The fundamentals of cryptography apply to many aspects of IT security. In this video, you’ll learn about cryptographic concepts such as keys, lightweight cryptography, key stretching, and homomorphic encryption.
<< Previous Video: Secure Data Destruction Next: Symmetric and Asymmetric Cryptography >>
The word cryptography is derived from the Greek word kryptos, which means hidden or secret. That’s certainly how we use cryptography in IT security. This includes confidentiality, which means we can make information secretive. We can encrypt data so that nobody else can see that data. We can also provide authentication and access control, so that we can verify a person who might be logging into a system is really that person.
And we can provide non-repudiation, which means if someone sends us information, we can verify that they were really the person who provided us with that information. And cryptography also provides us with a way to verify integrity. If we download a file or an email, we can verify that that email or that file was never changed from the time that it was originally sent.
There are a number of terms that you’ll hear use with cryptography. The first one we’ll look at is plain text. This is the unencrypted message that you usually start with. We often refer to this as in the clear message. When we encrypt this plain text, it’s called a ciphertext. That’s because we used a cipher to be able to encrypt and protect the information contained in that plain text.
If you’re a researcher who’s trying to find vulnerabilities in these ciphers, then you’re performing cryptanalysis. This is the art of cracking the encryption that already exists. And finding those vulnerable ciphers is an important part of cryptography. It allows us to identify and stop using vulnerable cryptography and focus instead on using strong cryptography.
When you’re encrypting data, it’s very common for everyone to understand the encryption and decryption process. And very commonly, those ciphers are publicly available for anyone to read. The part that is unknown is the key. The cryptographic key is information that is added to the cipher to be able to encrypt the plain text. Usually, larger keys create more secure encrypted data. And sometimes using multiple keys in this encryption cipher create another level of protection.
Because larger keys tend to be more secure, we like to use encryption methods that use the largest possible keys. But we don’t always have a large encryption key that we’re able to use. So instead of using a large encryption key, we’ll take a relatively small encryption key and find ways to make it larger. For example, we could hash a password and then hash the hash of the password, and so on. This is sometimes referred to as key stretching, or key strengthening.
This makes it very difficult for an attacker to be able to brute force the original plain text. They would have to brute force each one of the subsequent hashes to be able to finally get back to the original plaintext. This means the attacker has to spend much more time on the brute force process, making it that much more difficult to be able to determine what the original plaintext might have been.
Fortunately if you’re a programmer, you don’t have to create one of these key-stretching algorithms from scratch. There are a number of libraries that already exist to do this. For example, the bcrypt library will generate hashes from passwords and it is an extension to the already existing UNIX crypt library. Bcrypt uses the Blowfish cipher to perform these multiple rounds of hashing on the plain text.
Another common key-stretching library is the PBKDF2. This is the password-based Key Derivation Function Number Two. It’s part of the RSA public key cryptography standards, and it’s a library that you can use to make your applications much more secure. If you’re performing a cryptographic function, this usually requires extensive CPU and additional resources.
But there’s a type of cryptography that’s focused on providing these cryptographic functions without having a high-end CPU, and without using a lot of power. This is lightweight cryptography. And the emphasis of this line of research is coming from internet of things devices, or IoT devices, which have limited CPU and limited power available. There’s a great deal of research being done on lightweight cryptography. And it’s being led by the National Institute of Standards and Technology, or NIST.
They want to find ways to provide the most powerful cryptography using the least amount of power, which would be perfect for these internet of things devices. Another emerging cryptographic technology is homomorphic encryption, or HE. When you work with encrypted data, it’s very difficult to perform some type of action to that data. You would commonly need to decrypt the data, perform the function on the decrypted data, and then re-encrypt the answer once you have it. With homomorphic encryption, you perform the calculation, while the data remains encrypted.
You can perform calculations on data, in its encrypted form, and save the results as encrypted data, the entire time never having decrypted any of that information. This provides a number of advantages, especially if you’re storing information in the cloud. That data can always be in an encrypted form. And it also allows people to perform actions on this data, and get research information from the data, without ever having access to the original data source.