M. Ahmed

Encryption 101

Symmetric Encryption

  • Used for encryption at rest or in situations where data does not need to be transmitted between two parties unknown to each other.
  • Consists of Plaintext, Encryption Key, Algorithm and Ciphertext.
  • Key + Plaintext >> Algorithm = Ciphertext
  • Ciphertext + Key >> Algorithm = Plaintext
  • One key is used to encrypt and decrypt data.
  • Mostly used for encryption at rest.

Asymmetric Encryption

  • Used for encryption in transit or in situations where data needs to be transmitted between two parties unknown to each other.
  • One key encrypts the data, and the other decrypts it.
  • Consists of Public Key, Private Key, Plaintext, Ciphertext and Algorithm.
  • Public Key + Plaintext >> Algorithm = Ciphertext
  • Ciphertext + Private Key >> Algorithm = Plaintext
  • Used for encryption in transit.
  • It is computationally heavy, so it is used only at the start (to exchange a key) and the session then shifts to symmetric encryption.
  • Used by SSH, SSL/TLS, etc.

Signing

  • It is a process of proving possession of the private key: a message is signed with the private key, and anyone holding the public key can check that signature.
  • Because the public key confirms that the message was signed with the matching private key, the verifier knows that the party who signed it is legitimate.
  • Used for identity verification.

Steganography

  • This is a process of hiding the very presence of encrypted data from the naked eye.
  • For example, encoding important information inside an image.
  • Complex algorithms are used to encode the ciphertext into a different data form (such as image pixels) and to decode it again.

Envelope Encryption

  • Combines the security of asymmetric encryption with the flexibility of symmetric encryption.
  • First, a KEK (Key Encryption Key, asymmetric) is used to encrypt the DEK (Data Encryption Key, symmetric).
  • The plaintext DEK is used to encrypt the object, and the encrypted DEK is stored alongside the ciphertext.
  • This makes the DEK unique for every object, so in case of a breach, only that object is compromised.
  • To decrypt the object, the encrypted DEK is sent to the KMS (in the case of AWS), which sends back the decrypted DEK; that DEK is then used to decrypt the ciphertext.
  • This method is fast too, because only the small encrypted DEK is sent over, not the entire object.
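As an added example (not part of these notes), the envelope flow above using only Go's standard library: the KEK is an RSA key pair standing in for the KMS key, the DEK is a fresh AES-256-GCM key generated per object, and Open stands in for the KMS unwrap call. The Envelope type and the Seal/Open/aeadFor/must names are my own choices.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Envelope is what gets stored: the ciphertext plus the DEK wrapped under the KEK; the plaintext DEK is never kept.
type Envelope struct {
	WrappedDEK []byte // DEK encrypted with the asymmetric KEK (RSA-OAEP), kept next to the ciphertext
	Nonce      []byte // AES-GCM nonce, fresh for this one object
	Ciphertext []byte
}

// must aborts on CSPRNG or cipher-setup failure; in this demo there is no sensible recovery.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// aeadFor builds the symmetric AES-256-GCM cipher for a raw DEK.
func aeadFor(dek []byte) cipher.AEAD {
	return must(cipher.NewGCM(must(aes.NewCipher(dek))))
}

// Seal generates a fresh DEK for this one object, encrypts the object with it, wraps the DEK
// under the KEK public key and returns the wrapped DEK alongside the ciphertext.
func Seal(kekPub *rsa.PublicKey, plaintext []byte) *Envelope {
	dek := make([]byte, 32)
	must(rand.Read(dek))
	aead := aeadFor(dek)
	nonce := make([]byte, aead.NonceSize())
	must(rand.Read(nonce))
	wrapped := must(rsa.EncryptOAEP(sha256.New(), rand.Reader, kekPub, dek, nil))
	return &Envelope{WrappedDEK: wrapped, Nonce: nonce, Ciphertext: aead.Seal(nil, nonce, plaintext, nil)}
}

// Open plays the KMS role: only the KEK private key unwraps the DEK, which then decrypts the object; tampering fails GCM auth.
func Open(kekPriv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	dek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, kekPriv, env.WrappedDEK, nil)
	if err != nil {
		return nil, err
	}
	return aeadFor(dek).Open(nil, env.Nonce, env.Ciphertext, nil)
}
```

Sealing the same plaintext twice yields different wrapped DEKs and ciphertexts, which is the per-object isolation the notes describe.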

Hardware Security Modules

  • Used to store encryption keys and encrypt and decrypt data.
  • Physically tamper-resistant: built to withstand attacks on the device itself.
  • Hardware accelerated for certain tasks like encryption.
  • Keys never leave an HSM.
  • Used for Military, Government and high-risk operations.
  • A small, toned-down version is included in smartphones to protect biometric data.

Hashing

  • Takes a variable amount of data and generates a fixed-length output.
  • Unique data should generate a unique hash.
  • The same data should always generate the same hash.
  • Older algorithms like MD5 are vulnerable to collisions: two different inputs generating the same hash.
  • Modern algorithms like SHA-256 should be used in production.
  • Hashes are irreversible, unless you brute-force candidate inputs and compare their hashes, which is VERY HARD.
  • Used for Passwords, Data verification, etc.

Digital Signatures

  • A way to verify the authenticity of data along with the verification of its author.
  • The author first hashes the data and then signs that hash with their private key.
  • The result is called a digital signature.
  • To verify the signature:
    1. The recipient decrypts the digital signature (recovering the signed hash) using a well-known public key belonging to the author.
    2. They hash the received data themselves and compare that hash to the decrypted hash.
    3. If the hashes match, the data is intact and came from the expected entity.