Cryptographic Algorithms: Why Are They Important?

Introduction

Algorithms are essential for many different fields. Cryptography is an example of a field that requires an understanding of the order in which things operate. Defining the steps taken to perform a task creates the algorithm. Understanding how these algorithms originated and evolved, along with their strengths and weaknesses, will help ensure that information technology infrastructure and data remain private and secure.

Origin of Encryption Standards

Humans have needed to keep information private and secure since the advent of civilization, when knowledge could be shared in written form. The Spartans developed a method for sharing information using different-sized wooden rods and leather straps, where the letters were scrambled unless the recipient had the correctly sized rod (Thales Group, 2023). Julius Caesar developed a method of masking information via an alphabet shift. A mechanical device to scramble a message using a shift disk that encoded a substitution table was invented by Edward Hebern, an American, in 1917. The disk changed the substitution with each typed character. This was the precursor to the Germans’ famous Enigma machine, developed in 1918 by Arthur Scherbius using multiple shift disks. This encryption device wasn’t cracked until 1941 by Alan Turing, who created another machine that was the precursor to the computer.

Modern Encryption

With the advent of the modern computer, a need arose for stronger encryption to deter attackers from quickly deciphering messages. The United States developed the Data Encryption Standard (DES) in 1973. This was considered a strong block cipher until it was cracked in 1997 (Thales Group, 2023). This encryption method became the first to be designated as the official Federal Information Processing Standard (FIPS) encryption standard. The downfall of DES was that it was a symmetric block cipher utilizing 56 bits (DigiCert, 2022). A replacement had to be obtained to protect electronic federal documents. As a safeguard until a new standard could be found, triple DES (3DES) was developed. The methodology for 3DES was the same as that for DES, using a 56-bit encryption key. The difference was that it encrypted the data thrice with the DES algorithm using three unique keys (Newton, N.D.).

The National Institute of Standards (NIST) commissioned the development of a new standard through a public competition (Chen & Scholl, 2022). In 2001, NIST adopted the Advanced Encryption Standard (AES), which utilized a 256-bit encryption algorithm (Newton, N.D). This new methodology was determined to be more secure and execute faster on the current hardware platforms than 3DES. Latest encryption standards are continually being developed for various applications.

As the computing world enters the quantum realm, the world will look toward the next level of post-quantum cryptography (Chen & Scholl, 2022). In 2016, NIST had already begun preparing for this eventuality by soliciting new algorithmic proposals. In 2022, President Biden signed the “Quantum Computing Cybersecurity Preparedness Act”, which requires federal agencies to adopt these post-quantum cryptography standards into practice once released.  In the fall of 2023, NIST announced four candidates for this standard, with the selection expected to occur in 2024 (Coker, 2023).

Modern Encryption Standards

Today’s technology requires modern protection. As the speed of computers continues to advance, the technological algorithms that protect the data stored, processed, and transmitted by these systems need to keep pace with today’s processing power. AES, Twofish, TLS, and RSA are all modern standards used today to maintain the security and integrity of data on modern platforms. Symmetric and Asymmetric key standards are utilized for different purposes in cryptography (Arcserve, 2023).

Advanced Encryption Standard (AES)

AES is a symmetric block cipher utilized in software and hardware platforms to encrypt 128-bit, 192-bit, or 256-bit data blocks. It is symmetric in that it requires the same encryption key for both encrypting and decrypting the data. For any data that exceeds the defined amount, it breaks the message into the defined data block. 128-bit block data encryption is adequate for most consumer applications (Awati et al., 2024). This encryption cipher is used to protect credentials for accessing wireless networks, VPN access, database encryption, and more.

AES applies encryption through multiple passes with different encryption keys. 128-bit encryption undergoes 10 passes through the encryption algorithm (Awati et al., 2024), 192-bit encryption undergoes 12 passes through the encryption algorithm, and 256-bit encryption undergoes 14 passes through the encryption algorithm. The encryption may consist of character transposition, alphabetic shift ciphers, or substitution. A copy of the cipher is used during decryption to reverse the process.

Twofish

Bruce Schneier created Twofish in 1998 in response to NIST's call to produce encryption algorithms. It is a symmetric block cipher with 128-bit, 192-bit, and 256-bit encryption blocks (Awati, 2021). Twofish's methodology is unique because it utilizes pre-computed, key-dependent substitution boxes (S-boxes). These S-boxes depend on the cipher key utilized, which obscures that relationship. Much like other methodologies, Twofish also utilizes a Feistel network. A Fiestel network operates by running one-half of the text block through the F-function in each encryption pass and XORing it with the second half for the remainder of the pass. In the 128-bit version, four 32-bit words are created and run through four different S-boxes with different keys (Schneier, N.D.). Each of those 4-byte words is run through a Maximum Distance Separation (MDS) matrix, recombined into 32-bit words, and then run through a transform. The other processes for this continue to become more complex. This methodology is utilized in the “Pretty Good Privacy” (PGP) standard and other applications (Awati, 2021).

Transport Layer Security (TLS)

The Internet Engineering Task Force (IETF) commissioned the development of the Transport Layer Security (TLS) encryption protocol. TLS was developed in 1999 to protect data privacy and integrity while providing an authentication mechanism (Froehlich et al., 2021). Today, this protocol is one of the most widely utilized Internet browser protection mechanisms. TLS is also used in remote desktop applications, file transfer services, VPNs, and, most recently, 5G cellular networks to protect the core network functions over the radio access network.

TLS utilizes digital certificates to authenticate one client to another. This allows the clients to ensure that they are who they claim to be (Froehlich et al., 2021).  Once the clients exchange the certificates, they can then exchange encryption keys. This is achieved through the public key exchange (PKE) protocol, which utilizes a shared public key, and each system maintains its private key. Once the keys are exchanged, data transfer can commence. This creates a session that is resilient to man-in-the-middle attacks.

Rivest-Shamir-Adleman (RSA) Algorithm

The RSA algorithm, at its heart, is an older cryptographic method first developed in 1977 that utilizes the public key encryption (PKE) methodology. This is a form of asymmetric encryption that utilizes a public key and a private key (Cobb, 2021). The PKE methodology was initially developed by Clifford Cocks, a British mathematician, and remained classified until 1997. The public key is shared as common knowledge, while each entity or client retains their private key.

With RSA, either the public or private key is used to encrypt the data, while the opposite key is utilized to decrypt it. These keys are generated using a very complex process. Using the Rabin-Miller primality test algorithm, two prime numbers are generated (Cobb, 2021). The key length is generated by multiplying the two numbers, creating a link between the keys.

To make the public key, a public exponent (usually 65537) is combined with a modulus. As this public exponent is already known, this doesn’t create any security risk to the public key. The private key is generated by calculating a private exponent with the “Extended Euclidean algorithm” and determining the multiplicative inverse of the modulus (Cobb, 2021). This allows each client to retain a private key that is inexplicably linked to the generated public key. The strength of this algorithm is determined by the key size and the computational complexity of factoring large whole numbers.

Strengths and Weaknesses

Comparison

Each encryption methodology has its benefits and drawbacks. Complexity, computational difficulty, and even speed are all factors to be considered. As a cryptographic method ages, these factors change as computational hardware and software advance. Attackers become more familiar with the algorithm and develop tools to match the processing of these protocols. The protocols must be updated regularly to ensure they are not implementing deprecated methodologies in the algorithms.

Advanced Encryption Standard (AES)

As a modern encryption methodology, AES has multiple strengths that organizations and individuals can implement. AES is free as it was developed under the open-source license model (Awati et al., 2024). This is appealing from a cost and security analysis perspective. AES is also a very flexible algorithm. This enables ease of implementation across software and hardware platforms. Many manufacturers have taken advantage of integrating AES encryption into their platforms. Since AES utilizes multiple encryption passes with different cryptographic keys and methods, this creates a stronger algorithm.

While AES has several strengths, there are some drawbacks as well. Open-source development saves licensing costs, but this comes at the expense of making the source code publicly available for development (Awati et al., 2024). As AES is widely used, various types of attacks are routinely developed to break AES encryption. If configured improperly, the AES protocol can be open to specific related and known-key attacks. While these are drawbacks, there are mitigations to help prevent breakage of the AES protocol. Some of these mitigations require a layered security approach, training employees, and monitoring software such as firewalls and anti-malware.

Twofish

Twofish has been around for a while but has proven, after significant study, to be resilient to many different types of attacks. Due to the size of its key space, there are many different types of keys (Nagaraj, 2023). This encryption methodology is computationally efficient, which lends to its speed. However, with the large key space, it is almost impossible to brute-force attack this algorithm. These advantages lead to a diverse pool of applicability for this methodology.

This encryption algorithm is complex and leads to errors during implementation. These errors can then compromise the system that Twofish is attempting to protect. While not directly a result of the protocol, this can still lead to trust issues during implementation with security professionals. While it is a speedy algorithm, its complexity also leads to challenges when used in lower-power applications (Nagaraj, 2023). This may include consumer-grade hardware, older enterprise hardware platforms, and Internet of Things (IoT) devices. This may not be suitable for use in web applications.

Transport Layer Security (TLS)

The TLS methodology can control the application session data between two clients, allowing security to be built directly into the client. This can establish end-to-end encryption between applications and clients, eliminating the security overhead associated with IPSec (Froehlich et al., 2021). TLS also minimizes network transport errors due to the session-level encryption. Audit and session logs are generated to ensure data integrity and confidentiality are maintained throughout the session.

TLS can introduce complexity when monitoring client security. Each application must create a unique TLS session and generate its own logs (Froehlich et al., 2021). An application must be developed with TLS in mind. If an application does not support TLS, it cannot run this protocol. If there are multiple unique TLS sessions, communication strain and network overhead may occur, ultimately affecting the client's network performance.

Rivest-Shamir-Adleman (RSA) Algorithm

RSA has implemented three secure key lengths: 1024-bit, 2048-bit, and 4096-bit. These are known to be very strong encryption methodologies. While 1024-bit is starting to see some challenges, most governments and industry organizations will require 2048-bit RSA encryption (Cobb, 2021). This is the encryption of choice when protecting data that needs to traverse geographic boundaries or protect a VPN (Awati et al., 2024). This level of encryption comes at a cost: processing power.

While doubling the number of bits used to protect the data through RSA encryption provides an exponential level of privacy and security, it requires significantly more processing power to decrypt the data upon receipt. This makes RSA a poor encryption method for data in transit (Cobb, 2021). There are methods to speed this up, including combining AES and RSA encryption techniques. Utilizing an AES encryption key and protecting that key with RSA would provide the level of protection offered by both methods (Awati et al., 2024).

Conclusion

Modern-day encryption methods are constantly evolving. Moving from the older RSA encryption to the faster AES is just one example of how a strong and true method may not always be advisable in all applications. While RSA may provide military-level encryption, AES is better suited for encrypting data quickly in transit between two clients in a web-based scenario. As encryption methods evolve, computing power continues to push the boundary of what is possible with decryption. With the advent of quantum computing technology, newer methods are on the horizon as NIST evaluates and releases new standards to meet this computing need. While society will always require data confidentiality and integrity, the field of encryption will continue to evolve to meet these needs.

References

ArcServe. (2023, September 19). 5 common encryption algorithms and the unbreakable of the  future. https://www.arcserve.com/blog/5-common-encryption-algorithms-and-unbreakables-future

Awati, R. (2021, December). Twofish. TechTarget. https://www.techtarget.com/searchsecurity/definition/Twofish

Awati, R., Bernstein, C., & Cobb, M. (2024, February). Advanced encryption standard (AES). TechTarget. https://www.techtarget.com/searchsecurity/definition/Advanced-Encryption-Standard

Cobb, M. (2021, November). RSA algorithm (Rivest-Shamir-Adleman). TechTarget. https://www.techtarget.com/searchsecurity/definition/RSA

Coker, J. (2023, August 24). NIST publishes draft post-quantum cryptography standards. Infosecurity Magazine. https://www.infosecurity-magazine.com/news/nist-post-quantum-cryptography/

Chen, L. & Scholl, M. (2022, May 26). The cornerstone of cybersecurity – Cryptographic standards and a 50-year evolution. NIST. https://www.nist.gov/blogs/cybersecurity-insights/cornerstone-cybersecurity-cryptographic-standards-and-50-year-evolution

DigiCert. (2022, December 29). The history of cryptography. https://www.digicert.com/blog/the-history-of-cryptography

Froehlich, A., Beaver, K., & Cobb, M. (2021, April). Transport layer security (TLS). TechTarget. https://www.techtarget.com/searchsecurity/definition/Transport-Layer-Security-TLS

Nagaraj, K. (2023, March 19). Twofish encryption: A comprehensive guide 2023. Medium.com. https://cyberw1ng.medium.com/twofish-encryption-a-comprehensive-guide-2023-b3ad0f844870

Newton, G. E., Dr. (N.D.). The evolution of encryption. Wired.com. https://www.wired.com/insights/2013/05/the-evolution-of-encryption/

Schneier, B. (N.D.). The twofish encryption algorithm. Schneier on Security. https://www.schneier.com/academic/archives/1998/12/the_twofish_encrypti.html

Thales Group. (2023, February 1). A brief history of encryption (and cryptography). https://www.thalesgroup.com/en/markets/digital-identity-and-security/magazine/brief-history-encryption