Operating systems, applications, and other components of information systems typically use a hybrid cryptography system. A hybrid cryptography system combines the strengths of hashing, symmetric, and asymmetric encryption depending on the need for cryptographic services. For example:
- Use symmetric encryption for fast and efficient encryption of bulk data.
- Use hashing to verify message integrity.
- Use asymmetric encryption for authentication and non-repudiation.
- Use asymmetric encryption for secure exchange of symmetric encryption keys (i.e. by encrypting the key used for symmetric encryption prior to sharing the key with the recipient). Using asymmetric cryptography for encryption is best suited for small pieces of data.
The following table lists some of the applications for cryptography:
|Encrypting File System (EFS)
||The Encrypting File System (EFS) encrypts files and folders stored on NTFS partitions. Use EFS to protect data on workstations whose physical security cannot be guaranteed, such as workstations in unsecured locations or laptops. Files are encrypted with EFS using the following process, called key encapsulation:
- The user saves the file.
- The system generates a symmetric key, also known as a file encryption key (FEK). This key is used to encrypt the file contents.
- The encryption key is then encrypted using asymmetric encryption with the user's public key and stored in the file header in the Data Decryption Field (DDF).
- The encryption key is also encrypted using the public key of a recovery agent. This allows a trusted recovery agent to open (decrypt) encrypted files if the user's private key is lost.
- Adding additional users as authorized users of the file encrypts the symmetric encryption key using the private key of the additional authorized users.
||A digital signature or signing is a combination of asymmetric encryption and hashing values. It provides confidentiality, integrity validation, strong authentication, and non-repudiation. A general digital signature works as follows:
- A hash value is generated for a message.
- The hash value is asymmetrically encrypted using the sender's private key. Non-repudiation is provided because only the sender could have encrypted the hash using the private key (only the sender knows the private key).
- The encrypted hash value and the message (in plain text) are sent.
- The recipient decrypts the hash using the sender's public key.
- The recipient hashes the message.
- Message integrity and sender authenticity (non-repudiation) are confirmed if the two hash values match.
||In addition to digital signatures, data can be secured in transit by using secure data transmission. This protects the message from hackers by using asymmetric encryption to secure the message before sending it to the recipient. Secure data transmission uses the following process:
- The sender requests a copy of the recipient's public key.
- The recipient or CA sends a digital certificate containing the public key to the sender.
- The sender asymmetrically encrypts the message using the recipient's public key.
- The sender sends the asymmetrically encrypted message to the recipient.
- The recipient uses his private key to decrypt the message.
|Trusted Platform Module (TPM)
||The Trusted Platform Module (TPM) is a hardware chip on the motherboard that can generate and store cryptographic keys.
- A TPM is required to perform integrity checking of startup files and components in BitLocker implementations.
- The TPM generates a hash of the startup files to verify integrity of those files.
- Additionally, the TPM creates a hash of system components. This hash acts as a validation check of the system to ensure that system components have not changed. The hash can also be used to uniquely identify the system.
- The system startup key can be saved in the TPM. With the startup key saved in the TPM, the system can start without additional intervention.
- Without a TPM, the startup key must be stored on a USB drive. The system will not start without the startup key.
- When the startup key is saved in the TPM, you can require an additional PIN or startup key that must be used to start the system.
|Hardware Security Modules (HSM)
||A Hardware Security Module (HSM) is a piece of hardware and associated software/firmware that is connected to a computer system to provide cryptographic functions such as encryption, decryption, key generation, and hashing. HSMs traditionally come in the form of a plug-in card or an external security device that can be attached directly to the computer system. Other names for HSMs include the following:
- Personal Computer Security Module (PCSM)
- Secure Application Module (SAM)
- Hardware Cryptographic Device
- Cryptographic Module
|Whole disk encryption (BitLocker)
||BitLocker Drive Encryption (also known as full-volume encryption) protects offline data access on lost or stolen laptops or other compromised systems in the following way:
- BitLocker encrypts the entire contents of the operating system partition, including operating system files, swap files, hibernation files, and all user files. A special BitLocker key is required to access the contents of the encrypted volume.
- BitLocker uses integrity checking early in the boot process to ensure that the drive contents have not been altered, and that the drive is in the original computer. If any problems are found, the system will not boot, and the drive contents remain encrypted. The integrity check prevents hackers from moving the hard disk to another system in order to try to gain access to its contents.
BitLocker differs from the Encrypting File System (EFS) in the following ways:
- BitLocker encrypts the entire volume. EFS encrypts individual files.
- BitLocker encrypts the volume for use on the computer, regardless of the user. Any user who has the PIN or startup key and who can successfully log on can access a BitLocker volume. With EFS, only the user who encrypted the file and any additionally-designated users can access the file.
- BitLocker only protects files against offline access. If the computer boots successfully, any authorized user who can log on can access the volume and its data. EFS protects against offline access as well as online access for unauthorized users. EFS does not provide online protection if an authorized user's credentials are compromised.
DriveLock is another solution that includes disk encryption.
|GNU Privacy Guard (GPG) and Pretty Good Privacy (PGP)
||GNU Privacy Guard (GPG) is an encryption tool that encrypts email, digitally signs email, and encrypts documents. GPG is an implementation of the Pretty Good Privacy (PGP) protocol. PGP provides products that can be used to protect laptops, desktops, USB drives, optical media, and smart phones. Both PGP and GPG:
- Follow the OpenPGP standard (RFC 4880) for encrypting and decrypting data.
- Use both asymmetric and symmetric cryptography:
  - GPG/PGP generates a random symmetric key and uses it to encrypt the message.
  - The symmetric key is then encrypted using the receiver's public key and sent along with the message.
  - When the recipient receives a message, GPG/PGP first decrypts the symmetric key with the recipient's private key.
  - The decrypted symmetric key is then used to decrypt the rest of the message.
GPG supports DSA, ElGamal, RSA, AES, 3DES, Blowfish, MD5, and SHA-1. DSA and ElGamal are used by default. GPG is unable to use IDEA because IDEA is patented.
PGP can use either RSA or the Diffie-Hellman algorithm for asymmetric encryption and IDEA for symmetric encryption.
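The key encapsulation pattern described above for EFS (one file encryption key, wrapped for the user and again for a recovery agent) and for GPG/PGP messages, as an added Python example that is not code from the original page or from either product. The function names, the recipient labels and the header layout are hypothetical; a SHA-256 counter keystream stands in for the symmetric cipher and textbook RSA over constructed Mersenne-prime keys stands in for the asymmetric one, so the block runs with the standard library only.

```python
import hashlib
import secrets

E = 65537


def keypair(p: int, q: int):
    """Textbook RSA key from two given primes (demo only, no padding)."""
    n = p * q
    return (E, n), (pow(E, -1, (p - 1) * (q - 1)), n)


# Constructed demo keys built from Mersenne primes: trivially factorable.
USER_PUB, USER_PRIV = keypair(2**521 - 1, 2**607 - 1)
AGENT_PUB, AGENT_PRIV = keypair(2**1279 - 1, 2**2203 - 1)


def stream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in symmetric cipher: XOR with a SHA-256 counter keystream."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt_file(plaintext: bytes, recipients: dict) -> dict:
    """Encrypt the data once with a random FEK, then wrap the FEK per public key."""
    fek = secrets.token_bytes(32)
    m = int.from_bytes(fek, "big")
    header = {name: pow(m, e, n) for name, (e, n) in recipients.items()}
    return {"header": header, "body": stream_xor(fek, plaintext)}


def decrypt_file(blob: dict, name: str, private_key) -> bytes:
    """Unwrap the FEK with one private key, then decrypt the body with it."""
    d, n = private_key
    fek = pow(blob["header"][name], d, n).to_bytes(32, "big")
    return stream_xor(fek, blob["body"])


if __name__ == "__main__":
    blob = encrypt_file(b"constructed sample file contents",
                        {"user": USER_PUB, "recovery_agent": AGENT_PUB})
    print(decrypt_file(blob, "user", USER_PRIV))
    print(decrypt_file(blob, "recovery_agent", AGENT_PRIV))
```

The bulk data is encrypted only once; each additional reader costs one more small wrapped-key entry in the header.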