Security Precautions
Course Content Specification
Describe how encryption is used to secure transmission of data:
use of public and private keys
digital certificates
digital signatures
Encryption
Encryption is when data is encoded into another form. This means that even if data is intercepted then the data is meaningless until it is deciphered using a key. Some apps such as WhatsApp and Snapchat encrypt their traffic when sending to prevent interception were potentially going to be banned by British political parties in the 2015 election (Wright, 2015).
There are two main methods to encrypt data:
Symmetric Key (Secret Key)
Asymmetric Key (Private/Public key)
Symmetric Encryption
Symmetric Encryption is when a secret key is which can be a number, a shift pattern or random letters which is applied to the plaintext message to turn it into ciphertext. This process is applied in reverse by the recipient in order to convert it back into plaintext. The Caesar cipher is an example of this technique.
Example of a basic Caesar cypher
So "Dad" would become "Axa" using the above cypher. Some more asymmetric encryption methods are:
Data Encryption Standard (DES) which was created in 1977 it used a 56 bit key so has approx. 72,000,000,000,000,000 combinations (256 ).
This was then superseded by Advanced Encryption Standard (AES), this is used by the US Government and offers 128,192 or 256 bit encryption - 2 256 combinations (1.15e+77).
CSS (Content Scramble System) encryption was used as the original Digital Rights Management system on DVD’s in 1996 it used a 40 bit cipher and was compromised in 1999.
Basic Caesar Cypher Example
Asymetric (Private and Public Key Encryption)
Asymmetric Key or public key encryption is when there are two keys. A public key is made freely available to anyone who might want to send you a message. A second, private key is kept secret.
Think of the public key as you do a physical lock with the private key being a physical key that will unlock the lock.
Ransomware (Rogue use of Encryption)
Some malware (christened ransomware) such as CryptoLocker and WannaCry will encrypt the contents of infected machines. It uses RSA encryption and will only decrypt the drive once payment has been made - the key is held on a private server.
WannaCry was an example of this whereby through a lack of Operating System updates for Windows, the backing storage of systems was encrypted using RSA encryption. The screenshot below demonstrates that there had to be a bitcoin payment for decryption of the files. There was a trial method where you could see some of the files ( as proof).
Sample WannaCry program.
Pros and Cons of Encryption
Asymmetric Encryption
Private Key never needs to be distributed.
Can be used to implement digital signatures
Is slower than symetric encryption
required more processing power to encrypt and decrypt
Symmetric Encryption
The key doesnt have to be sent with the message
Usually more straight forward to decypher
key has to be installed with the receiver before transmission
Digital Certificates
As mentioned above Asymmetric encryption relies on being able to get the key to the receiver and also to verify the authenticity of the sender. Digital certificates are a useful tool for this. A digital certificate is the digital version of a passport or driving license. They are issued by a central certification authority. Many digital certificates conform to the X.509 standard.
A digital certificate contains the following information
Public Key
Owners Name
Expiration and Issuer
Digital Signatures
A digital signature is a method of ensuring that a message is authentic (unaltered).
You obtain a message hash (A mathematical summary of the contents of the message).
You can encrypt this message hash (this time with the private key as this has to be private - hence the private key).
This ‘signature’ is attached to a message.
The recipient has to apply the same mathematical hash of the received message so when received the encrypted message hash is then decrypted using the public key. If both of the hashes match then the message is valid and authentic.
How long to crack a Digital Certificate
The youtube video below may help on hashing (although out of the scope of the course).