Beyond the Lock and Key: Insights into Cryptology
The Wikipedia defines Cryptography, or cryptology as the practice and study of techniques for secure communication in the presence of adversarial behavior. More generally, cryptography is about constructing and analyzing protocols that prevent third parties or the public from reading private messages.Modern cryptography exists at the intersection of the disciplines of mathematics, computer science, information security, electrical engineering, digital signal processing, physics, and others.
The prefix “crypt” means “hidden” and suffix “graphy” means “writing”.
Core concepts related to information security are also central to cryptography.
- Confidentiality
- Integrity
- Authentication
- Non-repudiation
For a comprehensive understanding, I’ve tackled Confidentiality and Integrity in the article below. You’re welcome to give it a read.
Let’s discuss authentication and non-repudiation in this article.
Authentication
The process of confirming the identity of a user, system, or organization trying to access a resource or system is known as authentication, and it is a key idea in security. It is crucial to ensuring that only authorized users or organizations can access sensitive data, systems, or services and that unauthorized access is avoided.
Binding a certain ID to a particular computer connection is the process of authentication.
The three categories to authenticate identity of user are:
What users know (such as passwords, pins)
What users have (such as tokens)
What users are (biometrics such as fingerprints)
The Framework
Who: The user or entity making the attempt to get access is identified in this aspect. During authentication, the system asks for credentials that specifically identify the user in order to confirm “who” they are. These login information may consist of a username, email address, or some other specific identification for the user.
What: The specific resource or service that the user wishes to access is included in this aspect. The amount of authorisation required is determined as well as “what” the user is attempting to access. Authentication makes guarantee that only authorized users can access particular resources, even though various resources may have varied access needs.
Where: The location or context of the authentication request is the emphasis of this feature. The location can be taken into account in contemporary authentication systems, particularly in network security, to determine whether an access request is valid or possibly suspicious. For instance, if an access request comes from a strange place, it can make additional security precautions necessary.
When: This aspect considers the timing of the authentication attempt. The “when” of authentication is essential for security purposes because access rights may be time-bound. For instance, an employee might have access to sensitive data during work hours but not after business hours. Proper authentication ensures access is only granted during the appropriate time frames.
How: The technique or techniques used to confirm the user’s identification are covered under this aspect. It has to do with the technology and authentication methods used to verify the legitimacy of the user. As was already noted, different techniques can be employed as part of the authentication process, including passwords, biometrics, tokens, smart cards, and multi-factor authentication.
Non-repudiation
Non-repudiation is a concept in information security and cryptography that ensures the integrity of a message or transaction by preventing the sender of the message from later denying their involvement or the authenticity of the message. It is one of the fundamental security objectives, alongside confidentiality, integrity, and availability.
An item of some confusion, the concept of nonrepudiation is actually fairly simple. Nonrepudiation refers to the inability of the message sender to afterwards repent her actions. Because there are no face-to-face encounters involved in electronic data exchanges, this is crucial. Public key cryptography and the idea that only you know your private key form the foundation of nonrepudiation. Nonrepudiation can be demonstrated by the existence of a communication that was signed with your private key, which should only be known by you. Any claim that you did not send the communication is disproved when a third party can verify your signature using your public key. Symmetric algorithms are unable to accomplish nonrepudiation since it is dependent on asymmetric cryptography.
Non-repudiation is achieved with help of the follow elements
- Digital Signatures
2. Timestamping
3. Secure key management
4. Audit Trail
The Framework
Who: The parties involved in a communication or transaction are identified through non-repudiation. It makes sure that the person who sends a message or starts a certain action cannot afterwards deny their involvement. It also applies to the recipient, who must be able to demonstrate that they actually received the message from the alleged sender.
What: The message’s or the transaction’s type are referenced in the “what” part of non-repudiation. It makes sure that the message’s or data’s integrity is preserved and that no unauthorized changes were made while being transmitted. In order to achieve non-repudiation for the message’s content, digital signatures are frequently utilized.
Where: Non-repudiation is also influenced by the setting in which the communication or transaction takes place. This can apply to actual places as well as network settings or virtual environments. To guarantee that the security goals are upheld, non-repudiation systems should function in a variety of settings.
When: Non-repudiation is time sensitive. It requires that the timestamp of a message or transaction be recorded accurately to provide evidence of the event’s occurrence. Timestamping services play a crucial role in ensuring that the time of the message or action can be reliably verified.
Who: Digital signatures, secure key management, and cryptographic methods are used to achieve non-repudiation. A sender establishes a digital signature for a message using their private key. The communication is then guaranteed to have not been tampered with and to have truly come from the sender when the recipient uses the sender’s public key to validate the signature.
Let's see an example to understand non-repudiation more.
Online Banking Transaction Scenario
Scenario: Steve wants to make an online banking transaction to transfer funds to Tony’s account. Both parties need assurance that the transaction is genuine, and Steve cannot later deny initiating the transfer.
Key Generation:
- Steve and Tony generate a pair of cryptographic keys: a private key (known only to only them) and a corresponding public key (shared with others).
Transaction Initiation:
- Steve initiates the fund transfer through his online banking portal. The transaction details, including the recipient (Tony’s account) and the amount, are recorded.
Digital Signature Creation:
- Before submitting the transaction, Steve creates a digital signature for the transaction data using his private key.
Transaction Submission:
- Steve’s bank receives the transaction request, along with the attached digital signature.
Signature Verification:
- Steve’s bank uses Steve’s public key to verify the digital signature.
- If the signature is valid and matches Steve’s public key, the bank can be confident that Steve authorized the transaction.
Non-Repudiation:
- Non-repudiation is achieved because Steve cannot later deny initiating the transfer. His digital signature provides undeniable evidence of his involvement in the transaction. If Steve disputes the transfer, the bank can use the verified signature to refute his denial.
The Basics
Cryptography is the science of secret writing with the goal of hiding the meaning of a message.
Cryptanalysis which is the study of the cryptographic algorithm and the breaking of those secret codes. The person practicing Cryptanalysis is called a Cryptanalyst. By discovering any weak points in the system, it helps us better understand cryptosystems and also enhance them. This allows us to work on the algorithm and produce secret codes that are more secure. An instance of this would be a Cryptanalyst attempting to extract the plaintext from a ciphertext. The plaintext or the encryption key can be deduced with its assistance.
Encryption is the process of converting plaintext (readable and understandable data) into ciphertext (unreadable and scrambled data) using an encryption algorithm and a secret key. The goal of encryption is to ensure confidentiality, preventing unauthorized access to the information. The ciphertext can only be decrypted back to plaintext using the corresponding decryption algorithm and the secret key.
Encryption
Using an encryption algorithm and a secret key, encryption transforms plaintext (data that can be read and understood) into ciphertext (data that cannot be read and is scrambled). Encryption works to protect information’s confidentiality by limiting access by unauthorized parties. Only the appropriate decryption algorithm and secret key can convert the ciphertext back to plaintext. Sensitive data is frequently protected via encryption when it is sent over networks or stored on hardware. It guards against unauthorized persons intercepting or accessing the data.
Symmetric Encryption
Prior to the invention of public key encryption in the 1970s, the only form of encryption in use was symmetric encryption, often known as conventional encryption or single-key encryption. It uses a single key for both encryption and decryption. The same key is shared between the sender and the recipient.
Asymmetric Encryption
A pair of mathematically related keys — a public key and a private key — are used in asymmetric encryption, often known as public-key encryption.
For encryption and decryption, two keys are created: one key is the public key, which is known to all users, and the other key is the private key, which is kept hidden and provided to the user to keep private. With this system, the sender encrypts a message or file using the public key of the recipient who is intended. The recipient uses a private key that she alone has in order to decrypt this message. The private key cannot be inferred from the public key because of the way the keys are generated. Without this private key, no one else will be able to decrypt the message. Users can share public keys directly or look them up in public key directories.
Hashing
Using the one-way encryption method of hashing, data is converted into a fixed-length character string known as a hash value or digest. It is frequently used to check the accuracy of data and safely store passwords.
In encryption systems, a message’s “fingerprint” is created using a hashing value. As a result, the message cannot be wrongly altered during transit to its destination. Hashing protects the integrity of a message in the overall information assurance model and is most frequently used in conjunction with digital signatures.
The one-way hashing function, which converts a variable-sized message into a fixed-length result known as a hash value or a message digest, is the most often used hashing algorithm. Because it’s challenging to reverse the process and the results are never decrypted — only compared to one another when performing the same function again on the same message — this function is referred to as “one-way”.
Reference:
Cryptography and Network Security Principles and Practice (6th Edition) by William Stallings
Jonathan Katz, Yehuda Lindell — Introduction to Modern Cryptography
Let’s connect?
LinkedIn: www.linkedin.com/in/ravitejmbandlekar
