About encryption keys

Software developers who are concerned about the leakage of their algorithms or in-house technology, or who are struggling with data/information confidentiality, are likely considering the technology known as "encryption." Cryptographic keys are essential when discussing encryption, and this article provides an easy-to-understand explanation of the basics of cryptographic keys that engineers should know, as well as the latest applications.
In this article, we will explain what a cryptographic key is and the various types of keys and how to use them depending on the application, providing practical knowledge for engineers considering security design and reverse engineering countermeasures.

What is a cryptographic key?

Cryptographic keys are used when encrypting and decrypting data, and if an eavesdropper or attacker learns the key, it becomes difficult to maintain confidentiality and authentication. Therefore, it is necessary to operate and manage various keys so that the contents of the keys cannot be discovered.
First of all, you may be wondering, what is the key here?
A key is a unique piece of data used in encryption algorithms that is recognized by both parties in communication, and is expressed as the number of bits (56 to 256 bits or more) that can represent the total number of keys.
The larger the number of bits in the key, the more difficult it becomes to decrypt or perform brute force attacks.
The number of bits varies depending on the use of encryption technology such as symmetric encryption, public key encryption, message authentication encryption, and digital signatures, so the details of each key are listed below.

*In the case of DES and triple DES, a parity bit is added to detect communication errors, but this part is omitted because it is not part of the encryption area.

DES key

DES is an abbreviation for "Data Encryption Standard" and is one of the algorithms for encrypting data using a symmetric key cryptosystem. A method of encrypting data of a certain length in bulk is called a block cipher, and DES is a block cipher that divides data into 64-bit units and encrypts them in bulk. The key length is 56 bits, but 8 bits are added for parity check, making it 64 bits in total.
A parity check is a mechanism to check whether data has been sent correctly. DES uses a total of 64-bit keys and encrypts and outputs data in 64-bit units.
DES involves dividing 64-bit data in half (L and R) and repeating the same process. This unit of repetition is called a round. Even though it is repeated, the key used for the conversion process is calculated from the original key for each round, and the same key is never used twice.
When the data is split in half, only R is first transformed and combined with L. The combined result is then made the new R, and the previous R is now made L, and the same process is carried out. A feature of this method is that the processing load for each round is lighter, as the entire data is not processed all at once.

Triple DES Key

DES was adopted as a highly secure encryption method, but vulnerabilities were eventually discovered. One of the methods devised to compensate for this vulnerability is Triple DES. This is a method that repeats the DES process three times. However, it does not repeat encryption three times; rather, it repeats the process in the order of encryption → decryption → encryption.
If the above steps are normally performed, the first encryption step will be wasted in the next decryption step, resulting in the same result as encrypting only once. Therefore, Triple DES uses a different key for each step.
A meet-in-the-middle attack is a method of determining the intermediate value between two processes. Triple DES repeats the process three times, so even a meet-in-the-middle attack can only determine a part of it, maintaining security.

*Symmetric cipher Triple DES comes in two variants: DES-EDE2, which uses two DES keys, and DES-EDE3, which uses three DES keys. The data length for DES-EDE2 is 112 bits (14 bytes), while the data length for DES-EDE3 is 168 bits (21 bytes).

AES key

DES is currently not recommended due to its vulnerabilities, and the National Institute of Standards and Technology has proposed banning the use of Triple DES, the most secure form of DES, after 2023.
No encryption algorithm is absolutely secure. As computer performance improves, older algorithms become less secure. DES was also adopted with the understanding that it would eventually become obsolete.
Currently, the American standard has replaced DES as AES (Advanced Encryption Standard). Like DES, it is a symmetric key encryption method, but the specific mechanism is different. AES key lengths can be selected from 128, 192, or 256 bits, which is longer than DES's 56 bits and makes it more secure.

As shown above, the key data is a string of numbers, but for a malicious person who obtains the ciphertext, the key that can decrypt it to plaintext is very important data. It is important to understand that it is not just a string of data.
It is also a good idea to adopt or develop your own strong encryption algorithm, but I hear that it is not difficult for malicious hackers to decipher the algorithm.
Therefore, the best way to increase confidentiality is to use the proven algorithms mentioned above and keep the key secret, which is a common solution in the world of cryptography.

Various types of keys depending on the purpose and their usage ① Symmetric encryption keys

Regarding symmetric encryption keys

Symmetric ciphers use the same key for encryption and decryption.
It is also called symmetric key cryptography because it uses a common key.
The keys used in symmetric encryption must be kept secret from anyone except those authorized to decrypt it.
(If the key is given to a third party, it can be decrypted.)

Various types of keys depending on the purpose and how to use them ② Public encryption keys

Public key cryptography uses different keys for encryption and decryption.
The key used for encryption is called the "public key" and the key used for decryption is called the "private key".
These use closely related numbers (data) when generating the data and are called key pairs.

Various types of keys and their usage depending on the purpose ③ Message authentication

Message authentication is a mechanism that uses a shared encryption key to check whether data has been tampered with.
Since the key is proof that the sender and receiver have the correct key, it must be kept secret from anyone else. Also, unlike symmetric encryption, checking data is sent along with the key.
This makes it possible to prevent tampering and spoofing.

The procedure outline is as follows:

① Create check data based on the data sent by the sender
② Send the plaintext message and the check data together
③ The receiver creates check data based on the received plaintext message
④ Determine whether the check data sent matches the check data created on the receiving side.

*MAC value: An abbreviation for Message Authentication Code, a short code used to verify that a message received from the other party has not been tampered with or replaced along the way. It is generated from the message itself and secret data (key) shared between the sender and receiver.

Various types of keys and their uses (4) Digital signatures

Digital signatures are a technology that verifies that the data being sent is indeed from the person who sent it.
For example, even if you receive data from a sender called Nexty, you cannot confirm that the data is actually from Nexty. There is also the possibility that the data may have been tampered with or spoofed during communication.
To verify that the sender is indeed Nexty and that the data has not been tampered with or impersonated, it is possible to prove that it is really from Nexty by using a digital signature.

Digital signatures can verify the sender of data, ensuring that the data has not been tampered with.
Digital signatures are a technology that applies public key cryptography, and the digital signature mechanism involves a public key and a private key, and also uses hash value generation. The encryption methods commonly used for digital signatures are RSA and DSA.

With a digital signature, instead of sending the plain text data, the plain text data is converted into a hash value and sent to the recipient as the signed data.
The recipient can verify that the data has not been tampered with by calculating a hash value from the received data and comparing it with the hash value received as the signature. In addition, because the hash value is encrypted and transmitted using a private key that cannot be known to third parties, it is possible to detect tampering even if both the data and the hash value have been tampered with.

The procedure outline is as follows:

1. The sender creates a public key and a private key and sends the public key to the receiver.
② The sender creates plaintext data to be sent to the receiver and calculates a hash value using a hash function.
③ Use this hash value as a private key to encrypt.
④ Send the plaintext data and signature data (encrypted hash value).
⑤ The recipient decrypts the signed data using the public key obtained from the sender.
⑥ Calculate a hash value for the received plaintext data using the hash function in the same way as the sender.
⑦ The decrypted hash value is compared with the calculated hash value, and if they match, the data is determined to be correct.

Summary

Cryptographic keys have a variety of uses, and depending on the use, there are various methods and ways to use them.
Symmetric encryption and public key encryption are key methods used to "maintain confidentiality," meaning that if you do not possess the correct key when decrypting, you will not be able to see the contents of the plaintext data.
The keys used in message authentication and digital signatures are key methods for "performing authentication," meaning that data cannot be tampered with or spoofed unless the correct key is in possession of the key.
This article is written as an introductory guide.
There are many complexities surrounding keys. For example, you can create a key with another key and use it for one-time authentication, or you can use a key to encrypt data and a key to encrypt another key to create and use master keys and session keys.
This also requires key management, and there are a wide range of key utilization technologies available, including methods for securely transferring keys, updating, exchanging, storing, and deleting keys, etc.
An encryption key is a set number of bits of data, but this data protects important data and enables verification through signatures, so we hope you will understand that it is the most important data in cryptographic technology.