Cryptographic Methods in Today’s Telecommunications – Article 4 in the series “Why organisations need to take responsibility for securing their telecommunications?”
- Introduction. Prior to the invention of asymmetric cryptography, encrypted communications depended on the parties to the communication sharing a secret code, or key. The parties would normally exchange the key using a trusted method such as a face-to-face meeting. Thereafter, the key holders would be able to communicate securely. Asymmetric cryptography, also known as public-key cryptography, is so called because the key used to encrypt the message is not the same as the key used to decrypt it. Each party to the communication has two keys – a public key and a private key. The keys are mathematically related, but it is computationally infeasible to derive the private key from the public key. This means while an attacker can derive the key given unlimited time and resources, it is unlikely the code can be broken within a finite period that delivers any practical value. If A wants to send a message to B, A uses B’s public key (which can be made available to anyone without compromising the security of the system) to encrypt the message. B then decrypts the message using B’s private key, which is only known to B.
- 1st practical method: the “Diffie-Hellman key exchange”. Whitfield Diffie and Martin Hellman published the first practical method of asymmetric cryptography in 1976. Their method, known as Diffie-Hellman key exchange, is still important in modern cryptography.
- 2nd practical method: RSA. The following year, three cryptographers at MIT developed a method based on the difficulty of factoring the product of very large prime numbers. Their method, RSA, is still the most widely used method of asymmetric cryptography.
- 3rd practical method: ECC. A third method, known as Elliptic Curve Cryptography (ECC) was developed in 1985 independently by Neil Miller and Victor Koblitz. ECC depends on a more complex and difficult mathematical problem called the elliptical discrete logarithm problem. The practical result of this difference in complexity is that significantly smaller keys can be used with ECC to achieve the same level of security as a RSA-based system. ECC is also more resistant to decryption. ECC was quickly recognised by cryptographers as possessing efficiency and security advantages over RSA, and subsequent attempts to find weaknesses in the method were unsuccessful. However, RSA was firmly established in the market for secure communications devices, and ECC has only recently gained a meaningful foothold.
- Symmetric cryptography uses identical or similar keys for both the encryption and decryption process.
- DES. An early symmetric cipher, the Data Encryption Standard (DES), was implemented in 1977. DES was controversial from the beginning because it used a relatively short key (56 bits) and was suspected of being vulnerable to a backdoor attack by the National Security Agency (NSA). By 1997, a DES key had been decrypted; by 1998, it was possible to determine a DES key using brute force methods in just two days. DES is no longer considered a secure encryption standard.
- Blowfish and Twofish. In 1993, when it was already clear that the key size used by DES was insufficient, a related symmetric encryption algorithm, Blowfish, was developed. Twofish, the second generation of Blowfish, was first published in 1998, and used variable-length keys from 128 to 256 bits.
- AES. However, when the National Institute of Standards and Technology (NIST) announced a competition for the successor to DES that would be used to protect sensitive government information, an algorithm called Rijndael emerged victorious. Rijndael was rebranded as the Advanced Encryption Standard (AES) and is now the dominant symmetric cryptographic standard.
ASYMMETRIC VERSUS SYMMETRIC
- Advantage of asymmetric cryptography. The obvious advantage of asymmetric cryptography over symmetric cryptography is that the parties need not meet face to face, or rely on a possibly insecure third party (such as a postal system or Internet Service Provider) to communicate a shared key. Such meetings may be realistic when the number of parties who will need to communicate is relatively small. However, global business communications require that thousands of people be able to communicate rapidly, sometimes before a secure key exchange can be arranged.
- Advantage of symmetric cryptography. The advantage of symmetric cryptography is in its speed. In practice, symmetric cryptographic methods are hundreds to thousands of times faster than their comparably secure asymmetric counterparts. In modern telecommunications, where very large quantities of data must be transmitted at very high bandwidth rates, computational speed is an important consideration.
HYBRID CRYPTOGRAPHIC TECHNOLOGIES
- The solution to the problem of secure mobile telephone communications lies in the adoption of hybrid cryptographic technologies. This enables public key exchange, a virtual necessity in the global business environment, while taking advantage of the computational efficiencies of symmetric key cryptography.
- ECIES. One such hybrid system is the Elliptic Curve Integrated Encryption Scheme (ECIES). ECIES is an implementation of Elliptic Curve Cryptography based on ECC that uses Diffie-Hellman-type key exchange and a message authentication code (MAC) for key encapsulation, coupled with a symmetric encryption scheme for data encapsulation. ECIES is designed to be semantically secure against attacks where the adversary can select text to be encrypted and know the encrypted text. It offers an attractive mix of provable security and efficiency. It was proven secure based on a variant of the Diffie-Hellman problem. It is an efficient as, or more efficient than, comparable schemes.
Source: Goldlock Company