Two-way encryption

From Citizendium
Revision as of 08:32, 28 September 2023 by Pat Palmer (talk | contribs)
Jump to navigation Jump to search
This article is a stub and thus not approved.
Main Article
Discussion
Definition [?]
Related Articles  [?]
Bibliography  [?]
External Links  [?]
Citable Version  [?]
 
This editable Main Article is under development and subject to a disclaimer.

Two-way encryption is used to obscure the contents of messages being sent back and forth between two end points on the internet. It is two-way because text messages are encrypted before sending and then decrypted at the other end of the transmission channel. Two-way encryption differs from one-way encryption (hashing) in which an encrypted string such as a password cannot be decrypted again.

Encryption for a two-way transmission channel is said to be symmetric or asymmetric, depending on whether a single key is used to encrypt and decrypt (symmetric), or whether two different keys are used, one to encrypt and the other to decrypt (asymmetric). When two keys are available, each end point always keeps its decrypt key secret, but openly sends its encrypt key to strangers so that strangers can send private (encrypted) messages back.

Asymmetric (2-key) encryption is slower than symmetric (1-key) encryption; it is used only to set up a symmetric (1-key) transmission channel between two different end points on the internet.

Private-key encryption

Symmetric two-way encryption is called private key encryption when both the sender and the receiver use the same key to encrypt and decrypt, and no one else is given the key. It was the only kind of two-way encryption publicly known until 1976[1], and it has a variety of other names, including traditional, shared-secret, secret-key, or conventional encryption. In symmetric two-way encryption, both the sender and receiver must have the key, and potential intruders must not be allowed to obtain the key. With this kind of encryption alone, it would not be possible to open up a new secure connection on the internet, because there would be no safe way initially to transmit the shared key to the other end of the connection without intruders being able to intercept it.

One example of a private-key algorithm is DES (Data Encryption Standard). DES uses a 24-character string for a key. The DES key is treated as a passphrase to derive a 192-bit byte array, which is the actual key. To implement the Triple-DES algorithm, for example, encryption occurs three times: first, the plain text is encrypted; then, the encrypted result is encrypted; and then, the intermediate encryption is encrypted. The output is a 192-bit encrypted string (known as 192-bit encryption). The more bits in the key, the longer it takes a brute-force search to find the key. A 192-bit key has 6.3 x 10 raised to the 57th degree possible keys. A brute-force search of all possible keys would likely take a long time.

One practical consideration for using private key encryption is where, and how, to safely store the key on the computer so that intruders will not be able to obtain it, if they should gain access to the machine. Simply storing the key unencrypted in a file or database is a poor strategy. Hard coding it inside a program is also risky because it could be fished out using a decompiler or debugger. A preferable strategy would be to encrypt the private key and store it in a file that is protected by the file system; this way, only authorized users of the system should be able to read the file. But then, where should one store the key used to encrypt the private key? It becomes a recursive problem.

Public-key encryption

Two-way encryption is called public key when one key is used for encrypting and a different key is used for decrypting. This allows users on a computer network to send their encrypt key to strangers, who can then use it to send messages back to them. In public key encryption, a user has their computer produce two different keys: one key is the “public” key used only for encryption, and the other key is the "private" key used only for decryption. The public key can only be used to encrypt, and the user sends this public key to a stranger. The stranger uses the public key to encrypt messages and send them back to the user, who then uses the private key to decrypt the received message. Public key encrypion is also sometimes called asymmetric encryption.

Unlike private key encryption which assumes both sender and receiver already know the private key, public-key exchange allows you to securely issue a key to anyone so that person can then send you encrypted information. Only you can decrypt the information; an intruder with the public key cannot read the encrypted message.

The keys used in "public key" systems are quite different from the string keys used for "private key" systems. In "public key" systems, each key is a structure with eight fields. The private key has all the fields populated (six are used for decrypting, and two for encrypting). The public version is derived from the private key by copying only the two encrypt fields into a new key version and blanking out the six decrypt fields.

An example of a public-key encryption algorithm is RSA (which stands for Rivest, Shamir, and Adleman, its developers' last names). RSA can encrypt a message of only 116 bytes (58 unicode chars). The primary usage of public-key encryption is to securely pass a private key when first opening a channel across a network. The private key is then installed (hidden), and after this initial setup, all further communication is done by private key encryption, which does not have the same message size limitation as public key encryption (and is also faster).

Notes

  1. Whitfield Diffie and Martin Hellman, "New Directions in Cryptography", IEEE Transactions on Information Theory, vol. IT-22, Nov. 1976, pp: 644-654. (pdf)