Practical implementation of cryptography and security

The practical implementation of cryptography and security involves applying cryptographic techniques and security measures to protect sensitive information, secure communication channels, and mitigate security threats. Here are some key aspects of practical implementation:

Encryption: Implement encryption algorithms and protocols to protect sensitive data at rest and in transit. Use symmetric encryption for bulk data encryption and asymmetric encryption for secure key exchange and digital signatures. Encryption can be applied at the file level, disk level, or network level, depending on the specific security requirements.
Secure Communication: Utilize secure communication protocols, such as SSL/TLS, IPsec, or VPNs, to establish encrypted and authenticated communication channels. Secure communication protocols ensure the confidentiality, integrity, and authenticity of data exchanged between systems or parties.
Public Key Infrastructure (PKI): Deploy a PKI infrastructure to manage digital certificates, public and private key pairs, and certificate authorities. PKI enables secure authentication, digital signatures, and secure key exchange. It is commonly used for secure web browsing, email encryption, and authentication in various systems.
Access Control: Implement access control mechanisms to restrict access to sensitive resources based on user identities, roles, or permissions. This includes user authentication methods, such as passwords, biometrics, or multi-factor authentication (MFA), as well as authorization mechanisms to enforce least privilege and segregation of duties.
Intrusion Detection and Prevention Systems (IDS/IPS): Deploy IDS/IPS systems to monitor network and system activities for signs of unauthorized access or malicious behavior. IDS/IPS systems can detect and respond to security incidents, block suspicious traffic, and provide real-time alerts for further investigation.
Security Updates and Patch Management: Regularly apply security updates and patches to operating systems, software applications, and network devices. This helps address known vulnerabilities and protects against exploits that can be used by attackers to gain unauthorized access or compromise systems.
Security Auditing and Logging: Enable logging mechanisms to capture and analyze system logs, network traffic, and security events. Implement security information and event management (SIEM) solutions to centralize and correlate log data for real-time monitoring, threat detection, and incident response.
Security Awareness Training: Conduct regular security awareness training for employees to educate them about security best practices, social engineering threats, and safe computing habits. Promote a security-conscious culture within the organization and empower employees to recognize and report potential security incidents.
Incident Response Plan: Develop an incident response plan that outlines the steps to be taken in the event of a security incident. The plan should define roles and responsibilities, communication procedures, and containment, eradication, and recovery strategies. Regularly test and update the plan to ensure its effectiveness.
Security Testing and Vulnerability Assessments: Perform regular security testing, vulnerability scanning, and penetration testing to identify weaknesses in systems and applications. Conduct security assessments to evaluate the effectiveness of implemented security controls and validate compliance with security standards and regulations.

It’s important to note that practical implementation of cryptography and security is an ongoing process. Organizations should continuously monitor, assess, and enhance their security measures to adapt to evolving threats and ensure the protection of sensitive information and systems.

Top of Form

Cryptography originated about 4000 years ago, and the world of cryptography has evolved a lot since then. Today ‘Cryptography’ is omnipresent in our lives without most of us realizing it. The fundamental aspect of ‘Cryptography’ has remained the same through time which is to hide information in transit and make it available only for the intended recipients. We will see the basic types of cryptography followed by the application and use of cryptography in real life.

Cryptographic principles

Cryptography involves the use of terms like plain text, cipher text, algorithm, key, encryption, and decryption. ‘Plain text’ is the text or message that needs to be transmitted to the intended recipients and which needs to be hidden. ‘Cipher text’ on the other hand, is the text that has been transformed by algorithms and which is gibberish.

The process of converting the information from ‘plain text’ to ‘cipher text’ is known as ‘encryption.’ On similar lines, the process of converting ‘cipher text’ to ‘plain text’ is decryption.

The complex mathematical formula that is used to convert ‘plain text’ to ‘cipher text’ is known as ‘algorithm.’ Further, both the sender and the receiver have similar or different “keys” to encrypt and decrypt the message. A “key” is a “value that comprises a large sequence of random bits” (Harris 2008). The larger the key size, the more difficult will it be to crack the algorithm. The “algorithm” and the “key” are the two important components of a cryptosystem.

Kerckhoff’s principle:

Auguste Kerckhoff in 1883 stated that encryption algorithms should be made public and the “keys” be kept secret. While the academic sector is in favor of the idea, the other sectors are not in perfect synchronization with this idea. The encryption algorithms in the academic sector are made public to enable one to find new vulnerabilities and improve their algorithm. The government sector prefers to keep encryption algorithms private as an additional step to security.

There are two types of encryption – symmetric encryption and asymmetric encryption.

In symmetric encryption, the sender and receiver use a separate instance of the same “key” to encrypt and decrypt messages. Symmetric encryption heavily relies on the fact that the keys “must” be kept secret. Distributing the key in a secure way is one of the primary challenges of symmetric encryption. This is also known as the “key distribution problem.” Further, as per Kerckhoff’s principle, since the algorithm in symmetric encryption is public, anyone can have access to it. It is the “key” that is the vital link in symmetric cryptography and which must be kept secret. It cannot be lost or misplaced. If the individual keys are misplaced, the message can be decrypted by scrupulous elements. Further, symmetric cryptography upholds only the ‘confidentiality’ tenet of the CIA triad. Confidentiality is making sure that the information that is sent is received only by the intended recipients.

One of the main advantages of symmetric cryptography is that it is much faster than asymmetric cryptography. Two important disadvantages of symmetric encryption include key distribution problem and. “key management problem.” When the number of keys needed grows in number with growth in users, it becomes the “Key management problem.” This happens because each set of users needs a pair of instance keys.

Some examples of symmetric encryption are DES (Data encryption standard), Triple DES (3DES) and Blowfish.

Asymmetric encryption is when the sender and the receiver use different “keys” to encrypt and decrypt messages. Here a public key is used to encrypt the message, and a private key is used to decrypt the message. In asymmetric cryptography, the public keys are widely known – whereas the private key is kept protected. The two keys are mathematically related. In spite of being mathematically related, one will not be able to calculate the private key even if the public key is known.

Asymmetric cryptography upholds the security tenets of authenticity and non-repudiation. When one encrypts a message with a private key and sends it, authenticity (proof of identity) is established. Similarly, non-repudiation (cannot deny sending it) is established when a message is encrypted with a private key. It should be noted that any key (public or private) can be used to encrypt and any key (public or private) can be used to be decrypt as well.

One of the main disadvantages of asymmetric encryption is that it is slow when compared with symmetric encryption. The main advantage of asymmetric encryption is the lack of “key distribution problem” and “key management problem.”

Some examples of asymmetric encryption algorithms are, RSA (Rivest, Shamir, Adleman), AES (Advanced Encryption Standard) and El Gamal.

Having seen the two basic types of encryption, let us next see the practical applications of cryptography. We will see cryptography being implemented in mobile messaging tool, “Whatsapp,” “Digital signatures” and HTTP (HTTP over SSL or ‘Secure Sockets Layer’)

Encryption in Whatsapp:

‘Whatsapp’ is currently one of the most popular mobile messaging software. It is available for different platforms such as Android, Windows Phone, and iPhone. ‘Whatsapp’ also enables users to make free calls with other users. In the latest version of ‘Whatsapp,’ the conversations and calls are “end-to-end” encrypted.

What does end-to-end encryption mean?

In end-to-end encryption, only the data is encrypted. The headers, trailers, and routing information are not encrypted. End-to-to end encryption in Whatsapp has been developed in collaboration with ‘Open Whisper Systems.’

End-to-end encryption makes sure that a message that is sent is received only by the intended recipient and none other. Whatsapp has ensured, that even “it” cannot read the messages bolstering a very strong messaging platform. It also means that outsiders or third party individuals cannot snoop on conversations between intended recipients as well.

How is end-to-end encryption in Whatsapp implemented?

Whatsapp end-to-end encryption is implemented using asymmetric cryptography or public key systems. Recall, that in asymmetric encryption, when one key is used to encrypt (here, the public key), the other key is used to decrypt (here, the private key) the message.

Once ‘Whatsapp’ is installed on a user’s smartphone, the public keys of ‘Whatsapp’ clients are registered with the Whatsapp server. It is important to note here that the private key is not stored on Whatsapp servers.

Encrypted session between Whatsapp clients

Once the client is registered, an encrypted session is created between two clients willing to take part in a conversation. A session needs to be re-created only when the device is changed or when the Whatsapp software is re-installed.

If for example, client1 wants to send a message to client 2, the public keys of the client2 are retrieved from the Whatsapp server, and this used to encrypt the message and send it to the client2. Client2 then decrypts the message with his own private key. “Once a session has been established, clients exchange messages that are protected with a Message Key using AES256 in CBC mode for encryption and HMAC-SHA256 for authentication” (WhatsApp Encryption Overview 2016)

Books on Encryption

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.