Peer to Peer Magazine

Fall 2017

The quarterly publication of the International Legal Technology Association

Issue link: https://epubs.iltanet.org/i/900970

Codes and Keys: What, How and Why To Encrypt

Georg Thomas

Georg Thomas, CISM, CISSP, is the National Security & Risk Manager at Corrs Chambers Westgarth and is based in Melbourne. He has over 17 years' experience in information security, technology and risk management in Australia, the United States, Europe, and Asia. He has worked with law firms of all sizes, from 15-attorney firms to AMLAW100 firms. Contact Georg at georg.thomas@corrs.com.au

Encryption is a fundamental component of any security strategy. Converting readable information into unreadable code, or ciphertext, is still the best method of protecting the confidentiality and integrity of information.

A Brief History

Cryptography has been around for centuries. According to the Cypher Research Laboratories, the oldest known example is from about 4,000 years ago in ancient Egypt. Some historic, well-known examples of cryptography include Caesar's cipher, a simple substitution cipher thought to have been used by Julius Caesar to protect military messages, and the Enigma machine, which was used by Germans before and during World War II to protect communications.

Today, cryptography is mostly used to protect electronic information for transmission, processing and storage — commonly referred to as encryption of data in transit, data in use and data at rest. Utilizing the well-known CIA model for security (or CIA triad) of confidentiality, integrity and availability, cryptography is used to address two of these three pillars — confidentiality and integrity — by protecting the information and making it unreadable to unauthorized persons or by generating and comparing two signatures or hashes (often used when a file is downloaded or copied) to verify that data has not been modified.

How Does Encryption Work?

There are two types of encryption: asymmetric and symmetric.

Asymmetric is also known as "public key cryptography" and is commonly used for digital signatures, for encrypting email messages and for Secure Shell (SSH). Asymmetric encryption uses public and private keys. The public key is available publicly to whoever needs it. The private key is known only to you. A message (or data) is encrypted using the public key and can then be decrypted by the private key holder. At no point does either party agree on a key. Instead, a complex mathematical process is involved. Asymmetric encryption is slower than symmetric encryption.

Symmetric encryption relies on a key-sharing process, in which parties exchange a key. The same key is used to encrypt and decrypt the data. This process is far more efficient and is used to transmit large amounts of data. Security of a wireless network (WPA2, for example) is a good example of symmetric encryption. The WPA2 pre-shared key is the "symmetric key" that is shared and used as part of the process to encrypt and decrypt the data.

There are also many algorithms and key strengths available. Current recommended asymmetric algorithms, explained by the National Institute of Standards and Technology (NIST) "Digital Signature Standard," are:

» Digital Signature Algorithm (DSA)
» Rivest, Shamir and Adleman (RSA)
» Elliptic Curve Digital Signature Algorithm (ECDSA)

Recommended symmetric algorithms are the Advanced Encryption Standard (AES) and Triple DES (3DES), according to the NIST's "Block Cipher Techniques."

It's also important to use a minimum key size that provides the appropriate level of security. The larger the key size, the more security (and the greater the impact on performance).

In addition to encryption, cryptography also includes the concept of hashing. Hashing uses a mathematical function to transform any length of data into a fixed-length value, which can then be used to validate integrity. Hashing is commonly used when verifying the integrity of a file (such as one that has been downloaded) and when validating credentials. The benefit of a hash is that it is one-way; it is very difficult, if not impossible, to reverse and obtain the

How Are Websites Protected With HTTPS?

An interesting concept is how websites are protected with https. Asymmetric encryption is used to share a symmetric key. Once the keys have been exchanged, the symmetric key is used to send and receive data. If a website were to use only asymmetric encryption, it would cause poor performance and frustrate users! When you see "http" in the address bar, the website is not encrypted.
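
The two uses of hashing the article names, checking a downloaded file and validating credentials, shown as an added Python example that is not part of the original article. The file contents, password, salt size and the choice of PBKDF2 with this iteration count (a deliberately slow hash for stored credentials) are assumptions constructed for illustration:

```python
import hashlib
import hmac
import os
import tempfile

def file_sha256(path, chunk_size=65536):
    """Hash a file of any length into a fixed-length (64 hex chars) SHA-256 digest."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def verify_download(path, published_hex):
    """True only if the file's digest equals the digest the publisher listed."""
    return hmac.compare_digest(file_sha256(path), published_hex.strip().lower())

def hash_password(password, salt=None, iterations=600_000):
    """Store a random salt plus a slow one-way hash, never the password itself."""
    salt = salt or os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, derived

def check_password(candidate, salt, iterations, stored):
    """Re-derive the hash from the candidate and compare; nothing is decrypted."""
    derived = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, iterations)
    return hmac.compare_digest(derived, stored)

def demo():
    # Constructed sample data standing in for a downloaded file.
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "download.bin")
        with open(path, "wb") as fh:
            fh.write(b"constructed sample installer contents\n" * 1000)
        published = file_sha256(path)      # the value a publisher would list
        intact = verify_download(path, published)
        with open(path, "r+b") as fh:      # change one byte to simulate tampering
            fh.seek(10)
            fh.write(b"X")
        tampered = verify_download(path, published)
    salt, rounds, stored = hash_password("correct horse battery staple")
    good = check_password("correct horse battery staple", salt, rounds, stored)
    bad = check_password("wrong guess", salt, rounds, stored)
    return intact, tampered, good, bad

if __name__ == "__main__":
    print(demo())
```

A single changed byte in a file of any size produces a different digest, which is why comparing against the published value detects modification.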
