For many centuries, various techniques were used to hide the contents of messages (encryption) from message carriers while also providing a way for the intended recipient to convert the hidden message to one that was readable (decryption). For example, Julius Caesar devised a method for encrypting messages by substituting each letter in the text by the third letter that follows it in the alphabet. Using the English alphabet, the letter `A' would become `D,' `B' would become `E,' `Z' would become `C,' and so on. The following example shows the English clear text message and its encrypted form (cipher-text) using the Caesar Cipher method.
Clear Text: I came. I saw. I conquered.
Cipher Text: L fdph. L vdz. L frqtxhuhg.
The secret in this encryption scheme is the algorithm for substituting one character for another in order to encrypt and decrypt a message; and both sender and recipient of a message must know the algorithm. So long as the algorithm is kept secret from those who should not read it, the message is safe. Otherwise, the algorithm is compromised and can no longer be used to encrypt messages.
An encryption scheme is made more secure by changing the secret. Instead of the secret being the algorithm, it can be made a parameter to the algorithm called the encryption key. A message can then be encrypted only if the user has both the algorithm and the key. In this case, even if an unauthorized person knows the algorithm, that person could not decrypt a message without the key (which can be different for each message).
In the case of the Caesar Cipher method, the key could be the numeric position within the alphabet of the letter substituted for each clear-text letter. In the original example, the key is "3". If the key is changed to "7", the cipher text would be:
Cipher Text: P jhtl. P zhd. P jvuxblylk.
While more secure than the basic Caesar Cipher method, this technique is still very weak since there are only twenty-five possible keys that could be used. Cryptographic algorithms make use of this concept of a secret key with a public algorithm. The strength of the encryption lies in the difficulty of guessing the key for a particular message.
In the last example, it can be simple to guess the key for a given message because it is a single character and there are only twenty-five possibilities. Each possible key could be tried on a portion of the cipher-text until meaningful clear text is decrypted. This method of trying all the possible keys is called a brute force attack.
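The keyed Caesar Cipher and the brute force search described above, as an added example that is not part of the original article. The function names and the small word list used to recognise "meaningful clear text" are assumptions made for the illustration.

```python
import string

def caesar(text: str, key: int) -> str:
    """Shift each letter `key` places forward, wrapping past Z; keep case and punctuation."""
    out = []
    for ch in text:
        if ch in string.ascii_letters:
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + key) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)

def decrypt(text: str, key: int) -> str:
    """Decryption is the same substitution run backwards."""
    return caesar(text, -key)

# Constructed word list: a stand-in for "does this look like English?"
COMMON_WORDS = {"i", "a", "the", "and", "to", "of", "in", "it", "is",
                "was", "we", "you", "came", "saw", "see", "go", "went"}

def score(candidate: str) -> int:
    """Count words in the candidate that appear in the word list."""
    words = (w.strip(string.punctuation).lower() for w in candidate.split())
    return sum(w in COMMON_WORDS for w in words)

def brute_force(ciphertext: str):
    """Try all 25 possible keys and return (key, clear text) of the best-scoring one."""
    candidates = [(score(decrypt(ciphertext, k)), k) for k in range(1, 26)]
    best_score, best_key = max(candidates)
    return best_key, decrypt(ciphertext, best_key)

if __name__ == "__main__":
    clear = "I came. I saw. I conquered."
    for key in (3, 7):
        print(key, caesar(clear, key))
    # The key is recovered without being told: the key space is only 25 wide.
    print(brute_force("P jhtl. P zhd. P jvuxblylk."))
```

Because the whole key space is searched in 25 trial decryptions, keeping the key secret adds almost nothing here; the protection has to come from the size of the key space.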
Modern algorithms, such as the Data Encryption Standard (DES), use longer, more complex keys, resulting in many more key possibilities. The key length is expressed as the number of binary digits required to store the key. DES, for example, uses a 56-bit key which produces 2^56--or 72 quadrillion--possible keys. This makes a brute force attack vastly more difficult.
The other factor affecting the strength of an algorithm is how quickly a single key can be tried in a brute force attack. The more quickly a key can be created and tested (for example, by using a faster computer), the more quickly all possible keys can be tried. Thus, as computing power increases, the strength of the key must increase to preserve the same level of security and ensure that brute force attacks remain computationally infeasible.
This method of encryption uses symmetric keys--the same key is used for both encryption and decryption. A further problem with symmetric keys is that both sender and recipient must know the key and yet the key must remain secret from unauthorized users. It can be difficult to maintain security of the key when it must be transmitted at least once by some method from the sender to the receiver.
To solve the problem of maintaining privacy of encryption keys, a new class of encryption algorithms was devised based on two keys that are mathematically related to each other. In this method, a message encrypted by one key of the pair can only be decrypted using the other key of the pair. These keys are asymmetric because the key that encrypted the message cannot decrypt it.
Asymmetric keys are often called public/private key pairs because of the way in which they are typically used. The "owner" of the key pair makes one of the keys publicly available and keeps the other secret (private). It does not matter who has access to this public key because it requires both keys to successfully encrypt and decrypt a message. The sender of a message uses the public key of the recipient to encrypt the clear text. The message can then be decrypted only with the private key, which is known only by the recipient.
This adds much greater complexity to the encryption scheme, increasing the difficulty of a brute force attack.
A hybrid cryptosystem combines symmetric key and public-key cryptography to gain the multiple benefits, while removing the limitations, of both types of cryptography.
Public-key algorithms are orders of magnitude slower in execution than symmetric key algorithms. For this reason, symmetric key algorithms are used for most encryption operations. Yet the problem of distributing the symmetric key without revealing it to anyone but the intended recipient remains.
The solution is to send the symmetric key in a message that is encrypted with the public key of the recipient. Since only the recipient knows the corresponding private key, the symmetric key is kept confidential. Once the symmetric key exchange has been completed securely, the sender's messages can be encrypted using the more efficient symmetric key algorithms.
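The hybrid exchange described above, as an added example that is not part of the original article or of the Sterling Commerce product. It assumes the Python `cryptography` package; the algorithm choices (RSA-OAEP to protect the symmetric key, AES-GCM for the message) and all function names are assumptions of this example, since the article names no algorithms for this step.

```python
import os
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Padding used when the public key encrypts the symmetric key (example choice).
OAEP = padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)

def new_recipient_keypair():
    """Recipient generates the pair once and publishes only the public half."""
    private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    return private_key, private_key.public_key()

def hybrid_encrypt(recipient_public_key, message: bytes) -> dict:
    # 1. Fresh symmetric key, used for this message only.
    session_key = AESGCM.generate_key(bit_length=256)
    # 2. The bulk data goes through the fast symmetric algorithm.
    nonce = os.urandom(12)
    ciphertext = AESGCM(session_key).encrypt(nonce, message, None)
    # 3. Only the short symmetric key goes through the slow public-key algorithm.
    wrapped_key = recipient_public_key.encrypt(session_key, OAEP)
    return {"wrapped_key": wrapped_key, "nonce": nonce, "ciphertext": ciphertext}

def hybrid_decrypt(recipient_private_key, envelope: dict) -> bytes:
    # Recover the symmetric key with the private key, then decrypt the message.
    session_key = recipient_private_key.decrypt(envelope["wrapped_key"], OAEP)
    return AESGCM(session_key).decrypt(envelope["nonce"], envelope["ciphertext"], None)

if __name__ == "__main__":
    private_key, public_key = new_recipient_keypair()
    envelope = hybrid_encrypt(public_key, b"I came. I saw. I conquered.")  # constructed sample
    print(len(envelope["wrapped_key"]), "byte wrapped key")
    print(hybrid_decrypt(private_key, envelope))
```

The sender never needs a prior shared secret: everything required to send is the recipient's public key, and a holder of any other private key cannot recover the symmetric key.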
Editorial Note: The above notes have been abstracted from a comprehensive White Paper entitled E-Business Data Exchange: Surviving The Security Audit produced by Sterling Commerce to illustrate the application of their `Connect' software security system for data transfer. Further details from www.sterlingcommerce.com
|Publication:||Database and Network Journal|
|Date:||Aug 1, 2002|