Cryptography-Advanced_-New-Techniques-That-Guarantee-Secure-Encryption_Blog-banner (2)

Introduction

Cryptography is the process of converting plain text into cipher text using Cryptographic algorithms. In our previous blog, we covered cryptography and its basic techniques, like symmetric, asymmetric encryption, salting, and hashing. Now, let’s look at some of the little advanced concepts:

In this blog post, we will be covering about the following cryptography techniques:

  1. HMAC
  2. Hybrid Encryption
  3. Key Layering
  4. HSM

HMAC

Hash-based Message Authentication Code, or HMAC, is a type of message authentication code that uses a cryptographic hash function and a secret shared key to authenticate data. HMAC ensures the integrity and authentication of a message.

The formula for HMAC SHA256 is:

HMAC Value = HMAC_SHA256 (“symmetricsecretkey”, “This is my message”)

HMAC_SHA256 is a popular keyed hash algorithm that is constructed from the SHA-256 hash function and used as an HMAC. The “symmetricsecretkey” is the secret symmetric key that both parties exchanged during the initial key exchange.

If the data has been tampered, HMAC lets you see changes in it.

  • HMAC can be helpful in conditions like digital signatures, transport layer security, certificate authorities, and secure sockets layer (TLS and SSL) protocols.
  • Transfer protocols like HTTPS, FTPS, SFTP, and others use HMAC.
  • Cryptographic hash functions used in HMAC can be SHA-1, SHA-256, or MD-5.

The HMAC authentication’s key component is the hash function. Once the hash function is combined with a secret key, the hashing technique is applied to the resulting message. This hash function can be MD2, MD4, MD5, MD6, SHA1 and SHA2. Message Digest 5 (MD5) and Secure Hashing Algorithm (SHA) 1 and 2 are the most common cryptographic hash functions. The output of these hash functions is a fixed-size string of bytes—the final Hash-based Message Authentication Code.

The hash function is a one-way encryption method, which implies that once the message is encrypted with hash-based code (or hashed), it can’t be unhashed. This technique ensures data integrity, as any changes occur in the message or the key, resulting in a different hash that can easily detect tampering.

HMAC can be used to ensure the integrity and authenticity of data, and it is also excellent for file transfer. As HMAC uses hash functions, it can take a message of ‘n’ length and convert it into a digest fixed length. That means if anyone wants to send a long message, their corresponding message digests can remain fixed-length, enabling you to maximize bandwidth.

Hybrid Encryption

Hybrid encryption methods combine the advantages of asymmetric encryption with the efficiency of symmetric encryption. Imagine this scenario: You need to send a large file securely to a third party. You know encryption is essential, but the challenge is how to do it quickly and safely. Due to its complex nature, using asymmetric encryption alone would take a long time. Luckily, there’s a smarter way: hybrid encryption.

Here’s how it works. First, your machine generates a random symmetric key, like a secret passcode, to encrypt your file. This method is fast and efficient for larger files. But to ensure the key itself stays safe, you can encrypt it using the 3rd party’s public key.

Now you’ve got two things: an encrypted file and an encrypted key. You send both of them to your 3rd party receiver. “It’s like sending a locked box with the key hidden inside,” you think. Once the receiver receives them, they’ll use their private key to unlock the symmetric key and then use the symmetric key to decrypt the file.

It’s the best of both worlds—fast encryption with the symmetric key and secure key exchange, thanks to asymmetric encryption!

Key Layering or Envelope Encryption

In all the above methods, only one or two keys were used; for instance, in HMAC, only one key, the shared secret key, is used, and in hybrid encryption, two keys are used. Now, let’s talk about a technique that utilizes multiple keys – one on top of the other, and this cryptography technique is called envelope encryption.

Envelope encryption is the process of encrypting a key with another key. The key used to encrypt data itself is called a data encryption key (DEK), and it should be generated locally. This DEK is then wrapped or encrypted using a key encryption key (KEK). This is envelope encryption. And the KEKs are centrally stored, and key rotation is required regularly.

Let’s see how encryption and decryption work in envelope encryption. In encryption, the DEK is generated locally, data is encrypted using the DEK, a KEK is used to wrap the DEK, and both the encrypted data and wrapped DEK are stored. The KEK never leaves the Cloud key management system.

Source

The process of decryption in envelope encryption starts with retrieving the encrypted data and the wrapped DEK. Now, the KEK that encrypted the DEK is identified, and it is used to unwrap the DEK. The DEK is identified, and it can be used to decrypt the data. In this case, as well, the KEK never leaves the Cloud Key Management System.

Source

Since the KEK never leaves the Cloud Key Management System, a root key is utilized to encrypt it to strengthen its protection and mitigate risks due to unauthorized access and data breaches. The root key is stored in an HSM (hardware security module).

What is HSM?

Source

Hardware Security Module is a dedicated crypto-processor, which is designed for the protection of the crypto key lifecycle. These modules act as trusted anchors to protect the cryptographic infrastructure by securely managing, processing, and storing cryptographic keys inside a hardened and tamper-resistant device.

The primary aim of the HSM is to control access and limit the risk associated with sensitive private keys. Employees can use the private keys without being required to access them directly. The secure environment of the HSM performs all cryptographic functions. For instance, your software, which is hosted on a web server, can execute the authentication and cryptography functions without loading a copy of the private key into the memory of a web server.

It is impossible to break through HSM because they employ special security mechanisms, like boot processes and physical security features. Hence, unauthorized personnel can never access the encryption keys inside the HSM. When an organization implements HSM, it can reduce the risk of data breaches and ensure the confidentiality and integrity of sensitive information.

HSMs as on-premise devices can vary in physical size and applications. Some are as small as plug-in cards or USB devices, and then there are HSMs, which are large external devices located in secure premises. However, the cost of deploying a single HSM is a cost-extensive initiative for business. Deployment of a single HSM can range upto $40,000, and it doesn’t include other costs, like additional hardware, maintenance, and support.

That’s why there are now cloud-based HSMs available where businesses can rent the security infrastructure rather than buying a dedicated physical appliance. Vendors like Thales and Amazon Web Security offer cloud-based HSMs, and here’s how businesses can opt to utilize them:

  • Rent a dedicated physical HSM appliance, which is stored in your off-site data center.
  • Pay for access to a virtual environment within a vendor’s shared hardware security module.
  • Pay to access to functionalities of HSM’s vendor devices and appliances.

The Bottom Line

It is time to encrypt the data with advanced cryptography methods, like HMAC and hybrid encryption, which makes it difficult for intruders or unauthorized personnel to access or decrypt the data. However, given the evolution of security attacks, it is never too late to increase the protection layer to secure your financial data and communication and invest in advanced cryptography infrastructure and techniques, like HSMs and envelope encryption.

The best way to stay safe from cybersecurity threats is to implement security protocols. However, while there are security protocols guarding the infrastructure, there are chances that an intruder or attacker can get through them due to a single gap. This is where cryptography encryption comes in. Even if the intruder gets past the security protocols and accesses the data, the intruder will not be able to decipher the original data, if it is encrypted using advanced cryptography techniques. So, investing in cryptography is a must to ensure data security.