8.3 Encryption-based Solutions

A text message in its original unencrypted form is called a plaintext or cleartext message. A message that has its real meaning encoded such that even if it becomes available to an unintended receiver the receiving node could not extract the hidden meaning is called encrypted message. If the encrypted message is in the text format, it is often called ciphertext (Banerjee 2004).
The real challenge here is in carrying out the entire process of encryption and decryption in a secure manner (often over interconnected topologies like networks and internetworks of all types and sizes). Cryptography is the name given to the area of knowledge that deals with the study and practice of such secure encryption processes (Banerjee 2004).
A cryptographic system consists of four essential components (Kizza 2009):

1. Plaintext: the original message to be sent.
2. Cryptographic system (cryptosystem) or a cipher: consisting of mathematical encryption and decryption algorithms.
3. Ciphertext: the result of applying an encryption algorithm to the original message before it is sent to the recipient.
4. Key: a string of bits used by the two mathematical algorithms in encrypting and decrypting processes.

A cipher or a cryptosystem is a pair of invertible functions, one for encrypting or enciphering and the other for decryption or deciphering. The encryption process uses the cryptographic algorithm, known as the encryption algorithm, and a selected key to transform the plaintext data into an encrypted form called ciphertext, usually unintelligible form. The ciphertext can then be transmitted across the communication channels to the intended destination. Modern cryptographic security services are listed in Table 1 (Kizza 2009).

8.3 Encryption-based Solutions

Table 1: Modern cryptographic security services

Security Services	Cryptographic Mechanism to Achieve the Service
Confidentiality	Symmetric encryption
Authentication	Digital signatures and digital certificates
Integrity	Decryption of digital signature with a public key to obtain the message digest. The message is hashed to create a second digest. If the digests are identical, the message is authentic and the signer's identity is proven.
Nonrepudiation	Digital signatures of a hashed message then encrypting the result with the private key of the sender, thus binding the digital signature to the message being sent.
Nonreplay	Encryption, hashing, and digital signature

a. Symmetric Encryption
Symmetric encryption or secret key encryption, as it is usually called, uses a common key and the same cryptographic algorithm to scramble and unscramble the message as shown in Figure 1. The transmitted final ciphertext stream is usually a chained combination of blocks of the plaintext, the secret key, and the ciphertext. (Kizza 2009).

8.3 Encryption-based Solutions

Figure 1: Symmetric Encryption
The most widely used symmetric encryption method is the block ciphers Triple Data Encryption Standard (3DES). Triple DES developed from the original and now cracked DES uses a 64-bit key consisting of 56 effective key bits and 8 parity bits. Triple DES encrypts the data in 8-byte chunks, passing it through 16 different iterations consisting of complex shifting, exclusive ORing, substitution, and expansion of the key along with the 64-bit data blocks.
Although 3DES is complicated and complex, and therefore secure, it suffers from several drawbacks including the length of its key fixed at 56 bits plus 8 bits of parity. The limited key length is making it possible for the ever-increasing speed of newer computers to render it useless as it possible to compute all possible combinations in the range 0 ~ 256 - 1.
Because of this, the National Institute of Standards and Technology (NIST) has presented the Advanced Encryption Standard (AES), which is expected to replace DES. Several other symmetric encryption algorithms in use today include International Data Encryption Algorithm (IDEA), Blowfish, Rivest Cipher 4 (RC4), RC5, and CAST-128 (Kizza 2009).

8.3 Encryption-based Solutions

Problems with Symmetric Encryption (Kizza 2009):

The integrity of data can be compromised because the receiver cannot verify that the message has not been

altered before receipt.

It is possible for the sender to repudiate the message because there are no mechanisms for the receiver to

make sure that the message has been sent by the claimed sender.

The method does not give a way to ensure secrecy even if the encryption process is compromised.

The secret key may not be changed frequently enough to ensure confidentiality.

b. Public Key Encryption
The public key encryption (PKE) scheme was developed to solve most of symmetric encryption problems described in previous subsection by guaranteeing secure communication without the need for a secret key.
Public key encryption, commonly known asymmetric encryption, uses two different keys, a public key known to all and a private key known only to the sender and the receiver. Both the sender and the receiver own a pair of keys, one public and the other a closely guarded private one. As example: to encrypt a message from sender A to receiver B, both A and B must create their own pairs of keys. Then A and B publicize their public keys - anybody can acquire them. When A has to send a message M to B, A uses B's public key to encrypt M. On receipt of M, B then uses his or her private key to decrypt the message M. As long as only B, the recipient, has access to the private key, then A, the sender, is assured that only B, the recipient, can decrypt the message. This ensures data confidentiality.

8.3 Encryption-based Solutions

Data integrity is also ensured because for data to be modified by an attacker, it requires the attacker to have B's, the recipient's, private key (Kizza 2009). Various algorithms exist for public key encryption including RSA, DSA, and PGP.
RSA stands for Ron Rivest, Adi Shamir and Leonard Adleman, who first publicly described it in 1978. DSA stands for Digital Signature Algorithm. The security of the RSA algorithm is based on factorization of large integers, whereas DSA security is based on the discrete logarithm problem.
PGP stands for Pretty Good Privacy. PGP is regarded as hard encryption, that which is impossible to crack in the foreseeable future. Its strength is based on algorithms that have survived extensive public review and are already considered by many to be secure. Among these algorithms are RSA which PGP uses for encryption, DSS, and Diffie-Hellman for public key encryption; CAST-128, IDEA, and 3DES for conventional encryption; and SHA-1 for hashing. The actual operation of PGP is based on five services: authentication, confidentiality, compression, e-mail compatibility, and segmentation (Kizza 2009).

Problems with Public Key Encryption (Kizza 2009):

The biggest problem for public key cryptographic scheme is speed. Public key algorithms are extremely slow

compared to symmetric algorithms. This is because public key calculations take longer than symmetric key calculations since they involve the use of exponentiation of very large numbers which in turn take longer to compute.

It suffers from the man-in-the-middle attack. The man-in-the-middle where an attacker sniffs packets off a

communication channel, modifies them, and inserts them back on to the channel. In case of an encryption channel attack, the intruder convinces one of the correspondents that the intruder is the legitimate...

8.3 Encryption-based Solutions

...communication partner.

c. Hash Function
Another way to provide data integrity and authenticity is to use hash functions. A hash function is a mathematical function that takes an input message M of a given length and creates a unique fixed length output code. The code, usually a 128-bit or 160-bit stream, is commonly referred to as a hash or a message digest. A one-way hash function, a variant of the hash function, is used to create a signature or fingerprint of the message - just like a human fingerprint. On input of a message, the hash function compresses the bits of a message to a fixed-size hash value in a way that distributes the possible messages evenly among the possible hash values. Using the same hash function on the same message always results in the same message digest. Different messages always hash to different message digests.
In ensuring data integrity and authenticity, both the sender and the recipient perform the same hash computation using the same hash function on the message before the message is sent and after it has been received. If the two computations of the same hash function on the same message produce the same value, then the message has not been tampered with during transmission (Kizza 2009).
There are various standard hash functions of message digest length including the 160-bit (SHA-1 and MD5) and 128-bit streams (RSA, MD2, and MD4). Message Digest (MD) hash algorithms MD2, MD4, and MD5 are credited to Ron Rivest, while Secure Hash Algorithm (SHA) was developed by the NIST. The most popular of these hash algorithms are SHA and MD5.