Public Key Encryption

Although private key encryption is a secure way to keep information confidential, it can be a problem ensuring that the private key is transferred without being intercepted. Since the only foolproof way to exchange these private keys is in person, many people have turned to the use of public key encryption. In public key encryption, a public key and private key are used in combination to provide security to a message. The use of a public key encryption makes it much easier for people to communicate confidentially since it removes the need to exchange a private key before a message is sent.

In public key encryption, there is a public key that can be known to anyone, even an attacker. This public key is only used to encrypt messages, which can then be sent to the receiver securely. After the message is encrypted using the public key, a private key is used for decryption. Since only the person receiving the message has access to the private key, they can be assured that no one else will be able to decrypt the messages being sent.

One analogy of public key encryption involves mail being sent from one person to another securely. Imagine Alice wants to send a secure message to Bob, making sure that only Bob will be able to read this message. To do this, Alice asks Bob to send her his padlock through the mail. Alice then uses Bob’s padlock (public key) to lock the message, and sends it to Bob. Since Bob is the only one who has the (private) key to the padlock, he can be sure that no one else will be able to intercept Alice’s message.

Even though public key encryption eliminates the need to securely transfer private keys, it requires very large keys to encrypt and decrypt the data. This causes public key encryption to take much longer, and use more computing resources than symmetric encryption. Public key encryption is also less secure than symmetric encryption because all public key systems can hypothetically be cracked using brute force attacks. In order to combine the advantages of both systems, a hybrid encryption system called PGP (Pretty Good Protection) was created.

In PGP, a session key is added to the encryption process, adding another level of security. The session key is a unique key created every time you use PGP to encrypt data. When a message is sent using PGP, the plaintext is encrypted using the session key, creating the ciphertext. The session key is then encrypted using a public key and sent along with ciphertext to the receiver. When the message arrives, the private key is used to decrypt the session key, which is in turn used to decrypt the message. This system provides the speed of a private key system with the easy usability of public key encryption.

In my post about private key encryption, I discussed the keys used for encryption and decryption, and how long it would take for someone to brute force attack these keys. Although both types of encryption systems use keys, the types of keys used for each are very different. Even though a 56bit key in symmetric encryption can be broken in 250 days, the same 56bit key in the public key system can be cracked in a much shorter time. This means that public key encryption users much choose the proper key size depending on the amount of resources available, along with the amount of protection desired. A smaller key size could be used for less private information, while data such as credit card numbers should be handled with a much larger key. Users of public key encryption must always choose between better performance or better security. 

Private Key Encryption

When it comes to encryption, there are two different types of systems that can be used to ensure message integrity. The first is private key encryption, in which both the sender and receiver use only one key to encrypt and decrypt data. The second is public key encryption, which uses both a public and private key to secure the message. In this article I will explain private key encryption and the amount of security that it provides. I will also show how the modern encryption key is theoretically impossible to crack.

In private key encryption, both the sender and receiver use the same key to encrypt and decrypt the message being sent. This requires the sender and receiver to both have the secret key, which can become a problem if the people communicating are a far distance away from each other. Since this secret key can be used to encode and decode the message being sent, the people using this private key must have securely transferred the key from one person to another without anyone intercepting it. The most common form of private key cryptology used today is the AES (Advanced Encryption Standard), which replaced its predecessor, DES (Data Encryption Standard). The U.S. government has recently stated that AES provides enough security to encrypt classified and top secret information.

One reason the government finds AES secure enough to protect their data is due to large key sizes. The larger the key used to encrypt the data is, the longer it will take for someone to find the key. Finding an encryption key by testing every combination of numbers allowed in the key is called a brute force attack, and is theoretically impossible with the larger key sizes that are used in encryption today. When DES was first implemented, it contained a 56bit encryption key. This meant that an attacker would need to guess 2⁵⁶ combinations since each bit can be either 1 or 0 and there are 56 different bits. At the time it seemed that this was improbable, but the 56bit key became more and more crackable as computer processing power increased.

Since the DES was quickly becoming outdated, the AES was created to take its place. The AES is much more sophisticated, including the option for 128bit, 192bit, or 256bit encryption key. To show how secure these keys are, a contest was created that rewarded anyone able to crack these encryption keys a cash prize. A worldwide network of computer users and groups operating with the website distributed.net have been the most successful in cracking these keys. In 1997, the group broke the 56bit encryption key in 250 days. (One year later it was broken in 22 hours) In 2002, the group managed to crack the 64bit key after working for almost 5 years. When you think about how much longer it took to crack a key that was only 8bits larger, it is easy to see how a 256bit encryption key is theoretically impossible to crack.

To give another example of how hard a 256bit key is to crack, cryptologist Burt Kaliski came up with this analogy: Imagine a computer that is the size of a grain of sand, with the capability to calculate encryption keys at the speed of light. Now, create a network of these computers that covers the earth to a height of one meter. This network of computers would be able to crack a 128bit encryption key in roughly 1000 years. At the current time, it would take two planets full of computers to brute force a 256bit key. Since brute force cracks are theoretically impossible, attackers have turned to other methods of intercepting or corrupting data. Many of these techniques involve social engineering and side-channel attacks.

Sources:

http://www.codinghorror.com/blog/2006/07/brute-force-key-attacks-are-for-dummies.html

http://encyclopedia.jrank.org/articles/pages/6872/Public-Key-vs-Secret-Key-Encryption.html

Cryptology

Happy New Year’s everyone. In the next week I want to start discussing the topic of encryption and the different ways in which people’s information is kept secure. In order to do that however, I need to cover some basic concepts of cryptology. Cryptology is the practice of keeping information secret, and has been used since the invention of an alphabet. Since there are entire courses and majors devoted to cryptology and encryption, I will try to explain these concepts in a way that’s simple to understand.

Although the main idea of cryptology is to ensure the content of a message is confidential, there are other aspects of message integrity that must be taken into consideration. Along with ensuring the message is unreadable (encrypted), the sender and receiver also want to be sure the message has not been altered in any way. It is also important to make sure the message was actually sent by the person that the message claims it was sent from.

When a message is encrypted, the original content (plaintext) is made unreadable using an encryption algorithm. This algorithm encrypts the message into ciphertext, which cannot be read by any intruder or eavesdropper. Since the encryption algorithms are known by everyone, including would be attackers, there is another step that must be taken to prevent intruders from decrypting the message. This is why special keys are needed to decipher the original message. There are both private-key and public-key cryptology systems, and I will explain the advantages and disadvantages of both in upcoming posts.

Another important topic in secure communication is authentication, which ensures that the sender of a message is indeed who they claim to be. Authentication also ensures that the message has not been altered in any way since it was sent. The main way that messages are authenticated uses something called a digital signature. Digital signatures are created by using encryption along with other authentication techniques to provide a (theoretically) unforgeable signature that authenticates the message integrity.

In the next week I will explain the different types of encryption, along with the advantages or disadvantages of each type. I will also explain the different ways in which data is authenticated, including a detailed explanation of digital signatures and certificates. Along with these topics, I will also explain how personal information is stored confidentially in a database.