Difference between revisions of "Encrypting everything"

Revision as of 17:19, 24 July 2015

Until it is destroyed ^[1], or we run out of resources to maintain its cables, bridges, root servers and data centers, or some idiot(s) replace(s) the current internet with a panopticon-like or a military-and-corporate-only global network, the web seems to be here to stay ... but it has an ad-hoc security model added post-hoc and it is up to us to make it better!?! WTF?

For centuries, nations around the world have operated Black Chambers, secret rooms where they attempted to decode the messages being sent by their rivals. The French operated the Cabinet Noir, in Vienna the Geheime Kabinets-Kanzlei was the home of Austria's greatest codebreakers, and in Britain there was Room 40 and then Bletchley Park. Visit Simon Singh's virtual Black Chamber, where you can learn about codes and codebreaking, encrypt your own messages, crack those of your enemies, and play with interactive enciphering programmes http://www.simonsingh.net/The_Black_Chamber/

The imitation game is a nail-biting race against time following Alan Turing (pioneer of modern-day computing and credited with cracking the German Enigma code) and his brilliant team at Britain’s top-secret code-breaking centre, Bletchley Park, during the darkest days of World War II. Turing, whose contributions and genius significantly shortened the war, saving thousands of lives, was the eventual victim of an unenlightened British establishment, but his work and legacy live on http://theimitationgamemovie.com/

Before the digital age, the biggest users of cryptography were governments, particularly for military purposes. With the advent of the net we can all use it for:

Enabling authorised transactions.
Defending free expression.
Protecting our space, our objects and channels, from unauthorised access.
Collectively failing at putting crypto into our own hands.

This page is on the latter. See some of the below concepts applied in anonymising your traffic with linux (mostly channels), object encryption on linux and clean up all the things.

Crypto concepts

The Crypto Museum is a virtual museum that can only be visited on the internet. The main purpose of the Crypto Museum is to preserve history. This is done by collecting, restoring and describing historical cipher machines such as the well-known Enigma machine, spy equipment and the likes http://www.cryptomuseum.com/

The science of sending concealed messages is known as steganography (concealed writing). It is not very secure by itself. If someone finds the hidden message, all its secrets are revealed.
Manipulating a message so that it can not be read even if it were intercepted is known as cryptography(hidden writing).
Cryptography takes two forms: codes and ciphers.
A code is essentially a secret language invented to conceal the meaning of a message, a system for hiding the meaning of a message by replacing each word or phrase in the original message with another character or set of characters (codegroups). The list of replacements is contained within a codebook. To protect a message in this way is called encoding. Encoding has no built-in flexibility.
A cipherconceals a plaintext message by replacing or scrambling its letters. This process is known as enciphering and results in a ciphertext message. Converting a ciphertext message back to a plaintext message is known as deciphering. Each cipher can be split into two halves: the algorithm and the key. The key gives a cipher some built in flexibility.
There are two classes of ciphers. A substitution cipher changes the letters in a message to another set of letters, or cipher alphabet, while a transposition cipher shuffles the letters around.
Coded messages are often enciphered to improve their security, a process known as superencipherment.
Encryption covers both the act of encoding and enciphering.
Decryption covers both decoding and deciphering.
Cryptotext covers both codetext and ciphertext but encicode is sometimes used instead.
The science of breaking cryptotext or encicode is known as cryptanalysis.
The two fields cryptography and cryptanalysis together make up the science of cryptology.

Most forms of cryptography used today rely on computers. Ciphers are better known today as algorithms, the guides for encryption -- they provide a way in which to craft a message and give a certain range of possible combinations. A key, on the other hand, helps a person or computer figure out the one possibility on a given occasion.

Symmetric-key encryption

In symmetric key cryptography (alias secret key cryptography) the same key is used to encrypt and decrypt the data.

There are many different algorithms using symmetric key cryptography, offering anything from minimal to nearly unbreakable security. Some of these algorithms offer strong security, easy implementation in code, and rapid encryption and decryption. Such algorithms are very useful for encrypting files stored on a computer to protect them in case an unauthorised individual gains access to the machine. They are somewhat less useful for sending messages from one computer to another, because both ends of the communication channel must possess the key and must keep it secure. Distribution and secure storage of such keys can be difficult and can open security vulnerabilities.

Symmetric ciphers have historically been susceptible to known-plaintext attacks, chosen plaintext attacks, differential cryptanalysis and linear cryptanalysis. Careful construction of the functions for each round can greatly reduce the chances of a successful attack.

Data Encryption Standard (DES)

The Data Encryption Standard is a popular symmetric-key encryption method developed in 1975 and standardised by ANSI in 1981 as ANSI X.3.92. DES uses a 56-bit key and uses the block cipher method, which breaks text into 64-bit blocks and then encrypts them.

DES is now considered to be insecure for many applications. This is mainly due to the 56-bit key size being too small; in January, 1999, Cryptography Research, Inc., Advanced Wireless Technologies, and the EFF. collaborated to publicly break a DES key in 22 hours and 15 minutes ^[2].

Triple DES, also referred to as 3DES, is a mode of the DES encryption algorithm that encrypts data three times. Three 64-bit keys are used, instead of one, for an overall key length of 192 bits (the first encryption is encrypted with second key, and the resulting cipher text is again encrypted with a third key).

Advanced Encryption Standard (AES)

Twofish

Serpent

Asymmetric key cryptography

In asymmetric key cryptography (alias public-key encryption) different keys are used for encrypting and decrypting a message. The asymmetric key algorithms that are most useful are those in which neither key can be deduced from the other. In that case, one key can be made public while the other is kept secure. This provides some distinct advantages over symmetric encryption: the necessity of distributing secret keys to large numbers of users is eliminated, and the algorithm can be used for authentication as well as for cryptography.

Diffie-Hellman key agreement

The Diffie-Hellman key agreement algorithm was developed by Dr. Whitfield Diffie and Dr. Martin Hellman in 1976 to enable two parties who are involved in communication to generate a shared secret key for exchanging information confidentially. It uses modular arithmetic https://en.wikipedia.org/wiki/Modular_arithmetic.

Modulus or modulo (abbreviated as "mod") is the Latin word for "remainder, residue" or more in "what is left after parts of the whole are taken". Thus, "modular" or "mod arithmetic" is really "remainder arithmetic". For example:

When 7 is divided by 3 it leaves a remainder of 1, thus: 7 mod 3 = 1
When 8 is divided by 3 it leaves a remainder of 2: 8 mod 3 = 2
When 9 is divided by 3 it leaves no remainder: 9 mod 3 = 0.

Now imagine the following scene from Wuthering Heights:

Cathy and Heathcliff exchange public keys. These keys must have the same modulo portion, a prime p. (see RFC 5114)
Cathy and Heathcliff each encrypt a shared, non-secret value, g (also usually taken from RFC 5114), using their private keys, and they exchange these encrypted values.
Cathy encrypts the encrypted value received from Heathcliff with her private key, and vice versa. These values are used as a shared session key.

For example, Cathy says: 5,23 (base g = 5 and prime number p = 23, randomly chosen by Cathy)

    O_/                                         7_O_/
  _/|      ---------------5,23-------------->    (/
  __)\                                           /\/'
 `    \                                          7
 Cathy                                          Heathcliff

Heathcliff chooses a private number = x = 6 and says (g^{my private number} mod p = 5⁶ mod 23 =) 8

    O_/                                         7_O_/
  _/|      <----------------8----------------    (/
  __)\                                           /\/'
 `    \                                          7
Cathy                                          Heathcliff

Cathy chooses private number = y = 15 and says (g^{my private number} mod p = 5¹⁵ mod 23 =) 19

    O_/                                         7_O_/
  _/|      -----------------19-------------->    (/
  __)\                                           /\/'
 `    \                                          7
 Cathy                                          Heathcliff

Cathy received the 8 from Heathcliff, and thinks, (heathcliffs public number)^{my private number} mod 23 = 8¹⁵ mod 23 = 2. Aha! Now I know the key is 2.
Heathcliff comes to a similar conclusion using what Cathy shouted from afar (19) for the world to hear: 19⁶ mod 23 = 2.
And both encrypt their communication with 2.

This solves the problem of how to pass a secret key between two parties without having any eavesdropper knowing the key. This does not solve the man in the middle attack (authentication): Someone can pretend to be heathcliff and share a key with Cathy and Cathy will send encrypted information to "Heathcliff".

Rivest Shamir Adleman (RSA)

Ron Rivest, Adi Shamir, and Len Adleman released the Rivest-Shamir-Adleman (RSA) public key algorithm in 1978. This algorithm can be used for encrypting and signing data. The encryption and signing processes are performed through a series of modular multiplications http://mersennewiki.org/index.php/Modular_arithmetic.

It’s easy for a computer to multiply two large prime numbers together but if you gave this new number to a computer and asked it to tell you what prime numbers you multiplied to construct it, the computer would struggle. And the bigger the prime numbers get, the more the computer struggles, exponentially so. This is called a trapdoor, meaning it’s easy to go one way, but very hard to go the other. This mathematical difficulty is what ensures the strength of our encryption.

The RSA algorithm works as follows:

Find two huge (at least 100 digits each!) prime numbers p and q, and multiply them together to get the even bigger number n.
Also combine p and q in a different way to generate another number e (details of this below).
Publish these two numbers {n,e} as "public key", with the knowledge that there is enormous difficulty with even the world’s fastest computers breaking n into its constituent prime atoms p and q.
The numbers {n,e} can be used by people to encrypt a message to send to me, and I can use my secret primes p and q to decrypt it.

In the unfolding love story, Heathcliff wants to encrypt and send Cathy his age (42 or forty-two). The RSA algorithm deals with sending numbers, but any text can be converted to digits in a variety of ways, so we can securely transmit information of any type.

Cathy knows that Heathcliff wants to send her a message, so she selects two prime numbers, say p = 17 and q = 29 (n = p x q = 17 x 29 = 493).
Cathy also needs to generate another number, e. She creates this number first by subtracting 1 off of each of her prime numbers p and q and then multiplies these two together ((p-1) x (q-1) = 448). This number is not e. The number e is allowed to be any number, which has no factors in common with this new number 448 (= 2 x 2 x 2 x 2 x 2 x 2 x 7). Now e is just any number which, when broken down into primes, does not possess a 2 or a 7 as a factor. There are lots of possibilities to choose from. Suppose Cathy picks e = 5.
Cathy then gives the numbers n = 493 and e = 5 to Heathcliff.
With these two numbers n and e, Heathcliff now encrypts his secret message: 42^e mod n = 42⁵ mod 493 = 42 x 42 x 42 x 42 x 42 mod 493 = 130,691,232 mod 493 = 383
Cathy has received the number 383 from Heathcliff and needs to decrypt it to read it. Her first step, is to use her secret prime numbers p and q and the public number e to form another number d, which she can use to decrypt Heathcliff’s message. Cathy lists the multiples of 5: 5, 10, 15, 20, 25, 30, 35, 40 ... and the multiples of 448: 448, 896, 1344, 1792, 2240, 2688 ... to find a number in the first sequence which is exactly one more than a number in the second sequence. That is the 269th term which is 1345, one more than the 3rd term 1344 in the 448 sequence. d = 269.
Now Cathy can decode the message by doing one big calculation. She has Heathcliff's encrypted number, 383, and her new number, d = 269. The plaintext message = (ciphertext)^d mod n = 383 ²⁶⁹ mod 493 = 42

Public:

   ==0                                          _O/ 
    /\/   ------------- 493,5 -------------->     \
   |\                                             /\_    
  /  |                                            \  ` 
 oo  oo                                            `
 Cathy                                          Heathcliff

   ==0_/                                          ,                                      
    /\_   <-------------- 383 ---------------    /    
   |\                                         `\_\
  /  |                                            \ 
 oo  oo                                          /O\ 
 Cathy                                         Heathcliff

Basic RSA algorithm for confidentiality:

Ciphertext = (plaintext)^e mod n
Plaintext = (ciphertext)^d mod n
Private Key = {d, n}
Public Key = {e, n}

Basic RSA algorithm for authentication:

Ciphertext = (plaintext)^d mod n
Plaintext = (ciphertext)^e mod n
Private key = {d, n}
Public key = {e, n}

RSA is the best possible type of public key cryptography, yet due to the high computation involved it is often not used to encrypt/decrypt simple messages. Instead, it’s used for signatures and protocol negotiations to allow two sides to receive private keys to use for their communication. The RSA algorithm is but one of many systems where a set of mathematical theorems, often from number theory, can be synthesised to construct an encryption scheme.

ElGamal

ElGamal is an algorithm used for transmitting digital signatures and key exchanges. The method is based on calculating logarithms. The algorithm is based on the characteristics of logarithmic numbers and calculations https://en.wikipedia.org/wiki/ElGamal_encryption.

Digital Signature Algorithm (DSA)

The Digital Signature Algorithm (DSA) is based on the ElGamal algorithm and was developed by the United States government for digital signatures. DSA can be used only for signing data and it cannot be used for encryption. The DSA signing process is performed through a series of calculations based on a selected prime number. Although intended to have a maximum key size of 1,024 bits, longer key sizes are now supported https://en.wikipedia.org/wiki/Digital_Signature_Algorithm.

Elliptic Curve Cryptography (ECC)

Elliptic Curve Cryptography provides similar functionality to RSA and is implemented in smaller devices like cell phones, in TLS, PGP and SSH, and in Bitcoin and other cryptocurrencies. It requires less computing power than RSA. ECC encryption systems are based on the idea of using points on a curve to define the public/private key pair.

DSA or Diffie-Hellman need a finite, cyclic group with the following characteristics:
- Group elements must be representable with relatively little memory.
- The group size must be known and be a prime number (or a multiple of a known prime number) of appropriate size (at least 160 bits for the traditional security level of "80-bit security").
- The group law must be easy to compute.
- It shall be hard (computationally infeasible, up to at least the targeted security level) to solve discrete logarithm in the group https://en.wikipedia.org/wiki/Discrete_logarithm.
DH, ElGamal, DSA are primarily defined in the group of non-zero integers modulo a big prime p, with modular multiplication as group law. The characteristics we look for are reached as long as p is large enough, at least 1024 bits (minimal size for discrete logarithm to be hard in such a group).
Elliptic curve are another kind of group useful for group-based cryptographic algorithms.
An elliptic curve is defined with:
- A finite field https://en.wikipedia.org/wiki/Finite_field, usually consisting in integers modulo some prime p (there are also other fields that can be used).
- A curve equation, usually y² = x³ + ax +b, where a and b are constant values from the finite field.
The curve is the set of pairs of values (x,y) which match the equation, along with a conventional extra element called the point at infinity. Since elliptic curves initially come from graphical representations (when the field consists in the real numbers ℝ), the curve elements are called "points" and the two values x and y are their "coordinates".
Then we define a group law, called point addition and denoted with a + sign. The definition looks quite artifical, with all the business about tracing a line and computing the intersection of that line with the curve; but the bottom-line is that it has the characteristics required for a group law, and it is easily computable (there are several methods; as a rough approximation, it costs about 10 multiplications in the base field).

Elliptic curves are said to be the next generation of cryptographic algorithms in order to replace RSA. The involved mathematics is a bit harder than with RSA, and there have been patents, so implementers are a bit wary. Yet elliptic curves appear to become more common.

Cryptographic hash functions

Digital signatures

Digital certificates

Cryptanalysis

Is the clock ticking for encryption?

Resources

References

↑ How to destroy the internet http://gizmodo.com/5912383/how-to-destroy-the-internet
↑ Frequently Asked Questions (FAQ) About the Electronic Frontier Foundation's "DES Cracker" Machine https://w2.eff.org/Privacy/Crypto/Crypto_misc/DESCracker/HTML/19980716_eff_des_faq.html

[1] How to destroy the internet http://gizmodo.com/5912383/how-to-destroy-the-internet

[2] Frequently Asked Questions (FAQ) About the Electronic Frontier Foundation's "DES Cracker" Machine https://w2.eff.org/Privacy/Crypto/Crypto_misc/DESCracker/HTML/19980716_eff_des_faq.html

[1]

[2]

@@ Line 38: / Line 38: @@
 There are many different algorithms using symmetric key cryptography, offering anything from minimal to nearly unbreakable security. Some of these algorithms offer strong security, easy implementation in code, and rapid encryption and decryption. Such algorithms are very useful for encrypting files stored on a computer to protect them in case an unauthorised individual gains access to the machine. They are somewhat less useful for sending messages from one computer to another, because both ends of the communication channel must possess the key and must keep it secure. Distribution and secure storage of such keys can be difficult and can open security vulnerabilities.
+Symmetric ciphers have historically been susceptible to known-plaintext attacks, chosen plaintext attacks, differential cryptanalysis and linear cryptanalysis. Careful construction of the functions for each round can greatly reduce the chances of a successful attack.
 === Data Encryption Standard (DES) ===
@@ Line 48: / Line 50: @@
 === Advanced Encryption Standard (AES) ===
+=== Twofish ===
+=== Serpent ===
 == Asymmetric key cryptography ==