Asymmetric cryptography

August 26th, 2014

Asymmetric cryptography or public-key cryptography is cryptography in which a pair of keys is used to encrypt and decrypt a message so that it arrives securely. Initially, a network user receives a public and private key pair from a certificate authority. Any other user who wants to send an encrypted message can get the intended recipient’s public key from a public directory. They use this key to encrypt the message, and they send it to the recipient. When the recipient gets the message, they decrypt it with their private key, which no one else should have access to.

Witfield Diffie & Martin Hellman, researchers at Stanford University, first publicly proposed asymmetric encryption in their 1977 paper, New Directions In Cryptography. (The concept had been independently and covertly proposed by James Ellis several years before when he was working for the British Government Communications Headquarters.) An asymmetric algorithm, as outlined in the Diffie-Hellman paper, is a trap door or one-way function. Such a function is easy to perform in one direction, but difficult or impossible to reverse. For example, it is easy to compute the product of two given numbers, but it is computationally much harder to find the two factors given only their product. Given both the product and one of the factors, it is easy to compute the second factor, which demonstrates the fact that the hard direction of the computation can be made easy when access to some secret key is given. The function used, the algorithm, is known universally. This knowledge does not enable the decryption of the message. The only added information that is necessary and sufficient for decryption is the recipient’s secret key.

In cases where the same algorithm is used to encrypt and decrypt, such as in RSA, a message can be securely signed by a specific sender: if the sender encrypts the message using their private key, then the message can be decrypted only using that sender’s public key, authenticating the sender.

This also allows for the exchanging of securely signed and one-to-one messages, as follows. The sender encrypts the message using the common algorithm and his own secret key. They then sign the result, encrypt it again (with their signature in cleartext) using the recipient’s public key, and send it. The recipient decrypts the received message using their own secret key, identifies the sender from their now-cleartext signature, and then decrypt the result using the sender’s public key. This ensures the recipient that whoever composed the message had access to the sender’s private key, and that nobody tampered with the message or read it along the way.

In symmetric cryptography, the same key is used for both encryption and decryption. This approach is simpler in dealing with each message, but less secure since the key must be communicated to and known at both sender and receiver locations.

Original article: http://searchsecurity.techtarget.com/definition/asymmetric-cryptography

Remember My Passwords

July 29th, 2009

 

Over the years I must have downloaded and installed/uninstalled quite a few (I cannot remember anymore!) password programs that can help me manage my usernames/passwords combinations.  With so many websites out there that requires you to login first before you can use their services it is quite daunting to remember what username/password to use.  I don’t particularly relish the idea of writing my username/passwords on pieces of paper because it’s inherently insecure besides being foolish.  I am also wary of ‘password managers’  that claims they don’t have access to all the juicy information I entrusted to it. Then again my memory can only hold so much.

So, this morning, I downloaded the LastPass application from http://www.lastpass.com.  According to their website it is “an online password manager and form filler that makes web browsing easier and more secure.”  Good. Exactly what I need. So, I went ahead and installed it. It was easy and straightforward. No hassles at all. Then the application prompted me if I want to search for insecure information on my computer. I sure got the shock of my life when it easily retrieved all of my passwords that I use for Twitter, Facebook, GMail, etc.  It dawned on me, duh! that any malicious application can easily do the same had I inadvertently downloaded one.  Whew! That sure would be big trouble.

Right now I’m testing LassPass but it looks very promising.

We are under cyber-attack!

April 14th, 2008

posted by: Concerned cyber-citizen

The NSCA Consumer Research Study has just been released and I cannot believe what I read. Apparently there’s still a lot of people out there who’s totally in the dark as to what cyber-attackers can do to an unprotected device, and you know what I’m talking about. It’s your computer!It’s just mind-boggling that some people would buy a wireless device (a router, for instance) and skip the part in the installation where they are supposed to secure it. That’s just criminally idiotic and totally irresponsible. It’s like buying a brand new car and leaving the doors unlocked in a public parking lot. Anyway, enough of my ranting and here it is… 

Overview of NSCA Consumer Research Study

Key Findings

  • 49% of consumers have changed their password within the past year (19% of those within the past month)
  • 71% have never heard the phrase “botnet” (29% are aware of botnets)
  • Only 22% think it is at least somewhat likely that your computer’s security could affect homeland security (59% think it is not likely at all)
  • 53% believe it is possible for a hacker to use your computer to launch cyber attacks or crimes against other people, businesses and our nation
  • 46% of consumers are not at all sure of what to do if they became a victim of a cyber crime
  • 48% do not know how to protect themselves from cyber criminals

The New Espionage Threat

April 10th, 2008

I was just reading Businessweek’s April 10, 2008 cover  “The New Espionage Threat” and I am not surprised.  If hackers can hack into banks and grocery / clothing stores they can surely hack themselves into every computer network out there.  It’s no longer a matter of what these “cyber-attackers” can do but when they can do it.  We can not anymore pretend that our network systems are secure just because they’re behind concrete walls or high fences.  Cyber-attackers don’t even need to be in close proximity to their target to get in.And now, I learned, these cyber-attackers have foreign government sponsorship.  It could even be that it is the foreign government who is orchestrating these attacks and hiding behind inconspicuous companies.  It’s the new spy-game.  And they don’t even have to send a warm body over.They are targeting our defense contractors and doing it in a large scale.