What I learnt at Work: What is Encryption and data signing ?

Malware News
1

What I learnt at Work: What is Encryption and data signing ?

What is Encryption?

Encryption is the method by which information is converted into secret code that hides the information’s true meaning. In technical terms, it is the process of converting human-readable plaintext to incomprehensible text, also known as cipher-text so that only authorised parties can read the data.

Encryption requires the use of a cryptographic key: a set of mathematical values that both the sender and the recipient of an encrypted message agree on. Data encryption works by securing transmitted digital data on the cloud and computer systems. There are two kinds of digital data, transmitted data or in-flight data and stored digital data or data at rest.

Why is data encryption necessary?

Phone calls, emails, online purchases, social media, and general browsing are online activities we can no longer live without. While we’re constantly looking or sharing information online, our data is fundamentally stored somewhere. Most people aren’t sure where that “somewhere” is, but that data should only be available to the service provider brokering your conversation. It could, however, be visible to the telecom companies carrying your Internet packets, and your supposedly private and secure communications could be intercepted. As many cases have proven, user and company data is increasingly being targeted by hackers and cybercriminals resulting in data breaches and targeted attacks. This reason alone should serve as enough warning to those who haven’t considered protecting their communications via encryption.

The main purpose for encrypting the data stored in your computer and devices — even if you have secure passwords — is to ensure your privacy, protect your data, and secure intellectual property. This is also known as endpoint encryption, which basically adds an extra layer of protection for the confidential information residing on your PC and devices.

Encryption works best if it is ubiquitous and automatic. It should be enabled for everything by default, not a feature you only turn on when you’re doing something you consider worth protecting. — “Bruce Schneier

Why we need Encryption ?

Privacy: Encryption ensures that no one can read communications or data at rest except the intended recipient.

Security: Encryption helps prevent data breaches, whether the data is in transit or at rest.

Data integrity: When data is transmitted across the Internet, encryption (along with other integrity protections) ensures that what the recipient receives has not been tampered with on the way.

What are the different types of encryption?

There are two types of encryption :-

  1. Symmetric Key Encryption
  2. Asymmetric Key Encryption (also known as Public key encryption)

Symmetric encryption :

Symmetric encryption is a type of encryption where only one secret symmetric key is used to encrypt the plaintext and decrypt the cipher-text.

  • Data Encryption Standards (DES): DES is a low-level encryption block cipher algorithm that converts plain text in blocks of 64 bits and converts them to cipher-text using keys of 48 bits.
  • Triple DES: Triple DES runs DES encryption three different times by encrypting, decrypting, and then encrypting data again.
  • Advanced Encryption Standard (AES)
  • Two-fish

Asymmetric encryption methods:

Asymmetric encryption, also known as Public-Key Cryptography, encrypts and decrypts the data using two separate cryptographic asymmetric keys. These two keys are known as a “public key” and a “private key”.

  • RSA
  • Public key infrastructure (PKI)

Going more into the details for Asymmetric Encryption:-

In public key cryptography, every public key matches to only one private key. Together, they are used to encrypt and decrypt messages. If you encode a message using a person’s public key, they can only decode it using their matching private key.

Here, the public and private keys are totally independent and cannot be derived from each other. If someone get to know the public key with which the message was encrypted, he cannot guess the private key to decrypt the message from the guessed public key.

As everyone in the network hold a unique public-private key pair, there can be two ways in which we can perform the key exchange :-

  1. Sharing the public key
  2. Sharing the private key

If we share our private key over the network, any third party access to the data will expose the private key and they will easily decrypt the message using the private key.

The solution to this is sharing your public key over the network which anyone can use to encrypt the message they want to send you. Then you can use your private key to decrypt that message. If any third party gets to know the public key during the transit of the message, they wont be able to decrypt the message as it can be done only using the private key. As the private key cannot be derived using the public key, this method ensures the security of the exchanged data.

Public and private keys: an example

Bob wants to send Alice an encrypted email. To do this, Bob takes Alice’s public key and encrypts his message to her. Then, when Alice receives the message, she takes the private key that is known only to her in order to decrypt the message from Bob.

Although attackers might try to compromise the server and read the message, they will be unable to, because they lack the private key to decrypt the message. Only Alice will be able to decrypt the message as she is the only one with the private key. And, when Alice wants to reply, she simply repeats the process, encrypting her message to Bob using Bob’s public key.

But there is loophole in this process. What if Mike gets a hold of Alice’s public key (since it’s public) and pretend that Bob is the person sending a message to Alice. For this, the solution is Digital signature.

Signing of data works to authenticate the sender of the data and ensures the data has not been altered in transit.

For creating a digital signature, the user first creates a one-way hash of the message/document to be signed and this representation of the message in the form of a hash is called message digest. Now, the user uses his private key for encrypting the hash. The encrypted hash and other information like hashing algorithm used is the digital signature.

Steps to create digital signatures

These are the steps one should follow to create digital signatures:

  1. As described above, a message digest needs to be computed first. A message digest is computed by applying a hash function on the message/document to be sent. Popular hashing algorithms used for generating message digest are Secure Hash Algorithm-1 (SHA-1), Secure Hashing Algorithm-2 family (SHA-2, SHA-256) and Message Digest 5 (MD5).
  2. This message digest is encrypted using the private key of the sender for creating a digital signature.
  3. This digital signature is then transmitted with the original message to the receiver.
  4. When the recipient receives the message, they decrypt the digital signature using the public key of the sender.
  5. After decrypting the digital signature, the receiver now retrieves the message digest.
  6. Also, the receiver can easily tally the message digest from the received message.
  7. The message digest tallied by the receiver and the message digest received must be the same for ensuring message authentication, data integrity and non-repudiation.

Generating Digital Signature in Node.js

<a href="https://medium.com/media/8c45e4e34b209cccfa074cf6d9f8c5dc/href">https://medium.com/media/8c45e4e34b209cccfa074cf6d9f8c5dc/href</a>

However, signing alone does not ensure the data has not been intercepted and read.

Confidentiality and integrity are reached when data is encrypted asymmetrically, as only the intended recipient can decrypt the message. Non-repudiation and authenticity occur due to digital signing. Non-repudiation means that using the technique of digital signing, the sender of any information cannot, in the future, say they did not send the data, as the use of their private key confirms that they sent the data.

Sources:-

https://www.ibm.com/in-en/topics/encryption

https://www.encryptionconsulting.com/education-center/encryption-and-signing/

https://www.preveil.com/blog/public-and-private-key/

https://www.cloudflare.com/en-in/learning/ssl/what-is-encryption/

https://resources.infosecinstitute.com/topic/role-of-digital-signatures-in-asymmetric-cryptography/

What I learnt at Work: What is Encryption and data signing ? was originally published in Walmart Global Tech Blog on Medium, where people are continuing the conversation by highlighting and responding to this story.

Article Link: What I learnt at Work: What is Encryption and data signing ? | by Eishta Mittal | Walmart Global Tech Blog | Jul, 2022 | Medium