Welcome to Ewon's Blog

The basics of cybersecurity: asymmetric cryptography

by Jean-David Epaillard, Security Manager | May 18, 2021

3. Encryption and signature with asymmetric cryptography

More than 2000 years ago, Caesar was protecting his military messages by encrypting them. Could it be that easy today?

In one of our last blogs, we saw that symmetric cryptography, even if it provides confidentiality to a certain extent, is not sufficient to ensure authenticity and integrity. So, how can asymmetric cryptography solve this equation?

Let’s take an example and name Alice and Bob as the two people who want to exchange a confidential message. Each has a public key and the corresponding private key.

Good to know as a postulate: A message encrypted with a public key can only be decrypted by the corresponding private (secret) key. A message encrypted with a private key can only be decrypted by the corresponding public key (we will see the benefit of this later in this article).

Based on the above, Alice, who wants to send a message to Bob, will encrypt it with Bob's public key. In that case, only Bob will be able to decrypt it, using his own secret key.

We have just answered the need for confidentiality.

But how can Bob be certain that it was Alice who sent him the message? How can he be certain that the message was not modified in transit? To answer this question, Alice will also use a signature mechanism.

Before talking about signatures, we must introduce the concept of a “hash function”. A “hash function” is a "mill" that turns a text into a signature (also called a fingerprint).

This “mill” has 5 properties:

  • For the same function, the number of characters in the fingerprint is always the same,
  • The fingerprint does not allow the original text to be reconstructed,
  • A fingerprint is not predictable,
  • Identical data gives an identical fingerprint,
  • Different data results in a completely different fingerprint.

“MD5” and “SHA” are two well-known hash functions. With MD5, the text “Ewon: Leading IIoT for 20 years” is converted into a string of 32 characters: “5b184c5cafcad9ef410afbcb0fab5518”. The complete content of Wikipedia would also result in a (completely different) string of 32 characters.

Nothing is easier than converting in one direction: just use one of the online tools that are easy to find on the internet. Needless to say, the opposite is not that easy 😉

The above being considered, let’s come back to our example:

To sign a document, Alice first generates the document fingerprint using a hash function (like https://www.md5hashgenerator.com/ or any other one you can find on the internet). Then, she encrypts this fingerprint with her private key. This gives her a signature for her document, which she can send to Bob along with the original document.

Bob will then decrypt the signature using Alice's public key. If that doesn't work, it's because the document was not sent by Alice (who is the only one in possession of the private key). If this works, he can be sure it was Alice who signed the message.

He therefore obtains a first fingerprint of the document.

Once this step is done, Bob will generate the fingerprint of the original document he also received, using the same hash function as Alice.

If both fingerprints are identical, then he is perfectly sure that the document has not been modified between the time Alice sent it and the time he received it.
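The sign-and-verify steps above, carried through as an added example (not code from the original article). It uses SHA-256 instead of MD5, because MD5 collisions are practical and MD5 should not back a signature, and it uses unpadded "textbook" RSA on a constructed toy key purely to show the mechanics; production systems use a padded scheme such as RSA-PSS from a vetted library. All function names and key values are assumptions made for this illustration.

```python
import hashlib
from math import gcd

# Constructed toy key material: well-known Mersenne primes. Good enough to
# show the mechanics, NOT secure (real keys use random primes and padding).
P, Q, E = 2**127 - 1, 2**521 - 1, 65537


def make_keypair(p=P, q=Q, e=E):
    """Return (public, private) as ((n, e), (n, d))."""
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime with phi(n)")
    return (p * q, e), (p * q, pow(e, -1, phi))


def fingerprint(document: bytes) -> int:
    """SHA-256 fingerprint of the document, as an integer smaller than n."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big")


def sign(document: bytes, private) -> int:
    """Alice: hash the document, then transform the hash with her private key."""
    n, d = private
    return pow(fingerprint(document), d, n)


def verify(document: bytes, signature: int, public) -> bool:
    """Bob: recover the fingerprint with Alice's public key and compare it
    with the fingerprint he computes himself from the received document."""
    n, e = public
    return pow(signature, e, n) == fingerprint(document)


alice_pub, alice_priv = make_keypair()
# Someone else's key pair (constructed, different primes), standing in for Eve.
eve_pub, eve_priv = make_keypair(p=2**89 - 1, q=2**607 - 1)

doc = b"Ewon: Leading IIoT for 20 years"
sig = sign(doc, alice_priv)

if __name__ == "__main__":
    print("genuine document :", verify(doc, sig, alice_pub))
    print("modified document:", verify(doc + b"!", sig, alice_pub))
    print("signed by Eve    :", verify(doc, sign(doc, eve_priv), alice_pub))
```

The modified document fails the integrity check and the signature made with another private key fails the authenticity check, which are the two guarantees the signature is meant to give Bob.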

The combination of encryption and signature is the only way to simultaneously encode and sign a document and ensure the confidentiality, integrity, and authenticity of the message.

That’s very nice, but there might be a final issue: how can Alice be certain that she is using Bob's public key when she encrypts a message? If a hacker (let's call her Eve) produced a pair of keys (private/public) and then transmitted them to Alice, making her believe that they are Bob's keys, Alice would continue to encrypt the messages and transmit them to Bob. In that case, it would only be Eve who could decode and read the messages...

So, Alice needs to be able to authenticate Bob before using Bob's public key. To do this, Bob can have his public key recognized by a Certification Authority (CA), which will ensure that he is the owner of this public key. This assurance takes the form of a certificate that the CA provides to Bob. This certificate contains information to identify Bob and Bob's public key. It is in turn signed by the Certification Authority to ensure legitimacy.

This will allow Alice to contact this authority for confirmation that the public key she is using is Bob's.

Difficult to do better!

Asymmetric cryptography has only one drawback compared to symmetric cryptography: it is slower. To gain speed, a secure connection uses both types of encryption, symmetric and asymmetric.

When an internet browser establishes a secure connection with a server, it will first generate a symmetric (temporary) session key. Then it will use the public key of the server (whose authenticity and validity are verified thanks to its certificate) to encrypt this session key and send it to the server, which, after having decrypted it, will be able to communicate with the browser in a symmetrical way.

This approach is the solution of the 2000-year-old Caesar problem. Thanks to this, two entities who don't know each other can exchange a secret without first agreeing on an encryption / decryption key.
