BACKGROUNDCryptography. Cryptographic algorithms. Key establishment schemes.

CONTENTS

1. Cryphography
2. Classes Of Cryptographic Algorithms
3. Hash Functions
4. Symmetric-Key Algorithms
5. Asymmetric-Key Algorithms
6. Modes Of Operation For The Application
7. Message Authentication Codes (MACs)
8. Key Establishment Schemes

GRYPTOGRAPHY

Cryptography uses mathematical techniques to transform data and prevent it from being read or tampered with by unauthorized parties.

Cryptography is a continually evolving field that drives research and innovation.

As electronic networks grow increasingly open and interconnected, it is crucial to have strong, trusted cryptographic standards and guidelines, algorithms and encryption methods that provide a foundation for e-commerce transactions, mobile device conversations and other exchanges of data.

Today, cryptographic solutions are used in commercial applications from tablets and cellphones to ATMs, to secure global eCommcerce, to protect US federal information and even in securing top-secret federal data.

For example, NIST is now working on a process to develop new kinds of cryptography to protect digital data when quantum computing becomes a reality.

At the other end of the spectrum, is a so-called lightweight cryptography to balance security needs for circuits smaller than were dreamed of just a few years ago.

Note: FPM is based on NIST’s Special Publication 800-57 Part 1, Revision 4 – “Recommendation for Key Management, Part 1”.

CLASSES OF CRYPTOGRAPHIC ALGORITMS

According to NIST, cryptographic algorithms that are either FIPS-approved or NIST-recommended must be used if cryptographic services are needed.

There are three general classes cryptographic algorithms, which are defined by the number or types of cryptographic keys that are used with each.

The standard cryptographic functions are as follows:

• Hash functions;
• Symmetric-key algorithms;
• Asymmetric-key algorithms.

These algorithms have undergone extensive security analysis and are continually tested to ensure that they provide adequate security.

Specific security services can be achieved by using different cryptographic algorithms. Often, a single algorithm can be used for multiple services.

Note: There is a difference between a cryptographic function and a set of cryptographic primitives. Cryptographic primitives include other components used in the formation of data protection mechanisms.

HASH FUNCTIONS

A cryptographic hash function does not use keys for its basic operation.

This function creates a small digest or “hash value” from often large amounts of data through a one-way process. Hash functions are generally used to create the building blocks that are used in key management and provide security services such as:

• Providing source and integrity authentication services by generating message authentication codes;
• Compressing messages for generating and verifying digital signatures;
• Deriving keys in key-establishment algorithms;
• Generating deterministic random numbers.

SYMMETRIC-KEY ALGORITMS

Also referred to as a secret-key algorithm, a symmetric-key algorithm transforms data to make it extremely difficult to view without possessing a secret key.

The key is considered symmetric because it is used for both encrypting and decrypting. These keys are usually known by one or more authorized entities.

Symmetric key algorithms are used for:

• Providing data confidentiality by using the same key for encrypting and decrypting data;
• Providing Message Authentication Codes (MACs) for source and integrity authentication services. The key is used to create the MAC and then to validate it;
• Establishing keys during key-establishment processes;
• Generating deterministic random numbers.

ASYMMETRIC-KEY ALGORITMS

Also referred to as public-key algorithms, asymmetric-key algorithms use paired keys (a public and a private key) in performing their function.

The public key is known to all, but the private key is controlled solely by the owner of that key pair. The private key cannot be mathematically calculated through the use of the public key even though they are cryptographically related.

Asymmetric algorithms are used for:

• Computing digital signatures;
• Establishing cryptographic keying material;
• Identity Management.

MODES OF OPERATION FOR THE APPLICATION

Cryptographic modes of operation are algorithms which cryptographically transform data that features symmetric key block cipher algorithms.

The modes of operation solve the problems that occur with block-cipher encryption when multiple blocks are encrypted separately within a message, that could allow an adversary to substitute individual blocks, often without detection.

To alleviate this, NIST prescribes the combination of the applied algorithm with variable initialization vectors (special data blocks used in an initial step of the encryption and in the subsequent and corresponding decryption of the message) and/or feedback of the information that has been derived from the cryptographic operation.

MESSAGE AUTHENTICATION CODES (MACs)

MACs can be used in providing authentication for the origin/source and integrity of messages.

This cryptographic mechanism resolves the problem of adversaries altering messages by creating a MAC key that is shared by both the message originator and the recipient.

The following types of MACs are used in practice:

• MACs Using Block Cipher Algorithms - This algorithm uses an approved block cipher algorithm, for example, AES or TDEA to further secure a MAC.


• MACs Using Hash Functions - An approved hash function may also be used for computing a MAC.

KEY ESTABLISHMENT SCHEMES

Key transport and key agreement are two types of automated key establishment schemes that are used to create keys that will be used between communicating entities.

The sending entity encrypts the keying material, which is then decrypted by the receiving entity.

• Discrete Logarithm based Key (Agreement Schemes) - Discrete logarithm based public-key algorithms rely on schemes that use finite field math or elliptic curve math. Ephemeral, static or both keys may be used in a single key-agreement transaction.


• Key Establishment Using Integer (Factorization Schemes) - Integer factorization based public-key algorithms are used for key establishment schemes where one party always has and uses a static key pair, while the other party may or may not use a key pair.


• Security Properties of the Key (Establishment Schemes) - It is not always practical for both parties to use both static and ephemeral keys with certain applications, even though using both types of keys in key-establishment schemes provides more security than schemes that use fewer keys.


• Key Encryption and Key Wrapping - Key encryption further enhances the confidentiality and protection of a key by encrypting the said key. The process of key unwrapping then decrypts the ciphertext key and provides integrity verification.


• Key Confirmation - Key confirmation provides assurance between two parties in a key-establishment process that common keying materials have been established.


• Key Establishment Protocols - Protocols for key establishment specify the processing that is needed to establish a key along with its message flow and format.


• RNGs (Random Number Generators) - RNGs are needed to generate keying material and are classified into two categories: deterministic and non-deterministic.

For all systems using the BS 1488 technology (file packages encryption systems), using symmetric encryption, hybrid mechanisms are used for generating session secret keys, which are subject to separate consideration. In case of exchange, only highly protected electronic notebooks are used.

  Contents