Share via


Encryption and Decryption (Windows Embedded CE 6.0)

1/6/2010

Encryption is the process of encoding data into cipher, a form unreadable without a decoding key. Decryption is the reverse process of converting encoded data to its original unencoded form, plaintext. When a user encodes a file, another user cannot decode and read the file without the decryption key. Adding a digital signature, a form of personal authentication, ensures the integrity of the original message.

To encode plaintext, an encryption key is used to impose an encryption algorithm onto the data. To decode cipher, a user must possess the appropriate decryption key. A decryption key consists of a random string of numbers, from 40 through 2,000 bits in length. The key imposes a decryption algorithm onto the data. This decryption algorithm reverses the encryption algorithm, returning the data to plaintext. The longer the encryption key is, the more difficult it is to decode. For a 40-bit encryption key, over one trillion possible decryption keys exist.

There are two primary approaches to encryption: symmetric and public-key. Symmetric encryption is the most common type of encryption and uses the same key for encoding and decoding data. This key is known as a session key. Public-key encryption uses two different keys, a public key and a private key. One key encodes the message and the other decodes it. The public key is widely distributed while the private key is secret.

Aside from key length and encryption approach, other factors and variables impact the success of a cryptographic system. For example, different cipher modes, in coordination with initialization vectors and salt values, can be used to modify the encryption method. Cipher modes define the method in which data is encrypted. The stream cipher mode encodes data one bit at a time. The block cipher mode encodes data one block at a time. Although block cipher tends to execute more slowly than stream cipher, block cipher is more secure.

Within block ciphers, there are four encryption modes: electronic codebook (ECB), cipher block chaining (CBC), cipher feedback mode (CFB), and output feedback mode (OFB). For more information about these modes, see Encrypting and Decrypting Data.

Initialization vectors are random numbers used as starting points when encoding data. Usually, initialization vectors have the same number of bits as the block size and do not require encryption. With initialization vectors, two identical plaintext messages can be encoded with the same key and result in two completely different cipher messages. This variation is accomplished by encrypting each plaintext message with a different initialization vector.

Salt values are most useful when using the same encryption key and transmitting or storing large numbers of nearly identical packets. Typically, two identical packets encode as two identical cipher packets. However, this would indicate to an unauthorized user that the packets are identical and, thus, the packets could be attacked simultaneously. But if the salt value is changed with every packet sent, a completely different cipher packet is generated, even if the plaintext packets are the same. Salt values consist of random numbers and can be transmitted in plaintext form.

In addition to encrypting the data, a user can add a digital signature to data, enabling another user to verify that the data has not been compromised since the signature was applied. The identity of the user that signed the data can also be verified. This digital signature consists of a small amount of binary data, typically less than 256 bytes. A digital signature can be included with a signed message or stored separately, depending on the application.

To help with security, Cryptography enables you to set encryption levels as shown in the following table.

Encryption levels

The following table shows the levels of encryption.

Level of encryption Description Supported by

Low

Only data sent from the client to the server is encrypted using 56-bit encryption.

Windows 2000, Windows Server 2003, Windows Embedded CE

Client compatible

All data sent from client to server and from server to client is encrypted at the maximum key strength supported by the client. On Windows 2000, this level is the medium level of encryption.

Windows 2000, Windows XP, Windows Server 2003, Windows Embedded CE

High

All data sent from client to server and from server to client is encrypted using strong 128-bit encryption. Clients that do not support this level of encryption cannot connect. This is the default encryption level in Windows Embedded CE.

Windows 2000, Windows XP, Windows Server 2003, Windows Embedded CE

For information about how to set the encryption level on the server programmatically, see this Microsoft Web site and search for "Change the Level of Encryption" or "Win32_TSGeneralSetting".

See Also

Other Resources

Cryptography Application Development
Cryptography