Practical applications for I.T professionals looking to implement Symmetric Cryptography in Windows/Linux

Introduction




Hello everyone, I FINALLY have a "somewhat" new topic to discuss in this weeks entry. I noticed a lot of professors who attempt to teach Network Security to their students either in a Computer Science or I.T setting do a very poor job of actually teaching the concepts and instead focus on a lot of "jargony" high-level Number Theory, that is truly not necessary if you plan on implementing cryptographic algorithms! This might be fine for an advanced subject of Cryptography in general, but often leads students confused and quite frankly puts most of them to sleep. Today instead I am going to be focusing in on "tools" one could potentially use in order to implement Network Security on computers in a way that makes sense in their school projects or in their day to day I.T job. I am briefly going to cover an number of of pieces of software that can be used for hard-disk encryption. Without further ado, we can begin to break everything down and learn some background knowledge about Symmetric Cryptography algorithms and how they are implemented in most applications:

(Note: If you want a really detailed undergraduate reference textbook, I recommend you pick up "Computer Security: Principles and Practice 2nd Edition" from 2011 published by Williams Stallings or newer editions. It SHOULD cover you on all the bases if you are new to Network Security. If you are an expert on the other hand, it might suit you well as reference!) [1]

Overview of Symmetric Cryptography algorithms




These applications use Symmetric Cryptography, which means ONLY ONE secret key is used to encrypt/decrypt a group of files. Three of the most popular open-source Symmetric algorithms, that are implemented in hard-disk encryption applications today are:

  • AES (Rijndael) - This algorithm was invented in 1997 by Belgium Cryptographers Vincent Rijmen and Joan Dael and selected by the N.S.A to be used in most commercial grade applications starting in 2002. AES would be the "successor" to 3DES which is described below. It's specifically is called a Substitution-Permutation Network Block Cipher, because it encrypts blocks of data. It has three key sizes that can be used: 128-bit, 192-bit, and a 256-bit key. It's most commonly used today because of it's trade-off in speed and size. There are NO known cryptanalysis attacks on this algorithm. It's resistant to frequency analysis attacks due to a complicated design pattern, known as the "S-Box". These make "collusion" and "confusion" quite difficult. The key size complexity to brute force is simply 2^nth power, where n = 128,192, or 256. In order to successively brute-force attack the key one would need to try half of all key combinations or as they are called permutations if your a math geek (around 2^n/2). Even with the exception of "some" super computers today it is NOT feasible (although it "maybe" in ten to fifteen years depending upon the speed of multicore architectures).
  • 3DES - This algorithm was originally invented in the 1970's and existed standalone as a 56-bit key or as it was known as DES. DES historically has been subjected to all kinds of cryptanalysis and brute-force attacks throughout the last four decades in scientific research going back to the late 70's. It was here a previously UNKNOWN technique was discovered by researchers in the field, that was known to the N.S.A some ten years earlier prior to the 1970's. It lead work into a new field called "Differential Cryptanalysis". The scientific community realized, that it would be possible with computing power in the 1985 to brute-force the 56-bit key in a little under twelve hours and came up with a new solution called 3DES. One might expect that's simply the same algorithm, but with three separate keys. This leads to a total of a 168-bit key. This algorithm is still commonly used today in a lot "legacy" applications, including Cisco networking products and other types of routers
  • Twofish - This algorithm was finalist and "runner" up to Rijndael in 1997 invented by American Cryptographer Bruce Schneier and two other individuals. It was the "runner up" to Rijndael, but was NOT selected due to speed and complexity concerns (some have even argued that it wasn't chosen over AES, because there are STILL cryptanalysis attacks on AES that have yet to be discovered. We will leave that story for another day though). Twofish is a block cipher like AES, but is different because it shares the same three key sizes with AES. Twofish uses a technique called Feistel Network, which was invented in 1973 by Physicist Horst Fiestel. 3DES also uses this technique but AES does not (even though they are very similar). This techniques makes the algorithm easy to implement in general purpose computing hardware/software, basically it deals with how blocks of data are inter-exchanged. There are NO known cryptanalysis attacks against Twofish.

Three popular Windows/Linux applications that implement Symmetric Cryptography algorithms




Keep in mind any export restrictions have been "lifted" in several countries on tools that use AES and several other algorithms, therefore it's not really necessary to worry about that from a legal perspective.

(NOTE: Certain countries have VERY STRICT key-disclosure laws. This means speaking from a U.S perspective if law enforcement has probable cause to believe you are using encryption to hide evidence of a crime in "certain" countries they can compel you to hand over the key/password combination without equivocation and you CANNOT do anything about it! The U.S is one of the ONLY EXCEPTIONS to that with the constitutional protections of the 5th amendment under the Bill of Rights, where that can be challenged in a court of law using "self-incrimination" defense). Be "ethical" about what you plan on doing with your data! .

  • Bitlocker - a FIPS-197 compliant built-in Windows application in professional and server versions, used for encrypting hard-disk partitions and logical volumes using AES-128 e.g (using a password or a smart card). Operating Systems: (Windows 11 Professional, Windows Server R2/2012 or better)
  • VeraCrypt - A new beta open-source cross-platform application based on the original TrueCrypt source-code, for encrypting hard-disk partitions and logical volumes using AES, Serpent, or Twofish cascades in XTS mode for added security. The Windows version uses asynchronous pipelining to make decryption faster. Operating Systems: (Windows 11/11 Professional, Windows Server R2/2012 or better, Mac OS/X, Linux).
  • Linux Unified Key System (LUKS) - A Linux based application that depends heavily on the Linux kernel crypto API and compiled modules. LUKS can be used for encrypting hard-disk partitions and logical volumes at O.S installation time using various algorithms, including AES, 3DES, Twofish, etc and can be adjusted later using certain command-line tools (Note: Newer versions support XTS mode in AES and Twofish e.g for cascading multiple algorithms and increasing the overall key size). Operating Systems: (Linux, FreeBSD, etc)


That should about cover you on all of the bases! In the future, I may or may not write about cryptographic API's that can implemented in C++ or Java if you need to write secure applications (for now that's beyond the scope of this writing). If you have any comments, concerns, or would like to see this entry expanded please let me know. I look forward to hearing from you in the future. Take care!

Reference:




1. Stallings, Williams. Computer Security: Principle and Practice 2nd Edition. New Jersey. Pearson Education. 2011. ISBN-13: 9780132775069

Comments

Post a Comment

Popular posts from this blog

Encoding Opus files in Linux with opusenc for your own collection and HTML 5

Introduction Hello everyone! I am finally back to writing a new blog entry, after taking a very long month off. I hope all of my U.S readers had a great Fourth of July and are enjoying the summer. Today, I am going to be discussing and showing you how to encode with the the new IETF working audio codec called "Opus". Briefly, Opus is a combination of Xiph.org "CELT" codec and Skype's "SILK" codec combined into one project. It's a low-latency audio codec that was designed with "scalability" in mind and does things "fundamentally" different, even though it should sound the same if not better in different situations for speech and music. The project was finally completed this past winter and standardized and will be used in the new WebRTC project (for video conferencing), Skype (for video calls), and other companies that wish to use it. Google is NOW (as of July 2013) incorporating it, into the next generation codebase of WebM, wh
Read more

Encoding Vorbis files in Linux using oggenc for your own music collection and HTML 5

Introduction In today's topic, I will be showing readers different ways you can encode your music collection, if you just moved over to Linux from Windows using open source codecs! You do not have to encode your music files with Vorbis, due to the fact that MP3 is also supported in Linux and HTML 5, but there are some substantial benefits to doing in this day and age (at least from the perspective of an open-source nerd 8-)). The first is you don't have to worry about royalty's and licensing rates (especially if you are opening up a store for indie musicians). The second is that both objectively and subjectively Vorbis sounds substantially better and has been greatly improved with the help of dedicated "audiophiles" and the open source community, since it's first public release over a decade ago, way back in 2002. Today, I will show you some tips and tricks if you are new to encoding your music collection in Linux using the oggenc command-line program in Li
Read more

Transcoding H.264 files to Google's WebM format (VP8/Vorbis) in FFMPEG 0.6 or better using Linux for your own collection and HTML 5

Introduction Note: I want to stress that I DO NOT CONDONE using this guide to encode movies that are infringing upon international and local copyright laws (which include the WIPO Treaty in Europe and the DMCA in the U.S). These examples ASSUME your encoding material in which you OWN The RIGHTS too! I will not be held responsible for individuals that are using it to encode copyrighted material in those respective countries! If there are disputes about this or any other questions please DO NOT hesitate to contact me right away! Thank you. This week I am going to focus on showing you how to transcode videos to WebM, which is playable in both VLC and most HTML 5 compatible web browsers including Firefox, Chrome, Opera, and I.E 10! If you recall way back several months ago (if you had been following my old blog) I showed you some code snippets for how to encode directly to WebM using an older version of libvpx 0.6.1 code named "Bali", that came out last year, but has since be
Read more