Blog

AES Encryption

Bob wants to ask his new girlfriend, Alicia, out to dinner but is afraid that his old girlfriend, Eve (short for eavesdropper), will find out about it, and will come to the restaurant and cause a scene.  Bob and Alicia agree on encrypting all of their email communication with each other since Alicia also has an ex-boyfriend, who can be extremely jealous and even violent.

Bob and Alicia decide to use Advanced Encryption Standard (AES) encryption with a 128-bit key that they will generate using the Pseudo Random Number Generator (PRNG) that is part of Cryptool available at https://www.cryptool.org/en .  Bob’s Plaintext message then looks like the plaintext message in Red below.

Bob enters the 128 bit encryption key (also known by Alicia) into the application he is using to encrypt the message. The key is shown above in two different number bases. It is shown as a Hexadecimal number in Blue and a Decimal number in Red.

The AES algorithm places each 16 byte (128 bit) block of text/data, whether upper case characters, lower case characters, numbers, or punctuation marks into 4 BY 4 matrices for processing. This is true whether the text/data is a short message like Bob’s plaintext message above or a larger selection of text/data like the 200 page epic poem Bob is working on, expressing his undying love for Alicia.

The AES Encryption Process is summarized in the diagram below, and described in more detail below that.

S-Box. The Rijndael (Pronounced: Rain-Doll) Sbox (also called the SubBytes step) is a matrix (square array of numbers) used in the Rijndael cipher, which the Advanced Encryption Standard (AES) cryptographic algorithm was based on.  The S-box (substitution box) serves as a lookup table and is based on a Galois Field (or Finite Field) multiplier. In the this step, each byte ai,ja_{i,j} in the state matrix is replaced with a SubByte S(ai,j)S(a_{i,j})using an 8-bit substitution box, the Rijndael S-box. This operation provides the non-linearity in the cipher.

ShiftRows. The ShiftRows step operates on the rows of the state; it cyclically shifts the bytes in each row by a certain offset. For AES, the first row is left unchanged. Each byte of the second row is shifted one to the left. Similarly, the third and fourth rows are shifted by offsets of two and three respectively.

MixColumns. In the MixColumns step, the four bytes of each column of the state are combined using an invertible linear transformation. The MixColumns function takes four bytes as input and outputs four bytes, where each input byte affects all four output bytes. Together with ShiftRows, MixColumns provides diffusion in the cipher.

AddRoundKey. In the AddRoundKey step, the subkey is combined with the state. For each round, a subkey is derived from the main key using Rijndael’s key schedule; each subkey is the same size as the state. The subkey is added by combining each byte of the state with the corresponding byte of the subkey using bitwise XOR.

 

 

Disk Encryption

Disk encryption is a technology which protects information by converting it into unreadable code that cannot be deciphered easily by unauthorized people and uses disk encryption software or hardware to encrypt data that goes on a disk or disk volume.

Disk encryption prevents unauthorized access to data storage and is transparent to a user that has the proper logon credentials for the computer.

All common operating systems provide software based disk encryption, which should be used.

  • Microsoft Bit-Locker uses the AES encryption algorithm in cipher block chaining (CBC) or XTS mode with a 128-bit or 256-bit key. CBC is not used over the whole disk; it is applied to each individual sector.
  • Apple FileVault full-disk encryption (FileVault 2) uses XTS-AES-128 encryption with a 256-bit key to help prevent unauthorized access to the information on your startup disk.
  • Ubuntu Linux uses a combination of Cryptsetup (sets up dm-crypt managed device-mapper mappings), dm_crypt (provides transparent encryption of block devices) and LUKS (standardizes a partition header, as well as the format of the bulk data). Cryptsetup is usually run at Ubuntu installation, allowing you to tailor the encryption settings to your specification from the beginning.

Three Easy, Robust and Mostly Free Ways to Secure Your Emails

Symmetric-Key Encryption

Symmetric-key algorithms[1] are algorithms for cryptography that use the same cryptographic keys for both encryption of plaintext and decryption of ciphertext. The keys may be identical or there may be a simple transformation to go between the two keys. The keys, in practice, represent a shared secret between two or more parties that can be used to maintain a private information link.[2] This requirement that both parties have access to the secret key is one of the main drawbacks of symmetric key encryption, in comparison to public-key encryption (also known as asymmetric key encryption).[3]  Learn More

Public or Asymmetric Key Encryption

Public key cryptography, or asymmetric cryptography, is any cryptographic system that uses pairs of keyspublic keys, which may be disseminated widely, and private keys which are known only to the owner. This accomplishes two functions: authentication, which is when the public key is used to verify that a holder of the paired private key sent the message, and encryption, whereby only the holder of the paired private key can decrypt the message encrypted with the public key.  Learn More

SendSafely

SendSafely is an add in for either Google’s Gmail or Microsoft’s Outlook. The Gmail version, just like Gmail, is free. The Outlook version, just like Outlook, is not. It uses a synchronous algorithm (AES-256), however the receiver decrypts the email by receiving a code in an SMS message on their cell phone or in an email so the receiver does not need to have a private key nor the sender need to have the receiver’s public key. This approach combines the best of the synchronous approach but without the necessity having any keys.

The sender first invokes the SendSafely app within either gmail or Outlook, adds the recipients email address, message and attachments (step 1).  SendSafely generates the “Server Secret” and provides it to the sender’s machine (Step 2).  The “ClientSecret” is generated on the sender’s machine (unknown to SendSafely) and is merged with the “Server Secret” to form the key (Step 3).  The sender’s machine encrypts the items and Uploads them to SendSafely using the key (Step 4).

The sender  emails the “Client Secret” and a link to SendSafely to the recipient (Step 6). When the recipient attempts to connect via the email link, SendSafely sends an access code to either the recipient’s mobile phone or email address at their discretion.