• Data encryption methods - web programmer blog. Modern encryption algorithms

    1. Encryption occurs on both sides. After all, if only one side is encrypted (for example, only the server), then traffic from the other side (from the client) will not be encrypted. It can be overheard or even changed.
    2. Formally, no one gives the key to anyone. In the TLS protocol, the client and server must generate a shared secret, a set of 48 bytes. Then the client and server, based on the shared secret, calculate keys: the client's encryption key and the server's encryption key. The procedure for calculating keys from a shared secret is standard and is specified in the TLS protocol description. The server and client know 2 encryption keys; they encrypt with one and decrypt with the second. Now comes the fun part - how the client and server calculate the shared secret. This depends on the chosen cipher suite:

      • TLS_RSA_WITH_: in this case the client itself creates a shared secret by generating 48 random bytes. It then encrypts them using the public RSA key found in the server's certificate. The server receives the encrypted data and decrypts it using a private RSA key. This scheme is rarely used.
      • TLS_DHE_RSA_/TLS_ECDHE_RSA_/TLS_ECDHE_ECDSA_: This uses the Diffie-Hellman (DHE) cryptographic scheme or its elliptic curve version (ECDHE). The essence of the scheme is this: the server and client generate random big numbers (private keys), calculate other numbers (public keys) based on them, and send them to each other. Given their private key and the other party's public key, they calculate the shared secret. A third party listening to the channel only sees 2 public keys and cannot figure out the shared secret. After this, all data exchanged between the client and server to obtain this key is signed by the server certificate (RSA or ECDSA signature). If the client trusts the server's certificate, it checks this signature, and if it is correct, data exchange begins. This is the most commonly used scheme.
      • There are several other schemes, but they are used very rarely or not at all.

      About interception. As I described above, intercepting messages here is useless, since in the first case only the server can decrypt it, and in the second, a cunning cryptographic scheme is used.

      Both the server and the client know the encryption algorithms. After all, if the client does not know what the encryption algorithm is, how will he encrypt the data to be sent? In modern cryptography, no one uses proprietary algorithms. Open algorithms are constantly studied by the best cryptographers in the world, looking for vulnerabilities, and offering solutions to bypass them.

      In TLS, we can conditionally say that the algorithms change, since different encryption keys are generated each time. And then, if you want to use a proprietary algorithm, for example to view a web page, how can this algorithm be proprietary if your computer/device does the encryption/decryption?

    I have left out/simplified some details in order to describe only the main ideas.
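
    The Diffie-Hellman exchange and the two directional keys described above, as an added example that is not part of the original text. The prime 2**127 - 1, the base 3, the labels and the HMAC-based derivation are assumptions chosen to keep the example small; the derivation is a simplified stand-in for the one in the TLS specification, and the certificate signature over the exchange is not shown.

```python
import hashlib
import hmac
import secrets

# Toy parameters (assumptions of this example): a 127-bit Mersenne prime and
# base 3. Real deployments use standardized groups or curves.
P = 2**127 - 1
G = 3


def public_value(private):
    """The number a party sends over the wire: G^private mod P."""
    return pow(G, private, P)


def shared_secret(own_private, peer_public):
    """Both parties arrive at G^(a*b) mod P without ever sending it."""
    return pow(peer_public, own_private, P)


def derive_keys(secret):
    """Expand the shared secret into a client key and a server key.

    HMAC-SHA256 with fixed labels stands in for the standard derivation.
    """
    raw = secret.to_bytes(16, "big")
    client_key = hmac.new(raw, b"client write key", hashlib.sha256).digest()
    server_key = hmac.new(raw, b"server write key", hashlib.sha256).digest()
    return client_key, server_key


def handshake(client_private, server_private):
    """Run both sides and return what each one ends up with."""
    client_public = public_value(client_private)
    server_public = public_value(server_private)
    client_view = derive_keys(shared_secret(client_private, server_public))
    server_view = derive_keys(shared_secret(server_private, client_public))
    return {
        "wire": (client_public, server_public),  # all a listener observes
        "client": client_view,
        "server": server_view,
    }


if __name__ == "__main__":
    result = handshake(secrets.randbelow(P - 2) + 1, secrets.randbelow(P - 2) + 1)
    print("keys match:", result["client"] == result["server"])
    print("client key:", result["client"][0].hex())
    print("server key:", result["client"][1].hex())
```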

    Sergey Panasenko,
    head of the software development department, "Ankad" company

    Basic Concepts

    The process of converting open data into encrypted data and vice versa is usually called encryption, and the two components of this process are called encryption and decryption, respectively. Mathematically, this transformation is represented by the following dependencies that describe actions with the original information:

    C = E_{k1}(M)

    M" = D_{k2}(C),

    where M (message) - open information (in information security literature often referred to as "source text");
    C (cipher text) - the ciphertext (or cryptogram) obtained as a result of encryption;
    E (encryption) - an encryption function that performs cryptographic transformations on the source text;
    k1 (key) - parameter of function E, called the encryption key;
    M" - information obtained as a result of decryption;
    D (decryption) - decryption function that performs inverse cryptographic transformations on the ciphertext;
    k2 is the key used to decrypt information.

    The concept of “key” in the GOST 28147-89 standard (symmetric encryption algorithm) is defined as follows: “a specific secret state of some parameters of the cryptographic transformation algorithm, ensuring the selection of one transformation from the set of all transformations possible for this algorithm.” In other words, the key is a unique element with which you can change the results of the encryption algorithm: the same source text will be encrypted differently when using different keys.

    In order for the decryption result to match the original message (i.e., for M" = M), two conditions must be met simultaneously. First, the decryption function D must match the encryption function E. Second, the decryption key k2 must match encryption key k1.

    If a cryptographically strong encryption algorithm was used for encryption, then in the absence of the correct key k2 it is impossible to obtain M" = M. Cryptographic strength is the main characteristic of encryption algorithms and primarily indicates the degree of complexity of obtaining the original text from an encrypted text without a key k2.

    Encryption algorithms can be divided into two categories: symmetric and asymmetric encryption. For the former, the relationship between the encryption and decryption keys is defined as k1 = k2 = k (i.e., functions E and D use the same encryption key). With asymmetric encryption, the encryption key k1 is calculated from the key k2 in such a way that the reverse transformation is impossible, for example, using the formula k1 = a^k2 mod p (a and p are the parameters of the algorithm used).

    Symmetric encryption

    Symmetric encryption algorithms date back to ancient times: it was this method of hiding information that was used by the Roman emperor Gaius Julius Caesar in the 1st century BC, and the algorithm he invented is known as the “Caesar cryptosystem.”

    Currently the best known symmetric encryption algorithm is DES (Data Encryption Standard), developed in 1977. Until recently, it was a “US standard”, since the government of this country recommended its use for implementing various data encryption systems. Despite the fact that DES was originally planned to be used for no more than 10-15 years, attempts to replace it began only in 1997.

    We will not cover DES in detail (almost all the books in the list of additional materials describe it in detail), and will turn instead to more modern encryption algorithms. It is only worth noting that the main reason for changing the encryption standard is its relatively weak cryptographic strength, which results from the DES key length being only 56 significant bits. It is known that any strong encryption algorithm can be cracked by trying all possible encryption keys (the so-called brute force attack). It is easy to calculate that a cluster of 1 million processors, each of which checks 1 million keys per second, will check 2^56 variants of DES keys in almost 20 hours. And since, by today’s standards, such computing power is quite realistic, it is clear that the 56-bit key is too short and the DES algorithm needs to be replaced with a stronger one.

    Today, two modern strong encryption algorithms are increasingly used: the domestic standard GOST 28147-89 and the new US crypto standard - AES (Advanced Encryption Standard).

    Standard GOST 28147-89

    The algorithm defined by GOST 28147-89 (Fig. 1) has an encryption key length of 256 bits. It encrypts information in blocks of 64 bits (such algorithms are called block algorithms), which are then divided into two subblocks of 32 bits (N1 and N2). Subblock N1 is processed in a certain way, after which its value is added to the value of subblock N2 (the addition is performed modulo 2, i.e. logical operation XOR - "exclusive or"), and then the subblocks are swapped. This transformation is performed a certain number of times (“rounds”): 16 or 32, depending on the operating mode of the algorithm. In each round, two operations are performed.

    The first is keying. The contents of subblock N1 are added modulo 2 with the 32-bit part of the key Kx. The full encryption key is represented as a concatenation of 32-bit subkeys: K0, K1, K2, K3, K4, K5, K6, K7. During the encryption process, one of these subkeys is used, depending on the round number and the mode of operation of the algorithm.

    The second operation is table replacement. After keying, subblock N1 is divided into 8 parts of 4 bits, the value of each of which is replaced in accordance with the replacement table for this part of the subblock. The subblock is then bit-rotated to the left by 11 bits.

    Table substitutions (substitution box, S-box) are often used in modern encryption algorithms, so it is worth explaining how such an operation is organized. The output values of the blocks are recorded in the table. A data block of a certain dimension (in our case, 4-bit) has its own numerical representation, which determines the number of the output value. For example, if the S-box looks like 4, 11, 2, 14, 15, 0, 8, 13, 3, 12, 9, 7, 5, 10, 6, 1 and the 4-bit block “0100” came to the input (value 4), then, according to the table, the output value will be 15, i.e. “1111” (0 → 4, 1 → 11, 2 → 2 ...).

    The algorithm defined by GOST 28147-89 provides four operating modes: simple replacement, gamma, gamma with feedback and generation of imitation prefixes. They use the same encryption transformation described above, but since the purpose of the modes is different, this transformation is carried out differently in each of them.

    In simple replacement mode, the 32 rounds described above are performed to encrypt each 64-bit block of information. In this case, 32-bit subkeys are used in the following sequence:

    K0, K1, K2, K3, K4, K5, K6, K7, K0, K1, etc. - in rounds 1 to 24;

    K7, K6, K5, K4, K3, K2, K1, K0 - in rounds 25 to 32.

    Decryption in this mode is carried out in exactly the same way, but with a slightly different sequence of using subkeys:

    K0, K1, K2, K3, K4, K5, K6, K7 - in rounds 1 to 8;

    K7, K6, K5, K4, K3, K2, K1, K0, K7, K6, etc. - in rounds 9 to 32.

    All blocks are encrypted independently of each other, i.e., the encryption result of each block depends only on its contents (the corresponding block of the original text). If there are several identical blocks of original (plain) text, the corresponding ciphertext blocks will also be identical, which gives a cryptanalyst trying to break the cipher additional useful information. Therefore, this mode is used mainly for encrypting the encryption keys themselves (multi-key schemes are very often implemented, in which, for a number of reasons, the keys are encrypted with one another). Two other operating modes are intended for encrypting the information itself - gamma and gamma with feedback.

    In gamma mode, each plaintext block is added bit by bit modulo 2 to a 64-bit cipher gamma block. The cipher gamma is a special sequence that is obtained as a result of certain operations with registers N1 and N2 (see Fig. 1).

    1. Their initial filling is written to registers N1 and N2 - a 64-bit value called a synchronization message.

    2. The contents of registers N1 and N2 (in this case, sync messages) are encrypted in simple replacement mode.

    3. The contents of register N1 are added modulo (2^32 - 1) with the constant C1 = 2^24 + 2^16 + 2^8 + 2^4, and the result of the addition is written to register N1.

    4. The contents of register N2 are added modulo 2^32 with the constant C2 = 2^24 + 2^16 + 2^8 + 1, and the result of the addition is written to register N2.

    5. The contents of registers N1 and N2 are output as a 64-bit gamma block of the cipher (in this case, N1 and N2 form the first gamma block).

    If the next gamma block is needed (i.e., encryption or decryption needs to continue), the procedure returns to step 2.

    For decryption, the gamma is generated in the same manner, and then the ciphertext and gamma bits are again XORed. Since this operation is reversible, in the case of a correctly generated gamma, the original text (table) is obtained.

    Encryption and decryption in gamma mode

    To generate the cipher gamma needed for decryption, the user decrypting the cryptogram must have the same key and the same synchronization message value that were used when encrypting the information. Otherwise, it will not be possible to obtain the original text from the encrypted one.

    In most implementations of the GOST 28147-89 algorithm, the synchronization message is not secret, however, there are systems where the synchronization message is the same secret element as the encryption key. For such systems, the effective key length of the algorithm (256 bits) is increased by another 64 bits of the secret synchronization message, which can also be considered as a key element.

    In the gamma mode with feedback, to fill the N1 and N2 registers, starting from the 2nd block, it is not the previous gamma block that is used, but the result of encrypting the previous plaintext block (Fig. 2). The first block in this mode is generated in exactly the same way as in the previous mode.

    Fig. 2. Generation of the cipher gamma in the gamma mode with feedback.

    Before considering the mode of generating imitation prefixes, the concept of what is being generated should be defined. An imitation prefix is a cryptographic checksum, calculated using the encryption key and designed to verify the integrity of messages. When generating an imitation prefix, the following operations are performed: the first 64-bit block of the information array, for which the imitation prefix is calculated, is written to registers N1 and N2 and encrypted in the reduced simple replacement mode (the first 16 rounds out of 32 are performed). The result is summed modulo 2 with the next block of information and the result is stored in N1 and N2.

    The cycle repeats until the last block of information. The 64-bit contents of the N1 and N2 registers resulting from these transformations, or part of them, is called the imitation prefix. The size of the imitation prefix is selected based on the required reliability of messages: with an imitation prefix length of r bits, the probability that a change in the message will go unnoticed is 2^-r. Most often, a 32-bit imitation prefix is used, i.e., half the contents of the registers. This is enough, since, like any checksum, the imitation prefix is intended primarily to protect against accidental distortion of information. To protect against intentional modification of data, other cryptographic methods are used, primarily an electronic digital signature.

    When exchanging information, the imitation prefix serves as a kind of additional means of control. It is calculated for the plaintext when any information is encrypted and is sent along with the ciphertext. After decryption, a new value of the imitation prefix is calculated and compared with the sent one. If the values do not match, it means that the ciphertext was corrupted during transmission or incorrect keys were used during decryption. The imitation prefix is especially useful for checking the correct decryption of key information when using multi-key schemes.
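
    The simple replacement mode and the imitation prefix loop, as an added example that is not code from the original article and not a conforming GOST 28147-89 implementation. The round function follows the description in the text; the key, the reuse of the single quoted S-box row for all eight 4-bit parts and all function names are assumptions.

```python
MASK32 = 0xFFFFFFFF

# Substitution row quoted in the text, reused for all eight 4-bit parts
# (an assumption of this example).
SBOX = [4, 11, 2, 14, 15, 0, 8, 13, 3, 12, 9, 7, 5, 10, 6, 1]

# Subkey index per round, as listed in the text.
ENC_ORDER = list(range(8)) * 3 + list(range(7, -1, -1))   # rounds 1-24, 25-32
DEC_ORDER = list(range(8)) + list(range(7, -1, -1)) * 3   # rounds 1-8, 9-32

# Constructed 256-bit key as eight 32-bit subkeys K0..K7.
KEY = [0x01234567, 0x89ABCDEF, 0x0F1E2D3C, 0x4B5A6978,
       0x13579BDF, 0x2468ACE0, 0xDEADBEEF, 0x0BADF00D]


def round_function(n1, subkey):
    """Keying, 4-bit table replacement, then rotation left by 11 bits."""
    x = n1 ^ subkey  # keying as the text describes it
    y = 0
    for i in range(8):
        y |= SBOX[(x >> (4 * i)) & 0xF] << (4 * i)
    return ((y << 11) | (y >> 21)) & MASK32


def crypt_block(block, key, order):
    """Run the Feistel rounds over one 64-bit block with the given subkey order."""
    n2, n1 = block >> 32, block & MASK32
    for idx in order:
        # Processed N1 is combined with N2, then the subblocks are swapped.
        n2, n1 = n1, n2 ^ round_function(n1, key[idx])
    return (n1 << 32) | n2  # the last round's swap is undone


def encrypt_simple_replacement(blocks, key):
    """Each block is encrypted independently of the others."""
    return [crypt_block(b, key, ENC_ORDER) for b in blocks]


def decrypt_simple_replacement(blocks, key):
    return [crypt_block(b, key, DEC_ORDER) for b in blocks]


def imitation_prefix(blocks, key, bits=32):
    """Chain 16-round encryptions over the blocks and keep `bits` bits."""
    state = 0
    for b in blocks:
        state = crypt_block(state ^ b, key, ENC_ORDER[:16])
    return state & ((1 << bits) - 1)


if __name__ == "__main__":
    # Constructed message: the first two blocks are identical on purpose.
    message = [0x1111111122222222, 0x1111111122222222, 0x3333333344444444]
    cipher = encrypt_simple_replacement(message, KEY)
    print("ciphertext:", [hex(c) for c in cipher])
    print("identical plaintext blocks leak:", cipher[0] == cipher[1])
    print("round trip ok:", decrypt_simple_replacement(cipher, KEY) == message)
    tampered = message[:2] + [message[2] ^ 1]
    print("prefix original:", hex(imitation_prefix(message, KEY)))
    print("prefix tampered:", hex(imitation_prefix(tampered, KEY)))
```

    The decryption order is the encryption order reversed, which is why the same routine serves both directions.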

    The GOST 28147-89 algorithm is considered a very strong algorithm - currently no methods of breaking it more effective than the "brute force" method mentioned above have been proposed. Its high security is achieved primarily due to the large key length - 256 bits. When using a secret sync message, the effective key length increases to 320 bits, and encrypting the replacement table adds additional bits. In addition, cryptographic strength depends on the number of transformation rounds, which according to GOST 28147-89 should be 32 (the full effect of input data dispersion is achieved after 8 rounds).

    AES standard

    Unlike the GOST 28147-89 algorithm, which remained secret for a long time, the American encryption standard AES, intended to replace DES, was selected through an open competition in which all interested organizations and individuals could study and comment on the candidate algorithms.

    A competition to replace DES was announced in 1997 by the US National Institute of Standards and Technology (NIST - National Institute of Standards and Technology). 15 candidate algorithms were submitted to the competition, developed by both well-known organizations in the field of cryptography (RSA Security, Counterpane, etc.) and individuals. The results of the competition were announced in October 2000: the winner was the Rijndael algorithm, developed by two cryptographers from Belgium, Vincent Rijmen and Joan Daemen.

    The Rijndael algorithm is not similar to most known symmetric encryption algorithms, the structure of which is called the “Feistel network” and is similar to the Russian GOST 28147-89. The peculiarity of the Feistel network is that the input value is divided into two or more subblocks, part of which in each round is processed according to a certain law, after which it is superimposed on unprocessed subblocks (see Fig. 1).

    Unlike the domestic encryption standard, the Rijndael algorithm represents a data block in the form of a two-dimensional byte array of size 4x4, 4x6 or 4x8 (the use of several fixed sizes of the encrypted block of information is allowed). All operations are performed on individual bytes of the array, as well as on independent columns and rows.

    The Rijndael algorithm performs four transformations: BS (ByteSub) - table replacement of each byte of the array (Fig. 3); SR (ShiftRow) - shift of array rows (Fig. 4). With this operation, the first row remains unchanged, and the rest are cyclically shifted byte-by-byte to the left by a fixed number of bytes, depending on the size of the array. For example, for a 4x4 array, rows 2, 3 and 4 are shifted by 1, 2 and 3 bytes respectively. Next comes MC (MixColumn) - an operation on independent array columns (Fig. 5), when each column is multiplied by a fixed matrix c(x) according to a certain rule. And finally, AK (AddRoundKey) - adding a key. Each bit of the array is added modulo 2 with the corresponding bit of the round key, which, in turn, is calculated in a certain way from the encryption key (Fig. 6).


    Fig. 3. Operation BS.

    Fig. 4. Operation SR.

    Fig. 5. Operation MC.

    The number of encryption rounds (R) in the Rijndael algorithm is variable (10, 12 or 14 rounds) and depends on the block size and the encryption key (there are also several fixed sizes for the key).

    Decryption is performed using the following reverse operations. Table replacement is inverted by using the inverse table (relative to the one used for encryption). The inverse operation to SR is to rotate rows to the right rather than to the left. The inverse operation for MC is multiplication using the same rules by another matrix d(x) satisfying the condition: c(x) * d(x) = 1. Adding the key AK is the inverse of itself, since it only uses the XOR operation. These reverse operations are applied during decryption in the reverse sequence to that used during encryption.
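
    One round built from the four operations and undone by their inverses, as an added example that is not code from the original article. It uses the 4x4 AES parameters (field polynomial, matrices c(x) and d(x), S-box construction); the sample state, the round key and the function names are constructed for the example.

```python
def gmul(a, b):
    """Multiply two bytes in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return result


def rotl8(byte, n):
    return ((byte << n) | (byte >> (8 - n))) & 0xFF


def build_sbox():
    """S-box: multiplicative inverse in GF(2^8) followed by an affine map."""
    table = []
    for a in range(256):
        inv = next((x for x in range(1, 256) if gmul(a, x) == 1), 0)
        table.append(inv ^ rotl8(inv, 1) ^ rotl8(inv, 2)
                     ^ rotl8(inv, 3) ^ rotl8(inv, 4) ^ 0x63)
    return table


SBOX = build_sbox()
INV_SBOX = [SBOX.index(v) for v in range(256)]

# c(x) and d(x) written as the matrices applied to each column.
C_MATRIX = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]
D_MATRIX = [[14, 11, 13, 9], [9, 14, 11, 13], [13, 9, 14, 11], [11, 13, 9, 14]]


def byte_sub(state, table):
    return [[table[b] for b in row] for row in state]


def shift_row(state, inverse=False):
    """Row i rotates left by i bytes; the inverse rotates right."""
    out = []
    for i, row in enumerate(state):
        k = -i if inverse else i
        out.append(row[k:] + row[:k])
    return out


def mix_column(state, matrix):
    """Multiply every column of the state by the given matrix."""
    out = [[0] * 4 for _ in range(4)]
    for c in range(4):
        for r in range(4):
            for k in range(4):
                out[r][c] ^= gmul(matrix[r][k], state[k][c])
    return out


def add_round_key(state, round_key):
    return [[a ^ b for a, b in zip(r1, r2)] for r1, r2 in zip(state, round_key)]


def encrypt_round(state, round_key):
    s = byte_sub(state, SBOX)
    s = shift_row(s)
    s = mix_column(s, C_MATRIX)
    return add_round_key(s, round_key)


def decrypt_round(state, round_key):
    # Inverse operations, applied in the reverse sequence.
    s = add_round_key(state, round_key)
    s = mix_column(s, D_MATRIX)
    s = shift_row(s, inverse=True)
    return byte_sub(s, INV_SBOX)


# Constructed sample state and round key, written row by row.
STATE = [[0x32, 0x88, 0x31, 0xE0], [0x43, 0x5A, 0x31, 0x37],
         [0xF6, 0x30, 0x98, 0x07], [0xA8, 0x8D, 0xA2, 0x34]]
ROUND_KEY = [[0x2B, 0x28, 0xAB, 0x09], [0x7E, 0xAE, 0xF7, 0xCF],
             [0x15, 0xD2, 0x15, 0x4F], [0x16, 0xA6, 0x88, 0x3C]]

if __name__ == "__main__":
    mixed = encrypt_round(STATE, ROUND_KEY)
    print("after one round:", [[hex(b) for b in row] for row in mixed])
    print("round undone:", decrypt_round(mixed, ROUND_KEY) == STATE)
```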

    Rijndael has become the new standard for data encryption due to a number of advantages over other algorithms. First of all, it provides high encryption speed on all platforms, in both software and hardware implementations. It offers incomparably better opportunities for parallelizing calculations than the other algorithms submitted to the competition. In addition, the resource requirements for its operation are minimal, which is important when used in devices with limited computing capabilities.

    The only disadvantage of the algorithm can be considered its inherent unconventional scheme. The fact is that the properties of algorithms based on the Feistel network have been well researched, and Rijndael, in contrast, may contain hidden vulnerabilities that can only be discovered after some time has passed since its widespread use.

    Asymmetric encryption

    Asymmetric encryption algorithms, as already noted, use two keys: k1 - the encryption key, or public key, and k2 - the decryption key, or secret key. The public key is calculated from the secret key: k1 = f(k2).

    Asymmetric encryption algorithms are based on the use of one-way functions. According to the definition, a function y = f(x) is one-way if it is easy to calculate for all possible values of x, and for most possible values of y it is quite difficult to calculate a value of x such that y = f(x).

    An example of a one-way function is the multiplication of two large numbers: N = P*Q. In itself, such multiplication is a simple operation. However, the inverse function (decomposition of N into two large factors), called factorization, is by modern estimates a rather complex mathematical problem. For example, factoring N with a size of 664 bits at P ≈ Q will require approximately 10^23 operations, and to inversely calculate x for the modular exponent y = a^x mod p with known a, p and y (with the same sizes of a and p) you need to perform approximately 10^26 operations. The last example given is called the Discrete Logarithm Problem (DLP), and this kind of function is often used in asymmetric encryption algorithms, as well as in algorithms used to create an electronic digital signature.

    Another important class of functions used in asymmetric encryption is one-way functions with a backdoor. By definition, a function is one-way with a backdoor if it is one-way and, in addition, the inverse function x = f^-1(y) can be calculated efficiently when the "backdoor" is known (some secret number; as applied to asymmetric encryption algorithms, the value of the secret key).

    One-way backdoor functions are used in the widely used asymmetric encryption algorithm RSA.

    RSA algorithm

    Developed in 1978 by three authors (Rivest, Shamir, Adleman), it got its name from the first letters of the developers' last names. The reliability of the algorithm is based on the difficulty of factoring large numbers and calculating discrete logarithms. The main parameter of the RSA algorithm is the system modulus N, modulo which all calculations in the system are carried out, where N = P*Q (P and Q are secret random large prime numbers, usually of the same size).

    The secret key k2 is chosen randomly and must meet the following conditions:

    1

    where GCD is the greatest common divisor, i.e. k1 must be coprime to the value of the Euler function F(N), the latter being equal to the number of positive integers in the range from 1 to N coprime to N, and is calculated as F(N) = (P - 1)*(Q - 1).

    The public key k1 is calculated from the relation (k2*k1) = 1 mod F(N), and for this purpose the generalized Euclidean algorithm (the algorithm for calculating the greatest common divisor) is used. Encryption of data block M using the RSA algorithm is performed as follows: C = M^k1 mod N. Note that since in a real cryptosystem using RSA the number k1 is very large (currently its size can reach up to 2048 bits), direct calculation of M^k1 is unrealistic. To obtain it, a combination of repeated squaring of M and multiplication of the results is used.

    Inversion of this function for large sizes is not feasible; in other words, it is impossible to find M given the known C, N and k1. However, having a secret key k2, using simple transformations one can calculate M = C^k2 mod N. Obviously, in addition to the secret key itself, it is necessary to ensure the secrecy of the parameters P and Q. If an attacker obtains their values, he will be able to calculate the secret key k2.
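
    The key calculation and the repeated-squaring exponentiation carried through in the article's notation (P, Q, N, F(N), k1, k2), as an added example that is not code from the original article. The primes 61 and 53, the secret key 2753 and the message 65 are constructed toy values, far too small for real use; the function names are assumptions.

```python
from math import gcd


def extended_euclid(a, b):
    """Return (g, x, y) such that a*x + b*y == g == gcd(a, b)."""
    old_r, r = a, b
    old_x, x = 1, 0
    old_y, y = 0, 1
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_x, x = x, old_x - q * x
        old_y, y = y, old_y - q * y
    return old_r, old_x, old_y


def mod_inverse(a, m):
    """Solve a * x = 1 mod m with the generalized Euclidean algorithm."""
    g, x, _ = extended_euclid(a, m)
    if g != 1:
        raise ValueError("no inverse: the values are not coprime")
    return x % m


def power_mod(base, exponent, modulus):
    """Repeated squaring and multiplication; M^k is never formed directly."""
    result = 1
    base %= modulus
    while exponent:
        if exponent & 1:
            result = result * base % modulus
        base = base * base % modulus
        exponent >>= 1
    return result


def make_keys(p, q, k2):
    """Return (N, k1) for secret primes P, Q and the chosen secret key k2."""
    n = p * q
    f_n = (p - 1) * (q - 1)          # Euler function F(N)
    if not 1 < k2 < f_n or gcd(k2, f_n) != 1:
        raise ValueError("k2 must be coprime to F(N)")
    k1 = mod_inverse(k2, f_n)        # (k2 * k1) = 1 mod F(N)
    return n, k1


def encrypt(m, k1, n):
    return power_mod(m, k1, n)       # C = M^k1 mod N


def decrypt(c, k2, n):
    return power_mod(c, k2, n)       # M = C^k2 mod N


def secret_key_from_factors(k1, p, q):
    """Why P and Q must stay secret: with them, k2 follows from public k1."""
    return mod_inverse(k1, (p - 1) * (q - 1))


if __name__ == "__main__":
    P, Q, K2 = 61, 53, 2753          # constructed toy values
    N, K1 = make_keys(P, Q, K2)
    C = encrypt(65, K1, N)
    print("N =", N, "k1 =", K1, "C =", C, "M =", decrypt(C, K2, N))
    print("k2 recomputed from P and Q:", secret_key_from_factors(K1, P, Q))
```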

    Which encryption is better?

    The main disadvantage of symmetric encryption is the need to transfer keys “from hand to hand”. This drawback is very serious, since it makes it impossible to use symmetric encryption in systems with an unlimited number of participants. However, otherwise, symmetric encryption has some advantages that are clearly visible against the background of the serious disadvantages of asymmetric encryption.

    The first of them is the low speed of encryption and decryption operations, due to the presence of resource-intensive operations. Another “theoretical” disadvantage is that the cryptographic strength of asymmetric encryption algorithms has not been mathematically proven. This is primarily due to the problem of the discrete logarithm - it has not yet been proven that its solution in an acceptable time is impossible. Unnecessary difficulties are also created by the need to protect public keys from substitution - by replacing the public key of a legal user, an attacker will be able to encrypt an important message with his public key and subsequently easily decrypt it with his private key.

    However, these shortcomings do not prevent the widespread use of asymmetric encryption algorithms. Today there are cryptosystems that support certification of public keys, as well as combining symmetric and asymmetric encryption algorithms. But this is a topic for a separate article.

    Additional sources of information

    For those readers who are seriously interested in encryption, the author recommends broadening their horizons with the help of the following books.

    1. Brassard J. "Modern cryptology."
    2. Petrov A. A. "Computer security: cryptographic methods of protection."
    3. Romanets Yu. V., Timofeev P. A., Shangin V. F. "Information protection in modern computer systems."
    4. Sokolov A.V., Shangin V.F. "Information protection in distributed corporate networks and systems."

    A complete description of encryption algorithms can be found in the following documents:

    1. GOST 28147-89. Information processing system. Cryptographic protection. Cryptographic conversion algorithm. - M.: State Standard of the USSR, 1989.
    2. AES algorithm: http://www.nist.gov/ae.
    3. RSA algorithm: http://www.rsasecurity.com/rsalabs/pkcs/pkcs-1.

    Information lifetime

    § When intercepting an encrypted message, for some types of encryption algorithms it is possible to calculate the frequency of occurrence of certain characters and compare them with the probabilities of the occurrence of certain characters or their combinations (bigrams, trigrams, etc.). This in turn can lead to unambiguous decryption (disclosure) of individual sections of the encrypted message.

    § Availability of probable words. These are words or expressions that can be expected to appear in an intercepted message (for example, for English text - “and”, “the”, “are”, etc.).

    § Techniques exist to make encrypted messages virtually unusable for statistical and probability analysis. These include the following.

    § Diffusion. The influence of one character in the clear message extends to many characters in the encrypted message. Although this method increases the number of errors during decryption, it makes it possible to hide the statistical structure of the open message.

    § Entanglement (confusion). A development of the diffusion principle, in which the influence of one key symbol extends to many symbols of the encrypted message.

    § Mixing. It is based on the use of special transformations of the original message, as a result of which probable sequences seem to be scattered throughout the entire space of possible open messages. The development of this method was the use of composite encryption algorithms, consisting of a sequence of simple permutation and substitution operations.

    Examples of the methods described are the DES and GOST 28147-89 encryption standards.

    There are two main types of encryption algorithms:

    § symmetric encryption algorithms;

    § asymmetric encryption algorithms.

    Symmetric encryption.

    Symmetric encryption algorithms are based on the fact that the same (shared) key is used to both encrypt a message and decrypt it (Fig. 1).

    One of the main advantages of symmetric methods is the speed of encryption and decryption, but the main disadvantage is the need to transfer the secret key value to the recipient.



    Inevitably, a problem arises: how to transfer the key without allowing attackers to intercept it.

    Benefits of Cryptography with symmetric keys:

    · High performance.

    · High durability. All other things being equal, the strength of a cryptographic algorithm is determined by the length of the key. With a key length of 256 bits, it is necessary to perform 10^77 searches to determine it.

    Disadvantages of Cryptography with symmetric keys.

    § Key distribution problem. Since the same key is used for encryption and decryption, very reliable mechanisms for their distribution (transmission) are required.

    § Scalability. Since both the sender and the recipient use a single key, the number of keys needed increases exponentially depending on the number of participants in the communication. To exchange messages between 10 users you need to have 45 keys, and for 1000 users - already 499,500.

    § Limited use. Secret key cryptography is used to encrypt data and restrict access to it; with its help it is impossible to ensure such information properties as authenticity and non-repudiation.

    Asymmetric encryption

    Asymmetric encryption algorithms (public key cryptography) involve the use of two keys. The first key is public. It is distributed completely freely, without any precautions. The second, private key is kept secret.

    Any message encrypted using one of these keys can only be decrypted using its matching key. Typically, the sender of a message uses the recipient's public key, and the recipient uses his or her own private key.

    In an asymmetric scheme for transmitting encrypted messages, both keys are derived from a single parent master key. When two keys are formed from one, they are dependent in a mathematical sense, but due to computational complexity, neither can be calculated from the other. After both keys are generated (both public and personal, private), the master key is destroyed, and thus any attempt to restore the values of keys derived from it in the future is stopped.

    The asymmetric scheme is ideally combined with the use of public messaging networks (for example, the Internet). Any network subscriber can completely freely send the public key to his negotiating partner, and the latter, in the role of the sender of the message, will use this key when encrypting the sent message (Fig. 2). Only the recipient of the message who previously sent the corresponding public key can decrypt this message with his private key. An attacker who intercepts such a key will be able to use it only for the sole purpose of transmitting some encrypted messages to the rightful owner of the key.

    The disadvantage of the asymmetric scheme is the large amount of time spent on encryption and decryption, which does not allow their use for the rapid exchange of lengthy messages in dialogue mode. Implementing asymmetric encryption methods requires a lot of CPU time. Therefore, pure public key cryptography is not usually used in world practice.



    Fig. 2. Asymmetric encryption scheme

    It is impossible to compare which is better, symmetric or asymmetric encryption algorithms. It is noted that symmetric cryptographic algorithms have a shorter key length and work faster.

    Secret key cryptography and public key cryptography are intended to solve completely different problems. Symmetric algorithms are well suited for data encryption, while asymmetric algorithms are implemented in most network cryptographic protocols.

    The most widely used methods are those that combine the advantages of both schemes. The principle of operation of combined schemes is that a symmetric (session) key is generated for the next message exchange session. This key is then encrypted and sent using an asymmetric scheme. After the current negotiation session ends, the symmetric key is destroyed.
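    The combined scheme described above, as an added example that is not part of the original page. It uses only the Python standard library, so textbook RSA over two fixed, constructed primes and a SHA-256 counter-mode keystream stand in for the RSA-OAEP and AES a real system would use; all function names are hypothetical.

```python
import hashlib
import hmac
import secrets

# Constructed toy RSA key pair from two known Mersenne primes. NOT secure: it
# stands in for a real RSA key (2048+ bits) used with OAEP padding.
P, Q = 2**127 - 1, 2**89 - 1
N, E = P * Q, 65537                      # recipient's public key
D = pow(E, -1, (P - 1) * (Q - 1))        # recipient's private key


def subkey(session_key: bytes, label: bytes) -> bytes:
    """Derive separate encryption and MAC keys from one session key."""
    return hashlib.sha256(label + session_key).digest()


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """SHA-256 in counter mode, a stand-in for a real cipher such as AES."""
    stream = bytearray()
    for counter in range((len(data) + 31) // 32):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


def send(message: bytes, pub_n: int = N, pub_e: int = E) -> dict:
    """Sender: fresh symmetric session key, wrapped with the public key."""
    session_key = secrets.token_bytes(16)
    nonce = secrets.token_bytes(12)
    body = keystream_xor(subkey(session_key, b"enc"), nonce, message)
    tag = hmac.new(subkey(session_key, b"mac"), nonce + body, hashlib.sha256).digest()
    wrapped = pow(int.from_bytes(session_key, "big"), pub_e, pub_n)
    # session_key is never stored or reused: it goes out of scope on return
    return {"wrapped_key": wrapped, "nonce": nonce, "body": body, "tag": tag}


def receive(packet: dict, priv_d: int = D, pub_n: int = N) -> bytes:
    """Recipient: unwrap the session key with the private key, verify, decrypt."""
    unwrapped = pow(packet["wrapped_key"], priv_d, pub_n)
    if unwrapped >= 2**128:
        raise ValueError("wrapped key is invalid")
    session_key = unwrapped.to_bytes(16, "big")
    expected = hmac.new(subkey(session_key, b"mac"),
                        packet["nonce"] + packet["body"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, packet["tag"]):
        raise ValueError("packet was modified in transit")
    return keystream_xor(subkey(session_key, b"enc"), packet["nonce"], packet["body"])
```

    Only the small session key passes through the slow asymmetric operation; the message itself, whatever its length, is handled by the fast symmetric one.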

    Even in ancient times, people learned to protect information by transforming it so that unauthorized persons would not be able to read it. Cryptography arose around the time people first learned to talk. Moreover, at first, writing itself was a cryptographic system, since it was available only to select people who were able to study it.

    A cryptographic method of information protection is a number of special methods of encoding, encrypting or other transformations of information that make its content inaccessible to persons who do not have the cryptogram key. Cryptography and encryption are the most reliable methods of protection, since the encryptor directly protects the information itself, and not access to it. For example, reading an encrypted file will be impossible even if an attacker manages to steal the media. This protection method is implemented using programs or software packages.

    For many ordinary people, the term “cryptography” means something mysterious and enigmatic. However, nowadays various types of encryption can be found literally everywhere, from simple combination locks on briefcases to multi-level systems for protecting secret files. People encounter it when they insert a card into an ATM, make money transfers, buy goods online, communicate via Skype, or send emails. Any business related to information is somehow related to cryptography.

    But despite all the variety of applications, there are currently only a few encryption methods. All these cryptography methods belong to two types of cryptographic systems: symmetric (with a secret key) and asymmetric (with a public key).

    • Symmetric systems allow information to be encrypted and decrypted using the same key. A message in a secret-key cryptographic system cannot be decrypted unless the decryptor has the secret key.
    • In public key cryptographic systems, users have their own public and private keys. All users have access to the public key, and information is encrypted using it. But decryption requires a private key held by the end user. Unlike systems with a secret key, such a system involves not two but three parties. The third may be a cellular provider or, for example, a bank. However, this party is not interested in stealing information, since it is interested in the correct functioning of the system and obtaining positive results.

    Types of cryptography

    The advantage of any modern cryptographic method is the ability to provide high guaranteed security strength, calculated and expressed in numerical form (the average number of operations or the time required to decrypt secret information or select keys). Currently, the following types of cryptography exist:

    • Encryption of information.
    • Encoding information.
    • Dissection of information.
    • Data compression.

    Encryption

    During the encryption process, a cryptographic transformation is performed on each character in the encrypted message. Among all the known encryption methods, the following five main groups can be distinguished:

    • Substitution (replacement). These are in turn divided into simple (single-alphabetic), multi-alphabetic single-circuit ordinary, multi-alphabetic multi-circuit and multi-alphabetic single-circuit monophonic substitutions.
    • Permutation (rearrangement). There are simple permutations, permutations complicated by a table and permutations complicated by routes.
    • Analytical transformations. These are carried out according to special dependencies or using the rules of matrix algebra.
    • Gamma (keystream) ciphers. Encryption is performed using short or long finite gammas or using infinite gammas.
    • Combined. Messages are encrypted using substitution and permutation, substitution and gamma, permutation and gamma, or double gamma.

    Message Encoding

    This type of crypto transformation uses the replacement of some data elements with certain codes (for example, these can be combinations of numbers and/or letters).

    Information dissection

    In this method, the protected information is divided into separate data sets; if only one of them is decrypted, it will be impossible to disclose the classified information.

    Message Compression

    The compression method involves replacing repeated sequences of characters in the protected data with smaller sequences. The effectiveness of such compression depends on the number of identical sequences in the protected text.

    Cryptography for Beginners

    Throughout the centuries-old history of cryptography and until recently, this art was not accessible to everyone. As a rule, these methods were used by people who did not go beyond the boundaries of the residences of heads of state, embassies, and intelligence agencies. Only a few decades ago did fundamental changes begin to occur in this area: information became an independent commercial value and turned into a widespread, almost ordinary commodity. It is produced, stored, transferred, sold, bought, and, accordingly, stolen and counterfeited. That is why today there are a large number of tutorials and computer programs designed for ordinary users who are interested in cryptography. Even a schoolchild can master some simple types of encryption.

    Caesar Cipher program

    This encryption method is also called a shift cipher. In its software version, the Caesar cipher is a keyed substitution cipher in which each symbol of the text is replaced by the symbol located a constant number of positions to the left or right of it in the alphabet. For example, with a shift of three positions to the right in the Russian alphabet, the letter А is replaced by Г, Б by Д, and so on. Note that the letter Ё is not used in the encryption and is replaced by the letter Е.
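    A shift cipher following the rules just described, as an added example that is not the program from the original page. The function names are hypothetical; the Latin alphabet and the `all_shifts` helper, which shows how small the key space is, go beyond the case in the text.

```python
RUSSIAN = "АБВГДЕЖЗИЙКЛМНОПРСТУФХЦЧШЩЪЫЬЭЮЯ"   # 32 letters, Ё is not used
LATIN = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def caesar(text: str, shift: int, alphabet: str = RUSSIAN) -> str:
    """Shift every letter of `alphabet` by `shift` positions (positive = right)."""
    out = []
    for ch in text:
        upper = ch.upper()
        if upper == "Ё" and "Е" in alphabet:
            upper = "Е"                      # Ё is folded into Е before encryption
        idx = alphabet.find(upper)
        if idx == -1:
            out.append(ch)                   # digits, spaces, punctuation pass through
            continue
        shifted = alphabet[(idx + shift) % len(alphabet)]   # wraps around at the end
        out.append(shifted if ch.isupper() else shifted.lower())
    return "".join(out)


def decrypt(text: str, shift: int, alphabet: str = RUSSIAN) -> str:
    """Decryption is the same shift in the opposite direction."""
    return caesar(text, -shift, alphabet)


def all_shifts(ciphertext: str, alphabet: str = RUSSIAN) -> dict:
    """Every possible decryption: the whole key space is len(alphabet) - 1 shifts,
    which is why a shift cipher protects nothing and is used only for teaching."""
    return {s: decrypt(ciphertext, s, alphabet) for s in range(1, len(alphabet))}


if __name__ == "__main__":
    secret = caesar("Привет, мир!", 3)       # constructed sample text
    print(secret, "->", decrypt(secret, 3))
```

    Because Ё is folded into Е before shifting, decryption returns Е where the plaintext had Ё.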

    The number of people who actively use the Internet is growing by leaps and bounds: at work for corporate purposes and administration, at home, in public places. Wi-Fi networks and equipment that allow unhindered access to the Internet are becoming widespread.

    A Wi-Fi network is protected by a password; without knowing it, connecting to a specific network is practically impossible, except for public networks (cafes, restaurants, shopping centers, access points on the streets). “Practically” should not be taken literally: there are enough skilled people who can “open” the network and gain access not only to the router’s resources, but also to the data transmitted within a particular network.

    In this introductory note we have been talking about connecting to Wi-Fi, that is, about authentication of the user (client), when the client device and the access point discover each other and confirm that they can communicate with each other.

    Authentication Options:

    • Open: an open network in which all connected devices are authorized immediately
    • Shared: the authenticity of the connected device must be verified with a key/password
    • EAP: the authenticity of the connected device must be verified using the EAP protocol by an external server

    Encryption is an algorithm for scrambling (scramble: encrypt, mix) the transmitted data, and for changing and generating an encryption key.

    Various types of encryption have been developed for Wi-Fi equipment, making it possible to protect the network from hacking and data from public access.

    Today, there are several encryption options. Let's look at each of them in more detail.

    The following types are distinguished and are the most common:

    • OPEN;
    • WEP;
    • WPA, WPA2;
    • WPS.

    The first type, called OPEN, says everything you need to know in its name. This mode does not encrypt data or protect network equipment, because an access point set to this type is constantly open and accessible to all devices that detect it. The disadvantages and vulnerabilities of this type of “encryption” are obvious.

    Just because a network is open doesn't mean anyone can use it. To use such a network and transmit data on it, the encryption method used must match. One more condition for using such a network is the absence of a MAC filter, which checks users' MAC addresses to determine which devices are prohibited or allowed to use the network.

    WEP

    The second type, also known as WEP, dates back to the 90s of the last century and is the ancestor of all subsequent types of encryption. WEP encryption today is the weakest of all existing security options. Most modern routers, created by specialists and taking into account the interests of user privacy, do not support WEP encryption.

    Among its disadvantages, although it offers at least some protection (compared with OPEN), unreliability stands out: the protection is short-lived and is activated at certain time intervals. After this period, the password to your network can be easily guessed, and the WEP key will be hacked in up to 1 minute. This is due to the WEP key length, which varies from 40 to 100 bits depending on the characteristics of the network equipment.

    The vulnerability of the WEP key lies in the fact that parts of the password are transmitted together with data packets. Packet interception is an easy task for a specialist, whether hacker or cracker. It is also important to understand that modern software is capable of intercepting data packets and is created specifically for this.

    Thus, WEP encryption is the most unreliable way to protect your network and network equipment.

    WPA, WPA2

    These varieties are the most modern and, from the point of view of organizing protection, the most advanced at the moment. There are no analogues to them. The ability to set a WPA key of any convenient length and alphanumeric combination makes life quite difficult for those who want to use a specific network without authorization or intercept data from it.

    These standards support various encryption algorithms that can be transmitted after the interaction of the TKIP and AES protocols. The AES encryption type is a more advanced protocol than TKIP, and is supported and actively used by most modern routers.

    WPA or WPA2 encryption is the preferred type for both home and corporate use. The latter makes it possible to use two authentication modes: depending on the specified settings, the passwords that give particular users access to the general network are checked in PSK or Enterprise mode.

    PSK provides access to network equipment and Internet resources using a single password, which must be entered when connecting to the router. This is the preferred option for a home network, the connection of which is carried out within small areas by certain devices, for example: mobile, personal computer and laptop.

    For companies with large staffs, PSK is not a convenient authentication mode, which is why a second mode was developed - Enterprise. Its use makes it possible to use multiple keys, which will be stored on a special dedicated server.

    WPS

    WPS is a truly modern technology that makes it possible to connect to a wireless network with one click of a button. There is no need to think about passwords or keys, but a number of serious disadvantages regarding access to WPS networks are worth highlighting and considering.

    Connection using this technology relies on a key of 8 characters. The vulnerability is as follows: a serious flaw allows crackers or hackers to gain access to the network if they obtain at least 4 digits of the eight-digit combination. The number of guessing attempts needed is several thousand, which is a trivial number for modern software. Measured in time, brute-forcing WPS takes no more than a day.

    It is worth noting that this vulnerability is being addressed and can be corrected: later equipment models with WPS mode began to limit the number of login attempts, which significantly complicated unauthorized access.

    Nevertheless, in order to increase the overall level of security, experienced users recommend fundamentally abandoning the technology considered.

    Summing up

    The most modern and truly reliable method for organizing the protection of a network and data transmitted within it is WPA or its analogue WPA2.

    The first option is preferable for home use by a certain number of devices and users.

    The second, which has a two-mode authentication function, is more suitable for large companies. Its use is justified by the fact that when employees leave, there is no need to change passwords and keys, because a certain number of dynamic passwords are stored on a specially dedicated server, to which only current employees of the company have access.

    It should be noted that most advanced users prefer WPA2 even for home use. From the point of view of organizing the protection of equipment and data, this encryption method is the most advanced that exists today.

    As for the increasingly popular WPS, abandoning it means, to a certain extent, protecting network equipment and the data transmitted with its help. Until the technology is sufficiently developed and has all the advantages of, for example, WPA2, it is recommended to refrain from using it, despite its apparent ease of use and convenience. After all, the security of the network and the information transmitted within it is a priority for most users.