; in response, the 3DES algorithm was proposed.

Triple DES (3DES): The 3DES algorithm uses a 128-bit key. Data is first encrypted with one 56-bit key, then processed by DES again with a second 56-bit key, and finally encrypted again with the first 56-bit key. In this way, 3DES makes use of a valid 128-bit key. The greatest advantage of 3DES is that existing DES software and hardware can be reused, so it is easy to implement on top of DES.

Advanced Encryption Standard (AES): The AES algorithm uses a 128-bit block and supports 128-bit, 192-bit, and 256-bit keys. It can also be used on many different platforms. A 128-bit key provides sufficient security and takes less processing time than the longer keys. To date, no serious weakness in AES has been found. DES is still in use because a large number of fast DES chips have been produced, but AES will gradually replace DES and 3DES to improve both security and efficiency.

International Data Encryption Algorithm (IDEA): IDEA is a symmetric block cipher in which a 64-bit plaintext block and a 128-bit key are input to produce a 64-bit ciphertext block. IDEA is widely used; for example, SSL includes IDEA in its cryptographic algorithm library.

RC2, designed by Ron Rivest for RSA Security, is a cryptographic algorithm with a key of variable size. It is a block cipher, which means that data is encrypted in 64-bit blocks. It can use keys of widely differing sizes, from zero upwards, and the encryption speed depends on the key size.

RC5 is a newer block cipher designed by Rivest for RSA Security in 1994. Like RC2, RC5 is a block cipher, but it uses different block and key sizes and runs a different number of rounds. The block size, key size, and number of rounds are all variable; the suggested configuration is a 128-bit key with 12 to 16 rounds.

RC6, unlike the other algorithms above, covers a whole family of algorithms. RC6 was introduced in 1998 as the successor to RC5, after RC5 was found to have a theoretical weakness in its encryption for a particular number of rounds; RC6 was designed to address this weakness.

State-approved algorithms are commercial block algorithms published by China's National Password Administration. Their block length and key length are both 128 bits. SM1 and SM4 can meet high security requirements.

Of these, DES, 3DES, and AES are the most commonly used.

The algorithms commonly used in public key cryptography include Diffie-Hellman (DH), Rivest-Shamir-Adleman (RSA), and the Digital Signature Algorithm (DSA).

The DH algorithm is usually used by two communicating parties to negotiate a symmetric encryption key (the same key being used for encryption and decryption). In essence, the two parties share some public parameters and each generates a key from them; by mathematical principle the two keys are identical. The key itself is never transmitted over the link; only the exchanged parameters are.
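The DH negotiation described above, as an added example that is not part of the course material: each party picks a private exponent, publishes g^x mod p, and derives the same 256-bit symmetric key from the peer's public value. The group is an assumption of this example: p = 2**521 - 1 is a known Mersenne prime but not a standardized DH group, and the generator was chosen arbitrarily; deployments use the groups from RFC 3526 or RFC 7919, or elliptic-curve DH. `negotiate` returns both parties' keys together with the only values that actually cross the link.

```python
import hashlib
import secrets

# Teaching group only (assumption of this example, see the lead-in above).
P = 2**521 - 1
G = 5


def dh_generate(p: int = P, g: int = G):
    """One party's key pair: a random private exponent and the public value g^x mod p."""
    private = 2 + secrets.randbelow(p - 3)
    return private, pow(g, private, p)


def validate_public(peer_public: int, p: int = P) -> bool:
    """Reject degenerate public values (0, 1, p-1) that would force a trivial shared secret."""
    return 1 < peer_public < p - 1


def dh_shared_key(own_private: int, peer_public: int, p: int = P) -> bytes:
    """Shared secret g^(ab) mod p, hashed with SHA-256 into a symmetric key."""
    if not validate_public(peer_public, p):
        raise ValueError("degenerate peer public value")
    shared = pow(peer_public, own_private, p)
    return hashlib.sha256(shared.to_bytes((p.bit_length() + 7) // 8, "big")).digest()


def negotiate():
    """Both parties' view of one exchange. Only the entries in `on_the_wire` cross the
    link; the private exponents and the derived key never do."""
    a_priv, a_pub = dh_generate()
    b_priv, b_pub = dh_generate()
    on_the_wire = {"p": P, "g": G, "A": a_pub, "B": b_pub}
    key_a = dh_shared_key(a_priv, b_pub)   # A computes B^a = g^(ab)
    key_b = dh_shared_key(b_priv, a_pub)   # B computes A^b = g^(ab)
    return key_a, key_b, on_the_wire
```

Note that nothing in the exchange tells A who B is; the same lack of authentication that affects the digital envelope applies here, which is why DH is combined with signatures or certificates in real protocols.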

The RSA algorithm is named after Ron Rivest, Adi Shamir, and Leonard Adleman, who jointly developed it at the Massachusetts Institute of Technology (MIT) in 1977. RSA is currently the most influential public key cryptography algorithm. It resists all known cryptographic attacks and has been recommended by ISO as the public key data encryption standard. It was also the first algorithm that can be used for both encryption and digital signatures.

DSA is a variant of the Schnorr and ElGamal signature algorithms and was adopted by NIST as the Digital Signature Standard (DSS). It plays an important role in ensuring data integrity, privacy, and non-repudiation. DSA is based on the discrete logarithm problem in a finite field and delivers the same level of security as RSA. For DSA signing and authentication, the sender signs the file or message with his or her own private key; after receiving the message, the receiver uses the sender's public key to verify the authenticity of the signature. DSA is a signature algorithm only: unlike RSA, it cannot be used for encryption, decryption, or key exchange. It is used only for signatures, and in that role it is much faster than RSA.

Commonly used public key cryptography algorithms therefore include Diffie-Hellman (DH), Rivest-Shamir-Adleman (RSA), and the Digital Signature Algorithm (DSA).

The Message Digest Algorithm 5 (MD5) is a hash function used in a variety of security applications to check message integrity. It maps input data of any length to a fixed-length value, so it can "compress" a large volume of information into a short digest before that digest is signed by the digital signature software with the private key. In addition to digital signatures, it is also used for secure access authentication.

The secure hash algorithm (SHA) is the hash function used with the digital signature algorithm defined in the Digital Signature Standard.
  • SHA-1: SHA was developed by NIST. SHA-1 is a revision of SHA and was published in 1994. Defined in RFC 2404, SHA-1 generates 160-bit message digests. SHA-1 is slower but more secure than MD5: it generates a longer signature, resists key cracking, and discovers the shared key efficiently.
  • SHA-2: SHA-2 is a more advanced version of SHA-1. SHA-2 produces a longer digest than SHA-1 and is therefore more secure. SHA-2 includes SHA-256, SHA-384, and SHA-512, which produce 256-bit, 384-bit, and 512-bit digests respectively.

SM3 is a commercial hash algorithm published by China's National Password Administration. It is used to generate and verify digital signatures, to generate and verify message authentication codes, and to generate random numbers. It meets the security requirements of many cryptographic applications.

Each of these algorithms has its own strengths and weaknesses. MD5 is faster than SHA-1 but less secure. SHA-2 and SM3 produce longer digests than SHA-1, making them harder to crack and therefore more secure.
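The hash functions compared above, as an added example that is not part of the course material. It uses Python's `hashlib` and `hmac` (SHA family only; SM3 is not in the standard library) to show three things a practitioner would want to check: the digest lengths the text quotes, the avalanche effect that makes a digest useful as a fingerprint, and why a bare fingerprint sent next to the plaintext, as in the integrity check earlier in this section, is not enough on its own: whoever alters the message can recompute the unkeyed digest, whereas a keyed message authentication code (the MAC use mentioned for SM3) cannot be recomputed without the shared key. The sample message and key are constructed.

```python
import hashlib
import hmac


def fingerprint(data: bytes, algorithm: str = "sha256") -> bytes:
    """Digital fingerprint (message digest) of the data."""
    return hashlib.new(algorithm, data).digest()


def digest_bits(algorithm: str) -> int:
    """Digest length in bits: sha1 -> 160, sha256 -> 256, sha384 -> 384, sha512 -> 512."""
    return hashlib.new(algorithm).digest_size * 8


def verify_fingerprint(data: bytes, received: bytes, algorithm: str = "sha256") -> bool:
    """Receiver side of the integrity check: recompute and compare in constant time."""
    return hmac.compare_digest(fingerprint(data, algorithm), received)


def mac(key: bytes, data: bytes) -> bytes:
    """Keyed message authentication code (HMAC-SHA256)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def verify_mac(key: bytes, data: bytes, received: bytes) -> bool:
    """Recompute the MAC with the shared key and compare in constant time."""
    return hmac.compare_digest(mac(key, data), received)


def avalanche_bits(data: bytes, algorithm: str = "sha256") -> int:
    """How many digest bits change when a single input bit is flipped
    (about half of them for a good hash function)."""
    flipped = bytes([data[0] ^ 0x01]) + data[1:]
    a = int.from_bytes(fingerprint(data, algorithm), "big")
    b = int.from_bytes(fingerprint(flipped, algorithm), "big")
    return bin(a ^ b).count("1")


def tamper_demo(message: bytes, shared_key: bytes) -> dict:
    """An altered message with a recomputed unkeyed fingerprint passes the plain
    fingerprint check; the original MAC no longer matches the altered message."""
    forged = message.replace(b"100", b"900")
    return {
        "fingerprint_accepts_forgery": verify_fingerprint(forged, fingerprint(forged)),
        "mac_rejects_forgery": not verify_mac(shared_key, forged, mac(shared_key, message)),
    }
```

`hmac.compare_digest` is used for both comparisons so that the time taken does not depend on how many leading bytes match.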

Ref : [1]