One fact I found interesting from the reading is that in the 1970s a strong symmetric key was 56 bits and today, NIST recommends symmetric keys need to be at least 112 bits long to be considered strong. In not that much time, the recommend length to be considered strong has doubled. Additionally, it’s mentioned that by 2030, NIST estimates that strong keys will need to be at least 128 bits long.
Good Point Jill!
Interestingly I read a brief article online about other regulatory bodies having dissenting opinions. “While NIST recommends or requires a security level of 128 bits for federal systems, the US Bureau of Industry and Security considers key lengths above 64 bits too strong for uncontrolled export from the US (or a program residing on a server residing in the US)”.
I’d say that the fact that the key length took that long to double is more of a surprise to me. Moore’s Law has computing power doubling every two years. In the 50 years since the 70s, computing power is 25x more while encryption strength only had to double once! It shows how strong good encryption is.
Since AES-128 bit is commonly used encryption algorithm these days, I would like to highlight the details around it here in this forum.
-> AES was launched in response to the weak key length of DES and the processing burden of 3DES.
-> AES is efficient in terms of processing power and RAM requirements
-> AES offers three alternative key lengths: 128 bits, 192 bits, and 256 bits
-> A brute-force code-breaking system would take over 100 trillion years to crack 128-bit AES
What I found interesting was the fact about the key lengths. The session keys of 100 bits are considered strong for symmetric encryption but public keys need to be far longer. For RSA public key encryption, a recommended minimum key length for a strong key is 1,024 bits. For the more efficient ECC cipher, 512-bit keys give equivalent strength. Longer key length requires more processing time during encipherment, and long key length is one of the reasons why public key encryption is so slow and expensive to implement. On the other hand, symmetric encryption can be up to 1000 times faster.
the inherent slowness in asymmetric encryption/decryption is why we still have valuable symmetric key methods at all. When early asymmetric algorithms were invented and solved the key exchange problem, people assumed that symmetric key algorithms would be relegated to niche uses. After all, no key storage and exchange problems solved two of the biggest weak points in an encryption scheme. However, as you said, asymmetric encryption and decryption remain more computationally intense than can be feasibly overcome with faster processors. So today we have hybrid systems like TLS where a certificate provides asymmetric keys to establish a connection and trade a symmetric key, then that symmetric key is used for the majority of the data decryption / decryption.
My thoughtful read on this chapter is the usage of symmetric and asymmetric keys as principles that can be used in conjunction to provide a secure interchange of information rather than opposing ideas. Symmetric encryption uses the same key to encrypt and decrypt data, while asymmetric encryption uses a pair of keys : A public key to encrypt data; and a private key to decrypt information. The problem is that a symmetric key cannot support the transmission of the key between the parties. Instead, the sender would use an asymmetric key to encrypt the symmetric key before communicating it. Asymmetric keys utilize the public key infrastructure (PKI), in which the recipient holds a private key and makes their public key accessible to everybody. Encryption and decryption are accomplished using the public and private keys, respectively. The sender would encrypt the message with the symmetric key using the recipient’s public key before sending the message, which the recipient would then decrypt using their own private key. By using this technique, the key exchange can take place while the receiver’s identity is still verified. By using this strategy, the sender obtains the receiver’s consent and confidentiality.
good point Marylyn also Symmetric encryption uses a single key that needs to be shared among the people who need to receive the message while asymmetric encryption uses a pair of public key and a private key to encrypt and decrypt messages when communicating
one thing i learnt from this reading is although encryption can assist safeguard an organization’s communications and protect its assets, there are other considerations. What ciphers are employed, what system standards they intend to apply, and what cipher suite will be utilized for their applications are all factors that organizations must consider in order to use cryptography to their advantage.
I like your point about what ciphers are used as a consideration for securing information. cryptography itself will not give automatic protection it will be effective if companies have and enforce organizational processes that do not compromise the technical strength of cryptography.
Hi Frank,
I completely agree, Organizations should take into account all facets of cryptography, not simply the encryption itself. The application of standards, the selection of cipher suites, and the choice of ciphers all have a significant impact on how well cryptography protects the resources and communications of an organization. Organizations can optimize the advantages of cryptography and guarantee the security of their data by properly comprehending and employing these factors.
The steps involved in selecting and implementing cryptographic algorithms and protocols are:
• Security Requirements Assessment: Determine the specific security needs and the level of protection required.
• Algorithm Selection: Based on the security requirements, choose an appropriate cryptographic algorithm, such as symmetric, asymmetric, or hash functions.
• Algorithm Verification: Evaluate the security and implementation details of the algorithm, including its key length and mathematical basis.
• Algorithm Coding: Write code to implement the selected algorithm while ensuring proper key management and adherence to industry standards.
• Implementation Testing: Thoroughly test the implementation to detect any potential security vulnerabilities or weaknesses.
• Solution Deployment: Deploy the cryptographic solution in a secure environment and monitor it for security incidents.
It’s important to note that cryptographic algorithms and protocols may become less secure over time, so regular security evaluations and updates are necessary to maintain the system’s security.
Hi Sunam,
Thank you for your summary. Organizations need to first identify the appropriate cryptographic algorithm, as AEC has 128-bit, 192-bit, and 256-bit keys, but the most secure AEC-256 does not suitable for organizations. It is usually used by the military or the government. ACE-128 is sufficient to meet the security needs of most organizations.
I agree with you that the steps that you have mentioned are pertinent to selecting and implementing cryptographic algorithms. I think one of the most important steps is implementation testing. This is because if you don’t test the environment, sometimes it might lead to vulnerabilities that could have been prevented.
An interesting concept in this section is Boyle and Panko’s introduction to the difference between transport and tunnel mode operations in IPsec. In tunnel mode, IPsec encrypts and authenticates the entire IP packet. In transport mode, IPsec encrypts and authenticates the payload of the IP packet. IPsec tunnel mode establishes a secure connection, while IPsec transport mode encrypts only the data sent. The tradeoff between IPsec tunnel mode and transport mode is that tunnel mode provides greater security but is less efficient because it requires more processing power to encrypt and decrypt the entire IP packet. The transport mode provides less security but is more efficient because it requires less processing power to encrypt and decrypt the IP packet payload. In addition, they also mentioned the trade-offs between SSL/TLS and IPsec. In contrast, SSL/TLS provides a more efficient solution for securing communications between two endpoints, but IPsec provides higher security.
This week’s reading from the text is about Cryptography. According to the text, “Cryptography is the use of mathematical operations to protect messages traveling between parties or stored on a computer.” What I found interesting about this reading is Encryption for Confidentiality. Confidentiality is one of the three security objectives and in encryption vocabulary it means people who intercept messages cannot read them. Encryption turns the plaintext into a seemingly random stream of bits called the cyphertext and only the receiver will be able to decrypt the ciphertext, turning it back into the original plaintext. Key point to note is that previously plaintext was only referring to text messages, however in today’s world, plaintext can also be referred to sounds, videos, images, or a combination of several data formats.
Good point about how Cryptography helps to make information and communication confidential. However, something interesting from the passage that caught my eye was the fact that poor communication is one of the human issues that affects cryptography hence eavesdroppers can usurp information is it is not properly encrypted.
Great point Shepherd. Its very important for us to keep our focus on CIA triad while understanding different concepts. Adding on, cryptography plays a very major role in ensuring data integrity. Commonly used methods to protect data integrity includes hashing the received data and comparing it with the hash of the original message.
What i found interesting is that the fact using cryptography help to keep information confidential but human issues such as poor communication can defeat the strongest cipher and longest key. If the sender or receiver fails to keep the key secret eavesdropper can learn the key and read the message. In addition to that cryptography will not give automatic protection it will be effective if companies have and enforce organizational processes that do not compromise the technical strength of cryptography.
You raised a great point Abayomi. Where there is poor communication, expect bad things to happen. I think organizations must put more emphasis on this particular skill to limit unnecessary confusion.
This chapter discusses cryptographic concepts. The public key for encryption is a key point that I took away from this chapter. Public key encryption for confidentiality and public key encryption for authentication are the two main encrypt goals. The keys are sent in different ways in these two methods.
The specifics are as follows:
To ensure confidentiality- the sender will encrypt with the receiver’s public key and decrypt with the receiver’s private key.
To ensure authentication- the sender encrypts using the sender’s private key, while the receiver decrypts using the true party’s public key.
It is critical to understand the differences between these two types of public encryption because they serve different purposes. If used incorrectly, it may jeopardize data confidentiality or integrity.
A key point from the reading I found useful was section 3.9 “Cryptographic Systems” Specifically, describing the 3 different types of VPN’s for transmitting data. These were Host-to-Host, Remote Access, and Site-to-Site. Host-to-Host is a single client to a single server. Remote Access is a single PC to a single network. Lastly Site-to-Site allows for a sites traffic to be sent to a separate site. Understanding how data can be securely communicated over the internet is just as important as understanding the various forms of how data is encrypted/decrypted.
Site-to-site is the secure transfer of data between two separate networks connected by the Internet. It provides a secure connection over the Internet and allows remote workers to access resources and data stored on the other network. This type of VPN is often used by businesses with multiple locations to connect networks and share resources (internal management systems or grids), such as servers and applications.
One of the key things I learned from this chapter is about VPNS. the virtual private network is a network that uses an encrypted system to communicate securely on an untrusted network. Because of the size of the Internet, and also because the per-bit transmission cost of Internet transmission is much lower than that of commercial wide area networks, people who working remotely prefer to work through VPNs connected to corporate intranets. VPN provides a relatively secure and reliable channel for users to access Intranet data without data leakage. For international students, VPNS also ensure that students can access the university website smoothly and safely.
Something that was interesting from this chapter are the three handshaking stages which are used when two parities being to communicate via a cryptographic system standard. The three stages are initial negotiation of security parameters, then comes initial authentication, and the last stage is keying. This processes is extremely important in two parties communicating and makes sure that the message is sent while keeping the confidentiality, authentication, and message integrity.
It is very fascinating how this process works. However, it provides much needed protection focusing on security objectives and in this particular process, we can see confidentiality as the most crucial one.
Quantum key distribution provides one-time keys that are as long as the message that is being encrypted. Quantum encryption supersedes cryptanalysis. The brute-force attacks using quantum key cracking test many keys simultaneously which exponentially speeds up the attack. Quantum computing has the potential of changing the rules of cryptography as we know it.
However, quantum key distribution do not provide authentication and are vulnerable to Man-in-the-middle attacks, in which an attacker can agree to individual secret keys being shared with two parties who believe they are communicating with each other. Moreover, quantum key distribution requires extremely expensive hardware.
It was shocking for me to discover that a brute-force code-breaking system that could defeat a 56-bit Data Encryption Standard (DES) in a second would take over 100 trillion years to crack 128-bit Advanced Encryption Standard (AES). My take from this reading is the longer key lengths are sufficiently strong even for material that must be kept secret for many years. It is not surprising that many cryptographic systems now support AES, and the author recommends that AES should dominate encryption for confidentiality soon.
I also found this fascinating. To put it into further context. The Earth is estimated to be 5.5 billion years old. What an incredible amount of time to even fathom. It just goes to show the level of processing power needed to make AES as dated as DES.
Cryptography is a method of using mathematical operations to protect messages in transit or storage. Public key encryption is a type of encryption that uses two keys, one to encrypt and one to decrypt, and is more complex and slower than symmetric key encryption. The RSA public key encryption requires a minimum of 1,024-bit keys, while ECC cipher uses 512-bit keys for strong encryption. Due to its long key length and processing time, public key encryption is slow and expensive to implement and is only used to encrypt short messages for confidentiality.
I find discussions and applications of cryptography fascinating. The uses of strong crypto beyond the obvious message transport are varied and impressive. One of the most interesting to me is shared password managers. They use layers of encrypted containers to store passwords to the point where the password manager providers cannot decrypt your vault without your key and if an attacker was to steal your vault, they would have to break the encryption on every single entry individually because no two are encrypted the same. But somehow, through the magic of asymmetric encryption, I can have an enterprise password manager with 1000s of users where I can share an entry with a single person, everyone, or any sub-set in between and it allows them to access it but no one outside the approved list. You can add and remove people seamlessly and the access controls keep the unapproved out and the approved keep access. It is amazingly complex on the backend, but seamless for the user.
One fact I found interesting from the reading is that in the 1970s a strong symmetric key was 56 bits and today, NIST recommends symmetric keys need to be at least 112 bits long to be considered strong. In not that much time, the recommend length to be considered strong has doubled. Additionally, it’s mentioned that by 2030, NIST estimates that strong keys will need to be at least 128 bits long.
Good Point Jill!
Interestingly I read a brief article online about other regulatory bodies having dissenting opinions. “While NIST recommends or requires a security level of 128 bits for federal systems, the US Bureau of Industry and Security considers key lengths above 64 bits too strong for uncontrolled export from the US (or a program residing on a server residing in the US)”.
I’d say that the fact that the key length took that long to double is more of a surprise to me. Moore’s Law has computing power doubling every two years. In the 50 years since the 70s, computing power is 25x more while encryption strength only had to double once! It shows how strong good encryption is.
Since AES-128 bit is commonly used encryption algorithm these days, I would like to highlight the details around it here in this forum.
-> AES was launched in response to the weak key length of DES and the processing burden of 3DES.
-> AES is efficient in terms of processing power and RAM requirements
-> AES offers three alternative key lengths: 128 bits, 192 bits, and 256 bits
-> A brute-force code-breaking system would take over 100 trillion years to crack 128-bit AES
What I found interesting was the fact about the key lengths. The session keys of 100 bits are considered strong for symmetric encryption but public keys need to be far longer. For RSA public key encryption, a recommended minimum key length for a strong key is 1,024 bits. For the more efficient ECC cipher, 512-bit keys give equivalent strength. Longer key length requires more processing time during encipherment, and long key length is one of the reasons why public key encryption is so slow and expensive to implement. On the other hand, symmetric encryption can be up to 1000 times faster.
the inherent slowness in asymmetric encryption/decryption is why we still have valuable symmetric key methods at all. When early asymmetric algorithms were invented and solved the key exchange problem, people assumed that symmetric key algorithms would be relegated to niche uses. After all, no key storage and exchange problems solved two of the biggest weak points in an encryption scheme. However, as you said, asymmetric encryption and decryption remain more computationally intense than can be feasibly overcome with faster processors. So today we have hybrid systems like TLS where a certificate provides asymmetric keys to establish a connection and trade a symmetric key, then that symmetric key is used for the majority of the data decryption / decryption.
My thoughtful read on this chapter is the usage of symmetric and asymmetric keys as principles that can be used in conjunction to provide a secure interchange of information rather than opposing ideas. Symmetric encryption uses the same key to encrypt and decrypt data, while asymmetric encryption uses a pair of keys : A public key to encrypt data; and a private key to decrypt information. The problem is that a symmetric key cannot support the transmission of the key between the parties. Instead, the sender would use an asymmetric key to encrypt the symmetric key before communicating it. Asymmetric keys utilize the public key infrastructure (PKI), in which the recipient holds a private key and makes their public key accessible to everybody. Encryption and decryption are accomplished using the public and private keys, respectively. The sender would encrypt the message with the symmetric key using the recipient’s public key before sending the message, which the recipient would then decrypt using their own private key. By using this technique, the key exchange can take place while the receiver’s identity is still verified. By using this strategy, the sender obtains the receiver’s consent and confidentiality.
good point Marylyn also Symmetric encryption uses a single key that needs to be shared among the people who need to receive the message while asymmetric encryption uses a pair of public key and a private key to encrypt and decrypt messages when communicating
one thing i learnt from this reading is although encryption can assist safeguard an organization’s communications and protect its assets, there are other considerations. What ciphers are employed, what system standards they intend to apply, and what cipher suite will be utilized for their applications are all factors that organizations must consider in order to use cryptography to their advantage.
Hi Frank,
I like your point about what ciphers are used as a consideration for securing information. cryptography itself will not give automatic protection it will be effective if companies have and enforce organizational processes that do not compromise the technical strength of cryptography.
Hi Frank,
I completely agree, Organizations should take into account all facets of cryptography, not simply the encryption itself. The application of standards, the selection of cipher suites, and the choice of ciphers all have a significant impact on how well cryptography protects the resources and communications of an organization. Organizations can optimize the advantages of cryptography and guarantee the security of their data by properly comprehending and employing these factors.
The steps involved in selecting and implementing cryptographic algorithms and protocols are:
• Security Requirements Assessment: Determine the specific security needs and the level of protection required.
• Algorithm Selection: Based on the security requirements, choose an appropriate cryptographic algorithm, such as symmetric, asymmetric, or hash functions.
• Algorithm Verification: Evaluate the security and implementation details of the algorithm, including its key length and mathematical basis.
• Algorithm Coding: Write code to implement the selected algorithm while ensuring proper key management and adherence to industry standards.
• Implementation Testing: Thoroughly test the implementation to detect any potential security vulnerabilities or weaknesses.
• Solution Deployment: Deploy the cryptographic solution in a secure environment and monitor it for security incidents.
It’s important to note that cryptographic algorithms and protocols may become less secure over time, so regular security evaluations and updates are necessary to maintain the system’s security.
Hi Sunam,
Thank you for your summary. Organizations need to first identify the appropriate cryptographic algorithm, as AEC has 128-bit, 192-bit, and 256-bit keys, but the most secure AEC-256 does not suitable for organizations. It is usually used by the military or the government. ACE-128 is sufficient to meet the security needs of most organizations.
Hi Sunam,
I agree with you that the steps that you have mentioned are pertinent to selecting and implementing cryptographic algorithms. I think one of the most important steps is implementation testing. This is because if you don’t test the environment, sometimes it might lead to vulnerabilities that could have been prevented.
An interesting concept in this section is Boyle and Panko’s introduction to the difference between transport and tunnel mode operations in IPsec. In tunnel mode, IPsec encrypts and authenticates the entire IP packet. In transport mode, IPsec encrypts and authenticates the payload of the IP packet. IPsec tunnel mode establishes a secure connection, while IPsec transport mode encrypts only the data sent. The tradeoff between IPsec tunnel mode and transport mode is that tunnel mode provides greater security but is less efficient because it requires more processing power to encrypt and decrypt the entire IP packet. The transport mode provides less security but is more efficient because it requires less processing power to encrypt and decrypt the IP packet payload. In addition, they also mentioned the trade-offs between SSL/TLS and IPsec. In contrast, SSL/TLS provides a more efficient solution for securing communications between two endpoints, but IPsec provides higher security.
This week’s reading from the text is about Cryptography. According to the text, “Cryptography is the use of mathematical operations to protect messages traveling between parties or stored on a computer.” What I found interesting about this reading is Encryption for Confidentiality. Confidentiality is one of the three security objectives and in encryption vocabulary it means people who intercept messages cannot read them. Encryption turns the plaintext into a seemingly random stream of bits called the cyphertext and only the receiver will be able to decrypt the ciphertext, turning it back into the original plaintext. Key point to note is that previously plaintext was only referring to text messages, however in today’s world, plaintext can also be referred to sounds, videos, images, or a combination of several data formats.
Hi Shepherd,
Good point about how Cryptography helps to make information and communication confidential. However, something interesting from the passage that caught my eye was the fact that poor communication is one of the human issues that affects cryptography hence eavesdroppers can usurp information is it is not properly encrypted.
Great point Shepherd. Its very important for us to keep our focus on CIA triad while understanding different concepts. Adding on, cryptography plays a very major role in ensuring data integrity. Commonly used methods to protect data integrity includes hashing the received data and comparing it with the hash of the original message.
What i found interesting is that the fact using cryptography help to keep information confidential but human issues such as poor communication can defeat the strongest cipher and longest key. If the sender or receiver fails to keep the key secret eavesdropper can learn the key and read the message. In addition to that cryptography will not give automatic protection it will be effective if companies have and enforce organizational processes that do not compromise the technical strength of cryptography.
Hi Abayomi,
You raised a great point Abayomi. Where there is poor communication, expect bad things to happen. I think organizations must put more emphasis on this particular skill to limit unnecessary confusion.
This chapter discusses cryptographic concepts. The public key for encryption is a key point that I took away from this chapter. Public key encryption for confidentiality and public key encryption for authentication are the two main encrypt goals. The keys are sent in different ways in these two methods.
The specifics are as follows:
To ensure confidentiality- the sender will encrypt with the receiver’s public key and decrypt with the receiver’s private key.
To ensure authentication- the sender encrypts using the sender’s private key, while the receiver decrypts using the true party’s public key.
It is critical to understand the differences between these two types of public encryption because they serve different purposes. If used incorrectly, it may jeopardize data confidentiality or integrity.
A key point from the reading I found useful was section 3.9 “Cryptographic Systems” Specifically, describing the 3 different types of VPN’s for transmitting data. These were Host-to-Host, Remote Access, and Site-to-Site. Host-to-Host is a single client to a single server. Remote Access is a single PC to a single network. Lastly Site-to-Site allows for a sites traffic to be sent to a separate site. Understanding how data can be securely communicated over the internet is just as important as understanding the various forms of how data is encrypted/decrypted.
Hi Nick,
Site-to-site is the secure transfer of data between two separate networks connected by the Internet. It provides a secure connection over the Internet and allows remote workers to access resources and data stored on the other network. This type of VPN is often used by businesses with multiple locations to connect networks and share resources (internal management systems or grids), such as servers and applications.
One of the key things I learned from this chapter is about VPNS. the virtual private network is a network that uses an encrypted system to communicate securely on an untrusted network. Because of the size of the Internet, and also because the per-bit transmission cost of Internet transmission is much lower than that of commercial wide area networks, people who working remotely prefer to work through VPNs connected to corporate intranets. VPN provides a relatively secure and reliable channel for users to access Intranet data without data leakage. For international students, VPNS also ensure that students can access the university website smoothly and safely.
Something that was interesting from this chapter are the three handshaking stages which are used when two parities being to communicate via a cryptographic system standard. The three stages are initial negotiation of security parameters, then comes initial authentication, and the last stage is keying. This processes is extremely important in two parties communicating and makes sure that the message is sent while keeping the confidentiality, authentication, and message integrity.
Hello Asha,
It is very fascinating how this process works. However, it provides much needed protection focusing on security objectives and in this particular process, we can see confidentiality as the most crucial one.
Quantum key distribution provides one-time keys that are as long as the message that is being encrypted. Quantum encryption supersedes cryptanalysis. The brute-force attacks using quantum key cracking test many keys simultaneously which exponentially speeds up the attack. Quantum computing has the potential of changing the rules of cryptography as we know it.
However, quantum key distribution do not provide authentication and are vulnerable to Man-in-the-middle attacks, in which an attacker can agree to individual secret keys being shared with two parties who believe they are communicating with each other. Moreover, quantum key distribution requires extremely expensive hardware.
It was shocking for me to discover that a brute-force code-breaking system that could defeat a 56-bit Data Encryption Standard (DES) in a second would take over 100 trillion years to crack 128-bit Advanced Encryption Standard (AES). My take from this reading is the longer key lengths are sufficiently strong even for material that must be kept secret for many years. It is not surprising that many cryptographic systems now support AES, and the author recommends that AES should dominate encryption for confidentiality soon.
Hi Shadrack,
I also found this fascinating. To put it into further context. The Earth is estimated to be 5.5 billion years old. What an incredible amount of time to even fathom. It just goes to show the level of processing power needed to make AES as dated as DES.
Cryptography is a method of using mathematical operations to protect messages in transit or storage. Public key encryption is a type of encryption that uses two keys, one to encrypt and one to decrypt, and is more complex and slower than symmetric key encryption. The RSA public key encryption requires a minimum of 1,024-bit keys, while ECC cipher uses 512-bit keys for strong encryption. Due to its long key length and processing time, public key encryption is slow and expensive to implement and is only used to encrypt short messages for confidentiality.
I find discussions and applications of cryptography fascinating. The uses of strong crypto beyond the obvious message transport are varied and impressive. One of the most interesting to me is shared password managers. They use layers of encrypted containers to store passwords to the point where the password manager providers cannot decrypt your vault without your key and if an attacker was to steal your vault, they would have to break the encryption on every single entry individually because no two are encrypted the same. But somehow, through the magic of asymmetric encryption, I can have an enterprise password manager with 1000s of users where I can share an entry with a single person, everyone, or any sub-set in between and it allows them to access it but no one outside the approved list. You can add and remove people seamlessly and the access controls keep the unapproved out and the approved keep access. It is amazingly complex on the backend, but seamless for the user.