Cryptography concepts

All of the cryptographic services and tools that AWS supports provide methods for you to encrypt and decrypt your data. Other AWS services automatically and transparently encrypt the data that they store and manage for you.

Cryptography and its Types

Cryptography is technique of securing information and communications through use of codes so that only those person for whom the information is intended can understand it and process it. Thus preventing unauthorized access to information. The prefix “crypt” means “hidden” and suffix “graphy” means “writing”. In Cryptography the techniques which are use to protect information are obtained from mathematical concepts and a set of rule based calculations known as algorithms to convert messages in ways that make it hard to decode it. These algorithms are used for cryptographic key generation, digital signing, verification to protect data privacy, web browsing on internet and to protect confidential transactions such as credit card and debit card transactions.

Techniques used For Cryptography: In today’s age of computers cryptography is often associated with the process where an ordinary plain text is converted to cipher text which is the text made such that intended receiver of the text can only decode it and hence this process is known as encryption. The process of conversion of cipher text to plain text this is known as decryption.

Features Of Cryptography are as follows:

  1. Confidentiality: Information can only be accessed by the person for whom it is intended and no other person except him can access it.
  2. Integrity: Information cannot be modified in storage or transition between sender and intended receiver without any addition to information being detected.
  3. Non-repudiation: The creator/sender of information cannot deny his intention to send information at later stage.
  4. Authentication: The identities of sender and receiver are confirmed. As well as destination/origin of information is confirmed.

Types Of Cryptography: In general there are three types Of cryptography:

  1. Symmetric Key Cryptography: It is an encryption system where the sender and receiver of message use a single common key to encrypt and decrypt messages. Symmetric Key Systems are faster and simpler but the problem is that sender and receiver have to somehow exchange key in a secure manner. The most popular symmetric key cryptography system are Data Encryption System(DES) and Advanced Encryption System(AES).
  2. Hash Functions: There is no usage of any key in this algorithm. A hash value with fixed length is calculated as per the plain text which makes it impossible for contents of plain text to be recovered. Many operating systems use hash functions to encrypt passwords.
  3. Asymmetric Key Cryptography: Under this system a pair of keys is used to encrypt and decrypt information. A receiver’s public key is used for encryption and a receiver’s private key is used for decryption. Public key and Private Key are different. Even if the public key is known by everyone the intended receiver can only decode it because he alone know his private key. The most popular asymmetric key cryptography algorithm is RSA algorithm.

Applications Of Cryptography:

  1. Computer passwords: Cryptography is widely utilized in computer security, particularly when creating and maintaining passwords. When a user logs in, their password is hashed and compared to the hash that was previously stored. Passwords are hashed and encrypted before being stored. In this technique, the passwords are encrypted so that even if a hacker gains access to the password database, they cannot read the passwords.
  2. Digital Currencies: To safeguard transactions and prevent fraud, digital currencies like Bitcoin also use cryptography. Complex algorithms and cryptographic keys are used to safeguard transactions, making it nearly hard to tamper with or forge the transactions.
  3. Secure web browsing: Online browsing security is provided by the use of cryptography, which shields users from eavesdropping and man-in-the-middle assaults. Public key cryptography is used by the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols to encrypt data sent between the web server and the client, establishing a secure channel for communication.
  4. Electronic signatures: Electronic signatures serve as the digital equivalent of a handwritten signature and are used to sign documents. Digital signatures are created using cryptography and can be validated using public key cryptography. In many nations, electronic signatures are enforceable by law, and their use is expanding quickly.
  5. Authentication: Cryptography is used for authentication in many different situations, such as when accessing a bank account, logging into a computer, or using a secure network. Cryptographic methods are employed by authentication protocols to confirm the user’s identity and confirm that they have the required access rights to the resource.
  6. Cryptocurrencies: Cryptography is heavily used by cryptocurrencies like Bitcoin and Ethereum to safeguard transactions, thwart fraud, and maintain the network’s integrity. Complex algorithms and cryptographic keys are used to safeguard transactions, making it nearly hard to tamper with or forge the transactions.
  7. End-to-End Encryption: End-to-end encryption is used to protect two-way communications like video conversations, instant messages, and email. Even if the message is encrypted, it assures that only the intended receivers can read the message. End-to-end encryption is widely used in communication apps like WhatsApp and Signal, and it provides a high level of security and privacy for users.

Advantages

  1. Access Control: Cryptography can be used for access control to ensure that only parties with the proper permissions have access to a resource. Only those with the correct decryption key can access the resource thanks to encryption.
  2. Secure Communication: For secure online communication, cryptography is crucial. It offers secure mechanisms for transmitting private information like passwords, bank account numbers, and other sensitive data over the internet.
  3. Protection against attacks: Cryptography aids in the defence against various types of assaults, including replay and man-in-the-middle attacks. It offers strategies for spotting and stopping these assaults.
  4. Compliance with legal requirements: Cryptography can assist firms in meeting a variety of legal requirements, including data protection and privacy legislation.

Last Updated : 22 Apr, 2023

Similar read thumbnail

Like Article

Cryptography concepts

As you work with cryptographic tools and services, you are likely to encounter a number of basic concepts.

  • additional authenticated data (AAD)
  • asymmetric and symmetric encryption
  • authenticated encryption
  • authentication
  • block cipher
  • ciphertext
  • client-side and server-side encryption
  • data key
  • decryption
  • encryption
  • encryption algorithm
  • encryption context
  • envelope encryption
  • hardware security module (HSM)
  • key encryption key
  • master key
  • plaintext
  • private key
  • public key
  • stream cipher

additional authenticated data (AAD)

Nonsecret data that is provided to encryption and decryption operations to add an additional integrity and authenticity check on the encrypted data. Typically, the decrypt operation fails if the AAD provided to the encrypt operation does not match the AAD provided to the decrypt operation.

authenticated encryption

Authenticated encryption uses additional authenticated data (AAD) to provide confidentiality, data integrity, and authenticity assurances on encrypted data.

For example, the AWS Key Management Service (AWS KMS) Encrypt API and the encryption methods in the AWS Encryption SDK take an encryption context that represents additional authenticated data (AAD). The encryption context is cryptographically bound to the encrypted data so that the same encryption context is required to decrypt the data. To learn how to use encryption context to protect the integrity of encrypted data, see How to Protect the Integrity of Your Encrypted Data by Using AWS Key Management Service and EncryptionContext in the AWS Security Blog.

asymmetric and symmetric encryption

Symmetric encryption uses the same secret key to perform both the encryption and decryption processes.

Asymmetric encryption, also known as public-key encryption, uses two keys, a public key for encryption and a corresponding private key for decryption. The public key and private key are mathematically related so that when the public key is used for encryption, the corresponding private key must be used for decryption. Encryption algorithms are either symmetric or asymmetric.

authentication

The process of verifying identity, that is, determining whether an entity is who it claims to be and that the authentication information has not been manipulated by unauthorized entities.

block cipher

An algorithm that operates on fixed-length blocks of data, one block at a time, rather than encrypting one bit at a time as in stream ciphers.

The encrypted data. Ciphertext is typically the output of an encryption algorithm operating on plaintext. Ciphertext is unreadable without knowledge of the algorithm and a secret key.

client-side and server-side encryption

Client-side encryption is encrypting data at or close to its source, such as encrypting data in the application or service that generates it.

Server-side encryption is encrypting data at its destination, that is, the application or service that receives it.

The method that you choose depends on the sensitivity of your data and the security requirements of your application. Client-side and server-side encryption differ in when, where, and who encrypts and decrypts the data. They do not necessarily define how the data is encrypted and might use the same process. In addition, they are not exclusive. You can often use client-side and server-side encryption on the same data.

AWS supports both client-side and server-side encryption. Most AWS services that store or manage customer data offer a server-side encryption option or perform server-side encryption of your data by default. These services transparently encrypt your data before writing it to disk and transparently decrypt it when you access it. Most AWS services that support server-side encryption are integrated with AWS Key Management Service (AWS KMS) to protect the encryption keys that protect your data. For a list of integrated services, see AWS Service Integration .

AWS also supports client-side encryption libraries, such as the AWS Encryption SDK, the DynamoDB Encryption Client, and Amazon S3 client-side encryption. For help choosing the library that best meets your needs, see How to choose a PKI service.

In envelope encryption, a data key or data encryption key is an encryption key that is used to protect data. Data keys differ from master keys and key encryption keys, which are typically used to encrypt other encryption keys.

The term data key usually refers to how the key is used, not how it is constructed. Like all encryption keys, a data key is typically implemented as a byte array that meets the requirements of the encryption algorithm that uses it. As such, data keys can be used to encrypt data or other data keys.

Often a tool or service generates unique data key for each data element, such as a database item, email message, or other resource. Then, it encrypts all of the data keys under the same master key.

Several AWS tools and services provide data keys.

  • The HSMs in a AWS CloudHSM cluster generate encryption keys that can be used as data keys, key encryption keys, or master keys.
  • You can ask AWS Key Management Service (AWS KMS) to generate a data key. It returns a plaintext key and a copy of that key that is encrypted under the customer master keys that you specify.

decryption

The process of turning ciphertext back into plaintext. Decryption algorithms typically require an encryption key and can require other inputs, such as initialization vectors (IVs) and additional authenticated data (AAD).

The process of converting plaintext readable data to an unreadable form, known as ciphertext, to protect it. The formula used to encrypt the data, known as an encryption algorithm, must be almost impossible (using current and anticipated technology) to reverse without knowledge of the inputs to the algorithm. These inputs can include an encryption key and other random and determined data.

All of the cryptographic services and tools that AWS supports provide methods for you to encrypt and decrypt your data. Other AWS services automatically and transparently encrypt the data that they store and manage for you.

encryption algorithm

A procedure or ordered set of instructions that specifies precisely how plaintext data is transformed into encrypted data or ciphertext. The input to an encryption algorithms includes the plaintext data and a encryption key. The output includes the ciphertext.

For example, AWS Key Management Service (AWS KMS) uses the Advanced Encryption Standard (AES) symmetric algorithm in Galois/Counter Mode (GCM) , known as AES-GCM. AWS CloudHSM supports keys for multiple encryption algorithms.

encryption context

A type of additional authenticated data (AAD). It typically consists of nonsecret, arbitrary, name–value pairs. In most cases, you can provide an encryption context when you encrypt data. The same encryption context must be provided to decrypt the data. The encryption context is usually optional but recommended.

The term encryption context has different meanings in various AWS services and tools. This can be confusing, so be sure to understand how your tool or service interprets this term.

The following tools and services support an encryption context.

  • In AWS Key Management Service (AWS KMS), an encryption context is a collection of nonsecret name–value pairs. When you provide an encryption context to an encryption operation, AWS KMS binds it cryptographically to the ciphertext. To decrypt the data, you must provide an exact, case-sensitive match for the encryption context. AWS KMS includes the encryption context in AWS CloudTrail logs of cryptographic operations. As such, you can use a well-designed encryption context to help you track and audit the use of your encryption keys for particular projects or types of data. AWS KMS also lets you use all or part of the encryption context as the condition for a permission in a policy or grant. For example, you can allow a user to use a master key to decrypt data only when the encryption context includes a particular value. For details, see Encryption Context in the AWS Key Management Service Developer Guide.
  • The AWS Encryption SDK also supports an optional encryption context in all cryptographic operations. However, you do not provide the encryption context to the decryption operation. Instead, when it encrypts data, the SDK saves the encryption context (in plaintext) along with the ciphertext in the encrypted message that it returns. When you ask the SDK to decrypt the encrypted message, the SDK uses the encryption context that it saved. You can still use the encryption context to provide an additional verification of your data. When you decrypt data, you can get and examine the encryption context and return the decrypted data only after verifying that the encryption context has the expected value.
  • The DynamoDB Encryption Client uses encryption context to mean something different from its use in AWS KMS or the AWS Encryption SDK. The DynamoDB encryption context is a collection of information about the table and table item that you pass to a cryptographic materials provider (CMP). It is not related to AAD.

envelope encryption

A strategy for protecting the encryption keys that you use to encrypt your data. First, you encrypt plaintext data with a data key. Then, to protect the data key, you encrypt it under another key, known as a key encryption key.

Encrypting the data key is more efficient than reencrypting the data under the new key because it is quicker and produces a much smaller ciphertext.

You can even encrypt the data encryption key under another encryption key and encrypt that encryption key under still another encryption key. But, eventually, one key must remain in plaintext so you can decrypt the keys and your data. This top-level plaintext key encryption key is known as the master key, as shown in the following diagram.

Envelope encryption

Several AWS cryptographic tools and services support envelope encryption. AWS Key Management Service (AWS KMS) protects the master key that must remain in plaintext. It supplies master keys that never leave the service unencrypted. AWS KMS supports operations that generate data keys that are encrypted under your master key. You can use the data keys to encrypt your data outside of AWS KMS.

The AWS Encryption SDK automatically encrypts your data with a data key that is encrypted by a master key that you specify. The DynamoDB Encryption Client supports many encryption strategies, including envelope encryption with an AWS KMS customer master key or with keys that you provide.

hardware security module (HSM)

A computing device that performs cryptographic operations and provides secure storage for cryptographic keys. Many HSMs have features that make them resistant to tampering or provide reliable tamper detection.

AWS CloudHSM lets you create, manage, and control your own HSMs in the cloud. AWS Key Management Service (AWS KMS) generates and protects the customer master keys (CMKs) that it provides in FIPS 140-2 validated HSMs that it manages for you. AWS KMS also lets you create your CMKs in a custom key store backed by an AWS CloudHSM cluster that you own and manage.

key encryption key

In envelope encryption, a key encryption key is an encryption key that is used to encrypt a data key or another key encryption key. To protect the key encryption key, it is encrypted by using a master key.

The term key encryption key refers to how the key is used, not how it is constructed. Like all encryption keys, a key encryption key is typically implemented as a byte array that meets the requirements of the encryption algorithm that uses it.

Several AWS services provide key encryption keys.

  • The HSMs in a AWS CloudHSM cluster generate encryption keys that can be used as data keys, key encryption keys, or master keys.
  • You can ask AWS Key Management Service (AWS KMS) to generate a data key, then use that key as a key encryption key outside of AWS KMS.

master key

In envelope encryption, a master key is an encryption key that is used to encrypt other encryption keys, such as data keys and key encryption keys. Unlike data keys and key encryption keys, master keys must be kept in plaintext so they can be used to decrypt the keys that they encrypted.

The term master key usually refers to how the key is used, not how it is constructed. Like all encryption keys, a master key is typically implemented as a byte array that meets the requirements of the encryption algorithm that uses it.

AWS Key Management Service (AWS KMS) generates and protect master keys. Its customer master keys (CMKs) are created, managed, used, and deleted entirely within AWS KMS.

Several AWS services provide master keys.

  • The HSMs in a AWS CloudHSM cluster generate encryption keys that can be used as data keys, key encryption keys, or master keys.
  • AWS Key Management Service (AWS KMS) generates and protects master keys. Its customer master keys (CMKs) are created, managed, used, and deleted entirely within AWS KMS.

plaintext

Information or data in an unencrypted, unprotected, or human-readable form.

private key

One of two keys, along with public keys, used to protect data in an asymmetric encryption scheme. Public and private keys are algorithmically generated in tandem: the public key is distributed to multiple trusted entities, and one of its paired private keys is distributed to a single entity. This way, a message can be authenticated because the public key signature proves that a trusted entity encrypted and sent it. The message contents can also be secured so that only a private key holder can decrypt it.

One of two keys, along with private keys, used to protect data in an asymmetric encryption scheme. Public and private keys are algorithmically generated in tandem: the public key is distributed to multiple trusted entities, and one of its paired private keys is distributed to a single entity. This way, a message can be authenticated because the public key signature proves that a trusted entity encrypted and sent it. The message contents can also be secured so that only a private key holder can decrypt it.

stream cipher

An algorithm that operates one bit of a data at a time rather than encrypting one block of data at a time as in block ciphers.

| | 0 Comments