Cryptographic algorithms are used to encrypt and decrypt messages. This enables two parties to communicate safely, without anyone reading along.
What is an algorithm?
In essence, an algorithm is a set of instructions for carrying out a calculation. Once all instructions have been followed, the input given to the algorithm results in a certain output. An often used metaphor is that of a recipe, in which different ingredients are used to create a dish: the preparation instructions of the recipe are the algorithm. Algorithms are mostly used to solve mathematical problems. A wide range of encryption methods exists, and within each method there are different encryption algorithms. This article provides a short description of the algorithms most relevant to PKI.
Symmetric encryption uses the same cryptographic key for encrypting and decrypting information.
3DES was developed in 1998 as a more complex version of the Data Encryption Standard method (DES), which by that time was considered hackable. DES had been an often used algorithm up until then. Its limited key length, and therefore limited number of possible keys, made DES vulnerable to brute-force attacks. To expand the number of combinations, 3DES applies three separate DES calculations in succession to the data being encrypted. These calculations can be executed either with two 56-bit keys, where the first and third calculation use the same key, or with three independent 56-bit keys. The total key lengths of these two variants are 112 bits and 168 bits, where the latter, of course, is the safest method.
Advanced Encryption Standard (AES) was developed in the late 90s as an alternative to DES. This algorithm, which uses a 128-bit key, was created from the Rijndael algorithm, developed by two Flemish researchers. Programs such as WinRAR, WinZip and PowerArchiver offer AES as an encryption method.
Asymmetric encryption uses two separate keys; one to encrypt or sign, and another to decrypt or verify the sender's identity.
A year after the invention of asymmetric cryptography by Whitfield Diffie and Martin Hellman, it was put into practice for the first time in 1977 in the form of the RSA algorithm. RSA was created by Ron Rivest, Adi Shamir and Len Adleman. RSA encryption is based on the notion that, once very large prime numbers have been multiplied, tracing the product back to the original prime numbers becomes virtually impossible. The difficulty of tracing back increases as the number grows. Most SSL certificates make use of RSA.
Browser manufacturers and Certificate Authorities have agreed to no longer trust RSA keys with a length of 1024 bits from 2014 onwards. As of the first of January 2014, the required minimum length of RSA keys will be 2048 bits. This decision was made in order to keep up with increasingly powerful cryptographic attacks.
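The two-key principle and the link between modulus size and factoring effort can be shown with textbook RSA on toy numbers. This is an added example, not code from the original article; the primes and the message value are constructed, and the scheme has no padding, so it is for illustration only.

```python
"""Textbook RSA with toy primes (constructed values; no padding, not for real use)."""
from math import gcd


def make_keypair(p, q, e=17):
    """Return ((n, e), (n, d)) for two distinct primes p and q."""
    n, phi = p * q, (p - 1) * (q - 1)
    if p == q or gcd(e, phi) != 1:
        raise ValueError("need distinct primes and e coprime with (p-1)(q-1)")
    return (n, e), (n, pow(e, -1, phi))  # pow(e, -1, m) is the modular inverse (3.8+)


def apply_key(key, value):
    """The single RSA operation: value^exponent mod n."""
    n, exponent = key
    if not 0 <= value < n:
        raise ValueError("value must be smaller than the modulus")
    return pow(value, exponent, n)


def factor(n):
    """Trial division on an odd modulus: returns (p, q, divisions_tried)."""
    tried, f = 0, 3
    while f * f <= n:
        tried += 1
        if n % f == 0:
            return f, n // f, tried
        f += 2
    raise ValueError("no odd factor found")


if __name__ == "__main__":
    public, private = make_keypair(61, 53)
    message = 65
    ciphertext = apply_key(public, message)            # encrypt with the public key
    assert apply_key(private, ciphertext) == message   # decrypt with the private key
    signature = apply_key(private, message)            # sign with the private key
    assert apply_key(public, signature) == message     # verify with the public key
    # The same naive factoring method needs far more work as the modulus grows.
    for p, q in [(61, 53), (65521, 65537)]:
        n = p * q
        print(f"{n.bit_length():>2}-bit modulus: {factor(n)[2]} trial divisions")
```

Going from a 12-bit to a 32-bit modulus raises the work from 26 to 32760 trial divisions; real attacks use much better factoring algorithms than trial division, which is why the minimum key length keeps being raised.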
Digital Signature Algorithm (DSA) was developed by the NSA (National Security Agency) as an alternative to the current standard RSA encryption method. This method uses a different algorithm for encrypting and signing, but is comparable to RSA in terms of speed and safety. DSA is used most within the U.S. government. When government standards have to be met, it can therefore be useful to invest in a certificate using both RSA and DSA.
The Elliptic Curve Cryptography (ECC) Algorithm was developed in 1985 by (among others) IBM as an alternative to RSA. ECC uses elliptic curves to create keys for encrypting data, which results in cryptographically strong keys which are relatively short. ECC is faster and more efficient than, for example, RSA. Mostly because of problems concerning patents, ECC is not widely used. Short keys are becoming more and more interesting due to an increased use of SSL (on, for example, mobile devices), which is why there is a renewed interest in ECC. Despite this, a switch to exclusively using ECC is not possible at the moment for two reasons. Firstly, older browsers do not support the technique, and secondly, ECC root certificates are not trusted by all browsers yet.
All Certification Service Providers (CSPs) supply certificates using RSA as a standard. Recently, Symantec has also started supplying a free DSA certificate with orders for an RSA certificate, and a free ECC certificate with orders for 'Premium' certificates. The following Symantec certificates are considered Premium:
- Secure Site Pro
- Secure Site Pro EV
It is expected that other CSPs will also start supplying ECC certificates.
The Elliptic Curve Digital Signature Algorithm (ECDSA) is a different version of the above-mentioned Elliptic Curve Cryptography, but shares the advantageous characteristic of short keys with it. The algorithm is used by (for example) Sony on their PlayStation 3, and by the virtual currency Bitcoin.
Hashing is similar to encryption in that it applies a cryptographic function, but unlike encryption, hashing works in one direction only rather than two. A hash function produces a hash code that cannot be calculated back to its original input. Characteristically, a good hash function has only a small risk of clashes (collisions), meaning that the possibility is very small that two different data inputs generate the same hash code. Hashing is used, for example, when securely storing (hashed) passwords and when signing documents digitally.
MD5 (Message Digest Algorithm 5) is an often used cryptographic hash function. MD5 is used as an internet standard in many security applications, and as a means of checking the integrity of files. MD5 was designed by Ronald Rivest in 1991 to replace the previously used hash function MD4. In 1996 a design flaw was discovered in MD5. While the flaw was not serious, it was recommended from then on to use other algorithms such as SHA-1.
SHA-1 is a cryptographic hash function, designed by the National Security Agency (NSA), and published in 1995 by the National Institute of Standards and Technology (NIST) as a standard for processing federal information. SHA is short for Secure Hash Algorithm. Four different SHA algorithms exist in total, each with a different structure. They are known as SHA-0, SHA-1, SHA-2 and SHA-3. The original SHA-0 algorithm is very vulnerable, something which was fixed in the SHA-1 algorithm. SHA-1 is the most used of the four different SHA algorithms. In theory, it is possible to hack SHA-1 with enough computing power. Because of growing computing power, it is estimated that SHA-1 will not be sufficiently safe within the foreseeable future.
Several security flaws were discovered in SHA-1 in 2005, which created a need for a stronger hash function. SHA-2 incorporates a significant set of improvements to its predecessor. SHA-2 is in some respects similar to SHA-1, but to date no similar vulnerabilities have been detected. SHA-2 will probably replace SHA-1 by the end of 2014.
Originally known as Keccak, SHA-3 was created in October 2012 by Guido Bertoni, Joan Daemen, Michaël Peeters and Gilles Van Assche. Keccak was named winner of the NIST hash function competition. SHA-3 is not meant to replace SHA-2, since SHA-2 has not to date been successfully attacked. NIST felt the need for an alternative hash function because there have been successful attacks on MD5 and SHA-0, and because theoretical attacks have been performed on SHA-1. This alternative hash function became SHA-3 (Keccak).
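The file-integrity use of hashing, combined with the move away from MD5 and SHA-1 described above, can be written as a digest check that refuses weak algorithms. This is an added example, not part of the original article; the accepted and rejected sets and the sample inputs are assumptions made for illustration.

```python
"""Digest checks with an algorithm policy (policy sets are assumptions of this example)."""
import hashlib
import hmac

REJECTED = {"md5", "sha1"}                    # families the article reports as attacked
ACCEPTED = {"sha256", "sha512", "sha3_256"}   # members of SHA-2 and SHA-3


def digest(data, algorithm):
    """Hex digest of data under the named algorithm."""
    return hashlib.new(algorithm, data).hexdigest()


def digest_bits(algorithm):
    """Output length in bits; fixed per algorithm, whatever the input size."""
    return hashlib.new(algorithm).digest_size * 8


def bits_changed(a, b, algorithm):
    """How many digest bits differ between two inputs."""
    diff = int(digest(a, algorithm), 16) ^ int(digest(b, algorithm), 16)
    return bin(diff).count("1")


def verify_file(data, published_hex, algorithm):
    """True if data matches the published digest; refuses weak algorithms."""
    if algorithm in REJECTED:
        raise ValueError(f"{algorithm} is no longer acceptable for integrity checks")
    if algorithm not in ACCEPTED:
        raise ValueError(f"{algorithm} is not on the accepted list")
    # compare_digest avoids leaking the position of the first mismatch via timing
    return hmac.compare_digest(digest(data, algorithm), published_hex.strip().lower())


if __name__ == "__main__":
    original = b"invoice total: 100 EUR"      # constructed sample input
    tampered = b"invoice total: 900 EUR"      # one character changed
    published = digest(original, "sha256")
    for name in ("sha1", "sha256", "sha3_256"):
        changed = bits_changed(original, tampered, name)
        print(f"{name}: {digest_bits(name)} bits, {changed} changed")
    print("original ok:", verify_file(original, published, "sha256"))
    print("tampered ok:", verify_file(tampered, published, "sha256"))
```

A one-character change flips roughly half of the output bits, which is what makes a published digest usable as a tamper check.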