You will learn the terms encryption, encryption algorithm encryption key and symmetric encryption in this lesson.

Cryptography is the art and science of making data impossible to read. Cryptographic algorithms start with plain, readable data (plaintext) and scramble it so it becomes an unreadable ciphertext. Each encryption algorithm must also specify how the ciphertext can be decrypted back into the plaintext it came from, so that the intended recipient can read it. Encrypting the plaintext to ciphertext will give high security to your confidential data and only the authorized person who is supposed to read this document, can read it.

Encryption Terms
Following are some important terms related with encryption. Before continuing, you should know what these terms are. Plaintext: The information in its original form. This is also known as cleartext. Ciphertext: The information after it has been obfuscated by the encryption algorithm. Encryption: The process of changing the plaintext into ciphertext. Decryption: The process of changing the ciphertext into plaintext. Encryption Algorithm: An algorithm defines how data is transformed when original plaintext data scrambled to ciphertext. Both the data sender and the recipient must know the algorithm used for data transformation. The recipient should use the same algorithm to decrypt the ciphertext back into the original plaintext data. Encryption Key: A key is secret value, which is used as an input to the algorithm along with the plaintext data when plaintext is converted to ciphertext. The same secret key should be used to decrypt the ciphertext back into plaintext data. Cryptography: The art of concealing information using encryption. Cryptographer: An individual who practices cryptography. Cryptanalysis: The art of analyzing cryptographic algorithms for identifying the weaknesses. Cryptanalyst: An individual who uses cryptanalysis to identify the weaknesses in cryptographic algorithms.

What is Symmetric Encryption?

Symmetric encryption is the process of converting readable data unreadable format and converting it back to readable format using same key. Symmetric encryption algorithms use the same key for

encryption and decryption. The key must be exchanged so that both the data sender and the data recipient can access the plaintext data. The plaintext (Readable Text) is converted to ciphertext (unreadable text) using a key and at the receiving side the same key is used to covert back the ciphertext (unreadable text) to plaintext (Readable Text).

Symmetric Encryption Algorithms

1

Data Encryption Standard (DES): An encryption algorithm that encrypts data with a 56-bit, randomly generated symmetric key. DES is not a secure encryption algorithm and it was cracked many times. Data Encryption Standard (DES) was developed by IBM and the U.S. Government together. DES is a block encryption algorithm. Data Encryption Standard XORed (DESX): DESX is a stronger variation of the DES encryption algorithm. In DESX, the input plaintext is bitwise XORed with 64 bits of additional key material before encryption with DES and the output is also bitwise XORed with another 64 bits of key material. Triple DES (3DES): Triple DES was developed from DES, uses a 64-bit key consisting of 56 effective key bits and 8 parity bits. In 3DES, DES encryption is applied three times to the plaintext. The plaintext is encrypted with key A, decrypted with key B, and encrypted again with key C. 3DES is a block encryption algorithm. RC2 and RC5: Ronald Rivest (RSA Labs), developed these algorithms. They are block encryption algorithms with variable block and key sizes. It is difficult to break if the attacker does not know the original sizes when attempting to decrypt captured data. RC4: A variable key-size stream cipher with byte-oriented operations. The algorithm is based on the use

of a random permutation and is commonly used for the encryption of traffic to and from secure Web sites using the SSL protocol. Advanced Encryption Standard (AES): Advanced Encryption Standard (AES) is a newer and stronger encryption standard, which uses the Rijndael (pronounced Rhine-doll) algorithm. This algorithm was developed by Joan Daemen and Vincent Rijmen of Belgium. AES will eventually displace DESX and 3DES. AES is capable to use 128-bit, 192-bit, and 256-bit keys. International Data Encryption Algorithm (IDEA): IDEA encryption algorithm is the European counterpart to the DES encryption algorithm. IDEA is a block cipher, designed by Dr. X. Lai and Professor J. Massey. It operates on a 64-bit plaintext block and uses a 128-bit key. IDEA uses a total of eight rounds in which it XORs, adds and multiplies four sub-blocks with each other, as well as six 16bit sub-blocks of key material. Blowfish: Blowfish is a symmetric block cipher, designed by Bruce Schneier. Blowfish has a 64-bit block size and a variable key length from 32 up to 448 bits. Bruce Schneier later created Twofish, which performs a similar function on 128-bit blocks. CAST: CAST is an algorithm developed by Carlisle Adams and Stafford Tavares. Its used in some products offered by Microsoft and IBM. CAST uses a 40-bit to 128-bit key, and its very fast and efficient. Note: Block Cipher: A block cipher divides data into chunks, pads the last chunk if necessary, and then encrypts each chunk in its turn. Streaming Cipher. A streaming cipher uses a series of random numbers seeded with a cipher key to encrypt a stream of bits.

What is Asymmetric Encryption?

1

Asymmetric encryption increases the security of the encryption process by utilizing two separate but mathematically related keys known as a public key and a private key. Asymmetric encryption algorithms use a key mathematically related key pair for encryption and decryption. One key of the key pair is is known as the public key and other one is private key. The private key is possessed only by the user or computer that generates the key pair. The public key can be distributed to any person who wishes to send encrypted data to the private key holder. It is impossible to compute the private key if you know the public key. Hence it is safe to publish the public key. If the public key is used for encryption, the associated private key is used for decryption.

If the private key is used for encryption, the associated public key is used for decryption

First, the data sender obtains the recipients public key. The plaintext is encrypted with asymmetric encryption algorithm, using the recipients public key and the ciphertext is created. After the encyprion process, the ciphertext is sent to the recepient through the unsecure network. The recipient decrypts the ciphertext with his private key and now he can access the plaintext from the sender.

Asymmetric Encryption Algorithms

3

The following are the major asymmetric encryption algorithms used for encrypting or digitally signing data. Diffie-Hellman key agreement: Diffie-Hellman key agreement algorithm was developed by Dr. Whitfield Diffie and Dr. Martin Hellman in 1976. Diffie-Hellman algorithm is not for encryption or decryption but it enable two parties who are involved in communication to generate a shared secret key for exchanging information confidentially. The working of Diffie-Hellman key agreement can be explained as below. Assume we have two parties who need to communicate securely. 1) P1 and P2 agree on two large integers a and b such that 1 < a < b. 2) P1 then chooses a random number i and computes I = a^i mod b. P1 sends I to P2. 3) P2 then chooses a random number j and computes J = a^j mod b. P2 sends J to P1. 4) P1 computes k1 = J^i mod b. 5) P2 computes k2 = I^j mod b.

6) We have k1 = k2 = a^(ij) mod b and thus k1 and k2 are the secret keys for secure transmission. Rivest Shamir Adleman (RSA): Ron Rivest, Adi Shamir, and Len Adleman released the Rivest-ShamirAdleman (RSA) public key algorithm in 1978. This algorithm can be used for encrypting and signing data. The encryption and signing processes are performed through a series of modular multiplications. The basic RSA algorithm for confidentiality can be explained as below. Ciphertext = (plaintext)^e mod n Plaintext = (ciphertext)^d mod n Private Key = {d, n} Public Key = {e, n} The basic RSA algorithm for authentication can be explained as below. ciphertext = (plaintext)^d mod n plaintext = (ciphertext)^e mod n private key = {d, n} public key = {e, n} Elliptic Curve Cryptography (ECC): Elliptic Curve Cryptography (ECC) provides similar functionality to RSA. Elliptic Curve Cryptography (ECC) is being implemented in smaller devices like cell phones. It requires less computing power compared with RSA. ECC encryption systems are based on the idea of using points on a curve to define the public/private key pair. El Gamal: El Gamal is an algorithm used for transmitting digital signatures and key exchanges. The method is based on calculating logarithms. El Gamal algorithm is based on the characteristics of logarithmic numbers and calculations. The Digital Signature Algorithm (DSA) is based on El Gamal algorithm. Digital Signature Algorithm (DSA). The Digital Signature Algorithm (DSA) was developed by the United States government for digital signatures. Digital Signature Algorithm can be used only for signing data and it cannot be used for encryption. The DSA signing process is performed through a series of calculations based on a selected prime number. Although intended to have a maximum key size of 1,024 bits, longer key sizes are now supported. When DSA is used, the process of creating the digital signature is faster than validating it. When RSA is used, the process of validating the digital signature is faster than creating it.

Public Key Cryptography

1

Public Key cryptography is based on asymmetric encryption. Asymmetric encryption makes use of a

mathematically linked pair of keys, one is known as the public and the other is known as the private key. The plaintext encrypted using one of the keys can only be decrypted using the other key, and it is impossible to compute private key, if public key is published. A user has his own pair of keys, keeping the private key absolutely private and the public key as public as possible. The following text explains the concept more clearly. If Alice has in hand her own public key (PubA), her own private key (PrivA), and Bob's public key (PubB), she can do the following: Encrypt the plaintext with Bob's public key (PubB) Calculate the hash sum of the plaintext and encrypt it with her own private key (PrivA) Combine the ciphertext and the encrypted hash sum in a message and send it to Bob. Upon receiving this message, Bob, who should have in his possession his own public key (PubB), his own private key (PrivB), and Alice's public key (PubA), can do the following: Decrypt the ciphertext with his own private key (PrivB) Decrypt the hash sum with Alice's public key (PubA) Calculate the hash sum of the plaintext and compare it with the decrypted hash sum Bob can now decrypt the ciphertext to plaintext and, if the hash sums are the same he can make sure that it hasn't been altered in network.

What is a Digital Certificate?

1

The data structure used to transport and validate keys is called a digital certificate. A certificate protects the key by guaranteeing the identity of the issuer, the identity of the owner, and the purposes for which the key can be used. A certificate cannot be forged because the issuing authority digitally signs it. The signature is applied to a hash of the certificate. This enables clients to validate the issuer's identity and find any alteration. The client decrypts the hash using the issuer's public key and then compares the result to a separate hash it performs on the certificate. If the results match, the certificate is valid.

A Digital Certificate contains the following fields (some are optional). Issued By: The Certification Authority (CA) that issued the digital certificate. Issued To: The recipient that obtained the digital certificate. If the recipient is a user, the name can be the user's logon ID, User Principal Name (UPN), or Distinguished Name (DN). Intended Uses (OID): A certificate has one or more uses. This shows the intended uses of the certificate. Version: The certificate version. Windows Certification Authority (CA) servers issue X.509 Version 3 certificates. Serial Number: This is a sequential number assigned by the CA to the certificate. The number is unique and acts as a validity check. Signature Algorithm: The hashing algorithm used to do the digital signature for the certificate. This is typically either SHA-1 or MD5.

Issuer: This is the X.500 distinguished name of the issuing server. Valid From: This is the issue date of the certificate. Valid To: This important field defines the expiry date of the certificate. Subject: This is the X.500 distinguished name of the certificate's owner. Public Key: This field contains the public key. CA Version: This field contains the version number (number of times the authorization certificate for a particular Certification Authority (CA) has been renewed). Subject Key Identifier: This field contains an SHA-1 hash of the Public Key field used to uniquely identify the contents. This prevents alteration of the public key. Certificate Template: This field is a Microsoft extension that contains name of the template used by the CA to generate this certificate. Key Usage: This field contains the OIDs of the purposes for the certificate. Authority Key Identifier: Contains an SHA-1 hash of the public key of the issuing CA along with the distinguished name of the CA. CRL Distribution Points (CDPs): CRL (Certificate Revocation List) information listed by LDAP path, URL, and file share name. Authority Information Access: Information for a client to find the certificate of the issuing CA. Thumbprint: A hash of the certificate. Thumbprint Algorithm: The algorithm used to obtain the certificate hash

What is Public Key Infrastructure (PKI)?

2

The Public Key Infrastructure (PKI) is a set of hardware, software, people, policies, and procedures needed to create, manage, store, distribute, and revoke Digital Certificates. A Public Key Infrastructure (PKI) enables users of a basically unsecure public network such as the Internet to securely and privately exchange data through the use of a public and a private cryptographic key pair that is obtained and shared through a trusted authority. The following are the major functions of Public Key Infrastructure (PKI).

Confidentiality: The privacy of user transactions is protected by encrypting data streams and messages. The confidentiality function may be intended to prevent the unauthorized disclosure of information locally or across a network. By using Public Key Infrastructure (PKI), users are able to ensure that only an intended recipient can unlock (decrypt) an encrypted message. Authentication: Authentication is the process of verifying that the user is who they say they are. PKI provides a means for senders and recipients to validate each other's identities. Integrity: Guaranteeing message integrity is another important function of Public Key Infrastructure (PKI). Public Key Infrastructure (PKI) has built-in ways to validate that all the outputs are equivalent to the inputs. Any alter of the data can be immediately detected and prevented. Non-Repudiation: Public Key Infrastructure (PKI) ensures that an author cannot refute that they signed or encrypted a particular message once it has been sent, assuming the private key is secured. Here Digital signatures link senders to their messages. Only the sender of the message could sign messages with their private key and therefore, all messages signed with the sender's private key originated with that specific individua

What is a Certificate Authority (CA)?

Certificate Authority (CA) is a trusted entity that issues Digital Certificates and public-private key pairs. The role of the Certificate Authority (CA) is to guarantee that the individual granted the unique certificate is, in fact, who he or she claims to be. The Certificate Authority (CA) verifies that the owner of the certificate is who he says he is. A Certificate Authority (CA) can be a trusted third party which is responsible for physically verifying the legitimacy of the identity of an individual or organization before issuing a digital certificate. A Certificate Authority (CA) can be an external (public) Certificate Authority (CA) like verisign, thawte or comodo, or an internal (private) Certificate Authority (CA) configured inside our network. Certificate Authority (CA) is a critical security service in a network. A Certificate Authority (CA) performs the following functions. Certificate Authority (CA) Verifies the identity: The Certificate Authority (CA) must validate the identity of the entity who requested a digital certificate before issuing it. Certificate Authority (CA) issues digital certificates: Once the validation process is over, the Certificate Authority (CA) issues the digital certificate to the entity who requsted it. Digital certificates can be used for encryption (Example: Encrypting web traffic), code signing, authentocation etc. Certificate Authority (CA) maintains Certificate Revocation List (CRL): The Certificate Authority (CA) maintains Certificate Revocation List (CRL). A certificate revocation list (CRL) is a list of digital

certificates which are no longer valid and have been revoked and therefore should not be relied by anyone

Comparison between Internal and External Certificate Authorities (CAs)

Advantages internal Certificate Authority (CA)

Simplified and ease of management is the main advantage of using internal Certificate Authority (CA). There is no need to depend an external entity for certificates. In a Microsoft Windows environment, internal Certificate Authority (CA) can be integrated in Active Directory. This further simplifies the management of the CA structure. There is no cost per certificate wen you are using an internal Certificate Authority (CA). Internal Certificate Authorities (CAs) are cheaper to configure, and expand the Public Key Infrastructure (PKI). The auto-enrollment feature of Windows Server 2003 further simplifies the certificate issuing process.

Disadvantages of internal Certificate Authority (CA)

Implementing internal Certificate Authority (CA) is more complicated than using external Certificate Authority (CA). The security and accountability of Public Key Infrastructure (PKI) is completely on the organization's shoulder. External parties normally will not trust a digital certificate signed by an internal Certification Authority (CA). The certificate management overhead of internal Certification Authority (CA) is higher than that of external Certification Authority (CA).

Advantages of external Certificate Authority (CA)

The external CA responsible for the security and accountability of Public Key Infrastructure. External parties normally trust a digital certificate signed by a trusted external CA, such as VeriSign, Thwate, Comodo, SecureNet etc.

 The certificate management overhead of external Certification Authority (CA) is lower than that of internal Certification Authority (CA).

Disadvantages of external Certification Authority (CA)

Integration between an external Certification Authority (CA) and the infrastructure of the organization is limited. Your organization need to pay per certificate when you are using the services of an external Certification Authority (CA). Less flexibility when configuring, expanding and managing certificates

Certificate Authority (CA) Hierarchy

1

Digital certificates created by a Public Key Infrastructure (PKI) Certificate Authority (CA) are verified using a chain of trust. The trust anchor for the digital certificate is the Root Certificate Authority (CA), and any Certificate Authority (CA) which comes under Root Certificate Authority (Root CA) is known as a subordinate Certificate Authority (CA). The following figure shows the Certificate Authority Hierarchy.

Root CA: A Root CA is the topmost Certificate Authority (CA) in a Certificate Authority (CA) hierarchy. Each Certificate Authority (CA) hierarchy begins with the Root CA, and multiple CAs branch from this Root CA in a parent-child relationship. All child CAs must be certified by the corresponding parent CA back to the Root CA. The Root CA is kept in a secure area and it is usually a stand-alone offline CA (to make it topmost secure Certificate Authority (CA). The root CA provides certificates for intermediate CAs. The certificates can be revoked if they are compromised. Intermediate CAs: An intermediate Certificate Authority (CA) is a CA that is subordinate to another CA (Root CA or another intermediate CA) and issues certificates to other CAs in the CA hierarchy. Intermediate CAs are usually stand-alone offline CAs like root CAs. Issuing CAs: Issuing CAs are used to provide certificates to users, computers, and other services. There can be multiple issuing CAs, and one issuing CA can be used for generating computer certificates and another can be used for generating user certificate