Encryption is the process of encoding a message or information in such a way that only authorized parties can access it and those who are not authorized can't.
Converts information from plain text into encrypted ciphertext.
But how...?
Encryption uses an algorithm!
An algorithm is a procedure that the encryption process follows. The specific algorithm is called the cipher or code. There are many types of encryption algorithms. The encryption's goal and level of security determine the most effective solution. Triple DES, RSA and Blowfish are some examples of encryption algorithms or ciphers.
What is Decryption?
Decryption is the process of taking encoded or encrypted text or other data and converting it back into text that you or the computer can read and understand.
Converts information from encrypted ciphertext into plain text.
Basic Example
Private key vs Public Key
Private key (symmetric key): This means that the encryption and decryption keys are the same. The two parties must have the same key before they can achieve secure communication.
Public key: This means that the encryption key is published and available for anyone to use. Only the receiving party has access to the decryption key that enables them to read the message.
Symmetric and Asymmetric cryptography
Note: In cryptography, symmetry refers to keys, rather than shapes, clock cycle
Symmetric Algorithm: Encryption and Decryption operations use the same key
Asymmetric Algorithm: Encryption and Decryption operations use different keys
Symmetric Algorithm
It is the simplest kind of encryption, involving only one secret key that is used to both encipher and decipher the text.
Blowfish, AES, RC4, DES, RC5, and RC6 are examples of symmetric encryption.
AES-128, AES-192, and AES-256 are the most widely used symmetric algorithms.
Disadvantage: All parties involved have to exchange the key used to encrypt the data before they can decrypt it.
The challenges of symmetric cryptography
Larger groups require more symmetric keys
The number of keys required can be expressed as: (n(n+1))/2
Private key: Held in secret by the user and not disclosed to anyone else
Public key: Freely distributed to everyone with whom the user would like to communicate.
Asymmetric Algorithm
It is also known as public-key cryptography, a relatively new method compared to symmetric encryption.
It uses two keys to encrypt plain text.
Secret keys are exchanged over the Internet or a large network. It ensures that malicious persons do not misuse the keys.
It is important to note that anyone with a secret key can decrypt the message and this is why asymmetric encryption uses two related keys to boost security.
A public key is made freely available to anyone who might want to send you a message. The second, private key is kept secret so that only you know it.
A message that is encrypted using a public key can only be decrypted using a private key, while a message encrypted using a private key can be decrypted using a public key. Security of the public key is not required because it is publicly available and can be passed over the internet. Asymmetric keys are far more powerful in ensuring the security of information transmitted during communication.
Asymmetric encryption is mostly used in day-to-day communication channels, especially over the Internet.
ElGamal, RSA, DSA, elliptic curve techniques, and PKCS are examples of asymmetric encryption.
Cryptography Goals
Confidentiality
Authorized access only
Means data can be kept secret or private
Integrity
No Unauthorized changes
Integrity ensures your data is authentic, accurate and reliable.
It cannot prevent the alteration of data but provides a means for detecting whether data has been manipulated.
Authentication
Proof of identity claims
Nonrepudiation
Non-repudiation complements authentication by ensuring data originates from a valid, trusted source.
Authentication alone doesn't prove data was sent from the source.
Non-repudiation can be added to critical data elements using cryptographic signing.
Cryptographic signing ensures each message is trusted if it has a valid signature, verifiable by any receiver with a valid public key.
Verifiable origin of a message
Traditional Security Vs Zero-Trust Model
Traditional security relies on a single perimeter layer, trusting internal access and requiring authentication once. It employs firewalls, WAFs, and MFA for access control. In contrast, Zero Trust, developed for cloud security, distrusts everything and verifies continuously. It abandons the traditional perimeter, extending or removing it entirely. Zero Trust employs incident monitoring, least privilege, micro-segmentation, and MFA. Micro-segmentation eliminates the perimeter, with each network having its firewall and monitoring. MFA ensures strong authentication between devices and networks. To maintain Zero Trust, incident reports are analyzed, attacks identified, and access controlled tightly at every point. By embracing a multi-layered approach and continuously verifying access, Zero Trust seeks to combat both internal and external threats effectively.
IP Mobility:
IP mobility extends the principles of the zero-trust model by enabling devices like smartphones and vehicles to seamlessly transition across different networks, even across countries and continents, while maintaining a consistent IP address. Traditionally, IP networks have fixed addresses, making them static and easily monitorable. However, with IP mobility, devices can move extensively without disrupting connectivity.
In automotive applications, where vehicles can travel significant distances, IP mobility transforms them into IoT devices akin to smartphones, utilizing TCP-IP networking for various services and applications. Previously, as vehicles moved, their IP addresses changed, necessitating continuous authentication from the backend. With IP mobility technology, the identity of the vehicle remains constant, streamlining authentication processes and ensuring continuous connectivity regardless of location changes. This not only enhances the efficiency of automotive systems but also aligns with the zero-trust paradigm by maintaining security and access controls even in dynamic network environments.
Data Classification Concepts:
Data Classification involves categorizing structured or unstructured data based on sensitivity, context, or other factors to determine appropriate handling procedures and risk mitigation strategies. It addresses the question of how data should be managed, considering potential risks and measures to safeguard it.
Commonly, data is classified into four levels: Public, Internal, Confidential, and Restricted. Each level signifies the degree of sensitivity and the corresponding level of access controls and protection measures required.
One critical aspect of data classification is identifying Personally Identifiable Information (PII). PII refers to information that, either on its own or in combination with other data, can identify an individual. Examples of PII include names, addresses, phone numbers, and social security numbers. Recognizing PII is essential for ensuring compliance with privacy regulations and implementing appropriate security measures to protect individuals' personal data.
By understanding the types of data that constitute PII and distinguishing them from non-identifying information, organizations can effectively tailor their data classification policies and security protocols to mitigate the risks associated with handling sensitive personal data.
Authentication Methods
Username and Password:
Common method of authentication.
Passwords can consist of letters, numbers, or special characters.
Creating strong passwords with a combination of these elements enhances security.
Multi-Factor Authentication (MFA):
Requires two or more independent means of identification.
In addition to a password, users must pass an additional challenge.
Challenges may include codes generated on a smartphone, captcha tests, fingerprints, voice, or facial recognition.
Certificate-Based Authentication:
Utilizes digital certificates to authenticate users or devices.
Digital certificates contain a user's identity, a public key, and the digital signature of a certification authority.
Code and Ciphers
Codes: A system that substitutes one word or phrase for another. Codes are intended to provide secrecy and/or efficiency.
Cipher: A system that uses mathematical algorithms to encrypt and decrypt messages.
Two ways Ciphers process messages
Stream Ciphers: Operate on one character or bit of a message at a time. Stream ciphers convert one symbol of plaintext directly into a symbol of ciphertext.
Advantages:
Speed of transformation: algorithms are linear in time and constant in space.
Low error propagation: an error in encrypting one symbol likely will not affect subsequent symbols.
Disadvantages:
Low diffusion: all information of a plaintext symbol is contained in a single ciphertext symbol.
Susceptibility to insertions/modifications: An active interceptor who breaks the algorithm might insert spurious text that looks authentic.
Block Ciphers: Operate on a large segment of messages at the same time
Block Cipher encrypts a group of plaintext symbols as one block.
Advantages:
High diffusion: information from one plaintext symbol is diffused into several ciphertext symbols.
Immunity to tampering: difficult to insert symbols without detection.
Disadvantages:
Slowness of encryption: An entire block must be accumulated before encryption/decryption can begin.
Error propagation: An error in one symbol may corrupt that entire block.
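The stream-cipher properties listed above, together with the earlier point that integrity detects alteration rather than preventing it, shown as an added example (not code from the original post). The keystream generator built from SHA-256 is a constructed stand-in for a real stream cipher, and the keys, nonce and message are made-up sample values.

```python
import hashlib
import hmac

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Constructed keystream: SHA-256 over key, nonce and a block counter."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]

def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt: each symbol is XORed with one keystream byte."""
    return bytes(d ^ k for d, k in zip(data, keystream(key, nonce, len(data))))

def seal(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes):
    """Encrypt, then compute an HMAC tag over nonce and ciphertext."""
    ct = stream_xor(enc_key, nonce, plaintext)
    return ct, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def open_sealed(enc_key, mac_key, nonce, ct, tag) -> bytes:
    """Verify the tag before decrypting; reject any modified ciphertext."""
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed")
    return stream_xor(enc_key, nonce, ct)

def flip_bit(data: bytes, index: int, bit: int) -> bytes:
    """Simulate a single-bit change to the ciphertext in transit."""
    buf = bytearray(data)
    buf[index] ^= 1 << bit
    return bytes(buf)

# Constructed sample values, for illustration only.
ENC_KEY, MAC_KEY, NONCE = b"k" * 32, b"m" * 32, b"nonce-01"
MESSAGE = b"PAY 100 TO ALICE"

if __name__ == "__main__":
    ct, tag = seal(ENC_KEY, MAC_KEY, NONCE, MESSAGE)
    damaged = flip_bit(ct, 4, 0)
    # Without a MAC the change goes unnoticed and alters exactly one symbol.
    print(stream_xor(ENC_KEY, NONCE, damaged))
    try:
        open_sealed(ENC_KEY, MAC_KEY, NONCE, damaged, tag)
    except ValueError as err:
        print("rejected:", err)
```

The damaged ciphertext still decrypts cleanly, with only the one affected symbol changed, which is why a stream cipher on its own gives confidentiality but not integrity.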
Key Management
Importance of key Life cycle management
Types of keys
Corresponding usage
Key Generation
How long should the life cycle of the key be?
What is the key used for?
Basic phase of key life cycle
Generation
Back up and Storage
Distribution and loading
Normal use and replacement
Archival
End of the key's life cycle
Data Encryption Standard (DES):
It is one of the most widely accepted, publicly available cryptographic systems today. It was developed by IBM in the 1970s but was later adopted by the US government and the National Bureau of Standards as an official Federal Information Processing Standard for the United States in 1976. It uses a 56-bit key to encrypt 64-bit blocks of data: it processes 64-bit inputs into 64-bit ciphertext, and the algorithm performs 16 iterations.
This secret key encryption algorithm uses a key that is 56 bits (7 bytes) long. At that time it was believed that trying out all possible keys would be impossible because a computer could not possibly ever become fast enough. In 1988 the Electronic Frontier Foundation (EFF) built a special-purpose machine that could decrypt messages by trying all possible keys in less than 3 days. The machine cost less than $210,000 and searched over 88 billion keys per second.
Summary
DES is a secret key encryption scheme adopted as a standard in the USA in 1977. It uses a 56-bit key, which today is considered by many to be insufficient as it can with moderate effort be cracked by brute force. A variant called Triple-DES (TDES or 3DES) uses a longer key and is more secure, but has never become popular. The Advanced Encryption Standard (AES) is expected to supersede DES (and 3DES) as the standard encryption algorithm.
Note: DES is no longer considered secure!
Triple DES (3DES)
Developed in 1998 and derived from DES. It applies the DES cipher algorithm three times to each of the data blocks. Triple Data Encryption Standard (Triple DES) is a type of computerized cryptography where block cipher algorithms are applied three times to each data block. The key size is increased in Triple-DES to ensure additional security through encryption capabilities. Each block contains 64 bits of data. The three keys are referred to as bundle keys, with 56 bits per key. There are three keying options in the Triple Data Encryption Standard: all keys being independent, key 1 and key 2 being independent keys, and all three keys being identical.
Advanced Encryption Standard (AES)
The more popular and widely adopted symmetric encryption algorithm likely to be encountered nowadays is the Advanced Encryption Standard (AES). It is found to be at least six times faster than Triple DES.
A replacement for DES was needed as its key size was too small. With increasing computing power, it was considered vulnerable to exhaustive key search attacks. Triple DES was designed to overcome this drawback but it was found to be slow.
The features of AES are as follows
Symmetric-key, symmetric block cipher
128-bit data, 128/192/256-bit keys
Stronger and faster than Triple-DES
Provide full specification and design details
Software implementable in C and Java
Blowfish:
Blowfish is a keyed, symmetric cryptographic block cipher designed by Bruce Schneier in 1993 and placed in the public domain. Blowfish is included in a large number of cipher suites and encryption products. Blowfish's security has been extensively tested and proven. As a public domain cipher, Blowfish has been subject to a significant amount of cryptanalysis, and full Blowfish encryption has never been broken. Blowfish is also one of the fastest block ciphers in public use.
Schneier designed blowfish as a general-purpose algorithm, intended as a replacement for ageing DES and free of problems associated with other algorithms.
Notable features of the design include key-dependent S-boxes and a highly complex key schedule.
Twofish:
It was derived from Blowfish by Bruce Schneier in 1998. It is freely available in the public domain as it has not been patented. It is a symmetric-key block cipher with a key size of 128, 192 or 256 bits, used to encrypt 128-bit blocks of data in 16 rounds. The algorithm makes use of S-boxes and makes the key generation process very complex and secure.
Symmetric encryption algorithm
Block-Cipher Operating on 128-bit blocks.
The key length of 128, 192, or 256 bits
Summary:
Designed as a DES replacement
Placed into the public domain
Uses a Feistel network
Combines substitution and transposition
The AES algorithm has six modes of operation. A mode is a construction method that can make the encryption algorithm more robust.
ECB (Electronic Code Book): Fast, simple and supports parallel encryption/decryption. This mode has some security risks and is not recommended for use.
CBC (Cipher Block Chaining): This is used to encrypt and decrypt large plaintext.
CFB (Cipher FeedBack): Plain text is divided into a block and encrypted separately at 64 bits.
OFB (Output FeedBack): Similar to the CBC mode but uses the encrypted output as feedback instead of the actual cipher.
CTR (Counter): A simple counter-based block cipher.
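Why ECB is not recommended, shown as an added example that is not part of the original post: identical plaintext blocks produce identical ciphertext blocks under ECB, while CBC hides the repetition. The block cipher here is a toy Feistel network built on HMAC-SHA256 so the code runs with the standard library only; it stands in for AES and is an assumption of this example, as are the key, IV and data.

```python
import hashlib
import hmac
BLOCK = 16  # toy block size in bytes, split into two 8-byte halves

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    """Feistel round function: keyed hash of one half, cut to 8 bytes."""
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]

def encrypt_block(key: bytes, block: bytes, rounds: int = 8) -> bytes:
    left, right = block[:8], block[8:]
    for r in range(rounds):
        left, right = right, _xor(left, _f(key, r, right))
    return left + right

def decrypt_block(key: bytes, block: bytes, rounds: int = 8) -> bytes:
    left, right = block[:8], block[8:]
    for r in reversed(range(rounds)):  # same rounds, run backwards
        left, right = _xor(right, _f(key, r, left)), left
    return left + right

def _blocks(data: bytes):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key: bytes, data: bytes) -> bytes:  # each block on its own
    return b"".join(encrypt_block(key, b) for b in _blocks(data))

def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:  # chain blocks
    out, prev = [], iv
    for b in _blocks(data):
        prev = encrypt_block(key, _xor(b, prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    out, prev = [], iv
    for b in _blocks(data):
        out.append(_xor(decrypt_block(key, b), prev))
        prev = b
    return b"".join(out)

def distinct_blocks(ciphertext: bytes) -> int:
    return len(set(_blocks(ciphertext)))

# Constructed input: four identical 16-byte records (no padding needed).
KEY, IV = b"demo-key-0123456", b"\x01" * BLOCK
DATA = b"BALANCE=00001000" * 4
print(distinct_blocks(ecb_encrypt(KEY, DATA)), distinct_blocks(cbc_encrypt(KEY, IV, DATA)))
```

The leak comes from the mode, not the cipher: an observer of the ECB output learns that all four records are equal without knowing the key.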