Asymmetric cryptography (public-key cryptography)

It contains a pair of Public key and Private key.

Public key

• The public key is openly shared and accessible to anyone.
• It can be used by anyone to encrypt data intended for the recipient who holds the corresponding private key.
• The public key can also be used to verify digital signatures created by the corresponding private key holder.

Private key

• The private key is kept secret by its owner and should never be shared with anyone.
• It is used to decrypt data that has been encrypted with the corresponding public key.
• The private key can be used to create digital signatures that can be verified by anyone with the corresponding public key.

In short, the data that is encrypted by public key can only be decrypted by private key. The signature that is encrypted by private key can be verified by public key.

Symmetric-key cryptography (secret-key or private-key cryptography)

The same key is used for encryption and decryption.

• Encryption
  • Plaintext (the original data) is transformed into ciphertext (the encrypted data) using an encryption algorithm and a secret key.
  • There are two main types of symmetric encryption algorithms
    • Block ciphers: These algorithms encrypt data in fixed-size blocks (e.g., 128 bits). Examples of block ciphers include AES (Advanced Encryption Standard), DES (Data Encryption Standard), and 3DES (Triple DES).
    • Stream ciphers: These algorithms encrypt data one bit or byte at a time, in a continuous stream. Examples of stream ciphers include RC4 (Rivest Cipher 4) and ChaCha20.
• Decryption
  • To decrypt the ciphertext and retrieve the original plaintext, the recipient uses the same secret key and the corresponding decryption algorithm.

Comparison between Asymmetric and Symmetric encryption

• Asymmetric encryption is typically used for key exchange. ( It allows secure communication between parties who have never met or shared keys before.)
• Asymmetric encryption is computationally more expensive and slower than symmetric encryption due to the complex mathematical operations involved.
• Asymmetric encryption offers a higher level of security because the private key is never shared or transmitted.
• Symmetric encryption is faster and more efficient than asymmetric encryption.
• Symmetric encryption is often used for bulk data encryption.

Use cases

• RSA is an asymmetric encryption
• AES is a symmetrical encryption
• SSH and SSL both are symmetrical encryption and asymmetrical encryption
• SSH
  • Symmetrical encryption is used to encrypt the entire communication during a SSH Session.
  • Asymmetrical encryption is not used to encrypt the entire SSH session. Instead, it is only used during the key exchange algorithm of symmetric encryption.
  • Before initiating a secured connection, both parties generate temporary public-private key pairs, and share their respective private keys to produce the shared secret key.

AES

AES replaced the older Data Encryption Standard (DES) as a more secure and efficient option.

• A block cipher: meaning it encrypts data in fixed-size blocks (128 bits).
• Use a secret key for both encryption and decryption, and it supports key lengths of 128, 192, or 256 bits.
• The decryption process in AES is essentially the reverse of the encryption process.

Electronic Codebook mode (ECB)

• Simple and straightforward
• Less secure
• The plaintext is divided into fixed-size blocks, and each block is encrypted independently using the same key
• Identical plaintext will produce identical ciphertext blocks
• ECB mode doesn’t use an initialization vector (IV)
• Not recommended for use in most cryptographic applications

Cipher Feedback (CFB)

• A mode of operation for block cipher.
• In contrast to the ECB (Electronic Codebook) mode, which encrypts each block of data independently, CFB mode uses feedback to make each block of ciphertext dependent on all the plaintext blocks before it, which makes it more secure.

Cipher Block Chaining mode (CBC)

• Each ciphertext block depends on all previous plaintext blocks, identical plaintext blocks will generally produce different ciphertext blocks
• Ensure that the same plaintext encrypted with the same key will result in different ciphertexts
• To hide patterns in the plaintext

Galois/Counter Mode (GCM)

• more modern mode
• provides both confidentiality (through encryption similar to CTR mode) and data integrity (through an authentication tag)
• GCM also provides authentication, which means it can verify that the data has not been tampered with
• more secure than the other modes

What’s Initialization Vector (IV)?

• IV is used as an additional input to the encryption process. Such as:
  • Cipher Block Chaining (CBC)
  • Cipher Feedback (CFB)
  • Counter (CTR)
• The IV should be random, unique, and unpredictable for each encryption
• To ensure that the ciphertext generated is different, even if the same plaintext is encrypted multiple times with the same key.
• IV doesn’t need to be kept secret like the encryption key. It can be transmitted along with the ciphertext (usually as a prefix)

What’s Counter (CTR)

CTR mode is that it turns a block cipher into a stream cipher, which means that it encrypts plaintext by combining it with a keystream.

ECB vs CFB vs CBC vs GCM (in terms of security)

• ECB is the least secure
• CFB and CBC are equally secure
• CBC is widely adopted and scrutinised, and used in many protocols such as SSL and TLS
• GCM is the most secure and the best choice because it provides both confidentiality and authentication.

Hash functions

• MD5 (Message Digest Algorithm 5)
  • 128-bit hash value, 32-character hexadecimal number
  • not recommended as it’s easy to be broken than others
• SHA-1 (Secure Hash Algorithm 1)
  • 160-bit hash value, 40-digit hexadecimal number
• SHA-2
  • SHA-256 (Secure Hash Algorithm 256)
    • a member of the SHA-2 set of cryptographic hashes
    • is widely used security applications and protocols
• SHA-3
  • the latest member of the Secure Hash Algorithm family and provides the same capabilities as SHA-2
  • digests 224, 256, 384, 512, and variable lengths
• Blake2
  • faster than MD5, SHA-1, SHA-2, and SHA-3, yet is at least as secure as the latest standard, SHA-3
• CRC32 (Cyclic Redundancy Check)
  • It is used to produce a checksum
  • CRCs are used to detect errors after transmission or storage
• HMAC (Hash-based Message Authentication Code)
  • can be used with symmetric encryption, but not asymmetric key)
  • can be used with MD5, SHA-1, SHA-256 in combination with a secret shared key
  • use a secret sahred key (the same key of symmetric encryption) for data integrity and authentication
  • The purpose of HMAC is not just to ensure data integrity, but also to authenticate that the data came from the original sender

ref:

• chatGPT