Cryptographic Solutions

I believe it is safe to claim that our moms were among the early adopters of encryption, with their "coded" ways of interacting with their children, ensuring their messages, particularly warnings, can only be understood by you. This can be achieved by winking the eyes, giving some type of facial expression, and so on. A wonderful scenario in which a visitor gives me a gift, my mother's "type of look or laughter" serves as a disguised communication, instructing me to gracefully decline the offer. At this time, she would persuade me to accept the gift, saying, "Timi, take it" before going on to tell the guest, "She's just a shy person!" Despite her prodding, my response should be firmly "No, thanks," as I discreetly hunt for the nearest exit to leave the situation.

In this analogy, my mother’s laughter/type of look and her words represent the encrypted message. To an outsider, it may seem like a lighthearted interaction, but for me, it carries a clear directive that only I understand. Similarly, encryption works by encoding information so that only those with the correct key or understanding can access the original message.

In this post, we will be discussing different cryptographic solutions. Stay Tuned!!!

First, what is cryptography?

Cryptography is the use of mathematical techniques to encrypt and decrypt information, transforming data for the purpose of preventing unauthorized access and ensuring only the intended recipient can read it.

Public key infrastructure (PKI)

Public Key Infrastructure (PKI) is a framework for managing digital keys and certificates to ensure secure and reliable digital communications.
It includes the hardware, software, procedures, and policies required to generate, distribute, use, store, and revoke digital certificates and public keys.

Simply put, PKI is the technology used to authenticate users and devices in the digital world.

Why do we need PKI?

PKI is needed to protect sensitive information, such as financial transactions, from unauthorized access, verify identities by functioning as a digital passport to prevent fraud and impersonation, encrypt data to keep communications confidential and unaltered, ensure compliance with data security regulations, and support secure e-commerce and the Internet of Things (IoT) by providing necessary tools for digital signatures and encryption.

Now, let us go over the key components of PKI

Public key: This is an openly distributed cryptographic key, It is used to validate digital signatures and encrypt information so that only the designated recipient may decrypt it using their private key.

Private key: A private key is a secret cryptographic key only known to the owner. The matching public key can be used to decrypt data or create digital signatures. It is kept confidential to maintain the integrity and security of digital communications.

Key escrow: This is a security measure where cryptographic keys are stored with a trusted third party. This approach makes it possible to recover keys in the event of a loss, ensuring that access to digital signatures or encrypted data can be regained as needed.

So we've been hearing the word Cryptography Key and don't seem to understand what it means.

A key is a string of characters used to change data presentation to make it seem random. It locks (encrypts) data, just like a real key, so that only the appropriate key can unlock (decrypt) it.

Encryption

Encryption is a data security technology that uses a cryptographic algorithm to convert readable data, or "plaintext," into an encoded format called "ciphertext." It ensures that data remains unreadable to unauthorized users and can only be accessed or processed after being decrypted with a specific cryptographic key.

Why do we need encryption?

Encryption helps prevent data breaches whether the data is in transit or at rest (e.g., if a corporate device is lost or stolen and its hard drive is properly encrypted, the data will remain secure), it prevents malicious behavior like on-path attacks, ensures compliance with regulatory standards like HIPAA, NDPR, and GDPR, and provides authentication to verify legitimate entities. Encryption ensures that no one can read communications or data at rest except the intended recipient or the rightful data owner.

Ever heard of the different states of data? Let's go over them, shall we?

Data at rest: This is data in storage, that is not being accessed(in use) or transferred(in motion)

Data in motion: is data moving between systems or locations

Data in use: This is data that is being accessed, modified, processed, and read by a system

Now, let us go over the 6 levels of encryption which answer to protecting data at rest

Full-disk: Full-disk encryption (FDE) secures data at rest by encrypting the entire physical storage device, including SSDs and hard disks, while protecting its metadata. It ensures that all data on the storage device is encrypted. BitLocker and FileVault are two examples of solutions that use FDE. it ensures that data on servers, PCs, and laptops remains secure even if the device is stolen.

Partition: This is encryption of specific partitions of a disk instead of the whole disk, permitting selective encryption of some partitions while leaving others unencrypted. it is useful to protect sensitive data in a partition.

File: This level of encryption is achieved with third-party programs or Microsoft's EFS (Encrypting File System), which encrypts individual files or folders without compromising the security of the system's other data.

Volume: Volume encryption secures an entire logical volume or virtual disk, which is commonly used in virtual machines or storage devices, by encrypting certain files or directories within that volume.

Database: Database encryption uses symmetric keys to provide transparent encryption, protecting sensitive data by encrypting the entire database. It can also be applied at the column, row, or table levels to protect data from transmission and unauthorized access.

Record: Record encryption uses different symmetric keys to encrypt each column within a database or file, providing greater protection.

we aren't neglecting encryption methods for data in motion, are we? let's go over them

Transport/communication Encrption: This type of encryption secures data as it travels across networks. here are key transport encryption methods/Protocols:

SSL (Secure Sockets Layer) and TLS (Transport Layer Security): encrypt data to secure network communications, such as web browsing (HTTPS) and email, with TLS being the updated, more secure successor to the outdated SSL.

IPSec (Internet Protocol Security): secures IP communications by authenticating and encrypting data packets at the network layer, commonly used in VPNs to protect data sent over the internet.

VPN(Virtual Private Network): VPNs create a secure, encrypted connection over the internet to protect all transmitted data and are used for secure remote access and privacy, with client-based VPNs using SSL/TLS and site-to-site VPNs using IPsec

we have discussed what encryption is, its use, and different methods of encrypting the different states of data, now let's discuss the 2 different types of encryption

Asymmetric/ Private Key Encryption: uses a single key for both encryption and decryption, is faster and has less computation overhead, but requires secure key distribution and lacks non-repudiation

Symmetric/Public Key Encryption: uses different keys (public and private) or encryption and decryption, where the public key can be shared freely and the private key remains secret, it is slower with more computational overhead than symmetric encryption.

When choosing an encryption method, several key factors should be considered

Key exchange: Securely sharing encryption keys is important, especially over insecure mediums. This can be done through out-of-band methods like using a telephone or courier for physical transfer, or in-band methods such as asymmetric encryption to transmit symmetric session keys. Real-time encryption demands fast, ephemeral keys, which must be carefully managed. Key exchange protocols such as Diffie-Hellman and Elliptic-Curve Diffie-Hellman (ECDH) enable secure key agreements.

Algorithms: An encryption algorithm is the mechanism used to change data into ciphertext. An algorithm will use the encryption key to alter the data predictably so that even though the encrypted data will appear random, it can be turned back into plaintext by using the decryption key.

Key length: Key length, measured in bits, determines the security of encryption algorithms, with longer keys offering stronger protection, especially against brute force attacks; symmetric encryption commonly uses 128 bits or a little higher, while asymmetric encryption employs much larger keys of 3,072 bits or larger.

Some common symmetric encryption algorithms include:

DES (Data Encryption Standard): Uses a 64-bit key (56 effective bits) to encrypt data in 64-bit blocks.

AES (Advanced Encryption Standard): Replaced DES and 3DES and supports 128, 192, or 256-bit keys and block sizes, and used for sensitive unclassified information.

Blowfish: has key sizes from 32 to 448 bits, developed as a DES replacement but not widely adopted

Some common asymmetric encryption algorithms include:

Diffie-Hellman: Used for secure key exchange and distribution over insecure channels, therefore it is commonly used in VPNs (IPSec).

RSA (Rivest-Shamir-Adleman): used in multi-factor authentication and Digital signatures. it works off the factorization of the product of two large prime numbers

Elliptic Curve Cryptography (ECC): Efficient and secure, based on elliptical curve mathematics, used in mobile and low-power devices.

Different Tools for Encryption

Trusted Platform Module (TPM): is a hardware-based security component designed for the secure storage of keys, passwords, and other sensitive data. It performs encryption and digital signing, features versatile memory for securely storing BitLocker keys and hardware configuration information, and is commonly used in BitLocker drive encryption for Windows devices while also offering protection against dictionary attacks.

Hardware security module (HSM): is a physical device designed to protect, store, and manage digital keys, it performs encryption and decryption while ensuring key security and regulatory compliance, often used in mission-critical scenarios like financial transactions and large environments with clusters and redundant power.

Key management system: is a centralized solution for managing the entire lifecycle of cryptographic keys, including their creation, storage, rotation, and destruction, ensuring efficient and secure key handling to protect data and prevent unauthorized access, while automating key management tasks and integrating with various systems to enforce encryption policies.

Secure Enclave: is an isolated coprocessor within a device that handles sensitive data and operations securely by providing extensive security features such as real-time memory encryption, monitoring system boot process, and root cryptographic keys, while being isolated from the main processor to protect sensitive data and prevent unauthorized access to devices.

Obfuscation

Obfuscation is the process of making data difficult to read or analyze by concealing it in plain sight or hiding it within other mediums.

Let us go over different obfuscation methods

Steganography: involves hiding data within other media such as images, audio, or video to make the message invisible but present, techniques include embedding messages in TCP packets, images, or modifying digital audio and video files, and is often used with encryption to enhance security while being challenging to detect due to its obscurity.

Tokenization: involves replacing sensitive data with non-sensitive placeholders. Unlike encryption and hashing, tokenization does not mathematically link the original data to the token, lowering the risk of sensitive data exposure during transactions. It is commonly used in payment systems and credit card processing to protect actual card details and meet security standards.

Data masking: is the process of masquerading original data to conceal sensitive information while keeping its authenticity and usability. It is widely used in testing environments, particularly for software development. Data masking is common in sectors that handle personal information, where it covers sensitive data such as credit card digits and social security numbers.

Hashing

Hashing is the process of converting data into a fixed-size string of characters known as a hash value or digest, which is then used to verify data integrity and assure security. Strong and widely used algorithms include SHA256, while MD5, despite being less secure, is still employed for compatibility.

Hashing is a one-way function, so the original data cannot be recovered from the hash. It is used for securely storing passwords and ensuring the integrity of downloaded data or files. A hash can also be used as a digital signature to ensure authenticity, non-repudiation, and integrity.

A hash function generates a unique digest for every input. A collision happens when two separate inputs provide the same hash value. MD5 is known to cause collisions and is not recommended for use in secure applications.

Salting

Salting is a security technique that adds random data (salt) to passwords before hashing, which guarantees that even identical passwords create different hash values and defend against attacks such as rainbow tables and brute-force attacks.

Digital Signatures

Digital signatures use a hash digest encrypted with a private key to authenticate the sender, verify the message's integrity, and ensure non-repudiation, with the recipient decrypting the signature with the sender's public key to confirm that the message was not altered and that the signature is genuine.

Key stretching

Key stretching is a technique that strengthens a weaker key by generating longer, more secure keys (at least 128 bits), thereby increasing the time required to crack the key, and is utilized in systems such as Wi-Fi Protected Access, Wi-Fi Protected Access version 2, and Pretty Good Privacy

Blockchain

Blockchain is a distributed ledger that tracks transactions through a shared immutable ledger, with each block containing the previous block's hash, a timestamp, and hashes of individual transactions, ensuring trust, transparency, and chronological order. It is widely used in cryptocurrencies such as Bitcoin and for payment processing, digital identification, supply chain monitoring, and digital voting.

Open public ledger

A public ledger is a secure and anonymous record-keeping system that protects users' identities, tracks cryptocurrency balances, and records all legitimate transactions inside a network.

Digital Certificates

Digital certificates are digitally signed electronic documents that link a public key to a user's identity and are used across individuals, servers, workstations, and devices. They follow the X.509 standard and include details such as the certificate holder's name, public key, serial number, version, signature algorithm, issuer, and extensions, with trust established through Certificate Authorities in a PKI system or a Web of Trust, and can be created through operating system or third-party options.

let us go over the concepts of issuing digital certificates

Certificate authorities: A Certificate Authority (CA) is a trusted third party that issues digital certificates, verifies certificate requestors' identities, and links their identities to a public key, with the certificate containing the CA's information and digital signature; this trust model ensures that certificates can be relied on for secure connections to websites and other entities as long as the CA is trusted, allowing for real-time verification of authenticity.

Certificate revocation lists (CRLs): Certificate Authorities (CAs) maintain a Certificate Revocation List (CRL), which consists of certificates that have been revoked before their expiration date, therefore preventing the use of compromised or outdated certificates; it is frequently updated with new revocations.

Online Certificate Status Protocol (OCSP): OCSP (Online Certificate Status Protocol) is used to check the real-time status of a digital certificate, enabling clients to query an OCSP responder for certificate validity rather than downloading a CRL, which is more efficient; OCSP stapling improves this by having the certificate holder regularly retrieve the OCSP status from the CA and include it in the SSL/TLS handshake, improving performance and reducing the load on CA servers.

The root of trust: The root of trust is the highest level of trust in a certificate validation hierarchy, established through a root certificate issued by trusted third-party providers like Verisign or Google It may include various components such as hardware security modules (HSMs), secure enclaves, and certificate authorities, ensuring trust in IT security.

Certificate signing request (CSR)generation: A Certificate Signing Request (CSR) is a unit of encoded text containing information about the entity requesting the certificate, including their public key, which is sent to a Certificate Authority (CA) for validation and signing, while the requester retains control of the private key; the CA verifies the request, confirms ownership details, and returns the signed certificate to the applicant.

let us go over some Types of Digital Certificates

Self-signed: Self-signed certificates are digital certificates signed by the same entity whose identity they validate; they provide encryption but lack third-party trust and are used for internal purposes or testing; for more general internal use, organizations can build their own CA, issue self-signed certificates, and install the CA certificate on all devices to create a trusted internal certification chain.

Third-party: Third-party certificate authorities (CAs) are built into browsers and systems, enabling you to obtain a web certificate that will be widely trusted. These CAs are in charge of verifying the certificate request, including confirming the certificate owner's identity, making them the preferred choice for public-facing websites due to their high credibility and recognition.

Wildcard: A wildcard certificate secures several subdomains with a single certificate, making maintenance easier and less expensive; nevertheless, if the wildcard certificate is compromised, all related subdomains are affected. likewise, the Subject Alternative Name (SAN) extension in X.509 certificates can list several domain names or subdomains, whereas a wildcard domain certificate covers all subdomains under a specific domain, such as *.cyvally.com.