Cryptography Terminology Overview

| Term | Meaning |
|---|---|
| AES (Advanced Encryption Standard) | AES is a symmetric 128-bit, 192-bit or 256-bit block data encryption technique developed by Belgian cryptographers Joan Daemen and Vincent Rijmen. It is the state of the art in secret key ciphers. |
| CA (Certificate Authority) | A company such as Thawte or Verisign that issues certificates. They check your credentials and once they are convinced you are who you claim to be, they digitally sign a certificate attesting to your identity. There are dozens of different kinds of certificates, presumably so they can charge you extra for each kind after the identification process is complete — the only thing in issuing a certificate that takes work. |
| cipher | A scheme for scrambling and unscrambling messages to make them unintelligible. |
| digest | A checksum computed by an algorithm such as MD5 (Message Digest algorithm 5) or SHA-1 (Secure Hash Algorithm 1). It is a high quality checksum with almost no possibility that any two documents would generate the same number. It becomes like an id for a document. If even one comma changes, the digest will be totally different. |
| encrypt | To scramble a message to make it unintelligible for transport. |
| key | A large number used in cryptography calculations, something like a password or passphrase, but deliberately random gibberish. Keys can be quite long, up to 4096 bits, which is equivalent to about 100 words or 1200 digits. You never even bother to look at them. They are selected for you by random processes. Sometimes the number has to have some special property, e.g. be prime or relatively prime to some other number. |
| keystore | A file containing your collection of public and private keys, both your own and other people’s. Your own will be certificates with a public/private key pair. Other people’s will be certificates with just a public key. |
| MAC (Message Authentication Code) | A MAC is a digest encrypted with a private key. It acts like a digital signature for the document. To verify the signature, you decrypt with the corresponding public key and recompute the digest. If the digests match, you know both that the originator signed it and that the document was unchanged since it was signed. |
| MD5 | A 128-bit digest. It is faster to compute than SHA-1, but is not as high quality. |
| One time pad | A theoretically uncrackable cipher where you XOR your message with a one-time binary key, made of purely random noise, as long as the message. Looking at the final result, you can presume the original message said absolutely anything, given the matching random key. The encrypted message is purely random with no leverage for decryption. See my Pascal Implementation. To decrypt, you XOR (exclusive OR) again with the same key. In practice, you break the code by stealing or intercepting and copying the keys, or by peeking at the message before or after it is decrypted, or by distributing bogus software that spies. |
| plain text | Not encrypted. In a form that can be read. |
| principal | Anything with a name: a person, a company, etc. |
| private key | A large secret number known only by one party. He uses this both to sign outgoing messages and to decrypt incoming ones. |
| public key | A large number known by everyone, even enemies. People use it to encrypt messages to its owner and to validate signatures of messages coming from him. |
| JCE (Java Cryptography Extension) | A set of classes designed to be easily replaced by better ones from other vendors to do a variety of cryptographic functions. The documentation is abysmal. Try reading Java Cryptography (see below) to understand what each class is for. It is much simpler than it looks. |
| secret key | A large secret number known by both sender and receiver, used to scramble and unscramble messages. Diffie-Hellman allows two parties who have never met to agree on a secret number between them, even while people are eavesdropping. |
| SHA-1 | A digest. SHAs come in various strengths from 128 bits to 512 bits. |
| SPI (Service Provider Interface) | A vendor who wants to provide cryptographic algorithms that plug into Oracle’s framework has to write to a set of interfaces. This way he can write either replacements or additions to Oracle’s implementations that all work with the familiar JCE interface. BouncyCastle provides PGP (Pretty Good Privacy) via the interface this way. |
| subject | The person who buys a digital id certificate. |
| token | A fob you hold in your hand. An electronic key. It contains a small computer, a secret key and a program to do security calculations. |
Cryptography Overview

| Problem | Solution |
|---|---|
| Secure conversations over the Internet | Diffie-Hellman, SSL (Secure Sockets Layer), allows two parties who have never met to decide on a secret key to use for encryption. |
| Proving you are who you claim to be. | Digital Id certificate, containing a private key, digitally signed by a Certificate Authority. |
| Proving you are the author of some computer program. | Code signing certificate, containing a private key, digitally signed by a Certificate Authority. |
| Proving nobody has tampered with some computer program. | Code signing certificate, containing a private key, digitally signed by a Certificate Authority, and a digitally signed digest of the program. |
| Proving email truly came from whom it purports to. | S/MIME (Secure Multipurpose Internet Mail Exchange) or PGP certificate. |
| Proving email was not tampered with. | S/MIME or PGP certificate. |
| Sending email so that others cannot eavesdrop. | S/MIME or PGP certificate. |
| Sending communications over the Internet even the government can’t spy on. | One time xor pad with true random keys. Nothing else is secure. |
| Logging into a computer in a way that others who are spying or spoofing can’t learn to imitate. | Public/private key system. |
| High security door lock access where everyone has different areas of permission. | Hardware token (password fob) with an embedded private key it does not directly reveal. |
| Distributing public keys in a way that people can be sure they truly are what they purport to be, e.g. a public key to verify code signing, email signing, website identification etc. | Public key certificates digitally signed by Certificate Signing authorities. |
| Doing a very accurate checksum to detect changes in a file. | Digest such as MD5 or SHA-1. |
| A digest that other people cannot compute. | A MAC, which is an ordinary digest salted with a private key to get it started. |
| Doing a very fast checksum to detect changes in a file. | Adler 32-bit checksum, or a CRC-32. |
| FTP (File Transfer Protocol) that people can’t snoop on. | FTP piggybacked on the SSH (Secure Shell) protocol. Private/public key RSA/DSA encryption is thousands of times slower. That is why it is not used for bulk encryption. |
| Protecting your files from being snooped on when you are not at your desk. | Encryption using the OS (Operating System) or PKZIP. |
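The digest and MAC entries above in code, as an added example that is not from the original page: a plain digest as a document id, then a keyed digest (HMAC, from Python's standard library) that only holders of the secret key can compute or verify. SHA-256 is used here instead of the page's MD5/SHA-1; the sample document and keys are constructed for the example.

```python
"""Digest as a document id, and a MAC as a digest others cannot compute.
Added example; SHA-256 replaces the page's MD5/SHA-1 (assumption)."""
import hashlib
import hmac
import secrets


def digest(document: bytes) -> str:
    """Plain digest: anyone can compute it; it acts like an id for the document."""
    return hashlib.sha256(document).hexdigest()


def mac(secret_key: bytes, document: bytes) -> str:
    """Keyed digest (HMAC): only holders of secret_key can compute or verify it."""
    return hmac.new(secret_key, document, hashlib.sha256).hexdigest()


def verify_mac(secret_key: bytes, document: bytes, tag: str) -> bool:
    """Recompute the MAC and compare in constant time (no timing leak)."""
    return hmac.compare_digest(mac(secret_key, document), tag)


# Constructed sample document and the same document with one comma removed.
ORIGINAL = b"Pay Alice 100 dollars, on Friday."
TAMPERED = b"Pay Alice 100 dollars on Friday."


def digests_differ() -> bool:
    """Removing a single comma yields an unrelated digest."""
    return digest(ORIGINAL) != digest(TAMPERED)


def demo() -> dict:
    """Exercise the MAC: right key passes, tampering and a wrong key fail."""
    key = secrets.token_bytes(32)        # random secret shared by sender and receiver
    wrong_key = secrets.token_bytes(32)  # what an outsider would have to guess
    tag = mac(key, ORIGINAL)
    return {
        "ok_with_key": verify_mac(key, ORIGINAL, tag),
        "tampered_rejected": not verify_mac(key, TAMPERED, tag),
        "wrong_key_rejected": not verify_mac(wrong_key, ORIGINAL, tag),
    }


if __name__ == "__main__":
    print(digest(ORIGINAL), digests_differ(), demo())
```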
Average Time To Crack a Secret Key Using 1997 Technology

| Key Length (bits) | Individual Attacker | Small Group | Academic Network | Large Company | Military Intelligence Agency |
|---|---|---|---|---|---|
| 40 | Weeks | Days | Hours | Milliseconds | Microseconds |
| 56 | Centuries | Decades | Years | Hours | Seconds |
| 64 | Millennia | Centuries | Decades | Days | Minutes |
| 80 | Infeasible | Infeasible | Infeasible | Centuries | Centuries |
| 128 | Infeasible | Infeasible | Infeasible | Infeasible | Millennia |
Code Cracking Capability with 1997 technology

| Attacker | Computer Resources | Keys/Second |
|---|---|---|
| Individual attacker | one high-end desktop machine and software | 2^17..2^24 |
| Small group | 16 high-end machines and software | 2^21..2^24 |
| Academic network | 256 high-end machines and software | 2^25..2^28 |
| Large company | $1,000,000 hardware budget | 2^43 |
| Military intelligence agency | $1,000,000 hardware budget and advanced technology | 2^55 |
The only encryption that is in theory uncrackable is the one time pad, which uses a key of true random numbers equally long as the message. The key is never reused.
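The one time pad as described in the terminology table and the paragraph above, as an added example that is not from the original page (nor the Pascal implementation it links): encrypt and decrypt are the same XOR, the pad is random and as long as the message, and two further functions show why the ciphertext alone proves nothing and why the key is never reused. Messages and lengths are constructed for the example.

```python
"""One time pad: XOR with a truly random key as long as the message, used once.
Added example, not the page's own code."""
import secrets


def make_pad(length: int) -> bytes:
    """Fresh random key as long as the message, from the OS CSPRNG."""
    return secrets.token_bytes(length)


def xor_pad(data: bytes, pad: bytes) -> bytes:
    """XOR data with the pad; the same operation encrypts and decrypts."""
    if len(pad) < len(data):
        raise ValueError("pad must be at least as long as the message")
    return bytes(d ^ k for d, k in zip(data, pad))


def encrypt(plaintext: bytes, pad: bytes) -> bytes:
    return xor_pad(plaintext, pad)


def decrypt(ciphertext: bytes, pad: bytes) -> bytes:
    return xor_pad(ciphertext, pad)


def round_trip(plaintext: bytes) -> bool:
    """Encrypt then decrypt with the same pad returns the original."""
    pad = make_pad(len(plaintext))
    return decrypt(encrypt(plaintext, pad), pad) == plaintext


def any_message_fits(ciphertext: bytes, claimed_plaintext: bytes) -> bytes:
    """Return a pad under which the ciphertext 'decrypts' to any claimed text
    of the same length: the ciphertext alone gives no leverage."""
    return xor_pad(ciphertext, claimed_plaintext)


def reuse_leak(m1: bytes, m2: bytes) -> bytes:
    """Two messages under one pad: c1 XOR c2 == m1 XOR m2, the pad cancels out.
    This is why the key is never reused."""
    pad = make_pad(max(len(m1), len(m2)))
    return xor_pad(encrypt(m1, pad), encrypt(m2, pad))


if __name__ == "__main__":
    print(round_trip(b"attack at dawn"), reuse_leak(b"abc", b"abd").hex())
```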
The USA has complex laws on cryptography. The basic idea is that the US government demands the right to snoop on all electronic messages. Other laws prevent US companies from exporting serious cryptographic software, even when the algorithms are public knowledge. This has closed the door to US software companies and opened it to Australian ones.
recommend book⇒Digital Certificates: Applied Internet Security

| by | Jalal Feghhi, Jalil Feghhi, Peter Williams | 978-0-201-30980-5 | paperback |
|---|---|---|---|
| publisher | Addison-Wesley | | |
| published | 1998-10-09 | | |

The main thing wrong with this book is its age. It is a surprisingly easy to follow book. The JCE itself is daunting, but this book tames it with lots of code examples and an informal style. Consider this book an introduction to the JCE, not the final authority on high security. The end of the book degenerates into a bit of a sales pitch for the author’s employer, Verisign, showing you the Verisign way of doing business. The book is inconsistent in its intended audience. For example, the S/MIME section seems aimed at the JCE for dummies crowd. Yet near the end of the book, the authors throw an alphabet soup of undefined terminology at you as if you were a roomful of Verisign techies.
recommend book⇒Java Cryptography

| by | Jonathan Knudsen | 978-1-56592-402-4 | paperback |
|---|---|---|---|
| publisher | O’Reilly | 978-1-4493-9061-7 | eBook |
| published | 1998-05-01 | B0043M4ZC0 | kindle |

JCE has evolved considerably since this book was published. It teaches you how to write secure programs using Java’s cryptographic tools. It covers the java.security package and the Java Cryptography Extensions (JCE). It discusses authentication, key management, public and private key encryption, and how to implement ciphers, keys and other data-obscuring techniques in Java. It includes source for a provider of the ElGamal algorithm.
This page is posted at http://mindprod.com/jgloss/cryptography.html

Canadian Mind Products