Cryptography and how it is used to secure today’s WIFI networks — part 01
Hi all, I hope this article will be useful and that you learn something from it. In this article, I will describe what cryptography is and its different use cases. This is vital for understanding how we use these techniques in a wireless network.
So let’s begin. I am sure many of you have come across the term cryptography. In the beginning, it may sound a bit intimidating. But once you get to know what it actually is (the concepts at least, if not the mathematical complexity), you will appreciate the amount of effort that has been made to secure our privacy and information when it comes to digital communication. So, what actually is cryptography?
What is Cryptography
The term crypto refers to something hidden or secret, and graphy may be interpreted as a way of writing or representation. So roughly “secret writing”!
More formally, one of the definitions that I came across is: the use of mathematical algorithms to transform information into an encrypted form that is not readable by unauthorized individuals. So basically, this is a method of protecting information using encryption. We use an encryption key to encrypt, or transform, our plain text into a so-called ciphertext to hide it from unauthorized individuals.
The level of security that we achieve through encryption is a trade-off against the amount of resources being used. The stronger our encryption algorithms, the more processing power we’ll need to encrypt and decrypt the data.
So why do we use cryptography? There are some common requirements that people want in order to feel safe in a network and they are the goals of cryptography.
Goals of cryptography
1. Preserve Confidentiality
This ensures that when two parties communicate, unauthorized individuals will not be able to gain access to or read the information even if they intercept the communication. We don’t want anyone to read our private conversations, right? Thus, confidentiality should be preserved at all stages: when data is stored on a storage device, when data is in transit, and when data is being used.
2. Integrity
Integrity protects information against unauthorized modifications. I want to know that a message I receive claiming to be from one of my friends is actually the message that he/she sent, and that no one has modified or tampered with it.
3. Authentication
This is something we all know. Every day we authenticate ourselves to gain access to our home wireless network or the eduroam wireless network. I will cover this by focusing on the two major ways of authentication currently used in wireless security.
4. Non-repudiation
Non-repudiation means that the recipient of a message can prove to an independent third party that the message actually came from the alleged party. For example, if one of my friends sends a message to me using an encryption algorithm that supports non-repudiation, I can show the message to someone and prove that the message actually came from my friend and that I didn’t simply create it. We use digital signatures to achieve non-repudiation.
Types of cryptography
There are two major types of cryptography
1. Symmetric encryption
In symmetric encryption algorithms, also known as shared secret encryption algorithms, the encryption and decryption operations use the same key. If one user encrypts a message using the secret key, the other user has to decrypt the message with that same secret key. It’s a shared secret. AES is the most secure standard available.
- Advanced Encryption Standard (AES)
The Advanced Encryption Standard is a symmetric block cipher that is widely used today in many different cryptographic applications, ranging from web security (TLS handshake) to WIFI data encryption. Three different key lengths can be used: a 128-bit key, a 192-bit key, or a 256-bit key. The larger the key size, the higher the security, but it increases the amount of resources needed for processing. Thus, the trade-off. In any case, all of these are considered secure.
2. Asymmetric encryption
Asymmetric cryptography is built on the concept of key pairs. Each user gets two keys: a public key that they can freely distribute to anyone they wish to communicate with, and a private key that they keep secret. Anything that is encrypted with one key of a pair can be decrypted with the other key of the same pair. For normal communications, the sender of a message encrypts it with the recipient’s public key, which is publicly known. The recipient then uses their private key to decrypt the message. Asymmetric cryptography solved a major scalability issue, but it is much slower than symmetric cryptography. Therefore, it is not normally used for exchanging long messages directly between communicating systems. Instead, it is used to create an initial secure communication channel over which two systems exchange a symmetric key. The most popular asymmetric algorithm is RSA.
- Rivest, Shamir, Adleman (RSA)
The RSA algorithm was one of the earliest asymmetric cryptographic algorithms and it’s still widely used today. The RSA algorithm gains its name from the initials of the three creators of the algorithm. When a new user wants to use RSA cryptography to communicate with others, they create a new key pair. Now there’s a lot of complex math involved in creating the keys, but the underlying principle that you really need to understand is that you cannot derive one key from the other key. When a user wants to send an encrypted message to another user with the RSA algorithm, the sender encrypts the message with the recipient’s public key. When someone receives an RSA-encrypted message, they decrypt that message with their own private key. As long as the user keeps that private key secure, they are the only person who possesses the knowledge necessary to decrypt the message. This ensures the confidentiality of RSA-encrypted communications. The algorithm uses variable-length keys, normally between 1,024 and 4,096 bits, and is still considered secure when using a sufficiently long key.
So now we know that, in order to have secure communication over a channel, the sender and receiver must share their keys. They must somehow agree upon and exchange the shared secret key that they’re going to use. But this is where the real challenge comes in. One party might go ahead and randomly select a secret key, which is fine, but then they must somehow send it to the other party over the still unsecured channel. They cannot encrypt the key, because the other party doesn’t yet have a key to decrypt it. So while the keys are initially exchanged over the unencrypted channel, a third party can easily intercept the key in transit and then use it to eavesdrop on all subsequent communications, or play the imposter by pretending to be either of them. This is called the man-in-the-middle attack. So how do we know that the person sending us their public key really is who they claim to be? It’s simply impractical to meet somewhere safe and share the keys. So the solution is to use PKI.
Public key infrastructure
Before moving on to how this actually works, there are some common terms and algorithms that we need to know to understand PKI.
- Hash functions
A hash function is a one-way function that transforms a variable-length input into a unique, fixed-length output. The output is called the message digest. Regardless of the length of the input, the message digest will remain fixed in length and unique. The important thing about hash functions is that once you have hashed data, there is no way to go back and derive the input. Commonly used hash functions are the Secure Hash Algorithm (SHA) family. Despite some controversy, these are still widely used in digital signatures for authentication and integrity.
- Digital signature
We use a digital signature to achieve three of the cryptographic goals described earlier. The sender first hashes the text using a hashing algorithm and then encrypts the message digest using their own private key. The result is called the digital signature. The sender then sends the signature along with the text. The receiver decrypts the signature using the sender’s public key and separately applies the same hashing to the text. The two outcomes should be equal. By verifying this, the receiver can make sure that the message actually comes from whom the sender claims to be and that the text has not been changed during the communication. So authentication, integrity, and non-repudiation can be achieved with digital signatures, but they do not provide confidentiality, as anyone can read the message.
- Digital certificate
A digital certificate contains the certificate holder’s information, public key, the certificate expiry date, and the digital signature of the third-party certificate issuer wrapped in a standard format called X.509. These certificates are issued by a certificate authority to verify the identity of the certificate holder over the network.
Now it’s time to go back and describe how we can recover from the man-in-the-middle attack that I explained earlier. The public key infrastructure relies upon the trust that participants have in highly trusted centralized service providers. These providers, known as certificate authorities, form the basis of the public key infrastructure. In cryptography, a certificate authority (CA) is an entity that issues digital certificates. The CA uses an entity’s information to create a digital certificate that contains information about the identity and the public key. The CA then digitally signs the certificate. You can then provide your certificate to anyone you’d like to communicate with. The person receiving the certificate does not have to verify your identity directly. They simply verify that the certificate is valid by verifying the CA signature. If that signature checks out, they know that the public key contained in the certificate does, in fact, belong to the individual or organization named on the certificate. So this works as a trust chain. You trust an identity because you trust a CA. A CA issues a certificate to an identity because they both trust each other.
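The hash-then-sign flow from the digital signature section and the CA check described above, as an added example that is not part of the original article. It uses textbook RSA without padding and toy keys built from well-known primes, so it is for illustration only; the names alice and Mallory, the sample message and all helper functions are constructed for this sketch.

```python
import hashlib

E = 65537  # widely used RSA public exponent

def make_key(p, q):
    """Build a toy RSA key pair (public, private) from two primes."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))   # Python 3.8+ modular inverse

def digest(data):
    """SHA-256 message digest of the data, as an integer."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(data, private):
    n, d = private
    return pow(digest(data), d, n)        # digest transformed with the private key

def verify(data, signature, public):
    n, e = public
    return pow(signature, e, n) == digest(data)   # recovered digest == fresh digest

def cert_body(name, public):
    return f"{name}|{public[0]}|{public[1]}".encode()

def issue_cert(name, public, ca_private):
    """The CA signs the binding between a name and a public key."""
    return {"name": name, "public": public,
            "ca_sig": sign(cert_body(name, public), ca_private)}

def cert_valid(cert, ca_public):
    return verify(cert_body(cert["name"], cert["public"]), cert["ca_sig"], ca_public)

# Constructed toy keys from well-known Mersenne primes: insecure, demo only.
CA_PUB, CA_PRIV = make_key(2**127 - 1, 2**521 - 1)
ALICE_PUB, ALICE_PRIV = make_key(2**107 - 1, 2**607 - 1)
MALLORY_PUB, MALLORY_PRIV = make_key(2**89 - 1, 2**1279 - 1)

def demo():
    msg = b"Meet at 10:00"                          # constructed sample message
    sig = sign(msg, ALICE_PRIV)
    cert = issue_cert("alice", ALICE_PUB, CA_PRIV)
    swapped = dict(cert, public=MALLORY_PUB)        # public key replaced in transit
    return {
        "genuine": cert_valid(cert, CA_PUB) and verify(msg, sig, cert["public"]),
        "tampered_text": verify(b"Meet at 11:00", sig, ALICE_PUB),
        "bare_substituted_key": verify(msg, sign(msg, MALLORY_PRIV), MALLORY_PUB),
        "swapped_key_cert": cert_valid(swapped, CA_PUB),
    }

if __name__ == "__main__":
    print(demo())
```

The `bare_substituted_key` result is the reason the certificate matters: a signature made with a substituted key verifies perfectly well against that key, and only the CA signature over the name and key binding exposes the swap.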
Wrapping up, that’s how we ensure security in a network using cryptography. Although there are still many things that I didn’t discuss here, like how to obtain a certificate, how to revoke a certificate, certificate chaining, pinning, stapling, and the types and formats of certificates, I hope this will be enough for one article. In my next article, I will describe how WIFI networks ensure end-to-end security over the data link layer and the role played by cryptography.