Architecture & Design 2.8: Cryptography Concepts
Asymmetric Encryption
Encryption that involves multiple keys
Low latency encryption use case
-Fast computation time -Symmetric encryption, small key
High resiliency encryption use case
-Larger key size -Encryption algorithm quality -Hashing
Low power device encryption use case
-Smaller encryption keys -ECC for asymmetric encryption
Blockchain process
1. Initiate Transaction 2. Validate Transaction 3. Create a Block 4. Calculate and insert a hash 5. Complete transaction
Stream Cipher
Encryption that is done one bit or byte at a time. High speed. Low hardware complexity. Symmetric encryption for less overhead.
Block Cipher
A cipher that manipulates an entire standard size of a block of plaintext at one time.
Quantum Communication
A communications network that relies on qubits made of photons (light) to send multiple combinations of 1s and 0s simultaneously which results in tamper resistant and extremely fast communications
GCM (Galois Counter Mode)
A mode of operation used for encryption. It combines the Counter (CTM) mode with hashing techniques for data authenticity and confidentiality.
Initialization Vector (IV)
A non-secret binary vector used as the initializing input algorithm for the encryption of a plaintext block sequence to increase security by introducing additional cryptographic variance and to synchronize cryptographic equipment.
Steganography
A technology that makes it possible to embed hidden information in documents, pictures, and music files
CBC (Cipher Block Chaining)
Adds some randomization where each block is XORed with the previous ciphertext block.
Elliptic Curve Cryptography (ECC)
An algorithm that uses elliptic curves instead of prime numbers to compute keys.
Perfect Forward Secrecy (PFS)
An encryption method that ensures that a session key derived from a set of long-term keys cannot be compromised if one of the long-term keys is compromised in the future. To work properly, requires two conditions: Keys must not be reused, and new keys must not be derived from previously used keys. -Requires additional computing power -Browsers need to be able to support this function
Symmetric Encryption
An encryption method whereby the same key is used to encode and to decode the message. Aka Shared Secret Algorithm -Difficult to scale -Very fast to use
Supporting Non-repudiation
Confirm the authenticity of data. Digital signature provides both integrity and non-repudiation.
Lightweight cryptography
Cryptographic algorithms with reduced compute requirements that are suitable for use in resource-constrained environments, such as battery-powered devices.
Homomorphic Encryption (HE)
Enables processing of encrypted data without the need to decrypt the data. It allows the cloud customer to upload data to a cloud service provider for processing without the requirement to decipher the data first.
Mode of operation
Implementation of a block symmetric cipher, with some modes allowing secure encryption of a stream of data, with or without authentication for each block.
Private key
In an asymmetric encryption scheme the decryption key is kept private and never shared, so only the intended recipient has the ability to decrypt a message that has been encrypted with a public key.
Key Strength
Larger keys and more bits are signs of better encryption and stronger keys. Symmetric: 128 bit+ Asymmetric: 3072 bit+
Supporting Obfuscation
Modern malware tries to hide itself. Encrypted data hides the active malware code. Decryption occurs during execution.
Hash collision
Occurs when the hashing algorithm creates the same hash from different text strings. Occurred w/MD5 (don't use)
Public key
One of the keys used in asymmetric encryption systems. It is widely distributed and available to everyone.
Supporting authentication
Password hashing. Protect the original password. Add salts to randomize the stored password hash.
XOR (Exclusive OR)
Performing a different set of input and output to that data to add some randomization. -Initial plaintext gets an IV before encryption, encrypted output is used as the IV for the next block of data
Supporting integrity
Prevent modification of data. Validate the contents with hashes. File download, password storage, etc.
Quantum Key Distribution (QKD)
Protocol which uses quantum mechanics to securely send encryption keys over fibre optic networks
Digital Signatures
Provide authentication of a sender and integrity of a sender's message. -Created w/private key, verified with public key
Salted Hash
Random data added to passwords when hashing (helps secure a situation where it's possible that multiple people are using the same password)
Supporting confidentiality
Secrecy and privacy. Encryption (file-level, drive-level, email)
In-band key exchange
Sending an encryption key over the network and having it appear instantly on the other side it uses asymmetric encryption when sending the symmetric key to someone else
Cryptography Limitations
Speed, Size, Weak keys, Time, Longevity, Predictability, Reuse, Entropy, Computational overheads, and Resources vs. security constraints.
Session key
Symmetric key that is used only during a single communication session between two parties (ephemeral, need to be switched often)
Hash
Take any type of input and create a very specific unique string of text that's associated with that file (think of a fingerprint, also called message digest). -One way trip -Often used to store passwords, verify document is the same as an original, do digital signatures -Always a unique hash
key stretching
Taking a relatively small encryption key and find ways to make it larger. For example, we could hash a password and then hash the hash of the password, and so on.
ECB (Electronic Code Book)
The most simplistic encrpytion, in which each plaintext block is encrypted with the same key
Key Exchange
The process of sending and receiving secure cryptographic keys. Challenge is sending over a medium that is insecure (logistical challenge)
cryptographic key
Used by an algorithm to transform plaintext into ciphertext or ciphertext into plaintext (larger it is the more secure)
CTR (Counter Mode)
Uses an incremental counter to be able to add randomization to the encryption process. With this mode, we start with the incremental counter and then we encrypt that counter with the block cipher encryption. After that encryption has been done, we will perform the exclusive or to the plain text to finally create the ciphertext.
Quantum computing
Uses the principles of quantum physics to represent data and perform operations on these data. No longer bits but qubits. More scalable.
Diffie-Hellman key exchange
an asymmetric standard for exchanging keys. primarily used to send private keys over public networks.
Plaintext
normal text that has not been encrypted
Cyphertext
the encrypted form of a message
Cryptanalysis
the study and practice of finding weaknesses in ciphers
Out-of-band key exchange
two parties must exchange keys in a separate communication channel other than communication channel that is exchange data between parties (phone call, in-person etc.)
Key stretching libraries
• Already built for your application - No additional programming involved • bcrypt - Generates hashes from passwords - An extension to the UNIX crypt library - Uses Blowfish cipher to perform multiple rounds of hashing •Password-Based Key Derivation Function 2 (PBKDF2) - Part of RSA public key cryptography standards (PKCS #5, RFC 2898)