Understanding Data Confidentiality In Cyber Security
There are two classes of encryption used to provide data confidentiality: asymmetric and symmetric. These two classes differ in how they use keys. This article covers what you need to know about data confidentiality in cyber security.
Symmetric encryption algorithms such as Data Encryption Standard (DES), 3DES, and Advanced Encryption Standard (AES) are based on the premise that each communicating party knows the pre-shared key. Data confidentiality can also be ensured using asymmetric algorithms, including Rivest, Shamir, and Adleman (RSA) and the public key infrastructure (PKI).
Note: DES is a legacy algorithm and should not be used. 3DES should be avoided if possible.
The figure highlights some differences between symmetric and asymmetric encryption.
Characteristics of symmetric encryption include:
- Uses the same key to encrypt and decrypt data
- Key lengths are short (40 bits – 256 bits)
- Faster than asymmetric encryption
- Commonly used for encrypting bulk data, such as in VPN traffic
Characteristics of asymmetric encryption include:
- Uses different keys to encrypt and decrypt data
- Key lengths are long (512 bits – 4096 bits)
- Computationally taxing and therefore slower than symmetric encryption
- Commonly used for quick data transactions, such as HTTPS when accessing your bank data
Symmetric algorithms use the same pre-shared key to encrypt and decrypt data. A pre-shared key, also called a secret key, is known by the sender and receiver before any encrypted communications can take place.
To help illustrate how symmetric encryption works, consider an example where Alice and Bob live in different locations and want to exchange secret messages with one another through the mail system. In this example, Alice wants to send a secret message to Bob.
In the figure, Alice and Bob have identical keys to a single padlock. These keys were exchanged prior to sending any secret messages. Alice writes a secret message and puts it in a small box that she locks using the padlock with her key. She mails the box to Bob. The message is safely locked inside the box as the box makes its way through the post office system. When Bob receives the box, he uses his key to unlock the padlock and retrieve the message. Bob can use the same box and padlock to send a secret reply back to Alice.
The figure shows the symmetric encryption analogy described in the text.
Symmetric Encryption Example
Today, symmetric encryption algorithms are commonly used with VPN traffic. This is because symmetric algorithms use fewer CPU resources than asymmetric encryption algorithms, which allows data to be encrypted and decrypted quickly when using a VPN. When using symmetric encryption algorithms, like any other type of encryption, the longer the key, the longer it will take for someone to discover the key. Most encryption keys are between 112 and 256 bits. To ensure that the encryption is safe, a minimum key length of 128 bits should be used. Use a longer key for more secure communications.
Symmetric encryption algorithms are sometimes classified as either a block cipher or a stream cipher.
Block ciphers transform a fixed-length block of plaintext into a common block of ciphertext of 64 or 128 bits. Common block ciphers include DES with 64-bit block size and AES with a 128-bit block size.
Well-known symmetric encryption algorithms are described in the table.
| Symmetric Encryption Algorithms | Description |
|---|---|
| Data Encryption Standard (DES) | This is a legacy symmetric encryption algorithm. It uses a short key length that makes it insecure for most current uses. |
| 3DES (Triple DES) | This is the replacement for DES and repeats the DES algorithm process three times. It should be avoided if possible as it is scheduled to be retired in 2023. If implemented, use very short key lifetimes. |
| Advanced Encryption Standard (AES) | AES is a popular and recommended symmetric encryption algorithm. It offers combinations of 128-, 192-, or 256-bit keys to encrypt 128, 192, or 256 bit-long data blocks. |
| Software-Optimized Encryption Algorithm (SEAL) | SEAL is a faster alternative symmetric encryption algorithm to AES. SEAL is a stream cipher that uses a 160-bit encryption key and has a lower impact on the CPU compared to other software-based algorithms. |
| Rivest ciphers (RC) series algorithms | This algorithm was developed by Ron Rivest. Several variations have been developed, but RC4 was the most prevalent in use. RC4 is a stream cipher that was used to secure web traffic. It has been found to have multiple vulnerabilities which have made it insecure. RC4 should not be used. |
Asymmetric algorithms, also called public-key algorithms, are designed so that the key that is used for encryption is different from the key that is used for decryption, as shown in the figure. The decryption key cannot, in any reasonable amount of time, be calculated from the encryption key and vice versa.
The figure shows an example of asymmetric encryption where the encryption key is different from the decryption key.
Asymmetric Encryption Example
Asymmetric algorithms use a public key and a private key. Both keys are capable of the encryption process, but the complementary paired key is required for decryption. The process is also reversible. Data that is encrypted with the public key requires the private key to decrypt. Asymmetric algorithms achieve confidentiality and authenticity by using this process.
Because neither party has a shared secret, very long key lengths must be used. Asymmetric encryption can use key lengths from 512 to 4,096 bits. Key lengths greater than or equal to 2,048 bits can be trusted, while key lengths of 1,024 or shorter are considered insufficient.
Examples of protocols that use asymmetric key algorithms include:
- Internet Key Exchange (IKE) – This is a fundamental component of IPsec VPNs.
- Secure Socket Layer (SSL) – This is now implemented as IETF standard Transport Layer Security (TLS).
- Secure Shell (SSH) – This protocol provides a secure remote access connection to network devices.
- Pretty Good Privacy (PGP) – This computer program provides cryptographic privacy and authentication. It is often used to increase the security of email communications.
Asymmetric algorithms are substantially slower than symmetric algorithms. Their design is based on computational problems, such as factoring extremely large numbers or computing discrete logarithms of extremely large numbers.
Because they are slow, asymmetric algorithms are typically used in low-volume cryptographic mechanisms, such as digital signatures and key exchange. However, the key management of asymmetric algorithms tends to be simpler than symmetric algorithms, because usually one of the two encryption or decryption keys can be made public.
Common examples of asymmetric encryption algorithms are described in the table.
| Asymmetric Encryption Algorithm | Key Length | Description |
|---|---|---|
| Diffie-Hellman (DH) | 512, 1024, 2048, 3072, 4096 | The Diffie-Hellman algorithm allows two parties to agree on a key that they can use to encrypt messages they want to send to each other. The security of this algorithm depends on the assumption that it is easy to raise a number to a certain power, but difficult to compute which power was used given the number and the outcome. |
| Digital Signature Standard (DSS) and Digital Signature Algorithm (DSA) | 512 – 1024 | DSS specifies DSA as the algorithm for digital signatures. DSA is a public key algorithm based on the ElGamal signature scheme. Signature creation speed is similar to RSA, but is 10 to 40 times slower for verification. |
| Rivest, Shamir, and Adleman encryption algorithms (RSA) | 512 to 2048 | RSA is for public-key cryptography that is based on the current difficulty of factoring very large numbers. It is the first algorithm known to be suitable for signing, as well as encryption. It is widely used in electronic commerce protocols and is believed to be secure given sufficiently long keys and the use of up-to-date implementations. |
| ElGamal | 512 – 1024 | An asymmetric key encryption algorithm for public-key cryptography which is based on the Diffie-Hellman key agreement. A disadvantage of the ElGamal system is that the encrypted message becomes very big, about twice the size of the original message, and for this reason it is only used for small messages such as secret keys. |
| Elliptic curve techniques | 224 or higher | Elliptic curve cryptography can be used to adapt many cryptographic algorithms, such as Diffie-Hellman or ElGamal. The main advantage of elliptic curve cryptography is that the keys can be much smaller. |
Asymmetric Encryption – Confidentiality
Asymmetric algorithms are used to provide confidentiality without pre-sharing a password. The confidentiality objective of asymmetric algorithms is initiated when the encryption process is started with the public key.
The process can be summarized using the formula:
Public Key (Encrypt) + Private Key (Decrypt) = Confidentiality
When the public key is used to encrypt the data, the private key must be used to decrypt the data. Only one host has the private key; therefore, confidentiality is achieved.
If the private key is compromised, another key pair must be generated to replace the compromised key.
Asymmetric Encryption – Authentication
The authentication objective of asymmetric algorithms is initiated when the encryption process is started with the private key.
The process can be summarized using the formula:
Private Key (Encrypt) + Public Key (Decrypt) = Authentication
When the private key is used to encrypt the data, the corresponding public key must be used to decrypt the data. Because only one host has the private key, only that host could have encrypted the message, providing authentication of the sender. Typically, no attempt is made to preserve the secrecy of the public key, so any number of hosts can decrypt the message. When a host successfully decrypts a message using a public key, it is trusted that the private key encrypted the message, which verifies who the sender is. This is a form of authentication.
Alice encrypts a message using her private key. Alice sends the encrypted message to Bob. Bob needs to authenticate that the message did indeed come from Alice.
Asymmetric Encryption – Integrity
Combining the two asymmetric encryption processes provides message confidentiality, authentication, and integrity.
The following example will be used to illustrate this process. In this example, a message will be ciphered using Bob’s public key and a ciphered hash will be encrypted using Alice’s private key to provide confidentiality, authenticity, and integrity.
Alice wants to send a message to Bob ensuring that only Bob can read the document. In other words, Alice wants to ensure message confidentiality. Alice uses the public key of Bob to cypher the message. Only Bob will be able to decipher it using his private key.
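The combined process described above, as an added example that is not part of the original article: Alice encrypts for Bob with his public key and signs the message hash with her private key, then Bob decrypts and verifies. It uses textbook RSA without padding and constructed toy keys built from small Mersenne primes, which is an illustration of the key roles only; the function names are assumptions made for this sketch.

```python
import hashlib

E = 65537  # public exponent shared by both toy key pairs


def rsa_keypair(p, q):
    """Build (public, private) textbook-RSA keys from two primes."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(E, -1, phi)              # private exponent: E*d = 1 (mod phi)
    return (n, E), (n, d)


# Constructed toy keys from known Mersenne primes; far too small for real use.
ALICE_PUB, ALICE_PRIV = rsa_keypair(2**61 - 1, 2**89 - 1)
BOB_PUB, BOB_PRIV = rsa_keypair(2**107 - 1, 2**127 - 1)


def apply_key(key, value):
    """The single RSA operation: value^exponent mod n."""
    n, exponent = key
    return pow(value, exponent, n)


def digest(message, n):
    """SHA-256 of the message, reduced to fit under the toy modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def alice_send(message):
    """Public key of Bob gives confidentiality; private key of Alice signs the hash."""
    m = int.from_bytes(message, "big")
    if m >= BOB_PUB[0]:
        raise ValueError("message too long for this toy modulus")
    ciphertext = apply_key(BOB_PUB, m)
    signature = apply_key(ALICE_PRIV, digest(message, ALICE_PUB[0]))
    return ciphertext, signature


def bob_receive(ciphertext, signature):
    """Decrypt with Bob's private key, then check the hash Alice signed."""
    m = apply_key(BOB_PRIV, ciphertext)
    message = m.to_bytes((m.bit_length() + 7) // 8, "big")
    # A match proves the sender held Alice's private key (authentication)
    # and that the message was not altered in transit (integrity).
    trusted = apply_key(ALICE_PUB, signature) == digest(message, ALICE_PUB[0])
    return message, trusted
```

Changing either the ciphertext or the signature in transit makes `bob_receive` return `trusted` as `False`.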
Diffie-Hellman (DH) is an asymmetric mathematical algorithm that allows two computers to generate an identical shared secret without having communicated before. The new shared key is never actually exchanged between the sender and receiver. However, because both parties know it, the key can be used by an encryption algorithm to encrypt traffic between the two systems.
Here are two examples of instances when DH is commonly used:
- Data is exchanged using an IPsec VPN
- SSH data is exchanged
To help illustrate how DH operates, refer to the figure.
The figure illustrates how the Diffie-Hellman algorithm works by using colours. Assume Alice and Bob have agreed to start with 50 millilitres (50 ml) of yellow paint. Alice adds 50 ml of red paint to the yellow paint to create 100 ml of orange paint. Bob mixes his 50 ml of yellow paint with 50 ml of blue paint to create 100 ml of green paint. Alice sends Bob her 100 ml of orange paint and Bob sends Alice his 100 ml of green paint. Alice then adds another 50 ml of her red paint to Bob's 100 ml of green paint to create 150 ml of brown paint. Bob mixes another 50 ml of blue paint into the 100 ml of Alice's orange paint to create 150 ml of exactly the same brown paint that Alice created.
The colours in the figure will be used instead of complex long numbers to simplify the DH key agreement process. The DH key exchange begins with Alice and Bob agreeing on an arbitrary common colour that does not need to be kept secret. The agreed-on colour in our example is yellow.
Next, Alice and Bob will each select a secret colour. Alice chose red while Bob chose blue. These secret colours will never be shared with anyone. The secret colour represents the chosen secret private key of each party.
Alice and Bob now mix the shared common colour (yellow) with their respective secret colour to produce a public colour. Therefore, Alice will mix the yellow with her red colour to produce a public colour of orange. Bob will mix the yellow and the blue to produce a public colour of green.
Alice sends her public colour (orange) to Bob and Bob sends his public colour (green) to Alice.
Alice and Bob each mix the colour they received with their own original secret colour (red for Alice and blue for Bob). The result is a final brown colour mixture that is identical to the partner's final colour mixture. The brown colour represents the resulting shared secret key between Bob and Alice.
The security of DH is based on the fact that it uses very large numbers in its calculations. For example, a DH 1024-bit number is roughly equal to a decimal number of 309 digits. Considering that a billion is 10 decimal digits (1,000,000,000), one can easily imagine the complexity of working with not one, but multiple 309-digit decimal numbers.
Diffie-Hellman uses different DH groups to determine the strength of the key that is used in the key agreement process. The higher group numbers are more secure, but require additional time to compute the key. The following identifies the DH groups supported by Cisco IOS Software and their associated prime number value:
- DH Group 1: 768 bits
- DH Group 2: 1024 bits
- DH Group 5: 1536 bits
- DH Group 14: 2048 bits
- DH Group 15: 3072 bits
- DH Group 16: 4096 bits
Note: A DH key agreement can also be based on elliptic curve cryptography. DH groups 19, 20, and 24, which are based on elliptic curve cryptography, are also supported by Cisco IOS Software.
Unfortunately, asymmetric key systems are extremely slow for any sort of bulk encryption. This is why it is common to encrypt the bulk of the traffic using a symmetric algorithm, such as 3DES or AES, and use the DH algorithm to create keys that will be used by the encryption algorithm.
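The paint-mixing exchange carried out with numbers, as an added example that is not part of the original article: both sides derive the same 128-bit symmetric key while only the public values cross the network. The modulus, generator and function names are constructed toy assumptions; real deployments use the 2048-bit and larger groups listed above.

```python
import hashlib
import secrets

# Toy public parameters (constructed): the agreed "yellow paint".
# 2**127 - 1 is a known Mersenne prime, far smaller than any real DH group.
P = 2**127 - 1
G = 3


def dh_keypair():
    """Pick a secret colour (private exponent) and mix the public colour."""
    private = secrets.randbelow(P - 3) + 2     # 2 <= private <= P - 2
    public = pow(G, private, P)                # G^private mod P
    return private, public


def shared_secret(own_private, peer_public):
    """Mix the received public colour with our own secret colour."""
    # Reject degenerate values (0, 1, P-1) that would force a predictable
    # shared secret regardless of our private exponent.
    if not 2 <= peer_public <= P - 2:
        raise ValueError("peer public value out of range")
    return pow(peer_public, own_private, P)


def derive_key(secret, length=16):
    """Hash the shared secret down to a symmetric key (16 bytes = 128 bits)."""
    raw = secret.to_bytes((P.bit_length() + 7) // 8, "big")
    return hashlib.sha256(raw).digest()[:length]


def demo():
    """Run one exchange and return the key each side ends up with."""
    alice_priv, alice_pub = dh_keypair()       # red mixed into orange
    bob_priv, bob_pub = dh_keypair()           # blue mixed into green
    # Only alice_pub and bob_pub are sent; the private values never leave.
    alice_key = derive_key(shared_secret(alice_priv, bob_pub))
    bob_key = derive_key(shared_secret(bob_priv, alice_pub))
    return alice_key, bob_key


def decimal_digits(bits):
    """Decimal digits in the largest number of the given bit length."""
    return len(str(2**bits - 1))
```

`decimal_digits(1024)` reproduces the 309-digit figure quoted above, and the key returned by `demo()` is what a symmetric algorithm such as AES would then use for the bulk traffic.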
I know you might agree with some of the points that I have raised in this article. You might not agree with some of the issues raised. Let me know your views about the topic discussed. We will appreciate it if you can drop your comment. Thanks in anticipation.