S 3.23 Introduction to basic cryptographic terms

Initiation responsibility: IT Security Officer, Head of IT

Implementation responsibility: Head of IT, IT Security Officer

The use of crypto products can result in additional effort for the users or, depending on the complexity of the products used, even require in-depth knowledge. Therefore, all employees who are to use cryptographic procedures and products should be made aware of the value and necessity of cryptographic procedures and introduced to basic cryptographic terms. Of course, this applies especially to those who are to create a crypto-concept and/or select, install or support crypto products.

The following text is supposed to provide a basic understanding of the essential cryptographic mechanisms. In the following, examples are used to explain in which situation which cryptographic technique can be used.

Cryptography elements

Mathematical methods and techniques that can be used to protect information against unauthorised acquisition and/or deliberate manipulations are referred to as cryptographic methods and techniques. The protection of information applying cryptographic procedures is in contrast to infrastructural and technical security safeguards of mathematical-logical nature.

For cryptographic procedures, a mathematical arithmetic procedure, i.e. an algorithm, is implemented into a concrete technique. Its efficiency is based on the fact that a potential attacker cannot solve a certain mathematical problem, and this not because of a lack of skills, but due to a lack of knowledge of very specific "key" information.

Cryptographic procedures always refer to the following situation: A sender A (as is usual in cryptography, referred to as "Alice") sends a message to a recipient B (referred to as "Bob") using an insecure channel.

Here, senders and recipients can also be identical; in this case, "channel" refers to any transport medium. When encrypting local data, the sender and recipient are of course identical; in this case, "channel" refers to the storage medium.

Basic cryptographic objectives

Due to theoretical and practical considerations, a distinction is made between four basic cryptographic objectives:

It is obvious that there are relationships between these objectives, but one basic understanding of modern cryptography is the following: Ensuring confidentiality and/or authenticity are independent basic objectives of a cryptographic system: Authentication limits the group of potential senders of a message, whereas non-disclosure restricts the group of potential recipients.

The essential cryptographic procedure to protect confidentiality is encryption, the essential procedures to ensure integrity, authenticity and non-repudiation are hash functions, Message Authentication Codes (MACs), digital signatures and cryptographic logs. In the following, the individual cryptographic concepts are presented briefly.

I. Encryption

Encryption (coding) transforms a clear text depending on an item of additional information (known as the key) into a corresponding secret text (cipher text or enciphered text), which should not be decryptable for anyone not in possession of the key. The reverse conversion - restoring the clear text from the cipher text - is known as decryption or decipherment. In all modern encryption algorithms, clear texts, secret texts and keys are available as bit sequences in each case.

To be able to be used in practice, encryption algorithms must fulfil the following minimum requirements:

The requirement of decipherment resistance must always be taken into consideration based on the current technical and mathematical possibilities. When assessing encryption algorithms, it is important that it should be virtually impossible at the time of use to decrypt the cipher text without knowing the key, i.e. not using the then available technique within an acceptable period of time.

When A and B want to set up a confidential connection, they proceed as follows:

There are two classes of ciphering procedures:

Symmetric encryption procedures use the same key both for encryption and for decryption. Thus, symmetric procedures are sometimes also referred to as "one-key" procedure, since knowing one key is sufficient to be able to cipher and decipher.

Well-known symmetric encryption procedures are, for example, DES, Triple-DES, IDEA or RC5.

For symmetric procedures, a further distinction is made between stream ciphers and block ciphers.

For stream ciphers, the key is used to generate a bit sequence looking as randomly as possible (a bitstream) that is added to the clear bit sequence (modulo 2). The clear bit sequence is thus encrypted bit by bit (adding key stream bits). For the security of stream ciphers, it is essential that two (different) messages are never encrypted using the same key stream; this must be ensured by means of special safeguards (synchronisation information in the form of a message key). Examples of stream ciphers are RC4 and SEAL.

Ciphering
Figure: Ciphering

For block ciphers, however, an entire block of bits is encrypted in every encryption cycle; today, this block usually amounts to 64 bits. Most symmetric encryption procedures are block ciphers; they also include DES, IDEA or RC5. For block ciphers, a number of operating modes are defined (and standardised). These modes include:

When applying symmetric procedures, it must be generally taken into account that the key(s) has(have) been previously exchanged between the communication partners. The keys must be exchanged using a secure channel (e.g. courier, personal handover) and both parties must keep the key secret afterwards. There are different secure key exchange procedures. In closed systems, the keys can be usually exchanged without any problems, since "secure channels" are available in most cases. In open systems with a large number of communication partners, exchanging the keys is more difficult. In general, however, there is the problem that a corresponding number of keys must be exchanged prior to the actual communication if there is a large number of potential communication partners and that the potential communication partners must be known in advance.

Asymmetric (public key) ciphering procedures, however, use two different (but mathematically related) keys: a "public" key for encryption and a "private" key for decryption. Here, the key pair must have the following characteristic: For all persons who know the "public key", it must be virtually impossible to determine the associated "private key" or to decrypt a message encrypted using the "public key".

Asymmetric encryption has thus an "one-way" characteristic: A message cannot be restored if the "private key" was forgotten or deleted.

The designation "public key" encryption is due to the fact that the "public key" can be made public without compromising the security of the procedure. The "private key", however, must be kept secret.

If Alice now wants to send a message Bob in encrypted form, Alice gets Bob's public key from a freely accessible file and encrypts the message using this key. Upon receipt of the message, Bob uses his secret key to decrypt the message received by Alice. When Alice and Bob use an asymmetric procedure for confidentiality purposes, they do not require a secure channel for exchanging the keys, but Alice must be sure that she actually uses Bob's public key and not a false key made available to her as Bob's key If Alice encrypted a message with a false key made available to her, the perpetrator knowing the suitable secret key would be able to decrypt the message. In general, the sender needs the confirmation by a trusted third party that the public key of the recipient actually belongs to the latter. In general, this confirmation, the "certificate", is also generated by a cryptographic procedure and added to the public key.

Two known asymmetric encryption procedures are the RSA procedure (named after the inventors Rivest, Shamir, Adleman) and the class of ElGamal procedures. The last class of procedures also includes encryption procedures based on elliptic curves.

To some extent, symmetric and asymmetric ciphering procedures have complementary advantages and disadvantages:

Advantages of (good) symmetric procedures:

Disadvantages of symmetric procedures:

Advantages of (good) asymmetric procedures:

Disadvantages of asymmetric procedures:

Hybrid procedures try to combine the advantages for both types of encryption: They use asymmetric encryption to transmit a session key for a symmetric procedure and encrypt the mass data applying the symmetric procedure. The session key is usually only used for a session (transmission) and destroyed afterwards. Depending on the circumstances, the asymmetric key pair is used for a long period of time.

II. Integrity protection

The goal of integrity protection is to ensure that a recipient of a message can determine whether they have received this message in an unaltered form. The basic principle of integrity protection is to send the message in an unencrypted and unchanged manner, but, at the same time, to also send along certain control information, allowing the recipient to check the integrity of the actual message. This requires, however, that the recipient receives the control data without any manipulation. Thus, the following conditions must be fulfilled for this control data:

To calculate the control information, two procedures are typically used: hash functions and Message Authentication Codes.

A (one-way) hash function is a data transformation with the following characteristics:

Using a hash function known to both communication partners, A and B can check the integrity of a message: Alice hashes her message and transmits it and the hash value to Bob in such a way that the integrity of the hash value is ensured. Bob also hashes the received message and compares his result with the hash value provided by Alice. If both values are identical, he can assume that no bit of the message has been changed.

A Message Authentication Code (MAC) is a cryptographic checksum to protect messages, i.e. it is a data transformation, in which a secret key with the following characteristics is additionally included in the calculation:

If Alice and Bob have a MAC and a shared, secret MAC key, Alice authenticates her message simply by calculating the MAC value of the message and sending it together with the message to Bob. Bob, in turn, calculates the MAC value of the received message using the MAC key that is also known to him. If this value is identical to Alice's value, he can assume that the message is authentic (i.e. that it was not changed and actually sent by Alice). Alice has thus authenticated her message towards Bob using the key which is only known to her and Bob.

MACs are often created based on symmetric ciphering procedures. The best-known method is the encryption of a message using DES or another block cipher procedure in the CBC or CFB mode. In this case, the last block encrypted is appended to the message as the MAC. In addition, however, there are also MACs that are not based on ciphering procedures. The MAC value of a message can be considered to be a key-dependent, cryptographic checksum of this message ensuring integrity protection. When applying MACs for authentication purposes,

it is necessary that both parties protect the secret authentication key in a reliable manner. As a side effect of integrity protection, the recipient of the message is able to check at the same time using the procedures outlined above that the message verified to be free from any manipulation could only be sent by the actually known sender. This conclusion can be drawn, since only this sender knows the key required for encryption and/or determining the control information.

III. Proof of authenticity

For the authentication of users towards communication partners/IT systems and/or clients towards servers, the following requirements must be met:

For this purpose, procedures are required allowing all persons involved to clearly determine the identity of their communication partners. This includes a time aspect: Alice wants to convince Bob in "real time" that she is actually communicating with him. The main technique for this type of authentication are cryptographic challenge response logs.

Here, Bob sends data to Alice and asks her to provide him with proof (challenge), on the possession of a secret (i.e. a key information) and Alice demonstrates this possession to him without disclosing the secret itself by sending him an answer that is dependent on the secret ad his challenge (response). Bob, in turn, checks on the basis of Alice's answer that the correct secret was actually used for the calculation of the answer.

For "strong" authentication, the challenges must not be repeated. For challenge-response procedures, both symmetric and asymmetric techniques can be used.

Example: Alice and Bob agree upon a symmetric encryption procedure and a shared cryptographic key in advance. For authentication, Bob sends a random number to Alice as challenge. Alice, in turn, encrypts this random number using the shared secret key and sends the result back to Bob. In the next step, Bob decrypts the message and compares whether the result is identical to the random number previously selected by him. If they are identical, it is indeed Alice, because only she knows the secret key.

IV. Digital signature

The cryptographic construct of a digital signature serves the goal of being able to use an equivalent to the handwritten signature for digital files and messages. For this purpose, several of the cryptographic procedures explained above such as hash functions and asymmetric procedures are combined. The essential prerequisite for digital signatures is that each participant has only one secret know to them, with which they can create a digital signature for any files. Based on public information, it must be possible to check this digital signature.

In this context, a digital signature constitutes special integrity protection with additional particularities. A digital signature is an item of check information appended to a message or file and associated with the following characteristics:

If it is also possible to verify the digital signature based on the publicly accessible information, the integrity of the signed file is ensured on the one hand and the non-repudiation on the other hand, because only the person who can be clearly assigned the digital signature has been able to create this signature based on their secret information. It should be noted that different files can also result in different digital signatures and that smallest changes to the files can result in signatures that cannot be verified.

Example: A widely used procedure for digital signatures is the reverse application of the RSA procedure. In this case, each participant only has one secret signing key known to them. Verification key certificates in which the suitable public key and information on the owner of the suitable secret signing key are linked with each other so that it cannot be altered can be publicly accessed. These certificates are issued by trusted bodies which have checked the participants' personal data in advance.

To calculate and check a digital signature for any file, the following steps are taken:

It must be stressed that digital signatures only ensure the goals of integrity and non-repudiation, but do not guarantee the goal of confidentiality in no way. A digitally signed message is transmitted in clear text; if it is confidential, it must be additionally encrypted.

If a digitally signed file contains a declaration of intent of the signing person, this declaration of intent can be undeniably attributed to the signing person based on the signature, even before court if necessary.

The used verification key certificates, in turn, are themselves digitally signed files by the trusted body that can be checked analogously and provide information on the verification key and the person having the respective suitable secret signing key.

Please note the differences between MACs and digital signatures:

With Article 3 of the Information and Communication Services Act (Federal Law Gazette 1879, Part 1, 1997), a Digital Signature Act came into force for the Federal Republic of Germany. This Act regulates which security requirements have to be met by the technical components used for digital signatures and which tasks certificate authorities issuing the verification key certificates have. In addition, it is regulated how the required security of the components and certificate authorities is checked. Ultimately, digital signatures are also conceded a high level of security before court in accordance with the Signature Act.

Key management

Whenever using encryption, it is necessary to manage the keys appropriately. The question arises how

are carried out during the entire life cycle of the keys. The key management can and will usually also make use of cryptographic techniques. It must be carried out for all of the crypto modules of a security system based on cryptography. Secret keys must be protected against unauthorised disclosure, modification and replacement. Secret keys must be protected against unauthorised modification and replacement. An appropriate key management is the prerequisite to ensure that information can be protected by means of cryptographic procedures at all. Key management needs resources specifically dedicated to this task!

Certificate authorities

Trust centres and/or certificate authorities are required whenever you want to use asymmetric cryptographic procedures for the digital signature or for encryption for a number of participants that is no longer manageable. Such procedures require another key for generating signatures and/or encryption than the key required for checking signatures and/or decryption. For this purpose, a key pair of corresponding keys is generated in a user-related manner. A key, referred to as public key, is publicly disclosed. The other key, referred to as private key, must be kept secret under all circumstances. Using the private key, and only using this key, a digital signature can be generated and/or a text decrypted and verified and/or encrypted using the corresponding public key, and only using this key. If you want to ensure the authenticity of the public keys and the secure assignment of the keys to persons, trust centres / certificate authorities already mentioned above confirming the assignment of a person to a public key by means of a certificate are required.

Typically, the following tasks are carried out in such certificate authorities:

In addition to this, trust centres can also offer the storage of keys as a service, when the cryptographic keys are to be used for encryption. In order to be still able to access the encrypted data when a key was lost, the owner of the key (and only the owner of the key) can receive a key duplicate that is stored securely in the trust centre.

Key distribution centres

The security of symmetric encryption procedures depends on whether the shared secret key is only known to the users authorised to access the protected information. With respect to the protection of stored data which is only to be accessed by its owners, this can be ensured relatively easily, as this owner must only protect the key in such a way that unauthorised persons cannot access it.

However, matters are quite different when messages to be transmitted by a sender to a recipient via an insecure transmission medium are to be protected using a symmetric encryption procedures. In this case, the secret key must be available to both the sender and the recipient, i.e. it must be possible to exchange the information between the two communication partners in a protected manner. In practice, this is often realised by the encrypted distribution of communication keys by key distribution centres (KDCs), in which case entire hierarchies of keys depending on each other from a security point of view are created. The procedures used in this context are sometimes very complex and depend on various components regarding their security, especially on the physical, organisational, personnel and technical security of the KDCs and the keys agreed upon with the KDCs for communication.

Compromising a secret key, i.e. its disclosure towards an unauthorised third party, results in the loss of the confidentiality of all data the encryption of which was carried out using this key and/or depends on this key. This is especially critical if one of the central keys of a key distribution hierarchy was compromised.

Use of cryptographic procedures

When used properly, cryptographic procedures are ideally suited to ward off the following threats:

Using only cryptographic procedures, however, is not sufficient to ward off all threats.