Getting a Networking Job: Cryptography Basics - dummies

Getting a Networking Job: Cryptography Basics

By Peter H. Gregory, Bill Hughes

Networking professionals need to be familiar with cryptography. Cryptography is the art and science of hiding data in plain sight, and plays a key role in protecting data from onlookers and adversaries. Here, you discover how it’s used to protect sensitive data.

Basic concepts in cryptography

Encryption is the process of transforming plaintext into ciphertext through an encryption algorithm and an encryption key. Decryption is the process of transforming ciphertext back into plaintext, again with an encryption algorithm and the encryption key. In part, the strength of encryption is based on the key length and the complexity of the encryption key.

An implementation of encryption and encryption keys is known as a cryptosystem. An attack on a cryptosystem is called cryptanalysis.

Most encryption algorithms employ a pseudorandom-number generator (PRNG), which is a technique for deriving a random number for use during encryption and decryption.

Types of encryption

The two basic ways to encrypt data are by block cipher and by stream cipher. Details follow:

  • Block cipher: A block cipher encrypts and decrypts data in batches, or blocks. Block ciphers are prevalent on computers and on the Internet, where they encrypt hard drives and thumb drives, and protect data in transit with SSL and TLS. Notable block ciphers are

    • Advanced Encryption Standard (AES): Selected in 2001 by NIST (National Institute of Standards and Technology) to replace DES, AES is based on the Rijndael cipher and is in wide use today.

    • Data Encryption Standard (DES): The leading official encryption standard in use from 1977 through the early 2000s. DES was considered obsolete mostly because of its short key lengths.

    • Triple DES (3DES): Derived from DES, 3DES is essentially DES with a longer key length and, hence, more resistant to compromise than DES.

    • Blowfish: Developed in 1993, Blowfish was developed as an alternative to DES, which was nearly twenty years old. Blowfish is unpatented and in the public domain.

    • Serpent: Another public domain algorithm, Serpent was a finalist in the AES selection process.

  • Stream cipher: A stream cipher encrypts a continuous stream of information such as a video feed or an audio conversation. The most common stream cipher is RC4.

Block ciphers are most often used to encrypt Internet-based streaming services. On the Internet, everything is transmitted in packets, which are individually encrypted using block ciphers.

Hashing, digital signatures, and digital certificates

Hashing is used to create a short fixed-length message digest from a file or block of data; this is something like a fingerprint: Message digests are unique and difficult to forge. Hashing is often used to verify the integrity of a file, or the originator of a file, or both. Common hashing algorithms include the following:

  • MD-5 is a formerly popular hashing algorithm developed in 1992. It is now considered too weak for reliable use.

  • SHA-1 is another popular hashing algorithm that was determined in 2005 to be too weak for continued use. By 2010, U.S. government agencies were required to replace SHA-1 with SHA-2.

  • SHA-2 is a family of hashing algorithms: SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, and SHA-512/256. These are all considered reliable for ongoing use.

A digital signature is a hashing operation carried out on a file. Depending on the implementation, the digital signature may be embedded in the file or separate. A digital signature is used to verify the originator of the file.

A digital certificate is an electronic document that consists of a personal or corporate identifier and a public encryption key, and is signed by a certificate authority (CA). The most common format for a digital certificate is X.509. The use of digital certificates and other tools such as strong authentication can lead to the failure for an individual to be able to plausibly deny involvement with a specific transaction or event. This process is known as nonrepudiation.

Encryption keys

The two main types of encryption keys in use today are

  • Symmetric key: Both the sender and the receiver have the same encryption key.

  • Asymmetric key: Also known as public key cryptography, utilizes a pair of encryption keys — a public key and a private key. A user who creates a keypair would make the public key available widely and protect the private key as vigorously as one would protect a symmetric key.

Private keys and symmetric keys must be jealously guarded from adversaries. Anyone who obtains a private or symmetric encryption key can decrypt any incoming encrypted message. The management and protection of encryption keys is known as key management.

Software programs often employ passwords to protect encryption keys.

Encryption alternatives

Two encryption alternatives provide some of the same features as a cryptosystem:

  • Steganography (stego): A message is hidden in a larger file, such as an image file, a video, or sound file. Done properly, this technique can be as effective as encryption.

  • Watermarking: A visible (or audible) imprint is added to a document, an image, a sound recording, or a video recording. Watermarking is a potentially powerful deterrent control.

Emerging issues in cryptography

There are numerous worries ranging from new types of attacks to official government misbehavior.

  • Man-in-the-middle attacks: Many attacks on cryptosystems involve a man-in-the-middle attack at the onset of a so-called secure communications session.

  • Improper uses of cryptography: Two examples are failing to salt when hashing passwords and failing to adequately protect an encryption key.

  • Brute-force attacks: A bruteforce attack employs fast computers to guess every possible combination until the correct one is found.

  • Precompromised encryption algorithms: In 2012–2013, revelations uncovered the plausibility that various government-spying organizations have been able to subvert the development or implementation or both of certain encryption algorithms and cryptosystems. The result is a serious crisis of trust in the cryptosystems used to protect sensitive information from adversaries.

  • Persistent use of compromised cryptosystems: Encryption algorithms have a limited shelf life, after which some technique for compromising them is revealed.