
Modern Cryptography Concepts: Analysing Cryptography

Modern Cryptography

Here we are going to discuss modern cryptography concepts. Let’s see them one by one.

Symmetric Key Cryptography

One of the most commonly used cryptographic techniques nowadays is symmetric-key cryptography. In this method, the keys used for encryption and for decryption of the text are either the same or so closely related that one can be derived from the other through a preset computation or algorithm. These keys are a modern counterpart of the early Greek scytale: both the sender and the receiver of the message must possess them in order for the communication to succeed.

Nowadays, symmetric ciphers are widely used primarily because they make it simple to build cryptographic primitives – the stable, low-level algorithms that serve as foundations for computer security systems. Until June 1976, this was the only type of encryption available to the public.

Symmetric ciphers are used either as stream ciphers or as block ciphers. The former encrypts each individual character of the text, whereas the block method takes an entire block of plaintext and transforms it into an equivalent block of ciphertext.

The US government has approved two block cipher designs as cryptography standards over time – the Data Encryption System (surviving now in its more modern form, triple-DES) and the Advanced Encryption System, which was adopted as a replacement for the former. Triple-DES is still used in such everyday applications as ATM encryption, secure remote access, and email privacy.

Many other block ciphers have been created over time – some withstood the dogged tests of cryptanalysts, while others, such as FEAL (the Fast Data Encipherment Algorithm), which was designed to replace DES, were thoroughly broken. In fact, FEAL was instrumental in the development of linear and differential cryptanalysis – more advanced techniques used by adversaries to break different types of cipher.

Stream ciphers have also been standardized, such as RC4, which has been used to protect various systems such as Internet traffic (in TLS, Transport Layer Security) and wireless networks (in WEP, Wired Equivalent Privacy). In 2013, controversy arose over claims that some government agencies are able to break the RC4 used in Internet traffic, prompting Microsoft to warn that RC4 should be disabled wherever possible.

Cryptographic Hash Functions

Another type of symmetric-key cryptography comes in the form of hash functions. We have put it under a separate section, as it contains some interesting details. A cryptographic hash function takes a block of data and converts it into a string of characters of fixed length. One interesting characteristic of a hash is the so-called “avalanche effect”: a small change (even a single letter) in the original input drastically changes the output. In hash terminology, the data to be encoded is called the “message” and the output is called the “message digest” or simply “digest”.

A ‘good’ cryptographic hash function (also called a “digital fingerprint” or “checksum”) is generally considered to have four major properties. First, it should be easy to compute the hash value for any given message. Second, it should be infeasible (in the computational sense) to generate a message that produces a given hash. Third, it should be infeasible to change a given message without changing its hash. Lastly, it should be infeasible to find two different messages with the same hash.
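To make the avalanche effect and the fixed-length property concrete, here is a small added example (not code from the original article) that uses Python's standard hashlib with SHA-256. It flips every bit of a constructed message one at a time and counts how many of the 256 digest bits change each time; for a well-designed hash the count clusters around half of the output.

```python
import hashlib


def sha256_hex(data: bytes) -> str:
    """Fixed-length output: 64 hex characters (256 bits) for any input size."""
    return hashlib.sha256(data).hexdigest()


def bit_difference(m1: bytes, m2: bytes) -> int:
    """Count the output bits that differ between SHA-256(m1) and SHA-256(m2)."""
    a = int.from_bytes(hashlib.sha256(m1).digest(), "big")
    b = int.from_bytes(hashlib.sha256(m2).digest(), "big")
    return bin(a ^ b).count("1")


def flip_bit(data: bytes, byte_index: int, bit: int) -> bytes:
    """Return a copy of data with exactly one bit toggled."""
    out = bytearray(data)
    out[byte_index] ^= 1 << bit
    return bytes(out)


def avalanche_samples(message: bytes) -> list:
    """Flip each input bit in turn and record how many digest bits change.

    For an ideal hash each sample is a draw from Binomial(256, 1/2), so the
    values sit near 128 and nowhere near the 1 bit that was actually changed.
    """
    return [
        bit_difference(message, flip_bit(message, i, b))
        for i in range(len(message))
        for b in range(8)
    ]


if __name__ == "__main__":
    # Constructed sample message for the demonstration.
    msg = b"attack at dawn"
    samples = avalanche_samples(msg)
    print("digest:", sha256_hex(msg))
    print("bits changed per single-bit flip: min=%d mean=%.1f max=%d"
          % (min(samples), sum(samples) / len(samples), max(samples)))
```

Running it shows that a one-bit change in the message alters roughly half of the output bits every time, which is exactly why a digest works as a fingerprint: there is no way to tell from two digests whether their messages were similar.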

Hashing enjoys a multitude of applications in modern times, such as Message Authentication Codes (MACs) and digital signatures, among other forms of authentication (MACs, unlike regular hash functions, are verified using a secret key). Hashes can also be used in fingerprinting procedures, in detecting duplicate data, and in uniquely identifying files (such as web pages – a mile-long web address may indicate a hash function at work). Accidental data corruption can also be detected using hash functions.

Another everyday system that uses hash functions is password verification. A system that stores all of its users’ passwords in plaintext suffers a massive breach of security if the database is compromised. So that passwords can be easily verified and at the same time kept secure, they are stored in the database as their digests.

When a user enters a password, it is likewise hashed and compared to the stored digest. This type of password verification makes it impossible (computationally infeasible, as described earlier) to retrieve lost or forgotten passwords – in such cases, the password has to be replaced. Note that this is the standard for the large majority of online services. As added protection against brute-force attackers who obtain hashed password data, key stretching techniques (which provide a stronger “enhanced key” for easily cracked passwords) are employed.
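The following added example (written for this page, not taken from the article) shows the store-and-compare flow described above. It contrasts a naive unsalted digest, where every user with the same password gets the same stored value, with a salted, key-stretched record built from PBKDF2-HMAC-SHA256 (one standard key stretching technique; the article itself names no specific algorithm). The iteration count and the record format `pbkdf2_sha256$iterations$salt$digest` are choices made for the example.

```python
import base64
import hashlib
import hmac
import os

# Work factor for key stretching. Chosen for the example; production systems
# tune this much higher and raise it over time as hardware gets faster.
ITERATIONS = 100_000


def naive_hash(password: str) -> str:
    """Unsalted digest: identical passwords produce identical records, so one
    cracked entry (or one precomputed table) exposes every user who shares it."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: bytes = None, iterations: int = ITERATIONS) -> str:
    """Create the record that is stored instead of the plaintext password.

    A fresh random salt makes equal passwords produce different records, and
    the iteration count slows each guess an attacker can make against a stolen
    database.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the digest from the entered password and the stored salt, then
    compare in constant time. The plaintext is never recoverable from `stored`."""
    scheme, iterations, salt_b64, digest_b64 = stored.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError("unsupported password record scheme: %s" % scheme)
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Constructed sample: two users who happen to pick the same password.
    record_alice = hash_password("correct horse battery staple")
    record_bob = hash_password("correct horse battery staple")
    print("naive digests equal:", naive_hash("correct horse battery staple") == naive_hash("correct horse battery staple"))
    print("salted records equal:", record_alice == record_bob)
    print("login ok:", verify_password("correct horse battery staple", record_alice))
    print("wrong password ok:", verify_password("Correct horse battery staple", record_alice))
```

The constant-time comparison matters because a byte-by-byte early-exit comparison leaks, through timing, how many leading bytes of a guess were right.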

The use of hash functions for password security is so fundamental that in 2013 a Password Hashing Competition was announced. Allegations had previously been made that the National Security Agency forced the National Institute of Standards and Technology to adopt a backdoored hash algorithm (the “Dual Elliptic Curve Deterministic Random Bit Generator”, or “Dual_EC_DRBG”, which is described as a cryptographically secure pseudo-random number generator). This is why the competition is presided over by an independent team of cryptographers and security practitioners.

Examples of hash functions include MD4 (Message-Digest Algorithm), first used in 1990. It has a message digest length of 128 bits and was influential in the development of later designs.

However, its security has since been compromised – a collision attack (a type of hash attack that finds two different messages with the same hash) was shown to be possible as early as 1991, and a full attack was published in 1995. In fact, generating an MD4 collision is now as efficient as computing the hash itself. A theoretical preimage attack (in which an adversary finds a message with a given hash value) was also found in 2008. A notable application of MD4 is in the computation of NT LAN Manager hashes on Microsoft operating systems (Windows NT, XP, Vista, and 7). In 2011, MD4 was declared “historic” or “obsolete”.

Ronald Rivest enhanced his own creation in 1991, producing its successor, MD5. In 1996, a weakness was likewise demonstrated in the algorithm. It was not recognized as fatal at the time, but newer and more secure algorithms were already being recommended by experts as early as then.

In 2004, MD5, much like its predecessor, was shown not to be collision resistant. In the same year, researchers showed that two different files with the same checksum can be created. The technique was refined by cryptanalysts in the succeeding years until, in 2008, it was used to fake the validity of SSL certificates.

In 2012, malware used the weaknesses discovered in MD5 to fake a Microsoft digital signature. Furthermore, a 2013 attack broke the algorithm in less than a second on a regular computer. Thus, the algorithm is considered cryptographically broken, and its previously widespread use to verify data integrity has been officially discontinued.

The United States National Security Agency developed a series of algorithms drawing from MD5. The first Secure Hash Algorithm (SHA-0, made in 1993) was found to be flawed and was withdrawn, to be replaced in 1995 by its successor, SHA-1. Of the existing SHA functions, SHA-1 enjoys the most widespread use across many different applications and protocols.

However, in 2005, cryptanalysts found attacks that pointed to vulnerabilities in the algorithm, prompting Microsoft to announce that by 2017 its systems would no longer accept the hash. Because of this, the algorithm was superseded in 2010 by SHA-2, which is algorithmically similar to its predecessor (thus raising a question about its overall integrity). SHA-2 consists of a set of 6 different hash functions, with digests of 224, 256, 384 or 512 bits. As with SHA-1, a mathematical weakness was pointed out in 2005, indicating the need for an even stronger algorithm.

A hash function competition was held in 2012 to answer the call. On the 2nd of October of the same year, the hash algorithm “Keccak” was selected as the winner and officially proclaimed SHA-3. It was not meant to replace SHA-2 (as the latter had not yet been cryptographically broken), but rather to provide a dissimilar alternative hash. The proclamation of Keccak as SHA-3 sparked some controversy in the cryptography community, as NIST published a hash with a different security level than what it had originally demanded. This prompted an independent panel to reopen the competition in 2013, as described earlier.

One other particularly controversial application of hashing is in the design of Bitcoin, a cryptocurrency that uses hash functions as a verification method and as a means of “minting” new coins. Here, the irreversibility of the hash function has proven especially useful in preventing transactions from being reversed, eliminating the threat of corruption of the Bitcoin network.

Public-Key Cryptography

This method is also known as “asymmetric cryptography”, and is the name for a system that requires two different keys, one which is made public and another which is kept secret (private). This type of algorithm has been used extensively to underpin Internet standards such as TLS and other online cryptographic software.

The two keys used in this method are always mathematically related to each other, in contrast to the previously discussed symmetric cryptography, which uses identical (or equivalent) keys. The “public” key is mostly used to encrypt the plaintext, as well as to verify a digital signature that came from another party. The “private” key, on the other hand, is used to decrypt the message and to create the digital signature to be sent. Each key is technically the inverse of the other, which is what lets them perform these contrasting yet paired functions.

Public-key algorithms, like the vast majority of modern encryption algorithms, depend on mathematical problems that are infeasible to solve because no efficient solution is known. Computationally, it is easy for anyone to create a private-public key pair and use it to encrypt and decrypt messages. However, a properly generated private key must not be derivable from the corresponding public key.

Thus, the public half of the pair may be published for all to see without compromising security, while the private half must be kept secret, known only to those who are authorized to read messages and create digital signatures. Unlike symmetric keys (whose acquisition by anyone other than the authorized parties renders the whole system useless), public-key algorithms do not require a secure initial exchange of secret keys.

Since encryption is performed with the public key, which can be made available to anyone, any person who obtains it can create a ciphertext for the recipient who owns the private key. As the decryption key is private, only its owner is able to decode the message’s contents. However, the sender also owns a private key, which as mentioned can be used to digitally sign the message, and that signature can be read by the receiver’s own public key.

Thus, any onlooker can send a message, but it will carry no valid digital signature and will therefore show as unauthorized. Also, any onlooker can tell that a certain encrypted message they happen to intercept was sent by a particular sender, but since they only hold the public key, they cannot read its contents.

One central issue with public-key cryptography is the burden of proving that a given public key has not been tampered with by adversaries. To address this, a “Public Key Infrastructure” (PKI) is employed. This is a whole suite of hardware, software, procedures, policies, and people needed for the creation, management, storage, use, distribution, and revocation of digital certificates. A “certificate authority” is an entity that binds public keys to user identities.

A decentralized alternative model is also in use, called the “web of trust”. Any user, through their identity certificates, can be part of this web. An example is the Bitcoin cryptocurrency described earlier, whose “blockchain” is used to store and validate ownership of public keys without any central authority.

The very first publicly known example of a public-key cryptosystem is the RSA algorithm that we discussed earlier. Another example is the Cramer-Shoup system, the first efficient scheme proven secure against the “Adaptive Chosen Ciphertext Attack” (CCA2), a technique in which an adversary submits different ciphertexts for decryption and then uses the results to select subsequent ciphertexts. It was created by Ronald Cramer and Victor Shoup in 1998.

The Cramer-Shoup system is itself an extension of the Elgamal cryptosystem, which is based on the Diffie-Hellman key exchange and was devised in 1985 by Taher Elgamal. The security of the system depends on the underlying parameters, and modifications have been made to better defend it against different types of threats.

Different types of elliptic curve cryptography also exist. These rely on the mathematics of elliptic curves over finite fields. Algorithms utilizing this have been in use since 2004, with alternative representations presented using different types of curves. This type of scheme has been found to be susceptible to side-channel attacks (adversarial techniques based on the physical state of the infrastructure in which the cryptosystem runs), particularly differential fault analysis, the act of inducing abnormal conditions to learn about a system’s physical state. It is also vulnerable to quantum cryptanalysis, such as Shor’s algorithm, which finds all the prime factors of a given integer.

Hybrid Cryptosystems

In the world of cryptography, both symmetric and asymmetric encryption techniques have their strengths. For example, asymmetric-key systems are known for their convenience in that they do not require the sender and the receiver to share a preset secret in order to operate. However, they can be prohibitive in that they require very heavy (to say the least) mathematical computation in comparison to equivalent symmetric-key systems. Thus, hybrid cryptosystems were born, combining the efficiency of symmetric systems with the convenience of asymmetric techniques.

A hybrid system is built from two separate cryptographic components. One is the “Data Encapsulation System”, in which a symmetric-key technique is employed, and the other is the “Key Encapsulation System”, in which a public-key system is used.

Hybrid systems work by encrypting long messages with the more efficient symmetric-key scheme and then encrypting the short key used to decrypt them with the asymmetric counterpart. This creates an encryption mechanism whose security derives from the security level of its components. However, even if the key encapsulation has a weaker security definition than the counterpart that protects the data, the system may still remain secure against different types of adaptive chosen ciphertext attacks.
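The key-encapsulation / data-encapsulation split described above, as an added example that is not part of the original article. The public-key half is a Diffie-Hellman exchange (the primitive the article mentions as the basis of Elgamal): the sender generates an ephemeral key pair, combines it with the recipient's public value, and derives the symmetric keys from the shared secret. The symmetric half is a stream cipher built from SHA-256 in counter mode, with an HMAC tag so that any alteration of the ciphertext is detected before decryption. The group (p = 2^127 - 1, generator 3), nonce size and key-derivation labels are all choices made for this example; the group is far too small for real use and stands in for a standardized 2048-bit or larger one.

```python
import hashlib
import hmac
import os

# Toy Diffie-Hellman group constructed for the example: p = 2**127 - 1 is a
# Mersenne prime. Real systems use standardized groups of 2048 bits or more.
P = (1 << 127) - 1
G = 3


def dh_keygen() -> tuple:
    """Recipient's long-term key pair: private exponent x and public value g^x mod p."""
    priv = int.from_bytes(os.urandom(16), "big") % (P - 2) + 2
    return priv, pow(G, priv, P)


def derive_keys(shared: int) -> tuple:
    """Split the DH shared secret into separate encryption and MAC keys."""
    raw = shared.to_bytes(16, "big")
    return (hashlib.sha256(b"enc" + raw).digest(),
            hashlib.sha256(b"mac" + raw).digest())


def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Data encapsulation: SHA-256 in counter mode as a keystream XORed onto the
    data. The same call both encrypts and decrypts."""
    out = bytearray()
    for counter in range((len(data) + 31) // 32):
        block = hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        chunk = data[counter * 32:(counter + 1) * 32]
        out.extend(x ^ k for x, k in zip(chunk, block))
    return bytes(out)


def hybrid_encrypt(recipient_pub: int, plaintext: bytes) -> dict:
    """Key encapsulation: an ephemeral DH exchange wraps a fresh session key under
    the recipient's public value. Data encapsulation: that key encrypts the bulk
    message and an HMAC authenticates nonce and ciphertext."""
    eph_priv, eph_pub = dh_keygen()
    enc_key, mac_key = derive_keys(pow(recipient_pub, eph_priv, P))
    nonce = os.urandom(12)
    ciphertext = stream_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return {"eph_pub": eph_pub, "nonce": nonce, "ciphertext": ciphertext, "tag": tag}


def hybrid_decrypt(recipient_priv: int, msg: dict) -> bytes:
    """Recover the session key from the ephemeral public value, check the tag
    first, and only then decrypt."""
    enc_key, mac_key = derive_keys(pow(msg["eph_pub"], recipient_priv, P))
    expected = hmac.new(mac_key, msg["nonce"] + msg["ciphertext"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, msg["tag"]):
        raise ValueError("authentication failed: message altered or wrong key")
    return stream_xor(enc_key, msg["nonce"], msg["ciphertext"])


def tamper_detected(recipient_priv: int, msg: dict) -> bool:
    """Flip one ciphertext byte and report whether decryption rejects the message."""
    altered = dict(msg)
    body = bytearray(msg["ciphertext"])
    body[0] ^= 0x01
    altered["ciphertext"] = bytes(body)
    try:
        hybrid_decrypt(recipient_priv, altered)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    # Constructed sample message.
    recipient_priv, recipient_pub = dh_keygen()
    sealed = hybrid_encrypt(recipient_pub, b"quarterly figures attached " * 20)
    print("ciphertext bytes:", len(sealed["ciphertext"]))
    print("decrypts to original:", hybrid_decrypt(recipient_priv, sealed)[:27])
    print("tampering detected:", tamper_detected(recipient_priv, sealed))
```

Only the short ephemeral public value travels under the public-key scheme; the bulk of the message is processed by the cheap symmetric keystream, which is the efficiency argument the paragraph makes.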

Different types of hybrid signature schemes are also in use. In these cases, a hash function (symmetric-key) is computed over the message, and only that hash is digitally signed (public-key).


Era Innovator

Era Innovator is a growing Technical Information Provider and a Web and App development company in India that offers clients ceaseless experience. Here you can find all the latest Tech related content which will help you in your daily needs.
