What is Cryptography?
Cryptography is the process of hiding or coding information so that only the person a message was intended for can read it. The art of cryptography has been used to code messages for thousands of years and continues to be used in bank cards, computer passwords, and ecommerce.
Modern cryptography techniques include algorithms and ciphers that enable the encryption and decryption of information, such as 128-bit and 256-bit encryption keys. Modern ciphers, such as the Advanced Encryption Standard (AES), are considered virtually unbreakable.
A common cryptography definition is the practice of coding information to ensure only the person that a message was written for can read and process the information. This cybersecurity practice, also known as cryptology, combines various disciplines like computer science, engineering, and mathematics to create complex codes that hide the true meaning of a message.
Cryptography can be traced all the way back to ancient Egyptian hieroglyphics but remains vital to securing communication and information in transit and preventing it from being read by untrusted parties. It uses algorithms and mathematical concepts to transform messages into difficult-to-decipher codes through techniques like cryptographic keys and digital signing to protect data privacy, credit card transactions, email, and web browsing.
The Importance of Cryptography
Cryptography remains important to protecting data and users, ensuring confidentiality, and preventing cyber criminals from intercepting sensitive corporate information. Common uses and examples of cryptography include the following:
Privacy and Confidentiality
Individuals and organizations use cryptography on a daily basis to protect their privacy and keep their conversations and data confidential. Cryptography ensures confidentiality by encrypting sent messages using an algorithm with a key only known to the sender and recipient. A common example of this is the messaging tool WhatsApp, which encrypts conversations between people to ensure they cannot be hacked or intercepted.
Cryptography also secures browsing, such as with virtual private networks (VPNs), which use encrypted tunnels, asymmetric encryption, and public and private shared keys.
Cryptography is regularly used to authenticate data and messages. It is vital for senders and receivers to authenticate or confirm each other’s identity and the destination and origin of the information being shared. For example, digital signatures are mathematical concepts that demonstrate the authenticity of a digital document or message.
Similar to how cryptography can confirm the authenticity of a message, it can also prove the integrity of the information being sent and received. Cryptography ensures information is not altered while in storage or during transit between the sender and the intended recipient. For example, digital signatures can detect forgery or tampering in software distribution and financial transactions.
Cryptography confirms accountability and responsibility from the sender of a message, which means they cannot later deny their intentions when they created or transmitted information. Digital signatures are a good example of this, as they ensure a sender cannot claim a message, contract, or document they created to be fraudulent. Furthermore, in email nonrepudiation, email tracking makes sure the sender cannot deny sending a message and a recipient cannot deny receiving it.
Key exchange is the method used to share cryptographic keys between a sender and their recipient.
Types of Cryptographic Algorithms
There are many types of cryptographic algorithms available. They vary in complexity and security, depending on the type of communication and the sensitivity of the information being shared.
Secret Key Cryptography
Secret key cryptography, also known as symmetric encryption, uses a single key to encrypt and decrypt a message. The sender encrypts the plaintext message using the key and sends it to the recipient who then uses the same key to decrypt it and unlock the original plaintext message.
Stream ciphers work on a single bit or byte at any time and constantly change the key using feedback mechanisms. A self-synchronizing stream cipher ensures the decryption process stays in sync with the encryption process by recognizing where it sits in the bit keystream. A synchronous stream cipher generates the keystream independently of the message stream and generates the same keystream function at both the sender and the receiver.
Block ciphers encrypt one block of fixed-size data at a time. It will always encrypt a plaintext data block to the same ciphertext when the same key is used. A good example of this is the Feistel cipher, which uses elements of key expansion, permutation, and substitution to create vast confusion and diffusion in the cipher.
The stages of encryption and decryption are similar if not identical, which means reversing the key reduces the code size and circuitry required for implementing the cipher in a piece of software or hardware.
Public Key Cryptography
Public key cryptography (PKC), or asymmetric cryptography, uses mathematical functions to create codes that are exceptionally difficult to crack. It enables people to communicate securely over a nonsecure communications channel without the need for a secret key. For example, proxy reencryption enables a proxy entity to reencrypt data from one public key to another without requiring access to the plaintext or private keys.
A common PKC type is multiplication vs. factorization, which takes two large prime numbers and multiplies them to create a huge resulting number that makes deciphering difficult. Another form of PKC is exponentiation vs. logarithms such as 256-bit encryption, which increases protection to the point that even a computer capable of searching trillions of combinations per second cannot crack it.
Generic forms of PKC use two keys that are related mathematically but do not enable either to be determined. Put simply, a sender can encrypt their plaintext message using their private key, then the recipient decrypts the ciphertext using the sender’s public key.
Common PKC algorithms used for digital signatures and key exchanges include:
RSA was the first and remains the most common PKC implementation. The algorithm is named after its MIT mathematician developers, Ronald Rivest, Adi Shamir, and Leonard Adleman, and is used in data encryption, digital signatures, and key exchanges. It uses a large number that is the result of factoring two selected prime numbers. It is impossible for an attacker to work out the prime factors, which makes RSA especially secure.
Elliptic Curve Cryptography (ECC)
ECC is a PKC algorithm based on the use of elliptic curves in cryptography. It is designed for devices with limited computing power or memory to encrypt internet traffic. A common use of ECC is in embedded computers, smartphones, and cryptocurrency networks like bitcoin, which consumes around 10% of the storage space and bandwidth that RSA requires.
Digital Signature Algorithm (DSA)
DSA is a standard that enables digital signatures to be used in message authentication. It was introduced by the National Institute of Standards and Technology (NIST) in 1991 to ensure a better method for creating digital signatures.
Identity-based Encryption (IBE)
IBE is a PKC system that enables the public key to be calculated from unique information based on the user’s identity, such as their email address. A trusted third party or private key generator then uses a cryptographic algorithm to calculate a corresponding private key. This enables users to create their own private keys without worrying about distributing public keys.
Public Key Cryptography Standards (PKCS)
All PKC algorithms and usage are governed by a set of standards and guidelines designed by RSA Data Security. These are as follows:
- PKCS #1 or RFC 8017: RSA Cryptography Standard
- PKCS #3: Diffie-Hellman Key Agreement Standard
- PKCS #5 and PKCS #5 v2.1 or RFC 8018: Password-Based Cryptography Standard
- PKCS #6: Extended-Certificate Syntax Standard (being replaced by X.509v3)
- PKCS #7 or RFC 2315: Cryptographic Message Syntax Standard
- PKCS #8 or RFC 5958: Private Key Information Syntax Standard
- PKCS #9 or RFC 2985: Selected Attribute Types
- PKCS #10 or RFC 2986: Certification Request Syntax Standard
- PKCS #11: Cryptographic Token Interface Standard
- PKCS #12 or RFC 7292: Personal Information Exchange Syntax Standard
- PKCS #13: Elliptic Curve Cryptography Standard
- PKCS #14: Pseudorandom Number Generation Standard
- PKCS #15: Cryptographic Token Information Format Standard
Diffie-Hellman and Key Exchange Algorithm (KEA)
The Diffie-Hellman algorithm was devised in 1976 by Stanford University professor Martin Hellman and his graduate student Whitfield Diffie, who are considered to be responsible for introducing PKC as a concept. It is used for secret key exchanges and requires two people to agree on a large prime number.
KEA is a variation of the Diffie-Hellman algorithm and was proposed as a method for key exchange in the NIST/National Security Agency’s (NSA) Capstone project, which developed cryptography standards for public and government use.
Hash functions ensure that data integrity is maintained in the encryption and decryption phases of cryptography. It is also used in databases so that items can be retrieved more quickly.
Hashing is the process of taking a key and mapping it to a specific value, which is the hash or hash value. A hash function transforms a key or digital signature, then the hash value and signature are sent to the receiver, who uses the hash function to generate the hash value and compare it with the one they received in the message.
A common hash function is folding, which takes a value and divides it into several parts, adds parts, and uses the last four remaining digits as the key or hashed value. Another is digit rearrangement, which takes specific digits in the original value, reverses them, and uses the remaining number as the hash value. Examples of hash function types include Secure Hash Algorithm 1 (SHA-1), SHA-2, and SHA-3.
What Are Cryptographic Key Attacks? What Are the Types?
Modern cryptographic key techniques are increasingly advanced and often even considered unbreakable. However, as more entities rely on cryptography to protect communications and data, it is vital to keep keys secure. One compromised key could result in regulatory action, fines and punishments, reputational damage, and the loss of customers and investors.
Potential key-based issues and attack types that could occur include:
Keys are essentially random numbers that become more difficult to crack the longer the number is. Key strength and length need to be relative to the value of the data it protects and the length of time that data needs to be protected. Keys should be created with a high-quality, certified random number generator that collects entropy—the information density of a file in bits or characters—from suitable hardware noise sources.
Incorrect Use of Keys
When keys are used improperly or encoded poorly, it becomes easier for a hacker to crack what should have been a highly secure key.
Reuse of Keys
Every key should only be generated for a specific single-use encrypt/decrypt purpose, and use beyond that may not offer the level of protection required.
Non-rotation of Keys
Keys that are overused, such as encrypting too much data on a key, become vulnerable to attacks. This is particularly the case with older ciphers and could result in data being exposed. Keys need to be rotated, renewed, and updated when appropriate.
Inappropriate Storage of Keys
Storing keys alongside the information they have been created to protect increases their chances of being compromised. For example, keys stored on a database or server that gets breached could also be compromised when the data is exfiltrated.
Inadequate Protection of Keys
Huge cyberattacks like Meltdown/Spectre and Heartbleed have been capable of exposing cryptographic keys stored in server memory. Therefore, stored keys must be encrypted and only made available unencrypted when placed within secure, tamper-protected environments, or even kept offline.
Insecure Movement of Keys
Moving keys between systems should only occur when the key is encrypted or wrapped under an asymmetric or symmetric pre-shared transport key. If this is not possible, then the key must be split up into multiple parts that are kept separate, re-entered into the target system, then destroyed.
Insider Threats (User Authentication, Dual Control, and Segregation of Roles)
Insider threats are one of the most serious threats posed to any key. This is most likely to occur through a rogue employee having access to a key, then using it for malicious purposes or giving or selling it to a hacker or third party.
Lack of Resilience
Resilience is vital to protecting the availability, confidentiality, and integrity of keys. Any key that suffers a fault with no backup results in the data the key protects being lost or inaccessible.
Lack of Audit Logging
Key life cycles must be logged and recorded in full to ensure any compromise can be tracked and enable subsequent investigations to occur smoothly.
Manual Key Management Processes
Recording key management processes manually on paper or spreadsheets runs the risk of human error and makes the keys highly vulnerable to attack or theft.
How to Minimize the Risks Associated with Cryptography
Organizations and individuals can minimize and mitigate cryptography-related threats with a dedicated electronic key management system from a reputable provider. The solution must use a hardware security module to generate and protect keys, and underpin the entire system’s security.
It needs to include features like full key management life cycle, strong key generation, strict policy-based controls, swift compromise detection, secure key destruction, strong user authentication, secure workflow management, and a secure audit and usage log. This will protect the organization's keys, enhance efficiency, and ensure compliance with data and privacy regulations.
Another potential solution is cryptography quantum, whereby it is impossible to copy data encoded in a quantum state.
How Fortinet Can Help
Fortinet next-generation firewalls (NGFWs) provide encrypted traffic inspection to protect businesses from potentially malicious behavior and cyberattacks. They add features like application-layer inspection, application control, advanced visibility, and intrusion prevention systems that secure businesses against the evolving threat landscape and prevent known and future threats.
Also, the Fortinet FortiMail Cloud solution provides comprehensive email security solutions like email encryption to safeguard employees and data from cyberattacks. It automatically quarantines or encrypts email messages containing sensitive information and prevents users from clicking on phishing links or installing malicious attachments that could lead to financial loss and reputational damage.