encryption and asymmetric (or public key)
encryption. Figure compares the two methods and provides
examples of each method: - Symmetric-key
encryption: Symmetric-key encryption, also called secret
key encryption, works when each computer has a secret key
(code) that the computer uses to encrypt information before the
information is sent over the network to another computer.
Symmetric-key encryption requires that someone know which
computers will be talking to each other so that the person can
configure the key on each computer. Symmetric-key encryption is
a secret code, or key, that each of the two computers must know
to decode the information.
For example, a sender
creates a coded message to send to a recipient where each
letter in the message is substituted with the letter that is
two letters down from the original in the alphabet;
"A" becomes "C," and "B" becomes
"D." In this case, the word SECRET, becomes UGETGV.
The sender has already told the recipient that the secret key
is "Shift by 2." When the recipient receives the
message ‘UGETGV’, the recipient computer decodes the message by
shifting back two and calculating ‘SECRET’. Anyone else who
sees the message sees only the encrypted message, which looks
like nonsense unless the person knows the secret key. The
drawback of symmetric-key encryption is that it involves
exchanging secret keys across the very insecure Internet.
- Asymmetric Encryption: Introduced in 1976,
asymmetric encryption uses different keys for encryption and
decryption. Knowing one of the keys does not allow a hacker to
deduce the second key and decode the information. One key
encrypts the message, while a second key decrypts the message.
It is not possible to encrypt and decrypt with the same key.
Public-key encryption uses a combination of a private key and a
public key. Only the sender knows the private key. The sender
gives a public key to any recipient that the sender with whom
he wants to communicate. To decode an encrypted message, the
recipient must use the public key, provided by the originating
sender, and the recipient’s own private key.
The
following example of a locked mailbox with a mail slot helps to
explain public key encryption. A mail slot is exposed and
accessible to the public. The street address of the mail slot
represents the public key. Anyone knowing the street address
can go to the address and put a message through the slot.
However, only the person who has the key to the mail slot
(asymmetric encryption’s private key) can open the mailbox and
read the message. Computing Power Requirements of
Cryptographic Algorithms
Asymmetric encryption demands
significantly more computing power than symmetric encryption
demands. The table in Figure compares symmetric key lengths to
asymmetric key lengths. A symmetric algorithm using a 256-bit
key is comparable to an asymmetric algorithm using a 15,360-bit
key. The longer the key is, the more processing power is used.
Typically symmetric encryption is used to encrypt large amounts
of data because it is far more efficient than using asymmetric
encryption. Asymmetric encryption is typically used for
authentication purposes. With IPsec, once the tunnel is active,
traffic through the tunnel uses symmetric encryption if
encryption is requested. However, to set up the tunnel,
asymmetric encryption is used to authenticate both ends of the
tunnel.
Content 3.1 Introducing VPN
Technology 3.1.8 Symmetric Encryption
Algorithms Symmetric-key algorithms can be divided into
stream ciphers and block ciphers. Stream ciphers encrypt the
bits of the message one at a time, and block ciphers take a
number of bits and encrypt them as a single unit. A block
cipher operates on fixed-length groups of bits, termed blocks,
with an unvarying transformation. When encrypting, a block
cipher might take, for example, a 128-bit block of plaintext as
input, and output a corresponding 128-bit block of ciphertext.
The exact transformation is controlled using a second input—the
secret key. Decryption is similar: the decryption algorithm
takes, in this example, a 128-bit block of ciphertext together
with the secret key, and yields the original 128-bit block of
plaintext. On the other hand, stream ciphers operate on
individual digits one at a time and the transformation varies
during the encryption. Figure shows the basic encryption and
decryption process of a block cipher. Data Encryption Standard
(DES), developed at IBM and published as a standard in 1977,
has influenced the development of block cipher designs in use
today. A successor to DES, the Advanced Encryption Standard
(AES) algorithm approved by the National Institute of Standards
and Technology (NIST) in December 2001 uses 128-bit blocks. The
table in Figure lists common symmetric encryption algorithms
and shows the differences in security levels that are offered
by various algorithms. Work factor (O) represents the strength
of the algorithm. The following three descriptions show how
symmetric encryption has developed from a relatively weak
solution, to the current and more widely accepted algorithm.
Symmetric Encryption: DES
The DES is a cipher that
was selected as an official Federal Information Processing
Standard (FIPS) for the United States in 1976. For this reason,
DES became widely implemented internationally. The algorithm
was initially controversial, with classified design elements
and a relatively short key length. DES consequently was
subjected to intense academic scrutiny and motivated the modern
understanding of block ciphers and their cryptanalysis. Some
documentation refers to DES as the Data Encryption Algorithm
(DEA). DES is a block cipher encryption algorithm. The DES
algorithm takes a fixed-length string of plaintext bits and
transforms it through a series of complicated operations into
another ciphertext bitstring of the same length and returns
ciphertext blocks of the same size. Given that you have 64
bits, you have 2^64 possible combinations. DES simply
rearranges the bits into combinations that require the reverse
procedure to decode the plaintext. DES uses a key to customize
the transformation, so that decryption can only be performed by
those who know the particular key used to encrypt. The key
ostensibly consists of 64 bits; however, only 56 of these are
actually used by the algorithm. Eight bits are used solely for
checking parity, and are thereafter discarded. Hence the
effective key length is 56 bits, and it is usually quoted as
such. DES is now considered to be insecure for many
applications, mainly due to the DES 56-bit key size being too
small. DES keys have been broken in less than 24 hours. There
are also some analytical results that demonstrate theoretical
weaknesses in the cipher. The algorithm is believed to be
secure in the form of Triple DES (3DES), although there are
theoretical attacks that break 3DES. In recent years, the
cipher has been superseded by the AES. Symmetric Encryption:
3DES
3DES, or Triple DES, is a block cipher that was
formed from the DES cipher. 3DES was developed by Walter
Tuchman (the leader of the DES development team at IBM) in 1978
and is specified in FIPS Pub 46-3. There are several ways to
use DES three times; not all ways are 3DES and not all ways are
as secure as 3DES. 3DES is defined as performing a DES
encryption, then a DES decryption, and then a DES encryption
again. In the evolution from DES to 3DES, the obvious skipping
of the middle step of Double DES needs to be explained. 2DES
was rendered ineffective due to a type of attack known as the
meet-in-the-middle attack. The meet-in-the-middle attack is a
brute force search done from both ends of the 2DES key. The
first operation encrypts plain text with all possible DES keys,
and second decrypts the product cipher text with all possible
DES keys while looking for matches. When a match is found, the
attacker has both keys in Double DES. To overcome this attack,
a third DES operation was added. Thus, while 3DES has a key
length of 168 bits (three 56-bit DES keys), its effective key