What are encryption keys and how do we use them?
In response to this question, Hashed Out published an article titled "Cryptographic Keys 101: What They Are & How They Secure Data", which details the story of cryptographic keys.
The following is the original article, compiled by the Public Key Cryptography Open Community.
What is an encryption key?
An encryption key is a string of characters (usually randomly generated or mathematically calculated) that is paired with an encryption algorithm to secure data. An algorithm is a mathematical formula that performs several important cryptographic functions. The two most common functions involving encryption keys are data encryption and decryption:
Encryption uses a key to disrupt plaintext (readable) data into unreadable gibberish (called ciphertext). This protects the confidentiality of the data from prying eyes.
Decryption, on the other hand, uses the correct encryption key to recalculate the ciphertext into the original plaintext data, so that only someone with the correct encryption key can read the information.
When an encryption key is exposed or compromised, it means that any content used for protection is now at risk of being compromised.
Throughout nearly 4,000 years of human history, there have been many instances where keys have been used to convey secret messages. This includes everything from ancient Egyptian tombstone inscriptions to the activities of the UK's Government Communications Headquarters (GCHQ) after the First World War. One of the most famous (and simplest) examples of key application is the Caesar shift cipher. This basic substitution cipher "shifts" the alphabet by a certain number of spaces (e.g., A to D, N to P). In this case, the "key" is the knowledge of how many positions have to be shifted in order to decrypt the message.
A common example of encryption can be seen when you log into your favorite website. If you see the security padlock icon (shown below), it means that you are visiting a site that is protected with public key encryption (SSL/TLS). (We'll discuss this in more detail later in the article.)
Encryption keys fall into two broad categories: symmetric and asymmetric keys
Different encryption methods involve the use of either one or two cryptographic keys. Let's explore these two types of keys before delving into their uses.
Symmetric key = single private key used to encrypt and decrypt data
Symmetric encryption uses a single key, called a symmetric key. Both the sender and receiver need to have a copy of this key in order to encrypt and decrypt data. Therefore, this private key must be kept secret to prevent any accidental third party from using it to decrypt their secret messages.
Imagine that you have just completed a home renovation, and the project included replacing all of your interior and exterior doors with locks that you purchased at your local hardware store. As a result, each door you installed has its own separate lock that requires a separate key to open. (This is closer to asymmetric encryption, since each key fits only the corresponding lock, which we'll delve into later.)
However, using symmetric keys is like resetting the keys to all the locks in your home so that you can open them with a single key. This is very convenient because you only need one key, but it also means that you have to put a lot of effort into securing the key. Otherwise, if someone gets their hands on that key, everything in your home will be compromised.
One of the tricky things about symmetric keys is that they require two communicating parties to meet in a secure manner so that they each have a copy of the key. (Imagine one of those typical secret spy meeting scenes from a movie or book.) This isn't too bad if you're in the same geographic area as the other party. But what if you need to share sensitive information right now but don't have time to meet and exchange keys? Or what happens when you try to communicate securely with someone located on the other side of the state, country, or world? That would be a very bad situation.
In the last century, the rise of digital communications has changed the communications landscape. Now, you can use a phone in the United States to communicate almost instantly with someone in any geographic location. You can type information into a web form that will instantly send it to someone on the other side of the world via the Internet.
However, it has a downside: if you send that data in clear text, it is not secure and can be intercepted by nosy or malicious third parties.
To avoid this security risk, you and the other party need a secure, encrypted method of communication. But this requires exchanging your symmetric keys, right? It does. This is where public key cryptography comes into play ......
Asymmetric key = separate key for encrypting and decrypting data (and enabling authentication)
In modern cryptography, another type of encryption key is the asymmetric key - a pair of two different but related keys. The public key is public and does not have to be kept secret. It is associated with a secret private key.
(Asymmetric = not identical) are generated as mathematically related pairs containing a public key and a private key. In public key encryption:
The public key can be used by almost anyone to encrypt data. The private key must be protected and kept secret and is used to decrypt the ciphertext. You'll also see a common analogy online to describe the role of the split key in asymmetric encryption, which is a mailbox where you have a key to place items (the public key) and a different key to remove items (the private key).
Using these two cryptographic keys enables the two parties to establish a secure encrypted connection. Imagine when you connect to a website where the server and client securely exchange information using asymmetric keys that are used to establish symmetric session keys. These symmetric keys require fewer computational resources, making data exchange faster in large-scale situations.
But why bother switching to symmetric encryption? Can't you just use asymmetric keys all the time? Technically, yes, you can use asymmetric encryption alone to communicate securely over an open channel. However, the resources required to implement this for popular websites would be too costly when dealing with thousands or millions of connections. That's why we use asymmetric keys in exchange for symmetric-key encrypted sessions to improve scalability.
Researchers at the Institute of Electrical and Electronics Engineers (IEEE) previously conducted a comparative analysis of the costs for asymmetric and symmetric applications. Their study showed that by adopting a symmetric key system, "the global energy cost savings for public-key-based applications is 58 percent."
A quick comparison of symmetric and asymmetric keys-
Keys can also be identified by their use and application
Sometimes, encryption keys refer to the role they play in the encryption process. We won't discuss all of these because they vary depending on the type of encryption process you're performing, but here's a quick overview of a few examples:
-Session keys-These keys are used to encrypt data during individual sessions (for example, connecting to a website or web application).
-HMAC keys-These keys are used to create the digital signatures used in hash-based message authentication codes.
-Data Encryption Keys (DEK)-These keys enable you to encrypt numbers at rest on the server.The DEK can also be the master key.
-Key Encryption Keys (KEK)-These keys, also known as key-wrapping keys, are used to encrypt other encryption keys that perform data-at-rest and in-transit encryption. This means that they can be symmetric or asymmetric depending on the task.
-Traffic Encryption Keys (TEK) - These encryption keys are used to encrypt data in transit against man-in-the-middle attacks and other interception methods.
-Master Key - The meaning of "master key" varies depending on its use. It is also called a key derivation key because it is used in part to compute other keys using key derivation methods.
Large keys are more secure (but less scalable) than small keys
In general, the larger the key, the more secure it is. For example, a 256-bit AES symmetric key is stronger than a 128-bit symmetric key, and a 3078-bit RSA asymmetric key is more secure than a 2048-bit asymmetric key. Larger keys help deter brute-force attackers who try to guess your key, since it is nearly impossible to guess all possible combinations using modern computer resources.
If you compare symmetric keys to asymmetric keys, you may be surprised to learn that key sizes are not the same in terms of security strength. For example, a 256-bit AES symmetric key is more secure than a 3072-bit RSA asymmetric key. The National Institute of Standards and Technology (NIST) lists AES 256-bit keys in its "Key Management Recommendations: Part 1" as roughly equivalent to 15,360-bit RSA keys. In addition, because asymmetric encryption requires the use of two keys, it is slower than symmetric encryption, which requires only one key.
Encryption is only secure if your key is secure
The security of encryption keys depends on how you manage and protect them. If a key is lost or stolen, it doesn't do you any good because it's at risk of being threatened. Once a key is threatened, the security of whatever it is being used to protect is at risk. That's bad news for you, but good news for cybercriminals.
You can protect your cryptographic keys by using a key management system and following key management best practices.
The role of cryptographic keys
Cryptographic keys are a key element of public key infrastructure and play an important role in several key cryptographic functions:
Encryption and Decryption
We've already discussed this, but recall that encryption is a method of obfuscating plaintext data into ciphertext. Depending on the type of encryption used (asymmetric vs. symmetric), encryption keys are used to encrypt, decrypt, or encrypt and decrypt data.
Verifying that an entity (e.g., an individual, client, or device) is authentic through the use of public key cryptography. Basically, it's a way to ensure that someone's identity is authentic and that there are no imposters, since only authorized users should have access to the private key. (This is different from a symmetric key that is shared between two parties.)
A digital signature is a value that certifies that something (e.g., software, code, document) has not been modified or tampered with since it was digitally signed. A cryptographic function (hash) and cryptographic key are applied to the data to generate the signature. As such, it also helps to provide non-repudiation, which means that someone who sends you certain content later on cannot deny having sent it. This is similar to signing a document in the presence of a notary public: you can't later refute signing the document because they witnessed you signing it.
Application Scenarios for Encryption Keys
Not sure if you currently use any encryption keys in your IT environment? Here are a few top scenarios of how your organization or others may already be using them:
Protecting data in transit from interception attacks
By enabling HTTPS on your website, you can use transport layer security to protect data in transit. You can do this by installing an SSL/TLS certificate on your web server. Using SSL/TLS certificates on your website ensures that your website users' data is transmitted over a secure, encrypted connection.
These connections protect the data in transit, stopping man-in-the-middle attackers from attempting to eavesdrop, read, modify, or steal your clients' sensitive data as it travels between their clients and your server.
For added security, you can support TLS 1.2 as a minimum on your servers.In addition, you can use HTTP Strict Transport Security (HSTS) as another layer of security to prevent degradation attacks (i.e., to prevent cybercriminals from degrading websites from HTTPS to HTTP).
Protecting Data at Rest on Hard Drives and Servers
Encryption is not only used to secure data in transit (i.e., using public key encryption). Instead, encryption is also commonly used to secure data at rest. This includes virtually all types of data stored digitally on a computer system. For example, this includes computers, database servers, and cloud-stored messages.
To encrypt data at rest, a symmetric cryptographic key is often used because it is fast and requires fewer resources, unlike asymmetric keys which need to be used in pairs.
However, data encryption and decryption are not the only uses of cryptographic keys. There are other uses for these digital keys...
Authentication of clients, users and devices over secure and open networks
Digital authentication in digital communications is key to data security. It verifies that you are who you say you are because a trusted authority has vetted your digital identity.
But what if you want to verify the legitimacy of a user trying to access a resource you are protecting? Traditionally, this would involve the user entering their username and password. However, login credentials can be easily compromised through phishing and malware, which means this is no longer a viable way to know if someone is authentic.
An alternative is to use digital certificates to verify your digital identity through public key cryptography:
A client-side authentication certificate verifies your identity when accessing a secure web application, virtual private network (VPN), or other protected resource. This can be a certificate that you install on your computer or mobile device.
Device certificates (also known as PKI device certificates) enable covered autonomous devices to authenticate and securely transmit data over your network. For example, this type of certificate is often used to authenticate IoT devices in places like healthcare organizations, airports, and manufacturing plants.
In each case, the cryptographic key associated with the certificate proves your digital identity because only you should be able to access it. Thus, once authenticated, you can access the resources you are authorized to view and use.
Digitally sign code, software and updates before release
By digitally signing your software, you can prove to your customers and software users that your product is not only authentic, but has not been tampered with since it was signed. This is important for software developers, publishers, and service providers who maintain customer systems.
You can attach a digital signature to your code using a code signing certificate. This involves applying a cryptographic hash function to the code and digitally signing the resulting hash using your private cryptographic key. When someone downloads your software, their browser or operating system checks to see if the hashes match. When it matches, it displays your verified organization information.
Below is a side-by-side comparison of two User Access Control (UAC) screens showing information about an unknown publisher (left) and an authenticated publisher (right):
If you decide to further enhance the security of your identity, you can use the Extended Validation Code Signing Certificate. Signing software with this digital certificate ensures that the Windows operating system and Edge browser automatically trust your software. As a result, it will not display warnings similar to the following when a user tries to install unsigned software on a Windows computer:
Write at the end
Securely storing encryption keys is not a matter of choice. In fact, it is required by many industry and regional regulations. Unless you're willing to pay thousands or millions of dollars in compliance fines, legal fees, and litigation settlement costs for a data breach, we recommend you take it seriously enough.
Historically, only Extended Validation (EV) code signing certificates were pre-installed on hardware security tokens. Now, all Organization Validation (OV) code signing certificates will also be delivered via security token by default.
You can also use hardware security modules (HSMs) to protect other cryptographic keys. These local devices and cloud-based storage mechanisms provide a way for your authorized users to use cryptographic keys without direct access.
There are still a lot of questions related to cryptographic keys, such as taking a step back - what exactly is cryptography? Or take it a step further - what are the application differences between symmetric and asymmetric encryption in cryptographic keys? These are questions that we will explore in subsequent articles.