Cryptographic algorithms are used to digitally encode messages and data, thus providing four security services that are foundational to network communications and e-commerce transactions: confidentiality, so that the content of a message can be viewed only by authorized parties; integrity, so the content can’t be altered by unauthorized parties without detection; nonrepudiation, ensuring that the originator of an action cannot later deny being the one who performed it; and authentication, or the process of verifying the identity of a person or system.
I found a WSJ article which explains in 5 steps to prepare Security for the Quantum Era:
1. Build awareness of quantum’s security risks
2. Take a fresh approach to cryptographic governance.
3. Assess the enterprise’s readiness to become crypto-agile.
4. Engage with the quantum security ecosystem
5. Practice good cyber hygiene
In the US there are laws that restrict the export of cryptography systems or applications used for military and/or homeland security purposes. Disclosures may need to be issued should such an export take place.
In addition, there are certain requirements for telecommunication providers to allow for governments to intercept communications when a warrant is obtained. The providers are not required to decrypt or ensure that the government agency can decrypt these communications.
Sometimes when I enter the website there is a message that the website is not secure. After I read this chapter I guess it’s a browser SSL/TLS issue, but how does this happen?
If you are receiving a “website is not secure or Not Secure warning message, it means incapable of providing a secure connection, you do not have a secure connection and it is missing an updating SSL certificate. You should update the new SSL version and verify certificate Authority. Please visit the Digicert website which provides the public key information and validation required for issuing digital certs or TLS/SSL. https://www.digicert.com/blog/not-secure-warning-what-to-do#:~:text=The%20reason%20you%20are%20seeing,)%20or%20HTTPS%20(secure
Often times this message is due to the certificate of the website not being from a trusted source. When using a web browser, the browser has a list of trusted certificate authorities that can hand out SSL/TLS certificates. If you visit a website and it has a certificate from one of these trusted sources then you proceed without issue and you will see the green lock in your address bar indicating that you have a secure connection. If the certificate comes from a authority outside of what the browser knows, then you will receive the error that the website is not secure. However, this does not always mean that the website is malicious. For example, most network devices like firewalls or routers will have “self-signed” certificates. This just means that the SSL/TLS certificate is issued from the device itself and not a proper certificate authority. Your web browser will still give you the message that the website is not secure in this case, but it is most likely that the webpage is normal and you browser just does not recognize the source of the certificate.
Because doesn’t have a Symmetric-key longer than 250 bits. The Advanced Encryption Standard (AES) keys are symmetric keys that can be three different key lengths (128, 192, or 256 bits). AES is the encryption standard that is recognized and recommended by the US government.
The 256-bit keys are the longest allowed by AES.
128-bit level of encryption has 2128 likely key combinations.
256 but AES encryption has 2256 likely key combinations a number 78 digit long. I hope you will understand the Symmetric keys concept.
Per Boyle and Panko’s Chapter 3 on Cryptography, symmetric key encryption involves encryption and decryption of the original text between two parties by using a single key, which is shared only among the parties involved. It offers a high level of security and confidentiality to the data. It is also very fast and involves very minimum processing capacity and system resources. The reasoning for why systems do not use longer symmetric keys is because it would take way more processing power and RAM to operate.
Hi Jason,
In general, I think there is a consensus that transposition cipher is more secure than substitution ciphers because it rearranges the position of the plain text’s characters whereas the substitution technique just replaces the character. However, while transposition ciphers are more difficult to decipher, they are not considered practical unless an algorithm for deciphering the encryption is given to both parties in advance. On the contrary, shorter messages are more easily deciphered if transposition is used simply because there are less possible combinations of the letters. At the end of the day, the best method for secure encryption is by combining both ciphers to create a powerful algorithm.
According to NIST, a key must be at least 112 bits to be considered “strong” today, but they estimate that it be up to 128 bits by 2030, and I’m sure the rate at which this number increases will only continue to grow.
There are two different types of symmetric algorithms: (1) block ciphers, (2)stream ciphers. The minimum cryptographic key is a minimum of 112 bits long to be secure today. Unfortunately, as also Alexander mentioned in his comment the requirement of minimum bits will be just keep increasing. There is also an interesting article on 128-bit processes expectation by 2030: https://believeinjha.medium.com/can-we-expect-a-128-bit-processor-before-2030-c04d6336cfd5
Great question. DES and RC4 have been considered obsolete and NIST plans to disallow 3DES after 2023. Therefore, I believe AES is the only true current option unless working with legacy systems stops you from being able to implement it.
I strongly disagree that AES-128 will become outdated anytime soon, because the same AES-128 is used in TLS/SSL encryption with 256-bit keys to ensure security.
Even using AES-128 is huge for computation power of 2 128 would take almost 34 million years with full bitcoin mining power. This isn’t a malfunctioning system. If quantum computers ever reach scale, it’s unclear how long they’ll take to perform 264 quantum calculations for AES-128 (but ECC-256 would be in bigger trouble).
Hi Michael,
From what I remember last semester about cryptography and with some additional research, the word comes from the Greek meaning “secret writing”. The concept of transmitting information in a secure manner dates back to at least 1900 B.C. when the Egyptians used hieroglyphics in an effort to hide the meaning of messages. In Greece, they wrapped a tape around a stick, and then wrote the message on the wound tape; this sounds like the ancient example of transposition – scytale. This brief history has led up to the advanced and sophisticated methods used for modern digital encryption.
A cryptographic salt is made up of random bits added to each password instance before its hashing. Salts create unique passwords even in the instance of two users choosing the same passwords. Salts help us mitigate hash table attacks by forcing attackers to re-compute them using the salts for each user.
To ensure high-level protection, you must use hashing and salting of passwords. Adding salt to the password can eliminate the strongest password attacks.
The additional random strings of characters can be applied to strengthen passwords, making the task unique and different. The uniqueness that salts increase definably affects the efficiency of hashing positively.
Is there any way to completely future proof against advances in computing power? Will we ever establish an encryption standard that is 100% uncrackable?
I think that the only way to future-proof encryption against advances in computing power is to continuously advance encryption. Cybersecurity and encryption have always been a “cat and mouse game” and I believe they will continue on that way.
Ornella ,
Both substitution cipher technique and transposition cipher technique are the types of early traditional cipher which are used to scramble or convert the plain text into cipher text and plain text characters are substituted with other letters, numerals, and the identity of the character is modified while its position stays unchanged. But what I like about transposition cipher technique is the rearrangement technique of the position of the plain text characters is changed but character’s identity is not changed.
The two things required are a cipher and a key. The cipher, which can operate differently depending on the method used, is a mathematical process used within the encryption/decryption process. The key is a random string of bits that are attached to the cipher in order to encrypt/decrypt a message.
Hashing is important in regards to Integrity. When a file on a computer is “hashed” there is a string of characters that is created. When other individuals receive the file they can perform the same hashing algorithm that the person at the files origin performed. This string can be checked against the original string to discern if there are any differences. If there are not differences the strings will be identical. If there was even a slight change to the file then the strings will be completely different. This ensures integrity because it puts in place a method to verify that the files have not been altered at all by an unauthorized individual.
Cryptography has three fundamental properties (1) confidentiality, (2) integrity, (3) authenticity, and overall data security methods are related to one or more of CIA objectives. One of the data security methods, hashing, is fingerprinting data as one-way, fixed length. Since the hash value is critical, any modification to data would affect everything, and hashing algorithms are irreversible. Therefore, they built to provide integrity to certify that data has not been modified.
IPSec Transport Mode gives end-to-end encryption while IPSec Tunnel Mode provides security over the internet but not within networks. While IPSec Transport Mode has its advantages, it maintains encryption through the firewall, blocking the firewall from doing part of its job (reviewing the body plaintext to filter and block attacks/data leakage). What can you use to combat this issue? Is Transport Mode necessary in certain situations?
If quantum computing becomes mainstream, then it will break traditional security overnight. Meaning that no encryption can be considered truly secure. However, it is important to note that these devices will be probably extremely expensive and won’t be utilized by traditional hackers. Unless somehow one day they are able to make a consumer-based quantum computer – then cryptography will have to be reimagined.
When quantum computing does become more mainstream I assume that what we know of cryptography currently will essentially become obsolete, as quantum computing is simply so much more complex and effective. With that being said, I don’t see this shift happening for a very long time.
With quantum computing threatening current encryption standards, what should organizations do now and in the future to prepare?
Great Question Matthew,
Cryptographic algorithms are used to digitally encode messages and data, thus providing four security services that are foundational to network communications and e-commerce transactions: confidentiality, so that the content of a message can be viewed only by authorized parties; integrity, so the content can’t be altered by unauthorized parties without detection; nonrepudiation, ensuring that the originator of an action cannot later deny being the one who performed it; and authentication, or the process of verifying the identity of a person or system.
I found a WSJ article which explains in 5 steps to prepare Security for the Quantum Era:
1. Build awareness of quantum’s security risks
2. Take a fresh approach to cryptographic governance.
3. Assess the enterprise’s readiness to become crypto-agile.
4. Engage with the quantum security ecosystem
5. Practice good cyber hygiene
Check it out: https://deloitte.wsj.com/articles/5-steps-to-prepare-security-for-the-quantum-era-01633982792
What are the legal restrictions on cryptography?
In the US there are laws that restrict the export of cryptography systems or applications used for military and/or homeland security purposes. Disclosures may need to be issued should such an export take place.
In addition, there are certain requirements for telecommunication providers to allow for governments to intercept communications when a warrant is obtained. The providers are not required to decrypt or ensure that the government agency can decrypt these communications.
I found the following site to be helpful with detailing encryption laws around the world: https://www.gp-digital.org/world-map-of-encryption/
Sometimes when I enter the website there is a message that the website is not secure. After I read this chapter I guess it’s a browser SSL/TLS issue, but how does this happen?
If you are receiving a “website is not secure or Not Secure warning message, it means incapable of providing a secure connection, you do not have a secure connection and it is missing an updating SSL certificate. You should update the new SSL version and verify certificate Authority. Please visit the Digicert website which provides the public key information and validation required for issuing digital certs or TLS/SSL.
https://www.digicert.com/blog/not-secure-warning-what-to-do#:~:text=The%20reason%20you%20are%20seeing,)%20or%20HTTPS%20(secure
https://support.securly.com/hc/en-us/articles/360026808753-How-do-I-manually-install-the-Securly-SSL-certificate-on-Windows
Often times this message is due to the certificate of the website not being from a trusted source. When using a web browser, the browser has a list of trusted certificate authorities that can hand out SSL/TLS certificates. If you visit a website and it has a certificate from one of these trusted sources then you proceed without issue and you will see the green lock in your address bar indicating that you have a secure connection. If the certificate comes from a authority outside of what the browser knows, then you will receive the error that the website is not secure. However, this does not always mean that the website is malicious. For example, most network devices like firewalls or routers will have “self-signed” certificates. This just means that the SSL/TLS certificate is issued from the device itself and not a proper certificate authority. Your web browser will still give you the message that the website is not secure in this case, but it is most likely that the webpage is normal and you browser just does not recognize the source of the certificate.
Why we don’t see symmetric keys longer than 300 bits?
Because doesn’t have a Symmetric-key longer than 250 bits. The Advanced Encryption Standard (AES) keys are symmetric keys that can be three different key lengths (128, 192, or 256 bits). AES is the encryption standard that is recognized and recommended by the US government.
The 256-bit keys are the longest allowed by AES.
128-bit level of encryption has 2128 likely key combinations.
256 but AES encryption has 2256 likely key combinations a number 78 digit long. I hope you will understand the Symmetric keys concept.
Hi Miray,
Per Boyle and Panko’s Chapter 3 on Cryptography, symmetric key encryption involves encryption and decryption of the original text between two parties by using a single key, which is shared only among the parties involved. It offers a high level of security and confidentiality to the data. It is also very fast and involves very minimum processing capacity and system resources. The reasoning for why systems do not use longer symmetric keys is because it would take way more processing power and RAM to operate.
When it comes to transitional and substitution ciphers, has one been proven better/more secure than the other?
Hi Jason,
In general, I think there is a consensus that transposition cipher is more secure than substitution ciphers because it rearranges the position of the plain text’s characters whereas the substitution technique just replaces the character. However, while transposition ciphers are more difficult to decipher, they are not considered practical unless an algorithm for deciphering the encryption is given to both parties in advance. On the contrary, shorter messages are more easily deciphered if transposition is used simply because there are less possible combinations of the letters. At the end of the day, the best method for secure encryption is by combining both ciphers to create a powerful algorithm.
How long must a symmetric encryption key be to be considered strong today?
Shubam,
According to NIST, a key must be at least 112 bits to be considered “strong” today, but they estimate that it be up to 128 bits by 2030, and I’m sure the rate at which this number increases will only continue to grow.
Shubham* typo correction
Hi Shubham,
There are two different types of symmetric algorithms: (1) block ciphers, (2)stream ciphers. The minimum cryptographic key is a minimum of 112 bits long to be secure today. Unfortunately, as also Alexander mentioned in his comment the requirement of minimum bits will be just keep increasing. There is also an interesting article on 128-bit processes expectation by 2030: https://believeinjha.medium.com/can-we-expect-a-128-bit-processor-before-2030-c04d6336cfd5
What pros and cons of RC4, DES, 3DES, and AES?
Hi Hang!
Great question. DES and RC4 have been considered obsolete and NIST plans to disallow 3DES after 2023. Therefore, I believe AES is the only true current option unless working with legacy systems stops you from being able to implement it.
What year will AES-128 be considered obsolete?
I strongly disagree that AES-128 will become outdated anytime soon, because the same AES-128 is used in TLS/SSL encryption with 256-bit keys to ensure security.
Even using AES-128 is huge for computation power of 2 128 would take almost 34 million years with full bitcoin mining power. This isn’t a malfunctioning system. If quantum computers ever reach scale, it’s unclear how long they’ll take to perform 264 quantum calculations for AES-128 (but ECC-256 would be in bigger trouble).
What are the origins of cryptography?
Hi Michael,
From what I remember last semester about cryptography and with some additional research, the word comes from the Greek meaning “secret writing”. The concept of transmitting information in a secure manner dates back to at least 1900 B.C. when the Egyptians used hieroglyphics in an effort to hide the meaning of messages. In Greece, they wrapped a tape around a stick, and then wrote the message on the wound tape; this sounds like the ancient example of transposition – scytale. This brief history has led up to the advanced and sophisticated methods used for modern digital encryption.
To learn more about the origins, I suggest looking into the following source: https://academy.binance.com/en/articles/history-of-cryptography
How does salting work with Cryptography?
Hi Mohammed,
A cryptographic salt is made up of random bits added to each password instance before its hashing. Salts create unique passwords even in the instance of two users choosing the same passwords. Salts help us mitigate hash table attacks by forcing attackers to re-compute them using the salts for each user.
Here is the link, hope that will help you: https://auth0.com/blog/adding-salt-to-hashing-a-better-way-to-store-passwords/
Hi Mohammed,
To ensure high-level protection, you must use hashing and salting of passwords. Adding salt to the password can eliminate the strongest password attacks.
The additional random strings of characters can be applied to strengthen passwords, making the task unique and different. The uniqueness that salts increase definably affects the efficiency of hashing positively.
Is there any way to completely future proof against advances in computing power? Will we ever establish an encryption standard that is 100% uncrackable?
Hi Ryan,
I think that the only way to future-proof encryption against advances in computing power is to continuously advance encryption. Cybersecurity and encryption have always been a “cat and mouse game” and I believe they will continue on that way.
Which ciphertext technique (substitution or transposition) an organization use the most for encryption?
Ornella ,
Both substitution cipher technique and transposition cipher technique are the types of early traditional cipher which are used to scramble or convert the plain text into cipher text and plain text characters are substituted with other letters, numerals, and the identity of the character is modified while its position stays unchanged. But what I like about transposition cipher technique is the rearrangement technique of the position of the plain text characters is changed but character’s identity is not changed.
Encryption and decryption requires two things, what are they?
The two things required are a cipher and a key. The cipher, which can operate differently depending on the method used, is a mathematical process used within the encryption/decryption process. The key is a random string of bits that are attached to the cipher in order to encrypt/decrypt a message.
Hashing is important in regards to which of the following in the CIA triad; Confidentiality, Integrity, or Availability?
Hashing is important in regards to Integrity. When a file on a computer is “hashed” there is a string of characters that is created. When other individuals receive the file they can perform the same hashing algorithm that the person at the files origin performed. This string can be checked against the original string to discern if there are any differences. If there are not differences the strings will be identical. If there was even a slight change to the file then the strings will be completely different. This ensures integrity because it puts in place a method to verify that the files have not been altered at all by an unauthorized individual.
Great point, Ryann. When hashing is used in digital signatures, it helps to achieve non-repudiation as well.
Hi Joshua,
Cryptography has three fundamental properties (1) confidentiality, (2) integrity, (3) authenticity, and overall data security methods are related to one or more of CIA objectives. One of the data security methods, hashing, is fingerprinting data as one-way, fixed length. Since the hash value is critical, any modification to data would affect everything, and hashing algorithms are irreversible. Therefore, they built to provide integrity to certify that data has not been modified.
IPSec Transport Mode gives end-to-end encryption while IPSec Tunnel Mode provides security over the internet but not within networks. While IPSec Transport Mode has its advantages, it maintains encryption through the firewall, blocking the firewall from doing part of its job (reviewing the body plaintext to filter and block attacks/data leakage). What can you use to combat this issue? Is Transport Mode necessary in certain situations?
How do you think the future of quantum key cracking will affect traditional cryptographic methods?
If quantum computing becomes mainstream, then it will break traditional security overnight. Meaning that no encryption can be considered truly secure. However, it is important to note that these devices will be probably extremely expensive and won’t be utilized by traditional hackers. Unless somehow one day they are able to make a consumer-based quantum computer – then cryptography will have to be reimagined.
What are the standards governing SSL/TLS gateways?
Is it necessary for cryptography to advance if quantum computing becomes more mainstream? Or will they keep the same security standards?
Wilmer,
When quantum computing does become more mainstream I assume that what we know of cryptography currently will essentially become obsolete, as quantum computing is simply so much more complex and effective. With that being said, I don’t see this shift happening for a very long time.
Don’t we say that an algorithm is theoretically broken if an attack requires less time then the brute-force?
What do you do if someone finds out your key?