EldoS | Feel safer!

Software components for data protection, secure storage and transfer

Encryption schemes and mechanisms in SecureBlackbox and BizCrypto

SecureBlackbox is the comprehensive solution for data security and protection. As such, it offers different mechanisms to encrypt the data. The mechanisms differ in complexity, in used technologies and in intended usage scenarios.

In this article we will briefly review each of the offered mechanisms.

1. Symmetric encryption

This is the simplest mechanism which constitutes the basis of cryptography. Many people, when talking about encryption, think about this mechanism.

Symmetric encryption takes blocks of data and transforms them according to the algorithm's rules. Symmetric encryption uses so-called symmetric key - rather short byte sequences (8 to 32 bytes usually) which must be kept in secret.

Text passwords and passphrases are usually converted to symmetric keys using some key derivation algorithm, so when the application uses the password for encryption, in fact the symmetric key is used.

As the straightforward encryption does not produce any output besides encrypted data, you need to also invent the way to store the checksum of the data somehow, to ensure that decryption is done right (i.e. that the recipient has used the correct key for decryption).

Improper or not qualified use of symmetric encryption leads to information leak and security breaches, so it should be avoided.

Common sample of symmetric encryption nowadays is AES encryption.

2. Asymmetric encryption

This mechanism uses keypairs (each keypair contains a public and a private key). Asymmetric keys differ in size, and widely used RSA and Elgamal keys have length of 1024 bits and more (nowadays 2048 bits is preferred).

Asymmetric algorithms are often called public-key algorithms (though they use public keys for encryption and signature verification and private keys for decryption and signing).

Due to specifics of asymmetric algorithms only short blocks of data (not larger than the key size) can be encrypted directly. So to encrypt larger amounts of data the hybrid scheme is used: the data is encrypted using symmetric algorithm and the generated random symmetric key, then the symmetric key is encrypted using public-key algorithm and transferred with the encrypted data.

This encryption scheme requires certain standard for putting the encrypted data and the encrypted session key together.

Most widespread asymmetric encryption is RSA encryption and PKCS#1 scheme.

3. PKCS#7, CMS

These schemes (or different generations of one scheme) use X.509 certificates to encrypt the data. X.509 certificate is used for asymmetric encryption. It holds an embedded public key and has an associated private key as well as supplementary information. Encryption can be done for one or more certificates, i.e. the encrypted data can have one or several recipients which own the private key(s) that correspond to the certificates used for encryption.

PKCS#7/CMS uses asymmetric encryption and symmetric encryption for its purposes.

The schemes support not only encryption, but digital signing, timestamping and compression of data. Still they are limited to use of X.509 certificates.

When the data is encrypted using PKCS#7/CMS, it is wrapped with the "envelope", so if you encrypt, for example, a PDF document, the PDF reader won't recognized the encrypted data as a PDF document.

4. OpenPGP

OpenPGP is similar to PKCS#7 / CMS as it uses asymmetric cryptography to encrypt (and also to sign and compress data). However asymmetric keypairs are presented in the form of OpenPGP keys rather than of X.509 certificates. Also OpenPGP uses slightly different set of symmetric and asymmetric algorithms.

One of the benefits of OpenPGP is that this scheme supports use of passphrases for encryption. This means that asymmetric cryptography is not required (unlike PKCS#7/CMS). When the data is encrypted using OpenPGP, it is wrapped with the "envelope", so if you encrypt, for example, a PDF document, the PDF reader won't recognized the encrypted data as a PDF document.

One of the key differences between X.509 certificates and OpenPGP keys is that X.509 certificate infrastructure has hierarchical nature with a small number of topmost Root Certificate Authorities (CAs), while OpenPGP is completely decentralized and OpenPGP keys are created usually by the end-users themselves rather than issued by CAs.

5. XML encryption

XML encryption is defined in XMLEnc standard. It lets you encrypt XML documents, nodes of XML documents or any binary data. XML encryption is a mechanism of the higher level, and it can use symmetric encryption, asymmetric encryption with RSA keys, X.509 certificates and OpenPGP keys for encryption and signing.

The encrypted XML document has a form of valid XML document and can be handled by [almost] any XML parser/reader.

6. PDF encryption

PDF encryption is part of the PDF document format. This high-level scheme lets you use symmetric encryption and asymmetric encryption. Asymmetric encryption can be done using "plain" RSA keys and X.509 certificates.

The benefit of the scheme is that the encrypted PDF document has a form of valid PDF document and can be handed by [almost] any PDF reader.

7. Office document encryption

This mechanism is very similar to XML and PDF encryption and slight differences in details depend on particular office document format and version.

Data security during transfer

The above described mechanisms are used to encrypt the data when you store or transfer it. However, they are hardly usable "as is" when you have a network communication. In this case some secure channel mechanism must be introduced.

When the data is transferred via secure channel, it's encrypted on-the-fly when the data is sent to the channel and decrypted on-the-fly when it's received on the other side. This is different from "static" encryption described above, as security is provided only during transfer (endpoints are considered to be safe and secure).

Currently most widespread mechanisms are SSL / TLS and SSH .

1. SSL / TLS

SSL / TLS is a complex scheme that includes encryption, authentication and several other features (compression etc.). It can use many different mechanisms for data protection. Symmetric encryption and asymmetric encryption are two cornerstones of the scheme of course, but X.509 certificates, symmetric keys, one-time passwords, OpenPGP keys are involved as well.

SSL/TLS is used by many application-level protocols including HTTP and FTP to secure the transfer.

2. SSH

SSH protocol is similar to SSL / TLS yet offers channel multiplexing and uses different authentication schemes and slightly different set of symmetric encryption algorithms. SSH family of protocols includes SFTP (SSH File Transfer Protocol) for secure transfer of files.

Return to the list


Back to top

As of July 15, 2016 EldoS Corporation will operate as a division of /n software inc. For more information, please read the announcement.

Got it!