Hybrid Cryptography

By
We just love to mix things up. Well, yeah and why not? When we get the best of both the worlds, we can mix anything up. Even when it is so complex in itself like cryptography. In the last article, we learned about symmetric and asymmetric cryptography. It’s time to mix them both and explain you the hybrid concept.

We need to go back and recapitulate some points before we can move forward and appreciate the hybrid concept. In the symmetric cryptography, we understood that it is quite fast, however, the challenge was sharing the key between a large number of people. Everyone is required to keep the shared key as secret, and, if this gets compromised, the distribution of the key needs to be repeated again.  What if we could find a way to quickly transfer this key amongst multiple people without the dangers of compromising it? Asymmetric key offers secure key distribution but uses a lot of resources when multiple people are involved. It’s also quite slow and mathematically intensive.

Hybrid cryptography’s recipe is very simple – Take the swiftness of symmetric key cryptography for encrypting bulk data and take the time-proven trustworthy aspect of asymmetric key cryptography for key distribution. 

How does this work then? Alice and Bob as usual wish to communicate with each other. This type, however, Alice wants to ensure that only Bob to be able to read the message and no one else. Alice encrypts her message with a secret key, so he gets an encrypted message. She has two things now – encrypted message + secret key. This secret key needs to be protected and distributed. For this distribution, Alice uses the asymmetric key cryptography. This method has two keys – public and private one. Alice will not know what is Bob’s private key, so she finds out his public key and uses that. The public key of Bob is used to encrypt the secret key so that it can be sent across. The following diagram will help you understand this in a better manner.

When the complete package is received by Bob, he uses his private key to decipher the secret key. Once he gets the secret key, he uses it to decipher the message. Here, Alice has used the asymmetric cryptography to transfer the secret key. The secret key or the symmetric key is then used to decipher the message as it is quite fast.

At this point, we need to clear some questions which may have cropped up in your mind. Why are we using 3 keys here – secret, public and private?  The secret key is the one which is used in symmetric cryptography while the public and private ones are a part of the asymmetric cryptography. The next question is – Why did Alice use Bob’s public key to encrypt the secret key? She could have used her own public key or Bob’s private key. Hold your horses, let’s analyze, both these scenarios. If she would have used her own private key, anyone with Alice’s public key would be able to get the secret key. The purpose of maintaining a secret key would have defeated. If you have been paying close attention till now, Alice can never get hold of Bob’s private as it is the private key and no one can know about it except Bob.

I know this sounds too confusing the first time, but read it, again and again, to get a hold over it. How can I let you go without answering some of the questions? Write down your answers in the comment section below:

1. If I encrypt the symmetric key with your public key, what would that help me achieve?

2. The sender’s private key is used to encrypt the symmetric key. How would that help the receiver?

3. Akshay uses his public key to encrypt a message. Is that possible?

4. Bauaa Singh uses his symmetric key to encrypt a message containing a symmetric key. Will, that work?

In the next article, we will learn about digital signatures as it is based on the concept of hybrid cryptography. 

Comments

Post a Comment

You may also like to read...

Identification, Authentication, Authorization, and Accountability

By
Image
The 4 steps to complete access management are identification, authentication, authorization, and accountability. Many confuse or consider that identification and authentication are the same, while some forget or give the least importance to auditing. These are four distinct concepts and must be understood as such. Identification Whenever you log in to most of the websites, you submit a username. In case you create an account, you are asked to choose a username which identifies you. This username which you provide during login is “Identification”. It is simply a way of claiming your identity. From an information security point of view, identification describes a method where you claim whom you are. If you notice, you share your username with anyone. Your email id is a form of identification and you share this identification with everyone to receive emails. This means that identification is a public form of information. Authentication So now you have entered you
Continue Reading...

Access Control Models - DAC, MAC, RBAC , Rule Based & ABAC

By
Image
Identity and Access Management is an extremely vital part of information security. An access control model is a framework which helps to manage the identity and the access management in the organization. There are 5 main types of access control models: discretionary, rule-based, role-based, attribute-based and mandatory access control model. Every model uses different methods to control how subjects access objects. While one may focus on rules, the other focus on roles of the subject. As a security professional, we must know all about these different access control models. While one company may choose to implement one of these models depending on their culture, there is no rule book which says that you cannot implement multiple models in your organization. These models are built into the core or the kernel of the different operating systems and possibly their supporting applications. Every operating system has a security kernel that enforces a reference monitor concept, whi
Continue Reading...

How to Pass SSCP Exam in the First Attempt

By
Image
Systems Security Certified Practitioner (SSCP) exam is offered by (ISC)2 . When I prepared for this exam, there was hardly any material for preparation or blog posts to help me understand the experience of this exam. In this blog post, I will try to explain to you how to study for this exam and the experience of this exam.  Before I begin, let me congratulate on your journey to becoming an SSCP. Although this certification may not be highly recognized as the CISSP certification, still it shows your employer and the world that you are really interested to pursue your career in this field. You become a practitioner in this field. What is SSCP? You would like to read CISSP vs SSCP in case you want to have a comparison between the exams. SSCP is a 3-hour long examination having 125 questions. You are required to score a minimum of 700 out of 1000. 25 questions are not graded as they are research oriented questions. It is important to note that since these questions are
Continue Reading...

Understanding Security Modes - Dedicated , System high, Compartmented , Multilevel

By
Image
Imagine a system that processes information. This information is classified in nature. When we say, its classified, it means that the information has been labeled according to the data classification scheme finalized by the organization. This scheme can be company specific, such as public, internal and confidential or military/government specific such as Confidential, Top Secret, Secret, Public. As a general user or a security professional, you would want that proper controls to be implemented and the system to be secure that processes such information. Imagine a scenario where such a malicious user tries to access this information. What clearance must this person have? Will he/she have access to all classified levels? Hey!!, stop imagining. Let’s discuss something else now. Hold on, I know, I had asked you to imagine the scenario above. But answers to all your questions would follow, so keep on reading further. We need to learn and understand a few terms before we are ready
Continue Reading...

Cloud Computing - The Logical Model

By
Image
At a high level, both cloud and traditional computing adhere to a logical model that helps identify different layers based on functionality.  The four layers are : Infrastructure: The core components of a computing system: compute, network, and storage.The foundation that everything else is built on. The moving parts. Metastructure: The protocols and mechanisms that provide the interface between the infrastructure layer and the other layers. The glue that ties the technologies and enables management and configuration. Infostructure: The data and information. Content in a database, file storage, etc. Applistructure: The applications deployed in the cloud and the underlying application services used to build them. For example, Platform as a Service features like message queues, artificial intelligence analysis, or notification services. The security at different levels is mapped to the different layers. The application security is managed at the applistructure layer while the data sec
Continue Reading...