Introduction to Encryption - Terminology and Technology | Frank Hissen | Skillshare

Introduction to Encryption - Terminology and Technology

Frank Hissen, IT Security Development & Consulting

Play Speed
  • 0.5x
  • 1x (Normal)
  • 1.25x
  • 1.5x
  • 2x
13 Lessons (42m)
    • 1. Overview

    • 2. Motivation: Why do why encrypt?

    • 3. What does Encrypting mean?

    • 4. Basics: Symmetric and asymmetric Encryption

    • 5. Hybrid Encryption

    • 6. Password-based Encryption

    • 7. Algorithms

    • 8. Technical Parameters for Encryption I

    • 9. Technical Parameters for Encryption II

    • 10. Cryptographic Key Formats

    • 11. Encryption Programming Practice (Java example)

    • 12. File and System encryption

    • 13. Conclusion


About This Class


AES-128, Public Key, Certificates? What do symmetric and asymmetric encryption actually mean? Where are these used? This course provides a basic introduction to the field of encryption.

The course explains the common terminology but also the technical background. This course is right for everybody who wants to understand what encryption means in practice and what to watch out for.

If you care about data security and privacy you are already on the right track. This course can deepen your knowledge and turn your focus where to look at.

General background knowledge in IT is an advantage but not required.


1. Overview: Hello and welcome to the online course introduction to encryption terminology and technology. A few words about me. My name is Frank, isn't I'm a computer scientist from Germany. I am self employed and I have over 15 years experience in the area off information technology. I'm working equally as a consultant and the developer. I have over 10 years experience in I t security projects. And my main focus is application security as well as cryptography. The topics off this course I will give a basic introduction to encryption what encryption actually means and why we do it. Then I will explain what symmetric encryption and s symmetric encryption actually are. And I will explain what is important when it comes to password based encryption. We will see which kind of algorithms exists and take a deeper look at the technical para meters off these algorithms. I will say a few words about cryptographic keys and finally give a practical insight into file and system encryption systems. 2. Motivation: Why do why encrypt?: Why are we encrypting at all? Well, generally speaking, we want to protect private and business data from being accessed by unauthorized individuals. This applies in general for files images, your text declaration, customer data, master data, financial data, credit card data, business plans, blueprints whatever you can think off that is stored on a computer, unauthorized access can take place locally or remotely. Local would mean someone directly excesses your computer or laptop smartphone, tablet or a is D card, flesh card or USB drive. Remote access would be by sniffing into your Internet traffic YR. Http or your mail server or any data you have in cloud services or cloud storage is take surfing on the Web as an example. When you access a webpage, why your Web browser? You should be aware of that. About 10 visible hops are between your personal computer and an Internet server for a better understanding what it means to serve on the Internet. I want to demonstrate something. Therefore I opened a command console under windows. If you perhaps not know how to do that under Windows seven Ohio, you can press the windows button on your keyboard to open the start menu and type the letters C m D. Then you can simply start the program. Command prompt. Alternatively, you can press Windows Key plus power for run and again type CMD and press enter. Under windows, there exists the tool trace IRT, which is a trace routing tool. Using that tool, it is simply put possible to trace the route that an Internet pack. It goes from your computer to a certain Internet or Web server, and to display that route, I will not explain how this tool works in detail. Important for you understanding is if you surf on the Internet, your computer or device, it could also be a laptop smartphone. Tablet etcetera becomes part off the Internet so part off a computer network. If you open the website off a Web shop or online bank like Google or Amazon, you do not have a direct connection to their server or computer. However, there's a route from your computer to the corresponding server, which consists off different multiple computers, which forward the request off your computer. Let's take google dot com as an example, which is not only used for searches but also for Gmail and the Web master tools, etcetera. As you can see, the router off, my local network is called Fritz Box that is the first top from my PC to the fritz box. Next is my Internet service provider, and then there are many other service until, after a couple of steps, we finally reach the actual server off Google. If you look at this table, it is fair to say the six computers in between I do not know or recognize, but all these six computers get in contact with my Internet traffic. So think, for example, off making an online banking transaction. This is transmitted over all these computers. Be aware. Depending on the final computer you want to reach, there could be many more computers in between and at a different time. This could be totally different computers. These are not always the same. Routing on the Internet works dynamically in case one off the computers it's not available or there would be some faster route. Your next request would go a different route. Moreover, these computers between me and my destination are only the ones which can be traced and made visible by a trace route. There surely are various components in between that I cannot make visible at all. These computers could theoretically be Hecht or be administered by Roque system operators, etcetera. And this is the reason why you want your Internet traffic being encrypted here. I do not even talk about the current media courage off intelligence agencies accessing data off certain Internet services. 3. What does Encrypting mean?: now, what does encrypting actually mean? In general, you could say, make data unreadable for third parties. Only specific people or entities are allowed to read this data. I also include entities because we're maybe not talking about people but machine to machine communication. To make the data readable again, we use decryption. The decryption can take place just in memory. Take a password manager as an example. Passwords are only decrypted for a short amount of time and not permanently or a decryption could be permanently. For instance, when you decrypt a file archive, encrypting takes place on the basis off secret cryptographic keys. Technically speaking, in the ideal case, a plain text so unencrypted data becomes seemingly pure random data, which can only become readable again using the correct cryptographic key random data means , in fact, random numbers start buying a reform. Hence, through unauthorized access, nobody can tell anything about content or structure off the original data to get a better feeling for what encryption actually means. On the technical level, I want to demonstrate a file encryption. I will now use the open source to crack a crypt file to encrypt a simple plain text file the text file is called License. I will open it quickly in a normal text. Editor. As you can see, it is a simple text file containing a couple of paragraphs and this I will encrypt. Now I use a simple password based encryption. I am also using a very simple passwords, but that is not important here. And now we have here the encrypted file, which is also called License. I will know also open this file within the text editor to compare to the original file. The simple plan text file became a binary file. All the different black characters thes special characters are asking special and command characters. The editor I'm using is able to display these. The result off a binary analysis would be that this file contains only random numbers which are stored in binary form It, as you can see from this binary data, you cannot tell anything about the structure nor content off the original plain text file. This is exactly the purpose off encryption 4. Basics: Symmetric and asymmetric Encryption: Let's take a deeper look at encryption technologies. What does symmetric encryption actually mean? Most important, symmetric encryption means that encryption and decryption used the same secret key. The big advantage in practice off symmetric encryption is that it's very fast. The biggest problem off this kind of encryption is that exchanging the plane secret key is very hard. It cannot simply be transmitted over a insecure network because then anybody has access to this key. Then there is s a metric encryption, also known as public key encryption. Here, the encryption and decryption take place on the basis off a key pair. The key pair consists off the public key and the private key. The encryption is performed using the public key. The public key can be publicly read by anyone. Decryption is done using the private key. The private key has never to be shared by the owner. With anyone in practice, the big disadvantage off s symmetric encryption is that technically speaking, it's very, very slow. The big advantage is that exchanging the plane public key is very easy because there's set before the public E can be read by anyone. You can just encrypt something with this key. Nevertheless, it has to be ensured that a certain public he belongs to a certain identity or person. For instance, the center often email can easily be faked so someone could send you a public key claiming to be a certain person. If you would use that public key, you would encrypt sensitive data to the wrong person. One example for providing identity checks for public keys is the usage off signed certificates. There exists basically three approaches for public. He exchange direct exchange or direct trust PK I X and open PGP. In case off the direct exchange, the public key is transmitted in a simple way so directly and the verification off the public key ownership is performed manually by comparing a check some well, you, which was provided by the key owner in advance. The best example for this form off key exchanges as his H P K I X so PK eyes build upon X 509 certificates is the nowadays most commonly used public exchange. How does it work? The public key is embedded into a X 509 certificate, which is signed by a trusted certification authority. Also called C A. The C A has to be trusted by someone who wants to use this public key or the certificate. The certificate includes an identify off the key owner, for instance, an email address or a domain name. Best examples here are https So TLS or SSL, respectively, and as mine. The open PGP approach is also called the Web Off Trust. It allows everyone to sign keys in small groups of people. The trust works directly. However, in large groups like on an enterprise level, there are usually additional tools involved. These air used to ensure the key ownership. This is accomplished by using, for instance, a trusted LDF directory. Typical application examples here are PGP, new PG and, of course, most used email, encryption and signage, but file encryption as well. 5. Hybrid Encryption: having heard now about symmetric and asymmetric encryption. What is the actual used encryption scheme today while using the best off? Both worlds meaning symmetric and asymmetric encryption today were mostly using hybrid encryption. This is the standard encryption scheme off nearly all crypto systems. Today, for instance, https TLS passes L s mime broken P g, p s S H and S C P. How does this work? A symmetric session key meaning a dynamically generated key for every encryption process. A non permanent key. It's used to encrypt the actual data and then wrapped by public key encryption toe ensure only the appropriate recipient can decrypt the symmetric key and hence the actual data. So the decryption works in two steps. First, you have to decrypt the symmetric key using your private key. Then you have this session key to decrypt the actual data. So the advantages off this scheme are that the speed off symmetric encryption as well as the easy key distribution off s symmetric encryption can be used together. This all happens totally transparent for users. Take outlook as an example. If you want to encrypt an email using outlook, the end user can only see the certificate off the male recipients, but the actual encryption on the data is done using a symmetric encryption algorithm. This is how technology actually works, and you should be aware of that. For instance, you could see an iris. A 4096 certificate, which is a strong because very long are, is a key. But the actual encryption could be done using a discontinued cipher like RC four. This detailed configuration is much more known when you look at TLS or SSL configurations in Web service. Most security standards demand to adjust the TLS cipher suites that are configured within your Web server from all possible cipher suites. You usually want to de select all insecure Sisyphus using insecure algorithms. For instance, nowadays you want cipher suites providing perfect forward secrecy as the cipher suites, having priority number one for a better understanding. I want to illustrate hybrid encryption for a second, So let's say you have a plain text that you want to encrypt, and you have a public key in whatever form off recipient. You then create a symmetric key. You use the public key to encrypt this symmetric key, and to use the symmetric key to encrypt the plain text. So what you are transmitting over an insecure network is the encrypted encryption key. So the symmetric key and, of course, the encrypted message for the decryption. The recipient first has to decrypt the symmetric key using his private key. Then he can decrypt the actual message. Sometimes the term encrypted encryption key is confusing, but the symmetric key is the key that is used to actually encrypt data. So it's the encryption key, which itself becomes encrypted using public key encryption. 6. Password-based Encryption: Now, what does password based encryption mean? Password based encryption is usually used if you have no infrastructure, PK I or tokens off any kind. Password based encryption works solely symmetric, but the symmetric key is derived from a user password using additional algorithms. Secure password hashing involves secure hash functions and additional cryptographic schemes to mitigate brute force attacks on short and weak passwords. This also applies for password hashing in operating systems or for Web applications. For simple authentication, secure password hashing schemes involved salts and IT orations. We will take a look on the details year later. Also, most key file technologies use password based encryption to secure private keys stored in flat files. For instance, PK CIA's 12 files, or PGP, curing files. 7. Algorithms: Now that we've learned how these encryption schemes work, Basically what are common? Used algorithms in the case off symmetric encryption. This is A S, the advanced encryption standard. The algorithm is actually called Randall. The Randall algorithm was proposed for the so called A S Challenge. So was to fish and right now then became the advanced encryption standard. The two fish algorithm is also a secure algorithm. It just didn't make it to the A s standard. The same is true for serpent. Older algorithms are deaths triple deaths or cast five, which should not be used anymore if you don't need to. The most used s symmetric encryption algorithm is ours A which can also be used for digital signatures. There's another algorithm called Eric Hamada and for signatures only. There's also the DS A the digital signatures algorithm. Common hash functions are shar one and MD five, which should again not be used anymore if you don't need to. Up to date hash functions are the shot to family where, for instance, shar 512 is part off, or world pool, which was used, for instance, in true crypt, one of the most used and discussed password to key derivation functions is PB KD of two from the ARS, a standard p k CS five PB Katie of To Means Passport based Key derivation function words in two and one off the most prominent examples using this is true crypt and it's secure successes. 8. Technical Parameters for Encryption I: Now we want to take a more deeper look into the technology. What are para meters off the symmetric encryption? First of all, there's the ciphers, or algorithms. Block length asymmetric encryption algorithm is designed to encrypt a certain block off data with a specific length for instance, 16 bytes or 128 bits for A S. So a symmetric cipher is mathematically or cryptographic lee designed for exactly this block lengths. Only. Next there is the block saif remote or mode off operation, Knowing about the block length to encrypt an arbitrary size off data. A specific block cipher moat is used. The data to encrypt is chunked into blocks for the encryption process, following a specific scheme which has to be respected by the decryption process. Examples here are PCB or a CBC. Many modes of operation involved an initialization vector, or ivy, which is a vector off random data in block size. That is then combined with the encrypted blocks in a certain way to ensure the secrecy off repeating data patterns. So the background here is because we only encrypt blocks. We don't want repeating patterns in the plane source to be reflected in the encrypted data . This ivory is also a para meter for the encryption. And finally, of course, a symmetric key is needed, which is suitable for the corresponding algorithm in the case off A s. The key, for instance, has a size off 128 196 or 256 bits. In this case, a key can be seen as a random byte vector. In the case off s symmetric encryption. The perimeters are a little bit simpler because, as symmetric encryption is usually not used for actual data encryption. So what you need here is a key pair which is suitable for the corresponding algorithm in the case off ours A. This could be 2048 off 4096 pits. Please note A ours. A key pair is not a random byte vector like in the symmetric case s symmetric key pairs are mathematically depending on each other. They are derived using a special mathematical algorithm and what we actually call a private or public key are multiple mathematical perimeters which storage together. That is what we then called finally the private or public key. From that being said, you should realize that you can't say the longer the key the better. This is only true for a single algorithm, but you can't compare key length between different algorithms, for instance. And our Zaky is much longer than an A s key. But from that you can't compare the security off both skis because the algorithms work in a completely different way. Please also note that keys are usually created for a certain purpose. So in practice, for instance, signature keys and encryption keys or signature and authentication keys like for SSL client authentication are separated. Take PGP as an example. If you would take the sentence. I have a PGP key literally. You believe that you have technically a single key, but this is not the case. In fact, if you generate a PGP key and look in your key file, you will see that you have created multiple keys. There is indeed one so called master key whose idea is visible for you and used for communication. But there are also other keys being used transparently for the user in the background. Now, why is this so important? Let's say you have on SSL blind authentication key and eight Signature Key. The SSL client Authentication Key is used to authenticate against a certain Web server. This is done using a challenge response so the server sends a challenge to the client, which is signed, and as the response sent from your browser to that server. The challenge can contain arbitrary data. Now, if you're authentication, key would be your signature key. That would mean that the server in the case it's a Roque server could let you sign any data the server wants to. This is why your signature key will never be your authentication key, because your signature key is never allowed to be controlled externally or automatically. So, depending on the application context. If you want to sign something or for authentication or encryption, you use different keys. I want to illustrate symmetric encryption again using a schematic. If you want to encrypt the file off size and so often arbitrary size, this file would be encrypted block wise. Technically, this is no problem at all. The data stream belonging to the file will be red block wise, and after the amount of data that fits into a block, the data gets encrypted and stored into the encrypted file. This is repeated until the plain text file has been fully read the inverse process. The decryption works the same. A little problem happens at the end off the file, or if the whole file is even smaller than one block because in most cases, the file size and will not be an exact multiple of the block size. However, technically, this is not a problem. This will be solved as follows. The last block contains data which does not belong to the original file. This data is created using a so called petting algorithm so it can be easily removed. Uring decryption, a popular petting algorithm, is, for instance, P. K. C is seven. Just think of the data in the last block as specially marked data. As a result, the encrypted file is one or two blocks larger than the original file here. One should not get confused by the behavior off actual encryption tools. These usually use an additional compression before the actual encryption because encrypted data cannot be compressed well since it looks like random data. Hence, if you would use a file encryption, for instance, on a file that can be compressed very well. The encrypted file appears to be much smaller than the original file. However, the schematic here is still valid, so the used petting algorithm can also be seen as a specific para meter off symmetric encryption. Depending on the block, cipher, moat or motor off operation, the individual blocks will not be encrypted directly. But as explained before mathematically combined with an initialization vector, that means besides the actual encryption, further mathematical or cryptographic operations applied to each block. Additionally. 9. Technical Parameters for Encryption II: a technically deeper look on password based encryption. As I said before, Purcell based encryption involves a secure hashing scheme, toe hash a password and receive a cryptographic key. This hashing is not only valid for encryption but also for Web applications in general Web shops or even operating systems. What are components off? Password based encryption. First of all, of course. A secure and complex password. Please note. Even the most secure key deterioration scheme is useless for weak passwords. Next, we want to receive a specific key for a certain algorithm, so we want to have a certain key length and a specific type off key. The hashing scheme also involves a random rector off data off a certain length, which is called the Salt, and this will be combined with the plane password. A practical note. Every stored password hash has to be provided a fresh sold. So what you don't want to do is use. Let's say, a single salt for a whole application or user base. Then we need a certain iteration counts, which defines how many rehashing loops we have to perform on the password. And it's salt for the key derivation. So salt and it oration count are the key components off a secure password hashing scheme. These are used to mitigate brute force attacks on short and weak passwords. Please be aware this is very, very important that in practice, many password based encryption programs are getting advertised by claiming to perform strong A S 256 encryption. However, hackers always attack the weakest link. In this case, the weakest link is the password to key derivation. A secure password to key declaration is essential for the overall security off this encryption scheme. So if you don't know anything about the key Terry aeration off this application, you can't say anything about the oral security. Such a software should not be used. Moreover, there are valid password to key derivation algorithms. But the standard perimeters, like sold or iteration count, are not up to date. Take A s for zip archives as an example, the key to a relation specified in the zip standard is not considered to be broken. However, the standard is very old and the defaults provided in the standard is used by most applications. To date, using these defaults for an adequate security, you would need a 20 digits long true random password to gain a proper overall security. In any case, neither for passport based encryption nor for any Web application, you should use your own algorithm with salt and iteration count and a hash function to create password hashes. There are existing schemes specifically created by cryptography experts for these cases. 10. Cryptographic Key Formats: Technically, what are cryptographic keys? Keith can exist as software tokens and hardware tokens. Software tokens are usually key files. For instance, P. Casey is 12 is a common key file. Standard or open PGP key rings. Hardware tokens are typically smart cards used. Be based devices or HS EMS hardware Security modules. If you don't know about HS EMS, these can be seen as giant smart carts. Then, as we have seen, there are password based keys passed with based keys cannot be created security solely from a password, as we've seen before. The cryptographic para meters discussed before have to be stored as well. This can be done along with the encrypted data or separate, like in a database or again in a key file. Without these perimeters, the decryption is impossible because you cannot derive the key again, which has been used for the encryption. Please note that keys in suffer tokens like key files, are again secured using password based encryption. So your private PGP key, for instance, is secured. Using a past phrase. That pass phrase is the basis to securely store your private key into a file 11. Encryption Programming Practice (Java example): Now I want to show you a little bit more from the basic technical side off encryption. This is just that you get on idea or a glimpse off what's happening when encryption is done on the technical part, and maybe you get a better feeling or understanding how encryption works in practice. What you see here is a program written in Java, which is a programming language. It doesn't matter if you are a developer yourself. If you can program, that's not important. Right now. I will quickly go through the script on Bond. Then we'll finally run it, execute it. And so you can see what's the difference between playing text on encryption text and how the transformation might work. So what you see here is a character string, which means it's just the plain input, and that's hello and welcome to my encryption course. That's the character string. So the text that we want to encrypt, um, the next parts that are happening on that important we we, um, create an encryption key, which is 16 by its long. Then we choose a cipher object. That's let's say, the encryption algorithm that shall be used for our encryption, which is a s with some perimeters that you might have heard off by now and in a initialization vector. And then we and this important part, we just do the encryption on the plain text and will then print out the plain text, its length, the encrypted text. And finally, I will print it out in an encoded form in which you have already seen many times in life when you're on the Internet, which is based 64 code it. So let's just run this. And as you can see here now, this is a plane takes the has been all plain text, and the encrypted text looks like this. This is a binary string, so you you don't see any plane characters anymore. It's just binary string. It's like a random number. And since I am printing it out as a character string, you see a lot off characters that can be displayed because thes air special characters and , um, as I said, finally, I will encoded Based 64 this is the base 64 representation off Theo encrypted string above here. So from the plain text using a simple A s advanced encryption standard encryption version. We get this into transported, we have thean coded Former. This is how encryption looks like on the very basic level. 12. File and System encryption: Let's take a short look at file encryption tools. There exist various formats and standards. For instance, there's PGP or Zip and, of course, several proprietary commercial and open source products. The purpose off file encryption is, for instance, to perform a secure fight exchange between entities or simply for file archiving and back up the target. Groups off this kind of tool are working groups on an enterprise level. They could also be the need for a fight exchange between enterprise users and customers. And, of course, these tools are widely used by home users. Then there is full system encryption or full disk encryption. There also exist various formats and standards, very famous, true crypt off course. And it's secure successors in the Lenox sector, it looks, and others. And again, there are lots off proprietary commercial and other open source products. The purpose here is a full encryption off all petitions and drives off computers, devices, external media, etcetera. So the purpose is to protect or secure a personal device. The target group here are individuals no matter if home uses or on an enterprise level. But if applicable, you want a administrator to have access as well, in case off emergencies, there is a common confusion that file encryption and system encryption are applications serving the same purpose. This is not the case, so you can say I won't use a fine encryption tool. I am better off with a system encryption. As you have seen these two different kinds off applications solved different purposes. A simple example. Let's say you use a full system. Encryption and personal data that is important to you is on that particular petition Because system encryption works transparently for the user. Every time you work on that system, you and every application running on your computer have access to this data. So, for instance, also a Trojan horse. If you don't need that data for work, you could also secure that data within a separate file archive. That file archive would be encrypted and hence not be usable until you would decrypt the data. So you should always be aware what the encryption system you chose for a certain purpose is really achieving. And if that is really that what you want to achieve some words on fire encryption practices , usually on an enterprise level, there will be a public key infrastructure, p K. I. A. Security policy and a specific technological solution in place. However, communication with customers and suppliers is sometimes tricky because off in comfortable, secure file exchange form it's or a lack off technology for instance, missing smart card readers or a specific encryption software, security researchers show. In practice, employees might apply quick, password based solutions even against company policies. These often involved the common and widespread zip form it and hands password based encryption. Although the encryption is not considered to be broken, most Zip freeware tools use week defaults for password to keep their relation, so an adequate security can only be accomplished by choosing a at least 20 digits long. True random password. Some characteristics off zip encryption. It can be called a classic. Form it because it's quite old. It's password based, only. It's suitable for multiple files and directories. However, there's no encryption off file headers, so date and time will use file sizes, Number of files and even file names are not encrypted. You have to be a wealth that if, for instance, fire names are based on customer names or custom ID's using the encryption, the privacy off this information would not be guaranteed to the security off the key deterioration. The kid evaluation is not broken. However, most implementations still use week defaults. In practice, this means is set before that you usually require and at least 20 digits long, pure end and password. Then there is open PGP. Broken PGP is the name off the standard, which is implemented by PGP and New PCI. Broken PGP offers different kinds off encryption password based but also, of course, key based encryption famously used for PGP e mails where the keys are stored in key files or even smart cards in case off file encryption. PGP only works on single files, so encrypting multiple files to an archive requires additional tools. First, you would archive the files you want to encrypt using zipped our or whatever. And second, he would encrypt the data on the Lennox with help off a programmable shell. You could also performed these two steps in one for the security off. The key deterioration for the password only moat. The same is true s for zip. It's a quite strong algorithm, but most implementations use week defaults, unfortunately, because of compatibility reasons as said before. There are various other file encryption tools. I just want to mention to open source examples. These are widely used in the home user sector. There is, for instance, X script, which is password based. The developers don't say much about the key derivation. Then there is Crack a crypt file that works password based but also key file based and token based. This implementation claims to use PP Katie of to. However, both examples do not provide a certification or a public order it. On the other hand, many proprietary commercial solutions are also widely used and not certified. 13. Conclusion: we are at the end of the course introduction to encryption terminology and technology. I think you've seen that encryption is just one component off I t security likewise for enterprises and consumers, but a very powerful one. If used correctly, the more data is used within cloud services, the more important it becomes that you use the right encryption strategy. Of course, a lot of times you use encryption automatically in practice, take online banking or online shopping as an example. Most banks use standard TLS https connections. However, if you use smaller Web shops or other Web services, you should have an eye on your https connection. There exists open and proprietary solutions for years, which are approved and accepted for numerous areas off application. As a company, you have to pay respect to loss and data privacy ex, especially in international projects. Compare, for instance, with the Safe Harbor Act with the European Union. In practice, choose an encryption technology carefully and wisely and always verify if it really fulfills your requirements