Symmetric encryption Vs Asymmetric encryption

What are encryption vulnerabilities?

 

Breaking symmetric encryption

There are two methods of breaking symmetric encryption - brute force and cryptanalysis.
Brute Force Attack is a form of attack in which each possibility is tried until success is obtained. Typically, a ciphertext is deciphered under different keys until plaintext is recognized. No encryption software that is entirely safe from the brute force method, but if the number of possible keys is high enough, it can make a program astronomically difficult to crack using brute force. But the more bits in a key, the more secure it is, so choose software with as many bits as possible.
Cryptanalysis is a form of attack that attacks the characteristics of the algorithm to deduce a specific plaintext or the key used.

Weak passwords
 
In every kind of encryption software, there is some kind of password that must be created so that the recipients of the information can read it. Creating a strong password that cannot be easily guessed is just as important as choosing a good algorithm or strong encryption software.

Remembering passwords
 
If you forget your password, you will not be able to decrypt data that you have encrypted. Be sure to make a backup copy of your password and store it in a safe place.

Secret keys exchanging and storing
 
Symmetric key algorithms require sharing the secret key - both the sender and the receiver need the same key to encrypt or decrypt data. Anyone who knows the secret key can decrypt the message. So it is essential that the sender and receiver have a way to exchange secret keys in a secure manner. The weakness of symmetric algorithms is that if the secret key is discovered, all messages can be decrypted. So, secret key need to be changed on a regular basis and kept secures during distribution and while using.

Asymmetric Encryption (Public Key Encryption)

Asymmetric encryption uses different keys for encryption and decryption. The decryption key is very hard to derive from the encryption key. The encryption key is public so that anyone can encrypt a message. However, the decryption key is private, so that only the receiver is able to decrypt the message. It is common to set up "key-pairs" within a network so that each user has a public and private key. The public key is made available to everyone so that they can send messages, but the private key is only made available to the person it belongs to.

How Asymmetric Encryption (Public Key Encryption) works:
 
The sender and the recipient must have the same software. The recipient makes a pair of keys - public key and private key (both keys can be unlocked with a single password). Public key can be used by anyone with the same software to encrypt a message. Public keys can be freely distributed without worrying since it is only used to scramble (encrypt) the data. The sender does not need the recipient's password to use his or her public key to encrypt data. The recipient's other key is a private key that only he or she can use when decrypting the message. Private Key should never be distributed since the private key assures that only the intended recipient can unscramble (decrypt) data intended for him or her.
To understand asymmetric encryption better please read an example:
For example, Jack makes public key A and private key A, and Jill makes public key B and private key B. Jack and Jill exchange their public keys. Once they have exchanged keys, Jack can send an encrypted message to Jill by using Jill's public key B to scramble the message. Jill uses her private key B to unscramble it. If Jill wants to send an encrypted message to Jack, she uses Jack's public key A to scramble her message, which Jack can then unscramble with his private key A. Asymmetric cryptography is typically slower to execute electronically than symmetric cryptography.

Some Asymmetric Algorithms (public key algorithms) such as RSA allow the process to work in the opposite direction as well: a message can be encrypted with a private key and decrypted with the corresponding public key. If the recipient wants to decrypt a message with Bob's public key he/she must know that the message has come from Bob because no one else has sender's private key. Digital signatures work this way.

Some examples of popular asymmetric encryption algorithms:
RSA
DSA
PGP

RSA encryption

RSA is the best known public key algorithm, named after its inventors: Rivest, Shamir and Adleman. RSA uses public and private keys that are functions of a pair of large prime numbers. Its security is based on the difficulty of factoring large integers. The RSA algorithm can be used for both public key encryption and digital signatures. The keys used for encryption and decryption in RSA algorithm, are generated using random data. The key used for encryption is a public key and the key used for decryption is a private key. Public keys are stored anywhere publicly accessible. The sender of message encrypts the data using public key, and the receiver decrypts it using his/her own private key. That way, no one else can intercept the data except receiver.

DSA

The Digital Signature Algorithm (DSA) is a United States Federal Government standard or FIPS for digital signatures. It was proposed by the National Institute of Standards and Technology (NIST) in August 1991 for use in their Digital Signature Standard (DSS).

PGP

PGP (Pretty Good Privacy) is a public-private key cryptography system which allows for users to more easily integrate the use of encryption in their daily tasks, such as electronic mail protection and authentication, and protecting files stored on a computer. PGP was originally designed by Phil Zimmerman. It uses IDEA, CAST or Triple DES for actual data encryption and RSA (with up to 2048-bit key) or DH/DSS (with 1024-bit signature key and 4096-bit encryption key) for key management and digital signatures. The RSA or DH public key is used to encrypt the IDEA secret key as part of the message.

Combination of Symmetric Encryption and Asymmetric Encryption

If we want the benefits of both types of encryption algorithms, the general idea is to create a random symmetric key to encrypt the data, and then encrypt that key asymmetrically. Once the key is asymmetrically encrypted, we add it to the encrypted message. The receiver gets the key, decrypts it with their private key, and uses it to decrypt the message.

How strong is protection in Encryption and Decryption?

Encryption and Decryption uses AES 256-bit key encryption algorithm. AES provides strong encryption and was selected by NIST as a Federal Information Processing Standard in November 2001 (FIPS-197). Currently, there are no computers that could break the encryption key in a reasonable amount of time (it will take millions of years). A password, or more precisely its hash (SHA 256), is used to protect the encryption key. Neither the password nor its hash is stored anywhere. If the password is not correct, it will be impossible to get the encryption key and consequently to decrypt information

Encryption

What is encryption?

Encryption is the conversion of data into a form, called a cipher text. There are two basic techniques for encrypting information: symmetric encryption (also called secret key encryption) and asymmetric encryption (also called public key encryption).

How encryption works

Encryption program uses an encryption algorithm (complex mathematical processes) to encrypt and decrypt the data. Encryption algorithm creates specific strings of data used for encryption - keys that consist of long strings of bits or binary numbers. The more bits in the key, the more the number of possible combinations of binary numbers that makes the code more difficult to break. Then encryption algorithm scrambles data by combining the bits in the key with the data bits. In symmetric encryption, the same key is used to scramble (encrypt) and unscramble (decrypt) data. In asymmetric key encryption, two different keys are required - one for encryption and one for decryption.

Why you need encryption

   Nowadays when more and more sensitive information is stored on computers and transmitted   over the Internet, we need to ensure information security and safety.

   One of the most common uses of encryption is encrypting emails. Sending sensitive messages, documents and files over the Internet is like sending a postcard as all emails are transmitted in an unsecured form. It doesn't depend on if you send emails via public and private networks. Your message is totally open to interception by anyone along the way - so anybody - your ISP, your boss, etc. can read your emails. Even if you connect to your server and send your emails via SSL, it only means that your emails can't be seen while transmitting between you and your server. When your email reaches your server, it can be seen by your email service provider. Then your server usually sends your email to the recipient in an unsecured way and your email can also be easily seen by anyone.

Private network, where email goes directly to a mail server and resides there until it is retrieved, also doesn't provide necessary security level, as you email can be seen e.g. by network administrator, your boss, etc.

   Of course, you may believe that your personal email does not contain any private information, but everyone has got something to keep in secret from his family, neighbours or colleagues. It could be financial, sexual, social, political, or professional secrets. There is really only one sure way to protect your email privacy - using encryption.

Symmetric Encryption

Symmetric Encryption (also known as symmetric-key encryption, single-key encryption, one-key encryption and private key encryption) is a type of encryption where the same secret key is used to encrypt and decrypt information or there is a simple transform between the two keys.
A secret key can be a number, a word, or just a string of random letters. Secret key is applied to the information to change the content in a particular way. This might be as simple as shifting each letter by a number of places in the alphabet. Symmetric algorithms require that both the sender and the receiver know the secret key, so they can encrypt and decrypt all information.
There are two types of symmetric algorithms: Stream algorithms (Stream ciphers) and Block algorithms (Block ciphers).

Types of Symmetric algorithms (Symmetric-key algorithms)

Symmetric algorithms (Symmetric-key algorithms) use the same key for encryption and decryption. Symmetric-key algorithms can be divided into Stream algorithms (Stream ciphers) and Block algorithms (Block ciphers).

Stream Ciphers
Stream ciphers encrypt the bits of information one at a time - operate on 1 bit (or sometimes 1 byte) of data at a time (encrypt data bit-by-bit). Stream ciphers are faster and smaller to implement than block ciphers, however, they have an important security gap. If the same key stream is used, certain types of attacks may cause the information to be revealed.

Block Ciphers

Block cipher (method for encrypting data in blocks) is a symmetric cipher which encrypts information by breaking it down into blocks and encrypting data in each block. A block cipher encrypts data in fixed sized blocks (commonly of 64 bits). The most used block ciphers are Triple DES and AES.

Some examples of symmetric encryption algorithms:

AES/Rijndael
Blowfish
CAST5
DES
IDEA
RC2
RC4
RC6
Serpent
Triple DES
Two fish

AES/Rijndael encryption

AES stands for Advanced Encryption Standard. AES is a symmetric key encryption technique which replaces the commonly used Data Encryption Standard (DES).
It was the result of a worldwide call for submissions of encryption algorithms issued by the US Government's National Institute of Standards and Technology (NIST) in 1997 and completed in 2000.
The winning algorithm, Rijndael, was developed by two Belgian cryptologists, Vincent Rijmen and Joan Daemen. AES provides strong encryption and was selected by NIST as a Federal Information Processing Standard in November 2001 (FIPS-197).
The AES algorithm uses three key sizes: a 128-, 192-, or 256-bit encryption key. Each encryption key size causes the algorithm to behave slightly differently, so the increasing key sizes not only offer a larger number of bits with which you can scramble the data, but also increase the complexity of the cipher algorithm.

Blowfish

Blowfish is a symmetric encryption algorithm (64-bit cipher) designed in 1993 by Bruce Schneier as an alternative to existing encryption algorithms. Blowfish has a variable key length - from 32 bits to 448 bits. Since then Blowfish has been analyzed considerably, and is gaining acceptance as a strong encryption algorithm.

CAST

CAST stands for Carlisle Adams and Stafford Tavares, the inventors of CAST. CAST is a popular 64-bit block cipher allowing key sizes up to 128 bits.

Data Encryption Standard (DES)

Data Encryption Standard (DES) is a block cipher with 64-bit block size that uses 56-bit keys. DES was invented over 20 years ago by IBM in response to a public request from the National Bureau of Standards. Due to recent advances in computer technology, some experts no longer consider DES secure against all attacks; since then Triple-DES (3DES) has emerged as a stronger method. Using standard DES encryption, Triple-DES encrypts data three times and uses a different key for at least one of the three passes giving it a cumulative key size of 112-168 bits.

IDEA

IDEA stands for International Data Encryption Algorithm. IDEA is a symmetric encryption algorithm that was developed by Dr. X. Lai and Prof. J. Massey to replace the DES standard. Unlike DES though it uses a 128 bit key. This key length makes it impossible to break by simply trying every key.

RC2

RC2 is a variable-key-length cipher. It was invented by Ron Rivest for RSA Data Security, Inc. Its details have not been published.

RC4

RC4 was developed by Ron Rivest in 1987. It is a variable-key-size stream cipher. It is a cipher with a key size of up to 2048 bits (256 bytes).
 

RC6

RC6 is a symmetric key block cipher derived from RC5. It was designed by Ron Rivest, Matt Robshaw, Ray Sidney, and Yiqun Lisa Yin to meet the requirements of the Advanced Encryption Standard (AES) competition. RC6 encryption algorithm was selected among the other finalists to become the new federal Advanced Encryption Standard (AES).

Serpent

Serpent is a block cipher developed by Ross Anderson, Eli Biham and Lars Knudsen. Serpent can work with different combinations of key lengths. Serpent was also selected among other five finalists to become the new federal Advanced Encryption Standard (AES).

Triple DES

Triple DES is a variation of Data Encryption Standard (DES). It uses a 64-bit key consisting of 56 effective key bits and 8 parity bits. The size of the block for Triple-DES is 8 bytes. Triple-DES encrypts the data in 8-byte chunks. The idea behind Triple DES is to improve the security of DES by applying DES encryption three times using three different keys.

Twofish

Twofish is a symmetric block cipher. Twofish has a block size of 128 bits and accepts keys of any length up to 256 bits.
Twofish encryption algorithm was designed by Bruce Schneier, John Kelsey, Chris Hall, Niels Ferguson, David Wagner and Doug Whiting. The National Institute of Standards and Technology (NIST) investigated Twofish as one of the candidates for the replacement of the DES encryption algorithm.

How SSL Works

       SSL is a protocol that provides privacy and integrity between two communicating applications   using TCP/IP. The Hypertext Transfer Protocol (HTTP) for the World Wide Web uses SSL for secure communications.

The data going back and forth between client and server is encrypted using a symmetric algorithm such as DES or RC4. A public-key algorithm-usually RSA-is used for the exchange of the encryption keys and for digital signatures. The algorithm uses the public key in the server's digital certificate. With the server's digital certificate, the client can also verify the server's identity. Versions 1 and 2 of the SSL protocol provide only server authentication. Version 3 adds client authentication, using both client and server digital certificates.

The SSL Handshake

   An SSL connection is always initiated by the client. At the beginning of an SSL session, an SSL handshake is performed. This handshake produces the cryptographic parameters of the session.

 

1. The client sends a client "hello" message that lists the cryptographic capabilities of the client (sorted in client preference order), such as the version of SSL, the cipher suites supported by the client, and the data compression methods supported by the client. The message also contains a 28-byte random number.
2. The server responds with a server "hello" message that contains the cryptographic method (cipher suite) and the data compression method selected by the server, the session ID, and another random number.

Note:

The client and the server must support at least one common cipher suite, or else the handshake fails. The server generally chooses the strongest common cipher suite.

3. The server sends its digital certificate. (The server uses X.509 V3 digital certificates with SSL.)

If the server uses SSL V3, and if the server application (for example, the Web server) requires a digital certificate for client authentication, the server sends a "digital certificate request" message. In the "digital certificate request" message, the server sends a list of the types of digital certificates supported and the distinguished names of acceptable certificate authorities.

4. The server sends a server "hello done" message and waits for a client response.
5. Upon receipt of the server "hello done" message, the client (the Web browser) verifies the validity of the server's digital certificate and checks that the server's "hello" parameters are acceptable.

If the server requested a client digital certificate, the client sends a digital certificate, or if no suitable digital certificate is available, the client sends a "no digital certificate" alert. This alert is only a warning, but the server application can fail the session if client authentication is mandatory.

6. The client sends a "client key exchange" message. This message contains the pre-master secret, a 46-byte random number used in the generation of the symmetric encryption keys and the message authentication code (MAC) keys, encrypted with the public key of the server.

If the client sent a digital certificate to the server, the client sends a "digital certificate verify" message signed with the client's private key. By verifying the signature of this message, the server can explicitly verify the ownership of the client digital certificate. 

Note:

An additional process to verify the server digital certificate is not necessary. If the server does not have the private key that belongs to the digital certificate, it cannot decrypt the pre-master secret and create the correct keys for the symmetric encryption algorithm, and the handshake fails.

7. The client uses a series of cryptographic operations to convert the pre-master secret into a master secret, from which all key material required for encryption and message authentication is derived. Then the client sends a "change cipher spec" message to make the server switch to the newly negotiated cipher suite. The next message sent by the client (the "finished" message) is the first message encrypted with this cipher method and keys. 
8. The server responds with a "change cipher spec" and a "finished" message of its own.
9. The SSL handshake ends, and encrypted application data can be sent.