Algorithms and Techniques

Stream Ciphers: Bits of data are encrypted as a continuous stream. One by one bits bits are fed into the cipher and encrypted usually by an XOR operation. When used with encryption- XOR takes two inputs: the data bits and the key bits. If the bits match, the output is 0, and 1 if they do not.
When using XOR if the key length is smaller than the data, the cipher will be vulnerable to frequency analysis.

Block Ciphers: bits are split into blocks (usually 64 bits) before being encrypted. They use transposition and substitution in their algoriths and are slower than stream ciphers.

Concealment Cipher: a message that is concealed in some way. For example, the following text includes a secret message: "Leaving Evansville after vacation emblazed nutshells over Wesley." The key is every first letter of each word, so the message is "leave now"

Symmetric Encryption: One key is used both to encrypt and decrypt the data. Both sender and receiver need to have the key. For this reason, key management is an issue as you have to have a safe way of sharing the key. Due to its speed, it is great for bulk encryption. Scalability is a concern because the number of keys that must be generated goes up exponentially as the number of nodes in the network increases. It does not prove the sender's identity (non-repudiation). The formula for calculating how many key pairs you will need is N (N – 1) / 2 where N is the number of nodes in the network.

A few symmetric algorithms:
  1. 3DES: A block cipher that uses a 168-bit key. 3DES (called triple DES) can use up to three keys in a multiple-encryption method. It’s much more effective than DES, but is much slower.
  2. AES (Advanced Encryption Standard): A block cipher that uses a key length of 128, 192, or 256 bits, and effectively replaces DES. Much faster than DES or 3DES.
  3. Blowfish: A fast block cipher, largely replaced by AES, using a 64-bit block size and a key from 32 to 448 bits. Blowfish is considered public domain.

Asymmetric Encryption: With key distribution being an issue in symmetric algorithms, asymmetric encryption came to life. This is a two key pair system, where the public key is the encryption key and can be sent to anyone, and the private key is kept secured on the system and used for decryption. Asymmetric encryption provides both confidentiality and non-repudiation. It also solves the problems of key distribution and scalability. Really the only downside of asymmetric encryption the performance and processing power.

A few asymmetric algorithms:
  1. Diffie-Hellman: Developed for use as a key exchange protocol, Diffie-Hellman is used in Secure Sockets Layer (SSL) and IPSec encryption. Can be vulnerable to man-in-the-middle attacks, however, if the use of digital signatures is waived.
  2. El Gamal :Not based on prime number factoring, this method uses the solving of discrete logarithm problems for encryption and digital signatures.
  3. RSA: An algorithm that achieves strong encryption through the use of two large prime numbers. Factoring these numbers creates key sizes up to 4,096 bits. RSA can be used for encryption and digital signatures and is the modern de facto standard.

Hash Algorithms: A hash algorithm is NOT an encryption algorithm, but rather output from a one-way mathematical function. It is used to verify the integrity of data. Changing a single bit of the input data will generate a different hash. The attack against hashing algorithms is known as collision. A collision occurs when two or more files create the same output—which is not supposed to happen. If this were to happen, an attacker may be able to pass off the fake file as the original. For example MD5 will generate 2^128 possible combinations; with the speed of modern systems, it is not infeasible to re-create a hash; however this will take a lot of time. If you are interested in cracking hashes here and here is a great resource rainbow tables.

Example hash algorithms:
  1. MD5 (Message Digest algorithm): Produces a 128-bit hash value output, expressed as a 32-digit hexadecimal. Created by Ronald Rivest, MD5 was originally very popular for ensuring file integrity. However, serious flaws in the algorithm, and the advancement of other hashes, have resulted in this hash being rendered obsolete (U.S. CERT, August 2010). Despite its past, MD5 is still used for file verification on downloads and, in many cases, to store passwords.
  2. SHA-1: Developed by the NSA (National Security Agency), SHA-1 produces a 160-bit value output, and was required by law for use in U.S. government applications. In late 2005, however, serious flaws became apparent and the U.S. government began recommending the replacement of SHA-1 with SHA-2 after the year 2010 (see FIPS PUB 180-1).
  3. SHA-2 Actually holds four separate hash functions that produce outputs of 224, 256, 384, and 512 bits. Although it was designed as a replacement for SHA-1, SHA-2 is still not as widely used.
Public Key Infrastructure: (PKI) is a structure designed to verify and authenticate the identity of individuals within the domain taking part in a data exchange. The systems starts with a neutral party know as the Certificate Authority (CA) -which stamps something as vaild. It creates and issues digital certificates to verify identity. The CA keeps track of the certificates using the Certificate Revocation List (CRL).