Which key encryption is the same key used to encrypt and decrypt message?
|
Show
In today’s cyber-world there is an ever-present risk of unauthorized access to all forms of data. Most at risk is financial and payment system data that can expose the personally identifiable information (PII) or payment card details of customers and clients. Encryption is crucial for protecting PII and mitigating the risks that businesses, which conduct payment transactions, face every minute of every day. This article talks about symmetric encryption in banking, its advantages and some challenges of managing the keys. What is Symmetric Encryption?Symmetric encryption is a type of encryption where only one key (a secret key) is used to both encrypt and decrypt electronic data. The entities communicating via symmetric encryption must exchange the key so that it can be used in the decryption process. This encryption method differs from asymmetric encryption where a pair of keys - one public and one private - is used to encrypt and decrypt messages. By using symmetric encryption algorithms, data is "scrambled" so that it can't be understood by anyone who does not possess the secret key to decrypt it. Once the intended recipient who possesses the key has the message, the algorithm reverses its action so that the message is returned to its original readable form. The secret key that the sender and recipient both use could be a specific password/code or it can be random string of letters or numbers that have been generated by a secure random number generator (RNG). For banking-grade encryption, the symmetric keys must be created using an RNG that is certified according to industry standards, such as FIPS 140-2. There are two types of symmetric encryption algorithms:
Some examples of symmetric encryption algorithms include:
AES, DES, IDEA, Blowfish, RC5 and RC6 are block ciphers. RC4 is stream cipher. DESIn “modern” computing, DES was the first standardized cipher for securing electronic communications, and is used in variations (e.g. 2-key or 3-key 3DES). The original DES is not used anymore as it is considered too “weak”, due to the processing power of modern computers. Even 3DES is not recommended by NIST and PCI DSS 3.2, as well as all 64-bit ciphers. However, 3DES is still widely used in EMV chip cards because of legacy applications that do not have a crypto-agile infrastructure. AESThe most commonly used symmetric algorithm is the Advanced Encryption Standard (AES), which was originally known as Rijndael. This is the standard set by the U.S. National Institute of Standards and Technology in 2001 for the encryption of electronic data announced in U.S. FIPS PUB 197. This standard supersedes DES, which had been in use since 1977. Under NIST, the AES cipher has a block size of 128 bits, but can have three different key lengths as shown with AES-128, AES-192 and AES-256. What is Symmetric Encryption Used For?While symmetric encryption is an older method of encryption, it is faster and more efficient than asymmetric encryption, which takes a toll on networks due to performance issues with data size and heavy CPU use. Due to the better performance and faster speed of symmetric encryption (compared to asymmetric), symmetric cryptography is typically used for bulk encryption / encrypting large amounts of data, e.g. for database encryption. In the case of a database, the secret key might only be available to the database itself to encrypt or decrypt. Industry standard symmetric encryption is also less vulnerable to advances in quantum computing compared to the the current standards for asymmetric algorithms (at the time of writing). Some examples of where symmetric cryptography is used are:
Key management for symmetric encryption - what we need to considerUnfortunately, symmetric encryption does come with its own drawbacks. Its weakest point is its aspects of key management, including: Key Exhaustion Symmetric Encryption suffers from behavior where every use of a key ‘leaks’ some information that can potentially be used by an attacker to reconstruct the key. The defenses against this behavior include using a key hierarchy to ensure that master or key-encryption keys are not over-used and the appropriate rotation of keys that do encrypt volumes of data. To be tractable, both these solutions require competent key-management strategies as if (for example) a retired encryption key cannot be recovered the data is potentially lost. Attribution data Unlike asymmetric (public-key) Certificates, symmetric keys do not have embedded metadata to record information such as expiry date or an Access Control List to indicate the use the key may be put to - to Encrypt but not Decrypt for example. The latter issue is somewhat addressed by standards such as ANSI X9-31 where a key can be bound to information prescribing its usage. But for full control over what a key can be used for and when it can be used, a key-management system is required.  Key Management at large scale Where only a few keys are involved in a scheme (tens to low hundreds), the management overhead is modest and can be handled through manual, human activity. However, with a large estate, tracking the expiration and arranging rotation of keys quickly becomes impractical. Consider an EMV payment card deployment: millions of cards multiplied by several keys-per-card requires a dedicated provision and key-management system. ConclusionMaintaining large-scale symmetric encryption systems is a very challenging task. This is especially true when we want to achieve banking-grade security and auditability when the corporate and/or IT architecture is decentralized / geographically distributed. In order to do this properly, it is recommended to use special software to maintain the proper life-cycle for each key created. In instances of massive key enrollment, it is truly impossible to conduct key management manually. We need specialized key life-cycle management software for it. Quantum computing is expected to materialize within the next 5-10 years. Already today, NIST advises to replace the widely used 3DES algorithm with algorithms which we consider to be more save, based on today's knowledge. Not knowing what progress in technology and hence in the evolution malicious decryption-algorithms may be, we strongly advise banks to migrate to a crypto-agile setup. Such a setup will allow to rapidly replace algorithms, when weaknesses are detected, with algorithms which are considered to be more secure. Investment and architecture decisions need to be taken now, to avoid major damage in the forthcoming years. References and Further Reading
Which type of encryption uses the same key to encrypt and decrypt a message?What is symmetric encryption? In symmetric encryption the same key is used for encryption and decryption. It is therefore critical that a secure method is considered to transfer the key between sender and recipient.
Which key is used for encryption or decryption?Public key cryptography is a method of encrypting or signing data with two different keys and making one of the keys, the public key, available for anyone to use. The other key is known as the private key. Data encrypted with the public key can only be decrypted with the private key.
In which the same key is used for both encryption and decryption of a message in symmetric cryptography?Symmetric cryptography, known also as secret key cryptography, is the use of a single shared secret to share encrypted data between parties. Ciphers in this category are called symmetric because you use the same key to encrypt and to decrypt the data.
Is encryption key same as decryption key?Symmetric-key algorithms use the same keys for both encryption and decryption. The keys may be identical or there may be a simple transformation to switch between the two states. The Caesar and ROT13 ciphers above both use a symmetric-key.
|
