Written by Asim Mehmood (guest) | 27. October 2017

Cryptographic algorithms can be categorized into three classes: Hash functions, Symmetric and Asymmetric algorithms. This article sheds light on their differences, purpose and main fields of application.

A lot of security services such as confidentiality, integrity, authentication, and non-repudiation can be provided by using cryptographic algorithms.

Confidentiality serves the purpose that information is not revealed to unauthorized entities. Confidentiality is accomplished by transforming the understandable information to a state that is unintelligible except by authorized entities. This transformation mechanism is called encryption. Decryption of unintelligible data is performed to restore it to its original state. Both symmetric and asymmetric algorithms can provide encryption. Confidentiality is not only important for data at rest but also for the network communication data.

Integrity is a mechanism that assures that the data has not been altered in an unapproved way. The integrity of data is maintained at the creation, transmission and storage phases. Alteration of data includes insertion, deletion and substitution breaches. Digital signatures and message authentication codes (MAC) are the cryptographic mechanisms which can be used to notice both intentional & accidental alterations.

There are 2 types of authentication services which can be achieved using cryptography i.e. Source and Integrity authentication. Source authentication assures identity of the entity that originally generated/crafted the information. Integrity authentication validates that data has not been modified and the integrity of data is protected.

Non-repudiation is the guarantee that no one can deny a transaction. The terminology of non-repudiation is frequently used for digital signatures and email messages. When a data hashing algorithm is combined with public/private keys, data origination authentication can be achieved. The well-known technique of data origin authentication is using digital certificates.

The proper approach to incorporate security services for applications and protocols dealing with data security is the use of cryptographic methods. A lot of public/open source and proprietary algorithms are available. Users and developers are presented with many new choices in their use of cryptographic mechanisms. Adoptions of obsolete or less known/indigenous algorithms may result in a security breach of data and information. Public and NIST approved algorithms have undergone rigorous security testing and cryptanalysis prior to their approval, to assure that the algorithms provide satisfactory security. The document “NIST Special Publication 800-57 Part 1 Revision 4” provides background information and establishes frameworks to support appropriate decisions when selecting and using cryptographic mechanisms.

Keys in the field of cryptography are analogous to the pattern/PIN/password or physical key applied to a security locker. Appropriate management of cryptographic keys is essential for the operative use of cryptography. If an attacker is able to find out the combination of security locker, whatever state-of-the-art and however strong technology, the locker will fail. A security locker is analogous to an encryption algorithm. If the keys are not managed properly, encryption algorithms will be compromised.

The 1st and last phases in the life of a key are generation and destruction respectively. The other phases in the life of a key are securing storage, distribution, modification, renewal, backup/archival, revocation/suspension etc. Keys require protection in all phases of life. The protection may include compromise, modification and unauthorized disclosure. NIST publishes Federal Information Processing Standards (FIPS) and NIST Recommendations that stipulate cryptographic procedures for protecting unclassified and sensitive information.

Cryptographic algorithms can be categorized into three classes. This categorization is defined on basis of the number of cryptographic keys that are required for the algorithm.

- Hash Functions
- Symmetric-Key Algorithms
- Asymmetric-Key Algorithms

Hash functions are the building blocks for modern cryptography. A hash function is a cryptographic algorithm which is used to transform large random size data to small fixed size data. The data output of the hash algorithm is called hash value or digest. The basic operation of hash functions does not need any key and operate in a one-way manner. The one-way operation means that it is impossible to compute the input from a particular output. The basic uses of hash functions are:

- Generation and verification of digital signatures
- Checksum/Message integrity checks
- Source integrity services via MAC
- Derivation of sub-keys in key-establishment protocols & algorithms
- Generation of pseudorandom numbers

Symmetric-key algorithms also referred as secret-key algorithms use a single cryptographic key for encryption and decryption purposes. They convert data in a way that is problematic for an opponent to decrypt the data without the key. Symmetric keys are securely generated and distributed to the sender and receiver and are unknown to any other entity. But if a symmetric-key algorithm is being used by more than one receiver then the key has to be shared with all entities. If the key is compromised from one entity, communication of all the entities will be compromised. Symmetric Algorithms are further divided into Block & Stream algorithms. A block algorithm breaks the input into fixed-size blocks and then progresses the crypto operations. Stream algorithms perform “bit-by-bit” crypto operations. Primary purposes of symmetric key algorithms are:

- Confidentiality is achieved as encryption and decryption is performed using single key.
- Integrity and source authentication is achieved by using Message Authentication Codes because the MAC is generated and validated by the same key.
- Generation of pseudorandom random numbers

Asymmetric-key algorithms are commonly referred to as “public-key algorithms”. They use two mathematically associated keys knows as public and private keys. One key is used for data encryption, and the other is used for decryption of data. The combination of a public and private key is called a key pair. The private key is always kept secret by the owner. The public key is distributed to the public and everyone can access it. The private key cannot be deduced from the public key. The public key is mostly bound to an identity by a Certificate Authority. Asymmetric-key algorithms are mostly based on mathematical problems like integer factorization and discrete logarithm problem. Main uses of asymmetric algorithms are:

- Creation of digital signatures
- To establish/distribute session keys such as in case of TLS protocol

A tabular chart is listed based on some characteristics of the algorithms.

Due to the above characteristics, symmetric and asymmetric algorithms are sometimes used in a hybrid approach. Asymmetric ciphers are characteristically used for identity authentication performed via digital signatures & certificates, for the distribution of symmetric bulk encryption key, non-repudiation services and for key agreement. Symmetric ciphers are used for bulk encryption of data due to their fast speed.

- Selected articles on Key Management (2012-16), by Ashiq JA, Chuck Easttom, Dawn M. Turner, Guillaume Forget, James H. Reinholm, Matt Landrock, Peter Landrock, Steve Marshall, Torben Pedersen, Maria Stokes, John Trankenschuh and more
- NIST Special Publication 800-57 Part 1 Revision 4 Recommendation for Key Management Part 1: General (2016), by Elaine Barker, Computer Security Division Information Technology Laboratory, National Institute of Standards and Technology
- 2017 Global Encryptions Trends Study (April 2017)
- Predictions 2017: Customer-Obsessed Enterprises Launch Cloud’s Second Decade (November 2016)
- “Cybersecurity Incidents What Happened.” (2016), the United States Office of Personnel Management.

Image: "Hash Tag", courtesy of Michael Coghlan, (CC BY-SA 2.0)