Rotors of M-209 cipher machine.

Cryptography Flowcharts

Understanding Cryptography

Certification exams such as Security+, CISSP, and CCSP include several questions about cryptography. In order to achieve various goals, which keys do the sender and receiver use, which key is used first and last, and so on.

If you can draw your own versions of these pictures, you should find those questions very easy.

Symmetric Encryption for Confidentiality

Symmetric ciphers are efficient, we want to use them to protect data which can get bulky. However, this requires a shared secret key and that is difficult to accomplish safely. Your choices include:

  1. Diffie-Hellman key agreement
  2. Use asymmetric encryption to establish a symmetric session key: The sender first uses the "Asymmetric for Confidentiality" method below to send a short message specifying the cipher, cipher mode, and session key.
  3. Out-of-band key management: maybe you ship a DVD full of keys to the other party, or you meet in advance in a safe place to agree on a list of keys.
  4. QKD or Quantum Key Distribution: send the key via polarized single photons in the BB84 protocol, or entangled photon pairs in the E91 protocol. Any attempt to intercept the key corrupts the message. See Dan Bernstein's paper: "Is the security of quantum cryptography guaranteed by the laws of physics?" for how this still doesn't provide absolute security.

The concept is: "Protect the authentication and key exchange with asymmetric ciphers, protect the data with symmetric ciphers."

However you go about this, you need to do it over and over as these should be session keys. Generate a new session key for every file, or message, or connection, using a good source of entropy or randomness.

How to use symmetric encryption for confidentiality or privacy or secrecy.

Asymmetric Encryption for Confidentiality

You can't trust asymmetric encryption unless you can be absolutely certain that you really have the other party's public key.

So, public keys should come in the form of certificates. These are data structures containing the owner's public key, plus information about the owner and the key, all of that wrapped inside a digital signature made by a trusted third party, the CA or Certificate Authority.

How to use asymmetric encryption for confidentiality or privacy or secrecy.

Asymmetric Encryption for Authentication

How to use asymmetric encryption for confidentiality or privacy or secrecy.

Asymmetric Encryption for Authentication and Confidentiality

How to use asymmetric encryption for both authentication and confidentiality or privacy or secrecy.

Digital Signatures

These provide Proof of Origin and Proof of Content. That is, the identity of the sender, and the integrity of the message.

How to use digital signatures for sender authentication and message content.

Hashed Message Authentication Code or HMAC

This also provides Proof of Origin and Proof of Content.

HMACs are useful between peers, who share secret keys.

Digital signatures could be used between peers, or in a one-to-many situation. One person has a message for many receivers, all of whom need to trust the source identity and content.

How to use hashed message authentication codes or HMACs.