Encryption and Public Key
Infrastructures
The previous methods of access and flow
control, despite being strong control measures, may not be able to protect
databases from some threats. Suppose we communicate data, but our data falls
into the hands of a nonlegitimate user. In this situation, by using encryption
we can disguise the message so that even if the transmission is diverted, the
message will not be revealed. Encryption
is the conversion of data into a form, called a ciphertext, which cannot be easily understood by unauthorized
persons. It enhances security and privacy when access controls are bypassed,
because in cases of data loss or theft, encrypted data cannot be easily
understood by unauthorized persons.
With this background, we adhere to following
standard definitions:
·
Ciphertext: Encrypted (enciphered) data.
·
Plaintext (or cleartext): Intelligible data that has meaning and can be
read or acted upon without the
application of decryption.
·
Encryption: The process of transforming plaintext into ciphertext.
·
Decryption: The process of transforming ciphertext back into plaintext.
Encryption
consists of applying an encryption algorithm to data using some prespecified
encryption key. The resulting data has to be decrypted using a decryption key
to recover the original data.
1. The Data Encryption and Advanced Encryption
Standards
The Data
Encryption Standard (DES) is a system developed by the U.S. government for
use by the general public. It has been widely accepted as a cryptographic
standard both in the United States and abroad. DES can provide end-to-end
encryption on the channel between sender A
and receiver B. The DES algorithm is
a careful and complex combination of two of the fundamental building blocks of
encryption: substitution and permutation (transposition). The algorithm derives
its strength from repeated application of these two techniques for a total of
16 cycles. Plaintext (the original form of the message) is encrypted as blocks
of 64 bits. Although the key is 64 bits long, in effect the key can be any
56-bit number. After questioning the adequacy of DES, the NIST introduced the Advanced Encryption Standard (AES). This algorithm has a
block size of 128 bits, compared with DES’s
56-block size, and can use keys of 128, 192, or 256 bits, compared with
DES’s 56-bit key. AES introduces more possible keys, compared with DES, and
thus takes a much longer time to crack.
2. Symmetric Key Algorithms
A symmetric key is one key that is used for
both encryption and decryption. By using a symmetric key, fast encryption and
decryption is possible for routine use with sensitive data in the database. A
message encrypted with a secret key can be decrypted only with the same secret
key. Algorithms used for symmetric key encryption are called secret-key algorithms. Since secret-key
algorithms are mostly used for encrypting the content of a message, they are
also called content-encryption
algorithms.
The major liability associated with secret-key
algorithms is the need for sharing the secret key. A possible method is to
derive the secret key from a user-supplied password string by applying the same
function to the string at both the sender and receiver; this is known as a password-based encryption algorithm. The
strength of the symmetric key encryption depends on the size of the key used.
For the same algorithm, encrypting using a longer key is tougher to break than
the one using a shorter key.
3. Public (Asymmetric) Key Encryption
In 1976, Diffie and Hellman proposed a new kind
of cryptosystem, which they called public
key encryption. Public key algorithms are based on mathematical functions
rather than operations on bit patterns. They address one drawback of symmetric
key encryption, namely that both sender and recipient must exchange the common
key in a secure manner. In public key systems, two keys are used for
encryption/decryption. The public key
can be transmitted in a non-secure way, whereas the private key is not transmitted at all. These algorithms—which use
two related keys, a public key and a private key, to perform complementary
operations (encryption and decryption)—are known as asymmetric key encryption algorithms. The use of two keys can have
profound consequences in the areas of confidentiality, key distribution, and
authentication. The two keys used for public key encryption are referred to as
the public key and the private key. The private key is kept
secret, but it is referred to as a private
key rather than a secret key (the
key used in conventional encryption) to avoid confusion with conventional
encryption. The two keys are mathematically related, since one of the keys is
used to perform encryption and the other to perform decryption. However, it is
very difficult to derive the private key from the public key.
A public key encryption scheme, or infrastructure, has six ingredients:
1. Plaintext. This is the data or readable message that is
fed into the algorithm as input.
2. Encryption algorithm. This algorithm performs various transformations on the plaintext.
3. and 4. Public
and private keys. These are a pair of keys that have been selected so that
if one is used for encryption, the other is used for decryption. The exact
transformations performed by the encryption algorithm depend on the public or
private key that is provided as input. For example, if a message is encrypted
using the public key, it can only be decrypted using the private key.
5. Ciphertext. This is the scrambled message produced as
output. It depends on the plaintext
and the key. For a given message, two different keys will produce two different
ciphertexts.
6. Decryption algorithm. This algorithm accepts the ciphertext and the matching key and produces the original
plaintext.
As the name suggests, the public key of the
pair is made public for others to use, whereas the private key is known only to
its owner. A general-purpose public key cryptographic algorithm relies on one
key for encryption and a different but related key for decryption. The
essential steps are as follows:
·
Each
user generates a pair of keys to be used for the encryption and decryption of
messages.
·
Each
user places one of the two keys in a public register or other accessible file.
This is the public key. The companion key is kept private.
·
If a
sender wishes to send a private message to a receiver, the sender encrypts the
message using the receiver’s public key.
·
When the
receiver receives the message, he or she decrypts it using the receiver’s
private key. No other recipient can decrypt the message because only the
receiver knows his or her private key.
The RSA Public Key Encryption Algorithm. One of the first public key schemes was introduced in 1978 by Ron Rivest, Adi Shamir, and Len Adleman
at MIT and is named after them as the RSA
scheme. The RSA scheme has since then reigned supreme as the most widely
accepted and implemented approach to public key encryption. The RSA encryption
algorithm incorporates results from number the-ory, combined with the
difficulty of determining the prime factors of a target. The RSA algorithm also
operates with modular arithmetic—mod n.
Two keys, d
and e, are used for decryption and
encryption. An important property is that they can be interchanged. n is chosen as a large integer that is a
product of two large distinct prime numbers, a and b, n = a × b. The encryption key e
is a randomly chosen number between 1 and n
that is relatively prime to (a – 1) × (b – 1). The plaintext
block P is encrypted as Pe where Pe = P mod n. Because the exponentiation is
performed mod n, factoring Pe to uncover the encrypted
plaintext is difficult. However, the decrypting key d is carefully chosen so that (Pe)d mod n = P. The decryption key
d can be computed from the condition
that d × e =
1 mod ((a – 1) × (b – 1)). Thus, the
legitimate receiver who knows d
simply computes (Pe)d mod n = P and recovers P without having to factor Pe.
4. Digital Signatures
A digital signature is an example of using
encryption techniques to provide authentication services in electronic
commerce applications. Like a handwritten signature, a digital signature is a means of associating a mark unique to an
individual with a body of text. The mark should be unforgettable, meaning that
others should be able to check that the signature comes from the originator.
A digital signature consists of a string of
symbols. If a person’s digital signature were always the same for each message,
then one could easily counterfeit it by simply copying the string of symbols.
Thus, signatures must be different for each use. This can be achieved by making
each digital signature a function of the message that it is signing, together
with a timestamp. To be unique to each signer and counterfeit-proof, each
digital signature must also depend on some secret number that is unique to the
signer. Thus, in general, a counterfeitproof digital signature must depend on
the message and a unique secret number of the signer. The verifier of the
signature, however, should not need to know any secret number. Public key
tech-niques are the best means of creating digital signatures with these
properties.
5. Digital Certificates
A digital certificate is used to combine the
value of a public key with the identity of the person or service that holds the
corresponding private key into a digitally signed statement. Certificates are
issued and signed by a certification authority (CA). The entity receiving this
certificate from a CA is the subject of that certificate. Instead of requiring
each participant in an application to authenticate every user, third-party
authentication relies on the use of digital certificates.
The digital certificate itself contains various
types of information. For example, both the certification authority and the
certificate owner information are included. The following list describes all
the information included in the certificate:
The
certificate owner information, which is represented by a unique identi-fier
known as the distinguished name (DN) of the owner. This includes the owner’s
name, as well as the owner’s organization and other information about the
owner.
The
certificate also includes the public key of the owner.
The date
of issue of the certificate is also included.
The
validity period is specified by ‘Valid From’ and ‘Valid To’ dates, which are
included in each certificate.
Issuer
identifier information is included in the certificate.
Finally,
the digital signature of the issuing CA for the certificate is included. All
the information listed is encoded through a message-digest function, which creates the digital signature.
The digital signature basically certifies that the association between the
certificate owner and public key is valid.
Related Topics
Privacy Policy, Terms and Conditions, DMCA Policy and Compliant
Copyright © 2018-2023 BrainKart.com; All Rights Reserved. Developed by Therithal info, Chennai.