Chapter 2 Computer Security1


Chapter two

Cryptography algorithms

This chapter will discuss cryptography, concepts, algorithms, attacks, and management.

The sensitivity of assets is determined by confidentiality and integrity requirements and the impact
of compromise on the corporation.

Cryptography is the science of encrypting and decrypting communications to make them
unintelligible for all but the intended recipient.

Cryptography is used to implement several goals of information security, including
confidentiality, integrity, and authentication.

It is no exaggeration to say that encryption is the mainstay of information and data security today.
Data that does not have encryption is never considered secure.

• Confidentiality: Cryptography protects the confidentiality of information. The encrypted
information is practically useless to persons without the proper keys for decryption.
• Integrity: Cryptography can be used to ensure the integrity (or accuracy) of information
through the use of hashing algorithms and message digests.
• Authentication: Cryptography can be used for authentication services through digital
signatures, digital certificates, or a Public Key Infrastructure (PKI).

The cryptographic life cycle involves the following steps:

1. Plain-text: Text that has not been encrypted, is in its original state, and can be
easily read (example: CISSP).
2. Encryption: A process that uses cryptographic algorithms and techniques to convert plain-text
into cipher-text so that the text cannot be understood by humans or machines.
3. Cipher-text: Information that is not in a human- or machine-readable format. The cipher-text
is the encrypted version of the plain-text (example: SDE15E7Ja).
4. Decryption: The process of converting cipher-text back to plain-text at the destination.

Cryptographic Key
A cryptographic key is used in the encryption and decryption of a text.
Each encryption algorithm has a key space from which it generates the key. This space
contains a large number of random values. The larger the key space, the more keys the
algorithm can generate. For example, if an algorithm allows a key length of 2 bits, the
key space for that algorithm would be 4, which indicates the total number of different keys that
would be possible. The more random the keys are, the more difficult it is for intruders to figure
them out.
Today, key sizes in use are 128, 256, 512, 1,024 bits and larger. So a key size of 512 bits would
provide 2^512 possible combinations of the key space.

Cryptographic Methods
There are three primary types of modern encryption:

• Symmetric: This method uses the same single key to encrypt and decrypt. This type of encryption
is also called Secret Key Cryptography (SKC).
• Asymmetric: This method uses two different keys, one to encrypt and the other to decrypt.
• Hashing: This method uses a one-way cryptographic conversion based on an algorithm, but no key.

Types of Symmetric Key Algorithm


First of all, you need to know a few concepts.

Block Cipher: Block ciphers operate on a single fixed block of plaintext to produce the
corresponding cipher text. Using a given key in a block cipher, the same plaintext block always
produces the same cipher text block.

Round: It is a transformation (permutations and substitutions) that an encryption algorithm
performs on a block of plaintext to convert (encrypt) it into cipher text.

Different types of symmetric encryption algorithms:

• Data Encryption Standard (DES): It operates on 64-bit blocks and uses a 56-bit key
size, which is too small to protect data. The algorithm consists of 16 rounds that process
the data with 16 intermediary 48-bit round keys generated from the 56-bit
cipher key by a Round Key Generator.
• RC2: A block-mode cipher that encrypts 64-bit blocks of data by using a variable-length key.
• RC4: A stream cipher that uses a variable-length key (often 128 bits).
• RC5: Similar to RC2, but includes a variable-length key (0 to 2,048 bits), variable block size
(32, 64, or 128 bits), and a variable number of processing rounds (0 to 255).
• RC6: Derived from RC5 and a finalist in the AES selection process. It uses a 128-bit block
size and variable-length keys of 128, 192, or 256 bits.
• Triple DES (3DES): This standard extended the life of the DES algorithm. In Triple DES
implementations, a message is encrypted by using one key, encrypted by using the second
key and then again encrypted by using either the first key or a third key.
• International Data Encryption Algorithm (IDEA): This algorithm is a block cipher that
operates on 64-bit plaintext blocks by using a 128-bit key. IDEA performs eight rounds on
16-bit sub-blocks and can operate in four distinct modes similar to DES. IDEA
isn't widely used today.
• Rivest Cipher: The Rivest Ciphers are a series of symmetric algorithms that include RC2,
RC4, RC5, and RC6.
• Advanced Encryption Standard (AES): AES is a 128-bit
block cipher that employs 128, 192, or 256-bit keys. AES is the official successor to DES.
• Blowfish: This algorithm operates on 64-bit blocks, employs 16 rounds, and uses
variable key lengths of up to 448 bits. To date, there are no known successful cryptanalytic
attacks against this algorithm.
• Twofish: This algorithm is a symmetric block cipher that operates on 128-bit blocks,
employing 16 rounds with variable key lengths up to 256 bits. To date, there are no known
successful cryptanalytic attacks against this algorithm.

All modes of the DES algorithm
• Electronic Code Book (ECB): This mode is the native mode for DES operation. ECB mode
operates on 64-bit blocks of plaintext independently and produces 64-bit blocks of cipher text.
This mode isn't very reliable because the same plaintext, encrypted with the same key, always
produces the same cipher text.
• Cipher Block Chaining (CBC): This mode is the most common mode of DES
operation. CBC mode operates on 64-bit blocks of plaintext to produce 64-bit blocks of cipher
text. However, CBC mode produces a more random cipher text result. One disadvantage of
CBC mode is that errors propagate. However, this problem is limited to the block in which the
error occurs and the block that immediately follows, after which the decryption
resynchronizes.
• Cipher Feedback: In this mode, previously generated cipher text is used as feedback for
key generation in the next keystream. The resulting cipher text is chained together, which
causes errors to be multiplied throughout the encryption process.
• Output Feedback (OFB): It is often used to encrypt satellite communications. In this
mode, previous plaintext is used as feedback for key generation in the next keystream. Because
the resulting cipher text is not chained together, errors don't spread throughout the encryption
process.
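
The ECB and CBC behaviour described in this list, as an added example that is not part of the original notes. A toy 16-round Feistel cipher on 64-bit blocks stands in for DES (it is not DES), and the key, IV, sample plaintext and all function names are constructed for the demonstration; input is assumed to be block-aligned, so no padding is shown.

```python
import hashlib

BLOCK = 8  # bytes: the 64-bit block size the page gives for DES

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(half, key, rnd):  # toy round function (keyed hash), standing in for DES's real one
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]

def encrypt_block(block, key):
    left, right = block[:4], block[4:]
    for rnd in range(16):  # 16 Feistel rounds
        left, right = right, _xor(left, _f(right, key, rnd))
    return left + right

def decrypt_block(block, key):
    left, right = block[:4], block[4:]
    for rnd in reversed(range(16)):  # same rounds, undone in reverse order
        left, right = _xor(right, _f(left, key, rnd)), left
    return left + right

def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(pt, key):
    # Every block is encrypted independently of the others.
    return b"".join(encrypt_block(b, key) for b in blocks(pt))

def cbc_encrypt(pt, key, iv):
    out, prev = [], iv
    for b in blocks(pt):
        prev = encrypt_block(_xor(b, prev), key)  # chain in the previous ciphertext block
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(ct, key, iv):
    out, prev = [], iv
    for c in blocks(ct):
        out.append(_xor(decrypt_block(c, key), prev))
        prev = c
    return b"".join(out)

def damaged_blocks(pt, key, iv, flip_at):
    # Flip one ciphertext bit "in transit"; list the plaintext blocks that come out wrong.
    ct = bytearray(cbc_encrypt(pt, key, iv))
    ct[flip_at] ^= 0x01
    got = blocks(cbc_decrypt(bytes(ct), key, iv))
    return [i for i, (a, b) in enumerate(zip(blocks(pt), got)) if a != b]

KEY, IV, PT = b"demo-key", bytes(range(8)), b"SAMEDATA" * 4  # constructed: 4 identical blocks
```

With this input, `ecb_encrypt` yields four identical ciphertext blocks while `cbc_encrypt` yields four different ones, and `damaged_blocks(PT, KEY, IV, 8)` returns `[1, 2]`: the block holding the flipped bit and the one after it.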

Cryptography- Part 2
Asymmetric Cryptography / Public Key Cryptography
In this part of Chapter 2, two keys are used:

• Private key: This key is known only to its owner.
• Public key: This key is issued by using a Public Key Infrastructure (PKI), where a
trusted Certification Authority certifies the ownership of key pairs.

Only the private key can decrypt the message; thus, an attacker possessing only the public key
can’t decrypt the message. A secure message guarantees the confidentiality of the message.

Everyone knows the public key, while one key is kept secret and is used by the sender to encrypt
the data. Each sender uses its secret key (known as a private key) to encrypt its data before
sending.

The receiver uses the respective public key of the sender to decrypt the data.

When two parties want to exchange an encrypted message by using asymmetric key cryptography,
they follow these steps:

1. The sender encrypts the plaintext message with the intended recipient’s public key.
2. This produces a cipher text message that can then be transmitted to the intended recipient.
3. The recipient then decrypts the message with his private key, known only to him.

Types of Asymmetric Key Algorithm


• Rivest, Shamir, and Adleman (RSA): This algorithm is named after its inventors. It uses
a variable-size encryption block as well as a variable-size key. The algorithm uses a product of
two large prime numbers to derive the key pairs.
• Diffie-Hellman: This method is used primarily for private-key exchange over an insecure
medium. This method is vulnerable to Man-in-the-Middle attacks.
• ElGamal: It is similar to Diffie-Hellman but extends the functionality of Diffie-Hellman by
including encryption and digital signatures.
• Elliptic Curve Cryptography (ECC): This is an algorithm that generates keys from
elliptic curves. A 160-bit EC key is equivalent to a 1,024-bit RSA key. EC is significantly
faster and more efficient than other asymmetric algorithms and many symmetric
algorithms.
• Digital Signature Algorithm (DSA): This algorithm is primarily used for authentication
purposes in digital signatures.

CHAPTER 3 Cryptography- Part 3


Public Key Infrastructure (PKI)
A PKI is an arrangement whereby a central authority stores encryption keys or certificates
associated with users and systems. PKI is a key element in cryptography.

The four basic components of a PKI are:

• Certificate Authority (CA): It comprises hardware, software, and the personnel
administering the PKI. The CA issues certificates, maintains and publishes status information and
Certificate Revocation Lists (CRLs), and maintains archives.
• Registration Authority (RA): It's responsible for verifying certificate contents for the CA.
This component comprises hardware, software, and the personnel administering the PKI.
• Repository: It is a system that accepts certificates and CRLs from a CA and distributes them to
authorized parties.
• Archive: An archive offers long-term storage of archived information from the CA.

Key Management
The following are the major functions associated with managing encryption keys:

• Key generation: Keys must be generated randomly on a secure system. The keys should
not be displayed in clear text.
• Key distribution: Distributing keys securely is a major vulnerability in symmetric key
systems. The solution is to use an asymmetric system.
• Key installation: This process should ensure that the key isn't compromised during
installation or incorrectly entered.
• Key storage: Keys must be stored on protected or encrypted storage media.
• Key change: Keys should be changed regularly, relative to the value of the information
being protected and the frequency of use.
• Key control: Different keys have different functions and may only be approved for certain
levels of classification. You need to control how they are used.
• Key disposal: There will come a time when we no longer need a specific key. This key
must then be destroyed accurately and completely so that it can never be recovered and
its contents are never disclosed.

Digital Signatures
The sender encrypts a message with his or her own private key. At the destination, the sender's
public key properly decrypts the message, authenticating the originator of the message.
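
The three-step message exchange from the asymmetric cryptography section and the signing flow described here, as an added example that is not part of the original notes. It is textbook RSA without padding, with a signature over a SHA-256 digest reduced modulo n; the two demo primes, the sample messages and all function names are assumptions made for the demonstration.

```python
import hashlib

# Assumed demo primes (the Mersenne primes 2**61-1 and 2**89-1). Real keys use
# randomly generated primes that are far larger.
P, Q = 2**61 - 1, 2**89 - 1

def make_keypair(p, q, e=65537):
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)            # private exponent: e*d = 1 (mod phi)
    return (n, e), (n, d)          # (public key, private key)

def encrypt(message, public):
    # Step 1: the sender uses the recipient's PUBLIC key.
    n, e = public
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this modulus")
    return pow(m, e, n)

def decrypt(cipher, private):
    # Step 3: only the recipient's PRIVATE key recovers the plaintext.
    n, d = private
    m = pow(cipher, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

def _digest(message, n):
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(message, private):
    # The sender applies their own PRIVATE key to the message digest.
    n, d = private
    return pow(_digest(message, n), d, n)

def verify(message, signature, public):
    # Anyone holding the sender's PUBLIC key can check the origin.
    n, e = public
    return pow(signature, e, n) == _digest(message, n)

PUBLIC, PRIVATE = make_keypair(P, Q)
SIGNED = b"pay 100 to Bob"          # constructed sample message
SIGNATURE = sign(SIGNED, PRIVATE)
```

`verify(SIGNED, SIGNATURE, PUBLIC)` is true, while the same signature checked against an altered message fails, which is how the signature authenticates both the originator and the content.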

Integrity
Cryptography can be used to ensure the integrity of information using a hashing algorithm and
message digest algorithm.

Cryptography- Part 4
Hashing: Hash functions are primarily used to provide integrity. Hashing and cryptography have a
very close relationship.

A one-way function ensures that the same key can’t encrypt and decrypt a message in an
asymmetric key system. A one-way function’s purpose is to ensure confidentiality. A one-way
hashing algorithm produces a hashing value (or message digest) that can’t be reversed; that is, it
can’t be decrypted.

Hashing provides encryption by using an algorithm without using any key. It is called a one-way
hash function because there is no way to reverse the encryption. A variable-length plaintext is
hashed into a fixed-length hash value, which is usually called a message digest or a hash.

Collisions: This means that one or more documents share a common hash.

Hashing Algorithms Family
• Message Digest (MD): It is a family of one-way hashing algorithms that includes MD
(obsolete), MD2, MD3 (not widely used), MD4, MD5, and MD6.
• Secure Hash Algorithm (SHA): This is a more secure and widely used family of hashing
algorithms. There are several versions of this algorithm.

Common Hashing Algorithms


• MD5: It is one of the most popular hashing algorithms. MD5 produces a 128-bit digest.
Messages are processed in 512-bit blocks, using four rounds of transformation. The resulting
hash is typically represented as a 32-digit hexadecimal number. MD5 is susceptible to
collisions.
• MD6: It uses very large input message blocks (up to 512 bytes) and produces variable-length
digests (up to 512 bits).
• SHA1: Published in 1995, it takes a variable-size input (message) and produces a fixed-size
output (160-bit message digest, versus MD5's 128-bit message digest). SHA-1 processes
messages in 512-bit blocks and adds padding to a message length, if necessary, to produce a
total message length that's a multiple of 512. This algorithm is not stable, so it is recommended
not to use it.
• SHA2: Published in 2001, it consists of four hash functions (SHA-224, SHA-256, SHA-384,
and SHA-512) that have digest lengths of 224, 256, 384, and 512 bits, respectively.
SHA-2 processes messages in 512-bit blocks for the 224, 256, and 384 variants, and 1,024-bit
blocks for SHA-512.
• SHA3: Published in 2015, SHA-3 includes SHA3-224, SHA3-256, SHA3-384, and
SHA3-512, which produce digests of 224, 256, 384, and 512 bits, respectively. SHAKE128
and SHAKE256 are also variants of SHA3.
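
The fixed-length, one-way behaviour and the digest sizes listed above, checked with Python's standard `hashlib`, as an added example that is not part of the original notes. The sample messages and function names are constructed for the demonstration, and SHA-256 is an assumed choice for the integrity check.

```python
import hashlib
import hmac

# Digest sizes in bits, as stated in the list above.
STATED_BITS = {"md5": 128, "sha1": 160, "sha224": 224, "sha256": 256,
               "sha384": 384, "sha512": 512, "sha3_256": 256, "sha3_512": 512}

def digest_bits(name, message):
    # The output length depends only on the algorithm, never on the input length.
    return len(hashlib.new(name, message).digest()) * 8

def changed_bits(a, b, name="sha256"):
    # Count how many digest bits differ between the hashes of two messages.
    da, db = hashlib.new(name, a).digest(), hashlib.new(name, b).digest()
    return sum(bin(x ^ y).count("1") for x, y in zip(da, db))

def make_digest(message):
    # Sender side: publish this message digest alongside the message.
    return hashlib.sha256(message).hexdigest()

def is_intact(message, published_digest):
    # Receiver side: recompute the digest and compare in constant time.
    return hmac.compare_digest(make_digest(message), published_digest)

def stated_sizes_hold(short=b"", long=b"x" * 100_000):
    # True if every algorithm yields its stated size for both a tiny and a large input.
    return all(digest_bits(n, short) == bits == digest_bits(n, long)
               for n, bits in STATED_BITS.items())

# Constructed sample messages that differ in a single character.
ORIGINAL = b"transfer 100 to account 42"
TAMPERED = b"transfer 900 to account 42"
```

Changing one character of the message changes roughly half of the 256 digest bits, so `is_intact(TAMPERED, make_digest(ORIGINAL))` is false.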

Cryptanalytic Attacks
These attacks aim to compromise keys by deciphering messages in order to find out the keys. The
goal of cryptanalysis is to decipher the private or secret key. Here are some examples of these
attacks:

• Cipher text-only attack: This refers to the availability of the cipher text to the
cryptanalyst. In this attack, the cryptanalyst obtains the cipher text of several messages, all
encrypted by using the same encryption algorithm. The cryptanalyst then attempts to decrypt
the data by searching for repeating patterns and using statistical analysis. This type of attack
requires a large sample of cipher text.
• Chosen-cipher text attack: This type of attack is used to obtain the plaintext by choosing
a sample of cipher text.
• Chosen-plaintext attack: This refers to the availability of the cipher text corresponding to
the block of plaintext chosen by the analyst.
• Known-plaintext attack: In this attack, the cryptanalyst has obtained the cipher text and
corresponding plaintext of several past messages, which he or she uses to decipher new
messages.
• Adaptive-chosen-plaintext attack: In this attack, the cryptanalyst can choose the samples
of plaintext based on the results of previous encryptions in a dynamic fashion.
• Adaptive-chosen-cipher text attack: This is similar to the chosen-cipher text attack, but the
samples of cipher text are dynamically selected by the cryptanalyst.
• Man-in-the-Middle attack: It involves an attacker intercepting messages between two
parties on a network and potentially modifying the original message.

Digital Rights Management (DRM)


DRM is about the protection of data, such as spreadsheets and email messages. The solutions
provide a common set of foundation features:

• Restrict viewing of a document to a defined set of people
• Expire a document (rendering it unreadable after a specified date)
• Restrict editing of a document to a defined set of people
• Provide portable document protection such that the protection
• Restrict printing of a document to a defined set of people
