Welcome to Ewon's Blog

Discover how Ewon solutions can turn your IIoT ambitions into reality!

The basics of cybersecurity: asymmetric cryptography

by Jean-David Epaillard, Security Manager | May 18, 2021

 

3. Encryption and signature with asymmetric cryptography

More than 2000 years ago, Caesar was protecting his military messages by encrypting them. Could it be that easy today?

In one of our last blogs, we saw that symmetric cryptography, even if it provides confidentiality to a certain extent, is not sufficient to ensure authenticity and integrity. So, how can asymmetric cryptography solve this equation?

Let’s take an example and name Alice and Bob as the two people who want to exchange a confidential message. Each has a public key and the corresponding private key.

Good to know as a postulate: A message encrypted with a public key can only be decrypted by the corresponding private (secret) key. A message encrypted with a private key can only be decrypted by the corresponding public key (we will see the benefit of this later in this article).

Based on the above, Alice, who wants to send a message to Bob, will encrypt it with Bob's public key. In that case, only Bob will be able to decrypt it, using his own secret key.

We have just addressed the need for confidentiality.

But how can Bob be certain that it was Alice who sent him the message? How can he be certain that the message was not modified in transit? To answer this question, Alice will also use a signature mechanism.

Before talking about signature, we must introduce the concept of “hash function”. A “hash function” is a "mill" that turns a text into a signature (also called a fingerprint).

This “mill” has 5 properties:

  • For the same function, the number of characters in the fingerprint is always the same,
  • The fingerprint does not allow the original text to be reconstructed,
  • A fingerprint is not predictable,
  • Identical data gives an identical fingerprint,
  • Different data results in a completely different fingerprint.

“MD5” and “SHA” are two well-known hash functions. With MD5, the text “Ewon: Leading IIoT for 20 years” is converted into the string of 32 characters: “5b184c5cafcad9ef410afbcb0fab5518”. The complete content of Wikipedia would also result in a (completely different) string of 32 characters.

Nothing is easier than converting in one direction: just use one of the online tools that are easy to find on the internet. Needless to say, the opposite is not that easy 😉

The above being considered, let’s come back to our example:

To sign a document, Alice first generates the document fingerprint using a hash function (like https://www.md5hashgenerator.com/ or any other one you can find on the internet). Then, she encrypts this fingerprint with her private key. She gets a signature on her document, which she can send to Bob along with the original document.

Bob will then decrypt the signature using Alice's public key. If that doesn't work, it's because the document was not sent by Alice (who is the only one in possession of the private key). If this works, he can be sure it was Alice who signed the message.

He therefore obtains a first fingerprint of the document.

Once this step is done, Bob will generate the fingerprint of the original document he also received, using the same hash function as Alice.

If both fingerprints are identical, then he is perfectly sure that the document has not been modified between the time Alice sent it and the time he received it.
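The sign-and-verify steps above, as an added example that is not code from the original article. It uses textbook RSA without padding and a constructed toy key built from publicly known Mersenne primes, and SHA-256 in place of MD5 because MD5 is no longer collision resistant; real signatures use a padded scheme such as RSA-PSS. All function and variable names are hypothetical.

```python
import hashlib

# Constructed toy key material for Alice: two publicly known Mersenne primes.
# Never use known primes or unpadded RSA for real keys.
P, Q = 2**521 - 1, 2**607 - 1
E = 65537


def make_keypair(p, q, e=E):
    """Return (public, private) as ((e, n), (d, n)) for textbook RSA."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # private exponent (Python 3.8+)
    return (e, n), (d, n)


def fingerprint(document: bytes) -> int:
    """SHA-256 fingerprint of the document, as an integer."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big")


def sign(document: bytes, private_key) -> int:
    """Alice: hash the document, then transform the hash with her private key."""
    d, n = private_key
    return pow(fingerprint(document), d, n)


def verify(document: bytes, signature: int, public_key) -> bool:
    """Bob: recover the fingerprint with Alice's public key and compare it
    with the fingerprint he computes himself from the received document."""
    e, n = public_key
    recovered = pow(signature, e, n)
    return recovered == fingerprint(document)


ALICE_PUB, ALICE_PRIV = make_keypair(P, Q)
# Eve's key pair (constructed): a different pair of known primes.
EVE_PUB, EVE_PRIV = make_keypair(2**127 - 1, 2**521 - 1)

if __name__ == "__main__":
    doc = b"Ewon: Leading IIoT for 20 years"
    sig = sign(doc, ALICE_PRIV)
    print("genuine document :", verify(doc, sig, ALICE_PUB))
    print("modified document:", verify(doc + b"!", sig, ALICE_PUB))
    print("signed by Eve    :", verify(doc, sign(doc, EVE_PRIV), ALICE_PUB))
```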

The combination of encryption and signature is the only way to simultaneously encode and sign a document and ensure the confidentiality, integrity, and authenticity of the message.

That’s very nice, but there might be a final issue: how can Alice be certain that she is using Bob's public key when she encrypts a message? If a hacker (let's call him Eve) produced a pair of keys (private/public) and then transmitted them to Alice, making her believe that they are Bob's keys, Alice would continue to encrypt the messages and transmit them to Bob. In that case, it would only be Eve who could decode and read the messages...

So, Alice needs to be able to authenticate Bob before using Bob's public key. To do this, Bob can have his public key recognized by a Certification Authority (CA), which will ensure that he is the owner of this public key. This assurance takes the form of a certificate that the CA provides to Bob. This certificate contains information to identify Bob, along with Bob's public key. It is in turn signed by the Certification Authority to ensure legitimacy.

This will allow Alice to contact this authority for confirmation that the public key she is using is Bob's.

Difficult to do better!

Asymmetric cryptography has only one drawback compared to symmetric cryptography; it is slower. To gain speed, a secure connection uses both types of encryption, symmetric and asymmetric.

When an internet browser establishes a secure connection with a server, it first generates a temporary symmetric session key. It then uses the server's public key (whose authenticity and validity are verified through the server's certificate) to encrypt this session key and sends it to the server, which, after decrypting it, can communicate with the browser symmetrically.
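The session-key exchange described above, as an added example that is not code from the original article. It assumes a constructed toy server key (textbook RSA on known Mersenne primes) and a SHA-256 counter keystream standing in for a real symmetric cipher such as AES-GCM; all names are hypothetical.

```python
import hashlib
import secrets

# Constructed toy server key pair (known Mersenne primes; illustration only).
N = (2**521 - 1) * (2**607 - 1)
E = 65537
D = pow(E, -1, (2**521 - 2) * (2**607 - 2))
SERVER_PUB, SERVER_PRIV = (E, N), (D, N)


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in symmetric cipher: XOR the data with a SHA-256 counter
    keystream. The same call encrypts and decrypts. The key must be fresh
    for every session, which the session-key design guarantees."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[offset:offset + 32], pad))
    return bytes(out)


def browser_send(server_public, plaintext: bytes):
    """Browser: create a session key, wrap it with the server's public key
    (slow, asymmetric), and encrypt the payload with it (fast, symmetric)."""
    e, n = server_public
    session_key = secrets.token_bytes(32)
    wrapped_key = pow(int.from_bytes(session_key, "big"), e, n)
    return wrapped_key, keystream_xor(session_key, plaintext)


def server_receive(server_private, wrapped_key: int, ciphertext: bytes) -> bytes:
    """Server: unwrap the session key with its private key, then decrypt."""
    d, n = server_private
    session_key = pow(wrapped_key, d, n).to_bytes(32, "big")
    return keystream_xor(session_key, ciphertext)


if __name__ == "__main__":
    wrapped, ct = browser_send(SERVER_PUB, b"GET /status HTTP/1.1")
    print(server_receive(SERVER_PRIV, wrapped, ct))
```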

This approach is the solution to the 2000-year-old Caesar problem. Thanks to this, two entities who don't know each other can exchange a secret without first agreeing on an encryption/decryption key.
