SecureBlackbox 16: Encryption Schemes and Mechanisms in SecureBlackbox


This article outlines the encryption mechanisms available in SecureBlackbox.

Symmetric Encryption

This is the simplest mechanism, which constitutes the basis of cryptography. The improper use of symmetric encryption leads to information leaks and security breaches.

Symmetric encryption takes blocks of data and transforms them according to the algorithm's rules. Symmetric encryption uses a so-called symmetric key — rather short byte sequences (8 to 32 bytes usually) that must be kept secret.

Text passwords and pass phrases are usually converted to symmetric keys using some key derivation algorithm, so when the application uses the password for encryption, in fact the symmetric key is used.

As this straightforward encryption does not produce any output besides the encrypted data, you also need to find a way to store the checksum of the data somehow and to ensure that decryption is successful (i.e., that the recipient has used the correct key for decryption).

A common sample of symmetric encryption nowadays is AES encryption.

Asymmetric Encryption

This mechanism uses key pairs, which consist of a public and a private key. Asymmetric keys differ in size and the widely used RSA and Elgamal keys have a length of 1024 bits and more (nowadays 2048 bits is preferred).

Asymmetric algorithms are often called public-key algorithms (though they use public keys for encryption and signature verification and private keys for decryption and signing).

Due to the specifics of asymmetric algorithms, only short blocks of data (not larger than the key size) can be encrypted directly. So to encrypt larger amounts of data a hybrid scheme is used: the data is encrypted using a symmetric algorithm and a generated random symmetric key, then the symmetric key is encrypted using a public-key algorithm and transferred with the encrypted data.

This encryption scheme requires a certain standard for putting the encrypted data and the encrypted session key together.

Most widespread asymmetric encryption is RSA encryption and the PKCS#1 scheme.

PKCS#7 and CMS

These schemes (or different generations of one scheme) use X.509 certificates to encrypt the data. The X.509 certificate is used for asymmetric encryption. It holds an embedded public key and has an associated private key as well as supplementary information. Encryption can be done for one or more certificates; i.e., the encrypted data can have one or several recipients who own the private keys that correspond to the certificates used for encryption. PKCS#7/CMS uses asymmetric encryption and symmetric encryption for its purposes.

The schemes support not only encryption, but digital signing, time stamping, and compression of data. Still, they are limited to the use of X.509 certificates.

When the data is encrypted using PKCS#7/CMS, it is wrapped with an "envelope", so if you encrypt, for example, a PDF document, the PDF reader will not recognize the encrypted data as a PDF document.

OpenPGP

OpenPGP is similar to PKCS#7 / CMS as it uses asymmetric cryptography to encrypt (and also to sign and compress data). However, asymmetric key pairs are presented in the form of OpenPGP keys rather than of X.509 certificates. Also, OpenPGP uses a slightly different set of symmetric and asymmetric algorithms.

One of the benefits of OpenPGP is that this scheme supports the use of pass phrases for encryption. This means that asymmetric cryptography is not required (unlike PKCS#7/CMS). When the data is encrypted using OpenPGP, it is wrapped with the "envelope", so if you encrypt, for example, a PDF document, the PDF reader will not recognize the encrypted data as a PDF document.

One of the key differences between X.509 certificates and OpenPGP keys is that the X.509 certificate infrastructure has a hierarchical nature with a small number of topmost Root Certificate Authorities (CAs), while OpenPGP is completely decentralized and OpenPGP keys are created usually by the end-users themselves, rather than issued by CAs.

XML Encryption

XML encryption is defined in the XMLEnc standard. It lets you encrypt XML documents, nodes of XML documents, or any binary data. XML encryption is a higher-level mechanism that can use symmetric encryption, asymmetric encryption with RSA keys, X.509 certificates, and OpenPGP keys for encryption and signing.

The encrypted XML document has the form of a valid XML document and can be handled by almost any XML parser/reader.

PDF Encryption

PDF encryption is part of the PDF document format. This high-level scheme lets you use symmetric encryption and asymmetric encryption. Asymmetric encryption can be done using "plain" RSA keys and X.509 certificates.

The benefit of the scheme is that the encrypted PDF document has the form of a valid PDF document and can be handled by almost any PDF reader.

Office Document Encryption

This mechanism is very similar to XML and PDF encryption and slight differences in details depend on the particular Office document format and version.

Data Security During Transfer

The mechanisms described above are used to encrypt the data when you store or transfer it. However, they are hardly usable "as is" when you are communicating over the network. In this case some secure channel mechanism must be introduced.

When the data is transferred via a secure channel, it is encrypted on-the-fly when the data is sent to the channel and decrypted on-the-fly when it is received on the other side. This is different from "static" encryption described above, as security is provided only during transfer (endpoints are considered to be safe and secure).

Currently, the most widespread mechanisms are SSL / TLS and SSH.

SSL / TLS

SSL / TLS is a complex scheme that includes encryption, authentication, and several other features (compression, etc.). It can use many different mechanisms for data protection. Symmetric encryption and asymmetric encryption are two cornerstones of the scheme of course, but X.509 certificates, symmetric keys, one-time passwords, and OpenPGP keys are involved as well.

SSL/TLS is used by many application-level protocols including HTTP and FTP to secure the transfer.

SSH

The SSH protocol is similar to SSL / TLS; it differs in its support for channel multiplexing, in its authentication schemes, and, slightly, in its symmetric encryption algorithms. The SSH family of protocols includes SFTP (SSH File Transfer Protocol) to enable the secure transfer of files.

We appreciate your feedback. If you have any questions, comments, or suggestions about this article please contact our support team at support@nsoftware.com.