As the internet, and technology connected, grows, so does the need for security tools. Cryptography, a highly-used tool for security enhancement, is the technique of storing and transmitting data in a unique fashion so only the intended reader, can read it. Cryptography is achieved through the process of encryption and decryption. One can encrypt something, transfer it to the intended receiver, and once it has arrived they can decrypt it to see its contents. Without decrypting, the average person would not be able to understand what a message says or a packets contents.
Two forms of encryption are Asymmetric encryption and Symmetric encryption. “Asymmetric encryption, also known as public-key encryption, utilizes a pair of keys – a public key and a private key” (CipherCloud, 2017). With asymmetric encryption, if the originator is to encrypt data with a public key, only corresponding private key holdercan decrypt the data and read the message. Public key is used for encryption and the private key is used for decryption. With Symmetric encryption, encryption and decryption are both done with the same key. Symmetric keys are most commonly used as session keys for internet communications by security protocols and used to provide bulk encryption for persistent data such as e-mails and document files (Microsoft, 2017). Asymmetric keys are most commonly used by websites with SSL protocols and technologies that use digital signature functions. Both forms of encryption have their strengths and weaknesses, it is up to the intended use that will pick which is the better for the job.
Symmetric-key Encryption (Strengths)
Symmetric-key Encryption (Weaknesses)
- Proven more efficient and can handle high rates of data throughput
- Keys are shorter
- Key ciphers can be composed together
- Resistant to Brute-Force attacks
- Overall harder to crack than Asymmetric-keys
Asymmetric-key Encryption (Strengths)
- Deploying a symmetric-key algorithm is a very strict and needy process (process must be carried out in secure manner with person face-to-face. Further the distance, less secure of process)
- Private keys are easily compromised due to participants having identical keys. More participants = more chances to be compromised
- Cannot provide digital signatures that cannot be repudiated
Asymmetric-key Encryption (Weaknesses)
- More efficient system for key management in large networks
- Better of the two for Digital Signatures – can provide digital signatures that can be repudiated
- Public and Private keys can remain intact for an extended period of the time, many years, without compromising system security
- Key swapping isn’t required, making it a less comprisable form of encryption
- Much slower than Symmetric-key encryption
- More expensive
- More vulnerable to Brute-Force attacks
- Vulnerable to Man-in-the-Middle attacks
Cryptanalysis refers to the study of ciphers, ciphertext, or cryptosystems with a view to finding weaknesses in them that will permit retrieval of the plaintext from the ciphertext, without knowing the key in the algorithm (Rouse, 2005). Essentially, cryptanalysis is just like any other hacking attack. A person finds a vulnerability in something and exploits it. Unfortunately, there is vulnerabilities in just about everything security related. In this case, cryptanalysis looks into the design of the cipher to find characteristics that are clues to narrowing down key possibilities when trying a brute force attack.
To better explain this, it would be best to use an example. For this example, we have a symmetric cipher implementation that uses a key length of 2^128 bits. A brute force attack would discover this information and figure out it needs to attempt all possible combinations up to 2^128. This would take forever. By using cryptanalysis, things just became more possible. This would reveal a technique that would allow the plaintext to be found in 4^20 rounds. This is a huge step in cutting down time and possibilities. The cipher just became much weaker and less computing resources are now required (Rouse, 2005).
Cryptanalysis techniques include:
- Known-Plaintext Analysis (KPA): Attacker decrypt ciphertexts with known partial plaintext.
- Chosen-Plaintext Analysis (CPA): Attacker uses ciphertext that matches arbitrarily selected plaintext via the same algorithm technique.
- Ciphertext-Only Analysis (COA): Attacker uses known ciphertext collections.
- Man-in-the-Middle (MITM) Attack: Attack occurs when two parties use message or key sharing for communication via a channel that appears secure but is actually compromised. Attacker employs this attack for the interception of messages that pass through the communications channel. Hash functions prevent MITM attacks.
- Adaptive Chosen-Plaintext Attack (ACPA): Similar to a CPA, this attack uses chosen plaintext and ciphertext based on data learned from past encryptions. (Techopedia, 2017)
The abbreviation “CPTED” means Crime Prevention Through Environmental Design. CPTED is a disciplined approach at enhancing an environment to mitigate criminal behavior. This is achieved with one of three strategies; Natural Surveillance, Natural Access Control, and Territorial Reinforcement. Natural surveillance takes to approach of creating an environment where people “See and be Seen”. It is a proven fact that a person is less likely to commit a crime if they know they are being watched. With properly set up lighting and surveillance, a secure environment is created where individuals are deterred from committing crimes because they know they have a very high chance of being seen and getting caught.
Natural Access Control, is more of a brute force/secure area design. This method takes the route of using properly placed fences, lighting, landscape, and walkways, to keep people on paths throughout an area and keep them from wondering off. This method is different from the Natural Surveillance approach because it is not designed to keep intruders away, but to simply create less opportunities for crime to take place.
Lastly, there is Territorial Reinforcement. This approach uses the method of area segregation to deter trespassers/intruders. By separating areas and clearly marking where people are allowed and not allowed, this discourages criminal acts due to easily spotting activity out of the norm.
Creating an environment to deter criminal activity is a much better approach than target hardening. Studying people’s activity and learning how to deter their actions is better than just making something harder to get into. When there is a will, there is a way, so remove the will. When trying to make, a car go faster, you cannot simply throw on a turbo and expect the car to still run the same and perform better. The driver will need to also upgrade other areas to work with the turbo to achieve the desired outcome, much like a CPTED. The environment is designed to work together rather than relying on a simple target hardening tool.
CipherCloud. (2017). Symmetric vs. Asymmetric Encryption | CipherCloud. Retrieved from https://www.ciphercloud.com/blog/cloud-information-protection-symmetric-vs-asymmetric-encryption/
Microsoft. (2017). Encryption. Retrieved from https://technet.microsoft.com/en-us/library/cc962028.aspx
Rouse, M. (2005, November). What is cryptanalysis? Retrieved from http://searchsecurity.techtarget.com/definition/cryptanalysis
Techopedia. (2017). What is Cryptanalysis? Retrieved from https://www.techopedia.com/definition/1769/cryptanalysis