The world of Cryptography in interesting if you get fundamentals clear in our head. Generally Cryptography is referred as Encryption and Decryption.
Do not confuse Encryption with Hashing. Encryption is two-way function. Plain text, which is encrypted, can be decrypted with valid key. Hashing is one-way function which scrambles plain text and generate hashed value (aka message digest). From message digest you can never get back the original plain text. More to come on Hashing in upcoming blogs.
To perform encryption we need two things. The Secret Key and the Algorithm. The algorithm processes plain text and secret key together, performs some logical and/or mathematical function and generate a scrambled/encrypted text. Decryption is reverse process where we use same algorithm as used in encryption plus same or different secret key on encrypted text to get back the original plain text.
Note that the encryption algorithm in not a secret. It’s open to public and everyone knows it. The secret part is the key, that why we call it Secret Key.
There are 2 types of Encryption mechanisms based on whether same key is used for both encryption and decryption or different keys, Symmetric Encryption and Asymmetric Encryption (aka Public Key Encryption). Lets look at both in a bit more detail.
Symmetric Encryption
In Symmetric Encryption exact same key is used for both Encryption and Decryption. Symmetric Encryption can be used for following 2 purposes, Storage and Communication.
Storage
Before storing data encrypt it and after reading decrypt it. Used for data storage in encrypted format so that any unauthorized person who get access to storage system (Disk, Database or Network Storage) can not see the data.
Key Management Challenges in Storage
- Keep the key secret. Any unauthorized person gets the key, can decrypt the data.
- Do not loose the key. You loose the key; you loose the data because you can not decrypt data without key, like anyone else.
Communication
For communication (data exchange between two or more parties) the sender encrypts data before sending and receiver decrypts data after receiving. This is needed to protect data during transport so that any unauthorized user intercepting communication can not see the real data.
For communication between two parties (Sender and Receiver) we need to share same key with both so that Sender can use it for encryption and Receiver can use it for decryption.
Key Management Challenges in Communication
- Now we have 2 copies of the key (one with each party). Both parties need to keep the key secret
- Key must be exchanged between 2 parties secretly using secured mechanism so that no one else can get hold of the key during exchange.
- Periodic Key rotation must be done to avoid or reduce risk in case current key is compromised. Point#2 above is applicable on every key rotation.
- Practically impossible to use Symmetric Key Encryption for communication if multiple or more than 2 parties are involved because exchanging key between multiple parties initially and after every rotation is not manageable and really opens door of key being compromised.
Asymmetric or Public Key Encryption for Communication
As we have seen above that Symmetric Key Encryption is not really practical and suitable for communication between multiple parties, there is a need of different way of encryption for this use case. That’s where Asymmetric Key Encryption mechanism is useful. It is also called Public Key Encryption.
In Asymmetric encryption different Keys are used for Encryption and Decryption. Lets see it in more detail how it works.
The Receiver generates a pair of keys and keeps one of the keys secret with it. This key is called Private Key. As the name says, it’s private. It should not be shared with anyone else, only recipient must know it. Receiver shares the other key with Sender(s). This key is called Public key. Public key is open to public as the name says. It can be shared with anyone. It is not a secret at all.
In a key pair, both keys have some special relationship with each other. Keys are related to each other in such a way that –
- Data encrypted by Public Key can only be decrypted by Private Key
- Data encrypted by Private Key can only be decrypted by Public Key
In other word same key can not be used for both encryption and decryption.
For encrypted Communication, data is encrypted by sending party using Public Key and decrypted by receiving party using Private Key.
Key Management Challenges
Sender need make sure that it’s using Public Key of intended recipient. That is where this approach is prone to Man-In-The-Middle attack (MITM).
The middleman can send it’s own public key to the sender. Sender encrypts data using middleman’s public key and sends message. Middleman intercepts the message, decrypt using it’s private key and can see the real data. Now middleman can encrypt data back using receiver’s Public Key and sends encrypted message to recipient. Receiver will be able to decrypt message using it’s Private Key because it was encrypted using it’s Public Key by the middleman. Both sender and receiver will have no idea that there is man in the middle intercepting and watching the communication data.
Certificate for Encrypted Communication
Certificate is a small document, which has name/identity of the party and other relevant information (issue date, expiry date etc.) along with Public Key. Certificate basically associates name or identity of the party with the Public Key.
In this approach receiver generates a key pair, and then creates a Certificate containing it’s identity and public key. The certificate is shared with all senders.
Sender first checks receiver’s identity using certificate. If it is intended receiver then take it’s Public key from certificate and encrypt data. Everything else remains same as Public Key encryption for communication.
Certificate for Authenticated Communication
Confidentiality is covered so far, which means no one else other than sender and receiver can see the data. Sender Authentication is also very important aspect of secured communication. It is required so that receiver can check and confirm by some means that a message is received from a authenticated and trusted sender.
For authenticated communication, since we need ability to authenticate sender, the Sender takes responsibility of generating key pair and certificate. Sender’s certificate is shared with Receiver.
For communication, Sender encrypts data using it’s Private Key and sends message. The Receiver uses sender’s certificate, check identity and decrypt message using Public Key of Sender. If Receiver is able to decrypt the message it means it was encrypted only by Sender’s Private key, which means the message is received from the authenticated sender.
Certificate for Authenticated and Encrypted Communication
We can combine the concept of authentication using certificate with concept of encryption using certificate to establish a communication, which is authenticated as well as encrypted.
Lets see it in a bit more detail how does both concepts work together.
Initial setup for the communication
- Receiver generates a key pair and share it’s certificate with Sender.
- Sender generates a key pair and share it’s certificate with Receiver
Remember that the certificate contains party’s identity along with Public Key.
Communication
(For readability assuming that both sender and receiver check each other’s identify from the certificate before doing anything else to avoid MITM attack)
- Sender: Encrypts data using Receiver’s Public Key
- Sender: Encrypts again using Sender’s Private Key. The message is now double encrypted.
- Receiver: First decrypts using Sender’s Public Key. If it is able to decrypt message it means it was encrypted only by Sender’s Private key, which means the message is received from the authenticated sender.
- Receiver: Decrypt again using Receiver’s Private Key to get real data.
I hope this article is helpful for you to understand basics and fundamentals of encryption and decryption.
Reference:
https://en.wikipedia.org/wiki/Cryptography
Please share it and help others if you found this blog helpful. Feedback, questions and comments are always welcome.
1 Comment