Current Encryption Methods in Distributed Systems
Meg Lindsay
What is Encryption?
The process of converting information or data into a code, especially to prevent unauthorized access
Plaintext is converted into ciphertext using an encryption algorithm and encryption key
Most important automated tool for network security
Primary purpose is to protect the confidentiality of digital data stored on computer systems or transmitted via the internet or any other computer network
Why is it important?
1. Internet privacy concerns are real
2. Hacking is big business
3. Regulations demand it

Internet privacy has become a very real concern. Encryption helps protect privacy by turning personal information into unreadable messages intended only for the parties that need them.

Hacking is big business. Hacking has extended beyond the kid-in-the-basement scenario and become a huge business. In some cases, they're multinational outfits. Security breaches are costing companies millions every year, so they need credible security to prevent them from happening.

Regulations demand it. Healthcare providers are required by the Health Insurance Portability and Accountability Act (HIPAA) to implement security features that protect patients' sensitive health information. Institutions of higher learning must take similar steps under the Family Education Rights and Privacy Act (FERPA), while retailers must contend with the Fair Credit Practices Act (FCPA) and similar laws.
The Two Methods of Encryption
Symmetric method, also known as private key cryptography
Asymmetric method, also known as public key cryptography
Symmetric Method
Sender encrypts the data with one key, sends the data (the ciphertext) and then the receiver uses the key to decrypt the data

Using the symmetric method, a sender encrypts the data with one key, sends the encrypted data (known as the ciphertext) and then the receiver uses the key to decrypt the data. The key used to encrypt and decrypt the message must remain secure because anyone with access to that key can decrypt the data, so if it ends up in the wrong hands it can be very dangerous. This method can either use stream ciphers, which encrypt the bits one at a time, or block ciphers, which take a number of bits and encrypt them as a single unit, padding the plaintext so that it is a multiple of the block size.
Asymmetric Method
A public key is freely available to everyone and is used to encrypt messages, and a different, private key is used by the recipient to decrypt messages

With asymmetric methods, a public key is freely available to everyone and is used to encrypt messages, and a different, private key is used by the recipient to decrypt messages, and digital signatures are used to authenticate the sender. The two keys provide the potential to be more secure than symmetric cryptography. Because of the computational complexity of asymmetric encryption, it is usually used only for small blocks of data.
Encryption Location The location of encryption devices also needs to be considered - what to encrypt and where the encryption gear should be located. We have 2 alternatives for this:
Link-level Security
Each link is equipped on both ends with an encryption device
Provides high level of security, as all traffic over all communications links is secured
Requires large number of encryption devices in a large network
Message must be decrypted each time it enters a PSN/router because the node must read the VC number in the packet header to route the packet
End-to-end Encryption
Encryption process is carried out at two end systems
Source host encrypts data, data is transmitted in encrypted form
Destination shares a key with the source and so is able to decrypt the data
More secure against attacks on links and switches
Source cannot encrypt entire packet because the packet-switching node wouldn't be able to read the header → can only encrypt actual data

Last point: So the host can only encrypt the data and leave the header in the clear. So user data is secure, but the traffic pattern is not because packet headers are transmitted in the clear. The best solution is to use both techniques. The host encrypts the user data of a packet using an end-to-end encryption key. The entire packet is then encrypted using a link encryption key. As the packet traverses the network, each switch decrypts the packet using a link encryption key to read the header and then encrypts the entire packet again for sending it out on the next link.
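
The combined scheme described above, as an added Python example that is not part of the original slides: the host encrypts only the user data, each link encrypts the whole packet, and the switch can read the header but sees only ciphertext for the payload. The 4-byte header layout, the key values and the SHA-256 keystream cipher are assumptions standing in for real packet formats and ciphers.

```python
import hashlib

HEADER_LEN = 4  # constructed packet format: 4-byte VC number, then user data

def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy cipher (SHA-256 keystream, no nonce); a stand-in for a real cipher."""
    blocks = range(len(data) // 32 + 1)
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in blocks)
    return bytes(a ^ b for a, b in zip(data, stream))

def host_send(vc: int, payload: bytes, e2e_key: bytes) -> bytes:
    # End-to-end layer: only the user data is encrypted, the header stays readable.
    return vc.to_bytes(HEADER_LEN, "big") + xor_stream(e2e_key, payload)

def link_protect(packet: bytes, link_key: bytes) -> bytes:
    # Link layer: the whole packet, header included, is encrypted on the wire.
    return xor_stream(link_key, packet)

def switch_forward(wire: bytes, in_key: bytes, out_key: bytes):
    """Decrypt with the inbound link key, read the header, re-encrypt for the next link."""
    packet = xor_stream(in_key, wire)
    vc = int.from_bytes(packet[:HEADER_LEN], "big")
    visible_payload = packet[HEADER_LEN:]   # still end-to-end ciphertext at the switch
    return vc, visible_payload, xor_stream(out_key, packet)

def host_receive(wire: bytes, link_key: bytes, e2e_key: bytes):
    packet = xor_stream(link_key, wire)
    vc = int.from_bytes(packet[:HEADER_LEN], "big")
    return vc, xor_stream(e2e_key, packet[HEADER_LEN:])

def demo():
    # Constructed keys and message for the path host A -> switch -> host B.
    e2e, link_a, link_b = b"e2e-key", b"link-A-to-switch", b"link-switch-to-B"
    message = b"patient record 42"
    wire1 = link_protect(host_send(7, message, e2e), link_a)
    vc, visible_payload, wire2 = switch_forward(wire1, link_a, link_b)
    return wire1, vc, visible_payload, host_receive(wire2, link_b, e2e)

if __name__ == "__main__":
    wire1, vc, visible_payload, received = demo()
    print("on the wire:", wire1.hex())
    print("switch reads VC", vc, "and payload", visible_payload.hex())
    print("destination recovers", received)
```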
5 Common Encryption Algorithms
Triple DES
ciphertext = E_K3(D_K2(E_K1(plaintext)))
Symmetric algorithm
Developed to replace DES (Data Encryption Standard)
Effective key length of 112 bits
Slowly being phased out

Triple DES is a symmetric-key block cipher operating on 64-bit blocks, which applies the DES algorithm three times to each block of plaintext, using three keys. It was developed to replace DES (Data Encryption Standard). The original DES cipher's key size of 56 bits was generally sufficient when that algorithm was designed, but the availability of increasing computational power made brute-force attacks feasible. Triple DES provides a relatively simple method of increasing the key size of DES to protect against such attacks, without the need to design a completely new block cipher algorithm.

To encrypt, the plaintext is fed through the algorithm three times. It is first encrypted with key 1, then decrypted with key 2, and encrypted again with key 3. You can see this process written in the equation on the screen. To decrypt, the opposite process is carried out. The encrypted text is first decrypted with key 3, encrypted with key 2, and decrypted with key 1 to obtain the original plaintext.

There are 3 possible keying options for this algorithm. In the first option, all three keys are different from each other, which is the strongest approach and results in an effective key length of 112 bits. In the second, key 1 and key 3 are equal, which requires fewer keys but reduces the strength of the algorithm. In the third, all three keys are the same, which is equally as insecure as the DES algorithm.
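
The encrypt-decrypt-encrypt composition and its keying options, as an added Python example that is not from the original slides. A small 4-round Feistel cipher built on SHA-256 stands in for DES (an assumption, so only the composition is faithful), and the check goes one step beyond the three options listed by also catching two equal adjacent keys.

```python
import hashlib

MASK32 = 0xFFFFFFFF

def round_fn(key: bytes, i: int, half: int) -> int:
    # Round function of the stand-in cipher (NOT DES): 32 bits of SHA-256 output.
    digest = hashlib.sha256(key + bytes([i]) + half.to_bytes(4, "big")).digest()
    return int.from_bytes(digest[:4], "big")

def E(key: bytes, block: int) -> int:
    """Encrypt one 64-bit block with the 4-round stand-in Feistel cipher."""
    left, right = block >> 32, block & MASK32
    for i in range(4):
        left, right = right, left ^ round_fn(key, i, right)
    return (left << 32) | right

def D(key: bytes, block: int) -> int:
    """Inverse of E: undo the rounds in reverse order."""
    left, right = block >> 32, block & MASK32
    for i in reversed(range(4)):
        left, right = right ^ round_fn(key, i, left), left
    return (left << 32) | right

def ede_encrypt(k1: bytes, k2: bytes, k3: bytes, block: int) -> int:
    # ciphertext = E_K3(D_K2(E_K1(plaintext)))
    return E(k3, D(k2, E(k1, block)))

def ede_decrypt(k1: bytes, k2: bytes, k3: bytes, block: int) -> int:
    # Decrypt with key 3, encrypt with key 2, decrypt with key 1.
    return D(k1, E(k2, D(k3, block)))

def collapses_to_single(k1: bytes, k2: bytes, k3: bytes) -> bool:
    """True when D undoes an adjacent E under the same key, leaving one encryption."""
    return k1 == k2 or k2 == k3

if __name__ == "__main__":
    ka, kb, kc = b"key-A", b"key-B", b"key-C"   # constructed keys
    block = 0x0123456789ABCDEF
    print("option 1 round trip:", ede_decrypt(ka, kb, kc, ede_encrypt(ka, kb, kc, block)) == block)
    print("option 3 equals single E:", ede_encrypt(ka, ka, ka, block) == E(ka, block))
    print("reject bundle (A, A, C):", collapses_to_single(ka, ka, kc))
```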
Blowfish
Symmetric algorithm
Also designed to replace DES
Messages split into blocks of 64 bits and encrypted individually
Known for speed and overall effectiveness
One of the more flexible encryption methods available

Blowfish has a 64-bit block size and a key length of anywhere from 32 bits to 448 bits. It is a Feistel network, which means that in each round, half of the text block is sent through an F function, and then XORed with the other half of the text block.

The way the algorithm works is, each line represents 32 bits. The algorithm keeps two subkey arrays: the 18-entry P-array and four 256-entry S-boxes. The S-boxes accept 8-bit input and produce 32-bit output. One entry of the P-array is used every round, and after the final round, each half of the data block is XORed with one of the two remaining unused P-entries.

On the diagram on the screen you can see Blowfish's F-function. The function splits the 32-bit input into four eight-bit quarters, and uses the quarters as input to the S-boxes. The outputs are added modulo 2^32 and XORed to produce the final 32-bit output.

Blowfish is still used, but no longer considered secure because there are known attacks against some weak encryption keys when used with Blowfish. The creator advises against using Blowfish and recommends Twofish instead, which is the next algorithm on my list.
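
The F-function and the use of the P-array described above, as an added Python example that is not from the original slides. The P-array and S-box contents are constructed from a seeded random generator (an assumption: real Blowfish derives them from the key through its key schedule), so this shows the structure only and is not interoperable with Blowfish.

```python
import random

MASK32 = 0xFFFFFFFF

# Constructed subkeys: 18-entry P-array and four 256-entry S-boxes of 32-bit words.
rng = random.Random(2024)
P = [rng.getrandbits(32) for _ in range(18)]
S = [[rng.getrandbits(32) for _ in range(256)] for _ in range(4)]

def F(x: int) -> int:
    """Split 32 bits into four bytes, look each up in its S-box, then add/XOR/add."""
    a, b, c, d = (x >> 24) & 0xFF, (x >> 16) & 0xFF, (x >> 8) & 0xFF, x & 0xFF
    total = (S[0][a] + S[1][b]) & MASK32       # addition modulo 2^32
    total ^= S[2][c]
    return (total + S[3][d]) & MASK32

def crypt_block(block: int, p) -> int:
    """Run the 16-round Feistel network over one 64-bit block with P-array p."""
    left, right = block >> 32, block & MASK32
    for i in range(16):
        left ^= p[i]                 # one P-entry per round
        right ^= F(left)             # half the block through F, XORed into the other half
        left, right = right, left
    left, right = right, left        # undo the swap made by the last round
    right ^= p[16]                   # the two remaining P-entries, one per half
    left ^= p[17]
    return (left << 32) | right

def encrypt_block(block: int) -> int:
    return crypt_block(block, P)

def decrypt_block(block: int) -> int:
    # Same network with the P-array applied in reverse order.
    return crypt_block(block, P[::-1])

if __name__ == "__main__":
    plain = 0x0011223344556677
    cipher = encrypt_block(plain)
    print(f"{plain:016x} -> {cipher:016x} -> {decrypt_block(cipher):016x}")
```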
Twofish
Symmetric algorithm
Blowfish's successor
Block size of 128 bits, and keys may be up to 256 bits in length
Regarded as one of the fastest of its kind
Ideal for use in both hardware and software environments

Twofish is also a symmetric algorithm, and Blowfish's successor. It was another contender in the competition for the Advanced Encryption Standard, but lost to Rijndael. It relies on a Feistel network for secrecy, similarly to Blowfish, AES, and DES. It is a block cipher that operates on 128-bit blocks, using key lengths of 128, 192 or 256 bits. It is still considered secure for use today.

Main differences between Twofish and Blowfish: a block size of 128 bits, and the S-boxes are not selected randomly in Twofish like they are in Blowfish. Instead, S-box construction rules were carefully designed and tested with all possible 128-bit keys (and a subset of possible longer keys) to make sure that all the S-boxes were strong.
Advanced Encryption Standard (AES)
Symmetric algorithm
Extremely efficient in 128-bit form, but also uses keys of 192 and 256 bits for heavy-duty encryption purposes
Trusted as the standard by the US government and numerous organizations
Considered “impervious” to all attacks except brute force, which attempts to decipher messages using all possible combinations in the 128, 192 or 256 bit cipher

The Advanced Encryption Standard came as the result of a competition, whose purpose was to replace the old DES with a more secure alternative. The winner was an algorithm called Rijndael (rine-dal). AES uses a combination of substitution and transposition functions. It is a symmetric block cipher that operates on 128-bit blocks, and allows key lengths of 128, 192 or 256 bits. All three options are considered secure today. It is trusted as the standard by the US government and numerous organizations, and is considered impervious to all attacks except for brute force, which attempts to decipher messages using all possible combinations in the 128, 192 or 256 bit cipher. As mentioned before, it also relies on a Feistel network for security.
RSA
Asymmetric algorithm
Standard for encrypting data sent over the internet
The result of RSA encryption takes attackers quite a bit of time and processing power to break
Encryption: C = m^e (mod n)
Decryption: C^d = (m^e)^d = m (mod n)

RSA is an asymmetric algorithm, the only one on this list, and the standard for encrypting data sent over the internet. The result of RSA encryption takes attackers quite a bit of time and processing power to break. The algorithm involves four steps: key generation, key distribution, encryption and decryption, and uses modular exponentiation for encryption and decryption. Users create key pairs using two large prime numbers.

After B obtains A's public key, B can send a message to A. To do it, B first turns the message into an integer m, such that m is greater than 0 and less than n, by using an agreed-upon reversible protocol known as a padding scheme. He then computes the ciphertext c, using Alice's public key e, corresponding to
Encryption: C = m^e (mod n)
Alice can recover m from c by using her private key exponent d by computing
Decryption: C^d = (m^e)^d = m (mod n)

RSA is a relatively slow algorithm, and because of this, it is less commonly used to directly encrypt user data. More often, RSA passes encrypted shared keys for symmetric key cryptography.
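
The key generation, encryption and decryption steps above, followed by RSA carrying a shared symmetric key, as an added Python example that is not from the original slides. The primes are small constructed values and no padding scheme is applied, so the function names and parameters here are illustrative assumptions; without padding the same m always produces the same c.

```python
import math

def make_keypair(p: int, q: int, e: int = 65537):
    """Key generation from two primes; returns (public, private) as (n, exponent)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)                  # private exponent: e*d = 1 (mod phi)
    return (n, e), (n, d)

def encrypt(public, m: int) -> int:
    n, e = public
    if not 0 < m < n:                    # the range the message integer must fall in
        raise ValueError("message integer must satisfy 0 < m < n")
    return pow(m, e, n)                  # C = m^e (mod n)

def decrypt(private, c: int) -> int:
    n, d = private
    return pow(c, d, n)                  # C^d = (m^e)^d = m (mod n)

def wrap_key(public, key: bytes) -> int:
    """Send a symmetric key under RSA (unpadded here, for illustration only)."""
    return encrypt(public, int.from_bytes(key, "big"))

def unwrap_key(private, c: int, length: int) -> bytes:
    return decrypt(private, c).to_bytes(length, "big")

if __name__ == "__main__":
    # Constructed toy primes; real keys use primes of 1024 bits or more.
    public, private = make_keypair(61, 53, e=17)
    c = encrypt(public, 65)
    print("n, e, d:", public[0], public[1], private[1])
    print("65 ->", c, "->", decrypt(private, c))

    # Two Mersenne primes give a modulus wide enough for a 16-byte session key.
    public, private = make_keypair(2**61 - 1, 2**89 - 1)
    session_key = bytes(range(1, 17))    # constructed 128-bit key
    wrapped = wrap_key(public, session_key)
    print("session key recovered:", unwrap_key(private, wrapped, 16) == session_key)
```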
...Questions?