Encryption

Encryption keeps data secret while it is transmitted. It provides the basis for information confidentiality. Secure data communication over public networks is unthinkable without encryption, and consequently encryption is a crucial component of all NCP solutions.

There are different types of encryption.

A cryptographic system can only really be considered secure if it remains invulnerable even when the attacker knows everything about the system, including all previous session keys and ciphertexts.

Processes

Symmetric (secret key process)
This is the oldest process. A encrypts a message and transmits it to B. In order for B to understand the message, he must decrypt it using the same key. Advantage: the encryption is executed quickly online. Disadvantage: the number of required keys increases geometrically with every new participant. For example, in a network of 1000 participants 500,000 keys are required. Key management becomes cumbersome because the keys must either be assigned before transmission over a relatively dangerous open mail environment or be handed out personally. In this case there is a risk that the key could be intercepted en route and compromised.

Asymmetric (public key process)
This is a more modern process. A and B each have a key pair available. The key pair consists of a public key and a secret private key. A wants to send a message to B. He must then obtain B's public key from a central location. With this key A then encrypts his data. Only B can decrypt this message, and only with the help of his private key, because of a certain mathematical relationship that exists between both keys. A communication partner's private key cannot be derived from his public key.
Now in order for B to be really sure that the message indeed came from A, A signs the message electronically with the help of his private key. B can verify this digital signature with A's public key. This is the reverse of the principle described above. Advantage: A and B do not require the same key, as is the case with symmetric encryption, because encryption and decryption are performed with the key pairs. So-called trust centers, or Certificate Authorities (CAs), assume responsibility for assigning keys within a Public Key Infrastructure (PKI). The CA checks the authenticity of the respective key owner and can thus guarantee to each recipient that the sender is "genuine". Disadvantage: because of the large key lengths this process is significantly slower than the symmetric process. This is why it is not used for encrypting the payload data to be transmitted.

Hybrid process
This is really a combination of the advantages of both encryption processes. The public key process is used to negotiate a secret key (session key). This means symmetric encryption of the payload data, asymmetric encryption of the symmetric key, and integrity protection through a hash function and digital signature. However, this process only works if all communication partners have been provided with digital certificates. Creation and distribution of certificates is the task of a Public Key Infrastructure (PKI).

In a Public Key Infrastructure all security negotiations occur before the actual payload data is transmitted and are based on asymmetric encryption. The messages or payload data are encoded with a permanent symmetric key.

This is how it works:
First, a message is encrypted according to the symmetric process. This means that a one-time, exclusive key is generated for every message. This one-time key (session key) is then encrypted with the public key of the recipient and added to the message. The recipient can reconstruct the session key with his private key, and with the session key he can then decrypt the message on his side.

Hash Functions
Actually the hash process is not an encryption or decryption process. Rather, it serves to seal messages and prevent their manipulation. That is why it is also called a one-way function.
A sort of "cross sum" of all the data is constructed according to a mathematically determined process. The result is a value with a fixed length, for example 160-bit (SHA), regardless of the data volume to be transmitted (100 bytes, 1000 bytes or 1 Mbyte).

This "short version" (hash value) is comparable to a fingerprint of the data. Even if only one character is changed in the document and a new hash value is constructed, the new value differs from the first. In this way it can be determined whether changes were made to a document during transmission. As a rule, the hash value is encrypted for security reasons, even though the message itself may not require it.

Hash values can be used to guarantee integrity and authentication if both the message sender and the recipient are in possession of the shared secret key. In this case the term is digital signature. Unsuccessfully negotiated connections (no common denominator) are immediately broken off.
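
The properties described in this section, as an added example that is not NCP code: the 160-bit hash value has the same length for 100 bytes, 1000 bytes and 1 Mbyte, a one-character change produces a different value, and a keyed hash (HMAC) lets a recipient who holds the shared secret detect manipulation. The messages, the key and the function names are constructed for illustration.

```python
import hashlib
import hmac


def fingerprint(data: bytes) -> bytes:
    """160-bit SHA-1 hash value, the size the text cites for SHA."""
    return hashlib.sha1(data).digest()


def bits_changed(a: bytes, b: bytes) -> int:
    """Number of bit positions in which two hash values differ."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def seal(key: bytes, message: bytes) -> bytes:
    """Keyed hash (HMAC) over the message using the shared secret key."""
    return hmac.new(key, message, hashlib.sha1).digest()


def verify(key: bytes, message: bytes, tag: bytes) -> bool:
    """Recompute the keyed hash and compare in constant time."""
    return hmac.compare_digest(seal(key, message), tag)


def demo():
    # Fixed output length regardless of input size (sizes from the text).
    lengths = [len(fingerprint(b"A" * n)) * 8 for n in (100, 1000, 1_000_000)]

    # Constructed messages that differ in a single character.
    original = b"Transfer 100 EUR to account 12345"
    altered = b"Transfer 900 EUR to account 12345"
    diff = bits_changed(fingerprint(original), fingerprint(altered))

    # Sender seals with the shared key; the recipient checks both versions.
    key = b"constructed-shared-secret"
    tag = seal(key, original)
    return lengths, diff, verify(key, original, tag), verify(key, altered, tag)


if __name__ == "__main__":
    lengths, diff, intact, tampered = demo()
    print("hash lengths in bits:", lengths)
    print("bits changed by a one-character edit:", diff, "of 160")
    print("original accepted:", intact, "/ altered accepted:", tampered)
```

An attacker who changes the message cannot produce a matching seal without the shared key, which is why a plain unkeyed hash sent alongside the message would not be enough.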

NCP Security Management can support any desired encryption algorithm due to its modular architecture.
Currently the most important encryption algorithms are:

DES (Data Encryption Standard)
The ANSI designation for DES is Data Encryption Algorithm (DEA). DES was specified in 1977 as a unified encryption standard for confidential data by the National Bureau of Standards. The organization is known today as the National Institute of Standards and Technology (NIST). In 1997 a successful brute force attack using higher performance hardware was executed on the 64-bit key. The DES algorithm was compromised within 3 days. Today it is possible to break the key within seconds using expensive specialized hardware.

Triple DES (3DES)
A new approach was tried to prevent an exhaustive search of the key space. Agreement was reached on multiple encryption: 3DES (Triple Data Encryption Standard). The effective key length is approximately doubled only after a three-fold encryption. While 3DES is dependable, it is processor intensive and, consequently, slow.

The future encryption standard that supersedes 3DES is known as AES.

AES (Advanced Encryption Standard)
The AES standard uses more efficient algorithms than 3DES, requires less time for encrypting and decrypting, can process large data volumes concurrently, and requires less memory. The National Institute of Standards and Technology chose the "Rijndael Algorithm", which supports key lengths of 128, 192, and 256 bits.

Additional alternatives to DES algorithms are Blowfish and IDEA among others.

Blowfish
Developed by Bruce Schneier in 1993, this algorithm was faster than established algorithms.
Blowfish is license-free and offers variable key lengths of up to 448-bit with a memory requirement of less than 5 bytes.

IDEA
An algorithm developed in the early 90's by Xuejia Lai and James Massey. With 128-bit key lengths it is considered among the most secure algorithms available. It is significantly faster than DES and is regarded as immune against brute force attacks. Bruce Schneier confirms this with the following hypothetical model: if you take a billion processor chips and each one tests a billion keys per second, then the search would still require 10 to the 13th power seconds. This is longer than the universe has been in existence. The fly in the ointment: the company ASCOM holds the patent and requires a license fee for commercial use.

SSL (Secure Socket Layer)
Netscape developed the Secure Socket Layer for secure encrypted communication over the Internet. It builds a secure layer between the applications and the transport protocol TCP. SSL has established itself in the meantime as the de facto standard for Internet transactions in spite of limited key lengths. NCP used the SSL Handshake protocol (a part of the SSL specification) to establish a highly secure data connection over any IP network. To achieve this it was necessary to integrate the SSL Handshake on Level 2 as an integral part of the PPP negotiation. This implementation is essentially the basis for RFC 2716, which describes the PPP EAP TLS authentication. EAP stands for Extensible Authentication Protocol and TLS stands for Transport Layer Security. Actually TLS is equivalent to SSL. This protocol is currently considered the most secure method for establishing and negotiating a data connection after secure authentication.