Demystify PKI (aka AD Certificate Services) - Act I: Cryptography
Some things are just a lot to digest, and so I thought it may be useful to the ditial world to kind of break down and demystify some of the key concepts. This is part of a multi-part blog, as it's a lot to write at once. The intent here isn't to write a comprehensive end-to-end "read this and you will be omnicient in all things PKI", rather be able to say "hey, I know what this is", when building out PKI in your environment.
After writing this a bit, this could be a nice intro for a certification exam, not that I guarantee passing by simply reading a blog (that should make the lawyers happy). But, it wouldn't surprise me if some of this stuff shows up (been through a few exams in my time). Side point, you may want to check out my blog on So, how do you prepare for a Microsoft exam?
For reference, this is a multi-part blog on PKI, here are the other entries:
Demystify PKI – Act II: Certificate Logging
So, first and foremost.. What is Cryptography?
Ultimately, the short answer is that is about secure communication. This communication is verified by a third party (rather than "trust me", I'm on your domain, honest). It is more than just encryption, it's about building trust via verification.
There is quite a backstory when it comes to Cryptography. I'm not going to bore you with the ancient Egyptians and Hierglyphics or the Caesar method of a=b, b=c, etc. Anyone who lives in a human body knows we all have secrets we want to keep, and anything worth keeping a secret is worth safeguarding. Enter Cryptography.
Cryptography is about doing 4 things:
- It keeps things confidential.
- Keeps integrity by making sure the message isn't altered.
- Providing a way that the sending entity cannot claim later that "I didn't send that". This is known as Non-Repudiation.
- To the above point, the sender of the message can prove they are the sender of the message.
Symmetric vs. Asymmetric Cryptography
Perhaps the best way to describe the process is a simple table of differences.
Symmetric | Asymmetric | |
---|---|---|
Keys | One key is shared amongst multiple entities | One entity has a public key and the other has a private key. The private key is distinct. |
Key Exchange | Performed outside the normal communication channel or "out of band" | Symmetric key is encrpted and sent with the message. So, the key is distributed in-bound. |
Speed | Less complex algorythm and must faster | Due to complexity, the algorythm is much slower. |
Keys | Continually grows as users grow | Does not grow as one key exists per entity |
Services | Confidentiality | Confidentiality, Authentication, and Non-Repudiation |
About Symmetric Encryption
This is the process of converting plain text into cipher text using the same key and algorythm on both entities. Data is encrypted by the sending entity and decrypted by the receiving entity using the same key. Well crud, that made a lot of sense, I thought you were going to demystify this. Sure, so think of a "https" website - session keys are used for encryption.
There are two types of algorythms, either they encrypt one bit at at a time in groups of bits.
Examples of of Symmetric Algorythms
DES (or 3DES) is meant more to work on hardware more than software. DES encrypts data in 64-bit block sizes and effectively uses a 56-bit key (this produces about 72 quadrillion possibilities). Sounds like a lot? Well, it was hacked about 20 years ago, and has been done in less than a day.
Since DES was popular and so many were always using it, something had to be done. DES simply wasn't fit for security anymore. This is where 3DES was created as effectively it has a key length of 168 (56*3) bits and uses 3 different keys (K1, K2 and K3). For most purposes today (including things like electronic payments), it is still secure enough for use. There is another method of 3DES which uses two-key (K1 and K3) encryption. It lowers the key size to 112 (56*2) bits and is less seure.
Keep in mind here that 3DES takes 3 times the CPU (or 2 times with two-key), which can be a performance hit as well.
AES outperforms 3DES both on software and hardware, and works fast on small devices like cell phones and smartcards. AES stands for Advanced Encryption Standard and supersedes 3DES. AES uses 128 bit fixed block sizes and works with 128, 192, and 256-bit keys. The method, based on the Rigndael method, is flexible enouth to work with key and block sizes in any multiple of 32-bit, with a minimum of 128 bits. In many cases, AES has already replaced 3DES.
About Asymmetric Encryption
Asymmetric encrption is designed to keep the private key secret. Of course, the public key can and should be distributed, but again, the private key should never be distributed. Some may have heard Asymmetric encryption by its other name, Public Key Encryption. In this method, only the private key from the key pair can decrypt the information. This essentially means only messages encrypted with "Entity1's" public key can be decrypted by "Entity1's" private key.
Examples of of Asymmetric Algorythms
Diffie-Hellman was the first implementation of an asymmetric algorythm. It is prone to MITM (Man-In-The-Middle) attacks due to its lack of authentication. All isn't lost here, as digital signatures (sold separately) can counter the attacks on this algorythm. This method allows users to exchange keys over a non-secure medium and does not provide data encryption or digital signatures by default).
RSA is the most popular of the asymmetric algorythms and really is the de facto standard. It's used for digital signatures, key exchange, encryption as well as authentication.
The security comes from the difficulty in factoring large numbers, giving a huge advantage to encryption and digital signatures. Using its one-way function, RSA provides encryption and signature verification and in the inverse provides decryption and signature generation.
RSA is used in many web browsers over SSL, as well as government systems and PGP that use public key cryptosystems use RSA.
Digital Signatures
Digital signatures are most commonly used for:
- Identification: So we can be sure who sent the message.
- Integrity: The recipient of the signed message can verify the message was not tampered with.
- Non-Repudiation: Removes doubts that the sender actually sent the message.
This ends Part I of a multipart series on my attempt to demystify PKI. It can be challenging to learn and hopefully this made it a little less difficult.
— Easy link to my blog: https://aka.ms/leesteve —
If you like my blogs, please share it on social media and/or leave a comment.