General Cryptography Concepts

We begin this lesson by looking at symmetric key cryptography: when it is used, how it works, and the importance of encryption key management. We then contrast it with asymmetric key cryptography, explaining public/private key encryption and demonstrating how to ensure authenticity and confidentiality. So if you want a complete understanding of how cryptography works or what the asymmetric encryption life cycle is, you don't want to miss this lesson!

Transcript

We start off by looking at symmetric key cryptography. With symmetric key cryptography, only one key is used: the key that is used to encrypt the message is the same key used to decrypt the message. Some books refer to symmetric key encryption as "same key encryption" because only one key is used. If a user encrypts a message, they must share the key with the recipient of the message; otherwise the recipient cannot decrypt the message. Now, key management is a very important issue. How do you share the keys such that they do not fall into the hands of malicious persons? We have to be very careful to share the keys in an "out of band" method, meaning that if you send a message via email, you don't send the key via email as well. You could walk over to the user's desk and provide them the key, or you could send the key via another method of communication. With symmetric key encryption, only one key is involved. We also call this "shared key encryption" because we have to share the key with the recipients of the message.

Another type of encryption is asymmetric key encryption. With asymmetric key encryption, two keys are involved: one is your public key and the other is a private key. These two keys are completely different; however, they are mathematically related. If the public key is used to encrypt the message, only the corresponding private key can decrypt the message.

There are some rules we need to know here. The public key can be advertised to anybody who cares to know; it can be published in a directory or given to anybody who cares to have it. However, the private key should be known only by the individual who owns the account to which the public key belongs. Now, there are certain times we would encrypt messages with the public key and certain times we would encrypt messages with the private key. If we need to ensure confidentiality, we encrypt the message with the public key of the recipient. That way, only the recipient has the corresponding private key, so only the recipient can open that message, and confidentiality is assured. If we need to ensure authenticity, the sender of the message encrypts with their own private key. Anybody receiving it who has access to the sender's public key can decrypt the message. This only proves that the message came from the sender: it guarantees authenticity but does not guarantee confidentiality, because anybody could have the public key. The use of these two keys is what we call asymmetric keys; the keys are completely different but mathematically related.

All right, let us consider this scenario: Dan needs to send Adam a message. To ensure confidentiality, how should Dan encrypt the message? Confidentiality dictates that unauthorized disclosures are not allowed, so we put a control in place; the control here is encryption. We want to ensure that only Adam can decrypt the message. So should we use Dan's public key? If we use Dan's public key, Adam does not have the corresponding private key, so this is not an option. Using Dan's public key to encrypt the message is not an option: Adam does not have the corresponding private key. Should we use Adam's private key? Dan does not know Adam's private key; only Adam knows his private key. This is not an option. Should we use Dan's private key?

If we use Dan's private key, anybody with Dan's public key can decrypt the message, so that does not guarantee confidentiality; it only guarantees authenticity. If we use Dan's private key, anybody in possession of Dan's public key can decrypt the message. Option C only provides authenticity and not confidentiality. To assure confidentiality, we would encrypt the message using Adam's public key, such that only Adam has the corresponding private key and only Adam can decrypt the message. This assures confidentiality, and that would be the proper response to a question like this. Selecting C only guarantees authenticity. You use the sender's private key for authenticity, and if you use the receiver's public key, only the receiver has the corresponding private key to decrypt the message.
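The Dan-to-Adam scenario carried through in working code, as an added example that is not part of the original lesson. It uses Go's standard crypto/rsa package with OAEP for encryption and PSS for signing (mechanisms the lesson does not name; the function names and the message are constructed for the example), and shows both halves of the rule: encrypting with Adam's public key means Dan's own private key cannot open the ciphertext, and signing with Dan's private key is verifiable with Dan's public key but not Adam's.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// NewKeypair returns one participant's RSA key pair: k.PublicKey is the half
// that may be published, k itself is the half that must stay private.
func NewKeypair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// EncryptFor gives confidentiality: encrypt with the RECIPIENT's public key,
// so only the holder of the matching private key can decrypt.
func EncryptFor(recipient *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, msg, nil)
}

// Decrypt succeeds only with the private key that matches the encrypting public key.
func Decrypt(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
}

// Sign gives authenticity: only the SENDER's private key can produce the signature.
func Sign(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	h := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, h[:], nil)
}

// Verify checks with the sender's public key, which anyone may hold: it proves origin only.
func Verify(sender *rsa.PublicKey, msg, sig []byte) bool {
	h := sha256.Sum256(msg)
	return rsa.VerifyPSS(sender, crypto.SHA256, h[:], sig, nil) == nil
}

func main() {
	dan, _ := NewKeypair()
	adam, _ := NewKeypair()
	msg := []byte("constructed sample message") // constructed for the example
	ct, _ := EncryptFor(&adam.PublicKey, msg)   // Dan encrypts for Adam
	_, danErr := Decrypt(dan, ct)               // Dan's own private key does not fit
	pt, adamErr := Decrypt(adam, ct)
	sig, _ := Sign(dan, msg)
	fmt.Printf("Dan reads: %v, Adam reads: %v (%q); Dan's public key verifies: %v, Adam's: %v\n",
		danErr == nil, adamErr == nil, pt, Verify(&dan.PublicKey, msg, sig), Verify(&adam.PublicKey, msg, sig))
}
```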
CISSP CISM CISA CHFI CSXF CEH, Cyber Security Specialist & Trainer