Cryptography Algorithms

Obfuscation

  • The act of making something difficult to understand.

  • Substitution Cipher - Substitutes one symbol for another.

    • Example: ROT13 (rotate 13 places)

  • XOR (eXclusive OR) - a logical operation that outputs true only when inputs differ (one is true, the other is false).

The Exclusive-OR function in terms of OR and AND.

Symmetric Algorithms

  • Data Encryption Standard (DES)

    • Adopted by NIST in 1977.

    • Block cipher using 64-bit blocks (56-bit key + 8 bits of parity).

    • Short key length subject to brute-force attacks.

  • 3DES (Triple DES)

    • DES algorithm computed three times.

    • Using a 'key bundle' three different DES keys, each of 56 bits = total bit strength of 168 bits (known as 3TDEA).

    • Also options to reuse keys.

    • Uses 48 rounds of computation.

      • Offers high resistance to differential cryptana

  • Advanced Encryption Standard (AES)

    • Original name 'Rijndael"

    • Free for any use public or private, commercial or non-commercial.

    • Adopted by NIST in 2001.

    • Block cipher with 128 block size.

    • Three key lengths: 128, 192, and 256.

    • It uses multiple encryption rounds to reach these key lengths:

      • 10 rounds for 128-bit

      • 12 rounds for 192-bit

      • 14 rounds for 256-bit

  • RC4 / RC5 / RC6 - Rivest Cipher

    • RC4 - Stream Cipher

    • RC5/6 - Block Ciphers

    • Works with key sizes between 40 and 2048 bits.

  • Blowfish / Twofish

    • A symmetric block cipher that can use variable-length keys from 32 bits to 447 bits.

    • Twofish uses 128-bit blocks.

  • International Data Encryption Algorithm (IDEA)

    • 128-bit key

    • Similar to DES, but more secure due to having a longer key.

    • Used in PGP.

  • One-Time Pad (OTP)

    • Most secure crypto implementation.

    • Use of a key as long as the plain-text message.

    • Only used once, then destroyed.

  • Skipjack

    • NSA developed block cipher used in clipper chip.

    • Uses an 80-bit key to encrypt 64-bit blocks of data.

  • GOST

    • A Soviet and Russian government standard symmetric key block cipher.

    • Block size of 64 bits.

    • Developed to counter Data Encryption Standard (DES).

  • Psuedo Random Number Generator (PRNG)

    • A type of algorithm that generates a number that is "random enough" for cryptographic purposes.

    • Used in AES, DES, and Blowfish.

Cipher Modes

  • Counter Mode (CTR)

    • Turns a block cipher into a stream cipher.

    • Used to generate a keystream.

    • Each block combines a nonce or IV with a sequentially assigned number to produce a unique counter block that is then encrypted.

  • Cipher-Block Chaining (CBC)

    • Uses an IV with the first block.

    • Thereafter, each block of plain text is obfuscated with the cipher text from the previous block before it is encrypted.

    • Introduces more diffusion & reduces effects of plain-text attacks.

  • Electronic Code Book (ECB)

    • The easiest method.

    • Direct encryption of each block of input plaintext.

    • Output is in form of blocks of encrypted ciphertext.

  • Cipher Feedback Mode (CFB)

    • Uses an initial chaining vector (ICV) in its processing.

    • Performs cipher feedback encryption.

    • Operates on segments instead of blocks.

  • Galois/Counter Mode

    • Used with symmetric-key key block ciphers.

    • An authentication encryption designed to give both integrity and confidentiality.

    • Used with 128 bit block ciphers.

Asymmetric Encryption

  • Uses two keys.

    • One for encryption.

    • One for decryption.

  • Keys are mathematically related.

  • Public / Private key encryption.

  • Only the private key needs to be kept secret.

  • Only the private key can decrypt the message.

Asymmetric Algorithms

  • Extra computational overhead.

  • Used primarily for:

    • Secure exchange of shared keys for symmetric encryption.

    • Digital signatures.

  • Solves the issue of key exchange with symmetric encryption.

  • Rivest, Shamir, and Adleman (RSA)

    • Used for key exchange and digital signatures.

    • Key can be any length.

    • Algorithm works by multiplying two large prime numbers.

    • Derives two different numbers: one public key and one private key.

  • Diffie-Hellman Key Exchange (D-H)

    • Two parties, without prior arrangement, can agree on a secret key that is known only to them.

    • Only used to generate a shared key (not encryption).

    • Key can be safely & secretly shared on a public network.

  • Diffie-Hellman Ephemeral (DHE)

    • Uses a different key for every conversation.

    • Supports perfect forward secrecy.

  • Elliptical Curve Cryptography (ECC)

    • Technique using elliptical curves to calculate simple but difficult-to-break encryption keys.

    • Uses smaller key sizes to obtain the same level of security (160-bit ECC = 1024-bit RSA).

    • Requires fewer resources than RSA.

  • Elliptical Curve Diffie-Hellman Ephemeral (ECDHE)

    • Variant of DHE using ECC for perfect forward secrecy.

  • El Gamal

    • An extension to the Diffie-Hellman using an ephemeral key.

  • Pretty Good Privacy (PGP) and GNU Privacy Guard (GPG)

    • Developed by Phillip R. Zimmerman in 1991.

    • Used to encrypt and sign email messages.

    • Establishes a web of trust between the users.

      • A web of trust implies that the users generate and distribute their public keys.

      • These keys are signed by users for each other, establishing a community of users who trust each other for communication.

      • Every user has a collection of signed public keys stored in a file known as a web ring.

    • PGP provides the following functionalities:

      • Confidentiality through the International Data Encryption Algorithm (IDEA).

      • Integrity through the Message Digest 5 (MD5) hashing algorithm.

      • Authentication through public key certificates.

      • Non-repudiation through encrypted signed messages.

  • Knapsack {source}

    • AKA Merkle-Hellman Knapsack Crypotosystem

      • One of the earliest public key cryptosystems.

Hashing

  • 'Digital fingerprint'

  • Work by taking a string of any length and producing a fixed-length string for output.

  • Changing the original changes the hash value.

  • Originator takes a hash of the file and provides hash to receiver.

  • Receiver takes hash of file and compares with original to ensure file integrity.

Hashing Algorithms

  • Secure Hash Algorithm (SHA, SHA-1, SHA-2, SHA-3)

    • Developed by the US NSA

    • SHA-1 can generate a 160-bit hash from any variable-length string of data.

    • SHA-2 = SHA-22, SHA-256, SHA-348, and SHA-512 (based on their digest lengths)

    • SHA-3, published in 2012, not widely used yet.

  • Message Digest Algorithm (MD2, MD4, MD5)

    • The most widely known hashing function.

    • Produces a 16-byte hash value, usually expressed as a 32 digit hexadecimal number.

    • Considered compromised. Rainbow tables have been published which allow people to reverse MD5 hashes made without good salts.

  • Message Authentication Code (MAC)

    • Authentication of messages using a secret key.

    • Used in electronic fund transfers to protect against fraud.

  • Hash-Based Message Authentication Code (HMAC)

    • HMAC combines a cryptographic hash function and a secret crypto key.

    • HMAC does not encrypt the message, only the key.

  • Keyed Hashing for Message Authentication Code (KHMAC)

    • Used to digitally sign packets that are transmitted on Internet Protocol Security (IPSec) connections.

  • RACE Integrity Primitives Evaluation Message Digest (RIPEMD)

    • Design based on MD4.

    • 160-bit version of the algorithm (RIPEMD-160) performs comparably to SHA-1.

  • HAVAL

    • Processes 1024-bit block sizes of information.

    • Creates message digests of variable sizes rather than a fixed output value.

    • Produces hashes in lengths of 128, 160, 192, 224, and 256.

Rainbow Tables and Salts

  • Rainbow Table

    • A pre-computed table for reversing cryptographic hash functions.

    • All of the possible hashes are computed in advance.

  • Salt

    • Random data that is used as an additional input to hash

Key Stretching

  • Processes used to take a weak key and make it stronger, usually by making it longer.

  • Bcrypt

    • Based on the blowfish algorithm.

    • Provides an adaptive hash function based on a key factor.

  • Password-Based Key Derivation Function 2 (PBKDF2)

    • Algorithm applies a pseudo-random function to the password combined with a salt of at least 64 bits, and then repeats the process at least 1000 times.