The pdf version of this journal can be downloaded at http://www.scribd.com/doc/20461254/Forensic-Cop-Journal-11-2009Symmetric-and-Asymmetric-Cryptography-in-Brief-Practice
Introduction
Introduction
Since cryptography offers a tight security for people to encode their message to be unreadable by third party, most people are interested in utilizing it in order to keep their privacy. It is expected that unauthorised people can not read it although they can get access for it because as long as they do not have the encryption key, they will not be able to open it unless they use decryption tools. However the tools have limited ability depending on the types of cryptography and the key size. Such tools can not generate decoding all encrypted message because they only work for certain encryption types.
Based on this fact, criminals use cryptography to conceal essential information related to their crime, so that police or forensic investigators can not open and read it. The crime perpetrators can use various types of cryptography and or strong level of key size in order to encode more securely their message, therefore cryptography is one of important concerns for forensic investigators on how to deal with it appropriately in order to solve the crime. It has been common fact that the encrypted message usually contains valuable information, so the forensic investigators are required to extract it. For this task, they have two duties. The first one is to find out files, partitions and emails which are being encrypted, and the second one is to try decrypting it to be readable. This decrypted information might be useful for police to investigate the crime.
Types of Cryptography
Simply cryptography converts a message from plain text to be ciphered text by using a cryptographic algorithm such as DES (Data Encryption Standard), IDEA (International Data Encryption Algorithm), Blowfish, AES (Advanced Encryption Standard) and so on. Generally there are two types of cryptography algorithm, namely symmetric and asymmetric. The clear and significant difference between them is encryption key meaning only one key (i.e. private key) on symmetric and two keys (public and private keys) on asymmetric. Below is the description of both.
Based on this fact, criminals use cryptography to conceal essential information related to their crime, so that police or forensic investigators can not open and read it. The crime perpetrators can use various types of cryptography and or strong level of key size in order to encode more securely their message, therefore cryptography is one of important concerns for forensic investigators on how to deal with it appropriately in order to solve the crime. It has been common fact that the encrypted message usually contains valuable information, so the forensic investigators are required to extract it. For this task, they have two duties. The first one is to find out files, partitions and emails which are being encrypted, and the second one is to try decrypting it to be readable. This decrypted information might be useful for police to investigate the crime.
Types of Cryptography
Simply cryptography converts a message from plain text to be ciphered text by using a cryptographic algorithm such as DES (Data Encryption Standard), IDEA (International Data Encryption Algorithm), Blowfish, AES (Advanced Encryption Standard) and so on. Generally there are two types of cryptography algorithm, namely symmetric and asymmetric. The clear and significant difference between them is encryption key meaning only one key (i.e. private key) on symmetric and two keys (public and private keys) on asymmetric. Below is the description of both.
Symmetric Cryptography
Initially people used cryptography with one key meaning the key used for encryption is same as the key for decryption. It can be analogized with the door key in real world because people use the same key for locking and unlocking the door. The key in cryptography is mathematical function designed to convert a plain text data to be cipher text data for encryption. With the same algorithm, the ciphered data can be converted to be original text data.
To protect the access in using such algorithm for decrypting a ciphered data, it is used a passphrase key controlling the operation of a cipher, so that the authorized users having known the passphrase key can only perform decryption. It means that although the type of cryptographic algorithm has been detected but the passphrase key is still missing, so the ciphered data can not be decrypted. This key made along with the process of encryption has various key sizes depending on the types of applied cryptography.
One of well known pioneer symmetric cryptographic algorithms is DES which is based on 56-bit block size. It is considered weak at this time because it can be broken by certain attacks such as brute force and cryptanalysis; therefore in 2002 it was superseded by AES using three block ciphers of 128-bit with key sizes of 128, 192 and 256-bit as a cryptography algorithm standard in the US. The other symmetric algorithms which are frequently used are Twofish with 128-bit block and up to 256-bit key size, Blowfish with 64-bit block and various key size between 32 and 448 bits, Serpent with the block size of 128 bits providing 128, 192 or 256-bit key size, CAST5 with 64-bit block size supporting 40 to 128-bit key size and Triple DES which is combination of three 56-bit DES. The algorithms above can also be applied with a combination of two or three algorithms in order to increase the security of cryptography such as AES-Twofish, Serpent-AES and AES-Twofish-Serpent. These combinations have been implemented by certain applications such as TrueCrypt.
Nowadays the forms of using symmetric cryptography is varied and more interesting with a nice Graphical User Interface (GUI) such as Remora USB Disk Guard in figure 1 and PixelCryptor using a picture as a bridge for encryption and decryption, so that it attracts people to use it for their current needs on information security.
To protect the access in using such algorithm for decrypting a ciphered data, it is used a passphrase key controlling the operation of a cipher, so that the authorized users having known the passphrase key can only perform decryption. It means that although the type of cryptographic algorithm has been detected but the passphrase key is still missing, so the ciphered data can not be decrypted. This key made along with the process of encryption has various key sizes depending on the types of applied cryptography.
One of well known pioneer symmetric cryptographic algorithms is DES which is based on 56-bit block size. It is considered weak at this time because it can be broken by certain attacks such as brute force and cryptanalysis; therefore in 2002 it was superseded by AES using three block ciphers of 128-bit with key sizes of 128, 192 and 256-bit as a cryptography algorithm standard in the US. The other symmetric algorithms which are frequently used are Twofish with 128-bit block and up to 256-bit key size, Blowfish with 64-bit block and various key size between 32 and 448 bits, Serpent with the block size of 128 bits providing 128, 192 or 256-bit key size, CAST5 with 64-bit block size supporting 40 to 128-bit key size and Triple DES which is combination of three 56-bit DES. The algorithms above can also be applied with a combination of two or three algorithms in order to increase the security of cryptography such as AES-Twofish, Serpent-AES and AES-Twofish-Serpent. These combinations have been implemented by certain applications such as TrueCrypt.
Nowadays the forms of using symmetric cryptography is varied and more interesting with a nice Graphical User Interface (GUI) such as Remora USB Disk Guard in figure 1 and PixelCryptor using a picture as a bridge for encryption and decryption, so that it attracts people to use it for their current needs on information security.
Figure 1
Remora USB Disk Guard protected by two types of passwords for logon and encryption/decryption is designed for mobile encryption on USB storage device.
These applications are easy to use and offer challenges such as PixelCryptor which can not be used to decrypt an encrypted package if the linked picture as the image key is missing or modified. To decrypt the encrypted package on PixelCryptor, it is required the image key as well as passphrase key as shown in figure 2. Besides those above, there are still symmetric cryptography applications using ordinary GUI such as Kruptos using 128/256-bit key size of Blowfish, and Blowfish Advanced CS offering various types of algorithm.
Figure 2
PixelCryptor uses an image file as a link to encrypted package as well as passphrase.
PixelCryptor uses an image file as a link to encrypted package as well as passphrase.
The other feature is encrypted volume which is used to store any files or folders to be encrypted by putting it within the volume. Actually the volume is a file which can be mounted as a virtual drive. The files and folders moved to the volume become encrypted automatically, so that it gives an ease for the users to modify the encrypted objects instantly as they want to. Once it is unmounted, all files or folders within the volume will be encrypted and the virtual drive will disappear, on the other hand if it is mounted, all files and folders within the volume will be decrypted. This feature is delivered by TrueCrypt and LockDisk.
Asymmetric Cryptography
Since symmetric is considered as inflexible and insecure in sharing the encryption key among the users, so the asymmetric cryptography is developed. Asymmetric provides two different types of key, namely public key and private key. Public key is designed to be shared to the other people for encrypting a plain text data to be ciphered text data, whereas private key which must be kept securely by the owner is used to decrypt ciphered text data to be plain text data.
This technique is considered secure because a user can distribute his public key to anybody he wants without worrying to be intercepted by third party. Although the encrypted data can be tapped by another people, they can not decrypt it without having the private key. Even the private key can be revoked if the owner considers the key is stolen.
One of common usage of asymmetric cryptography is email. Since people need to secure their email communication from interception by third party, the use of asymmetric cryptography becomes frequent because it is more flexible and secure in distributing public key to be shared to another people than symmetric cryptography.
This technique is considered secure because a user can distribute his public key to anybody he wants without worrying to be intercepted by third party. Although the encrypted data can be tapped by another people, they can not decrypt it without having the private key. Even the private key can be revoked if the owner considers the key is stolen.
One of common usage of asymmetric cryptography is email. Since people need to secure their email communication from interception by third party, the use of asymmetric cryptography becomes frequent because it is more flexible and secure in distributing public key to be shared to another people than symmetric cryptography.
The asymmetric cryptography algorithm which is often used in encrypted email is PGP (Pretty Good Privacy) providing privacy, authentication and integrity checking over generating public and private key and digital signature. For email encryption, the plug in Enigmail providing OpenPGP can be used along with mail clients such as Mozilla Thunderbird and SeaMonkey as security extension.
Figure 3
OpenPGP Enigmail within Mozilla Thunderbird generates key pairs for public key and private key with RSA algorithm and 4096-bit key size.
OpenPGP Enigmail offers key pairs generation as shown in figure 3 with 4096-bit RSA algorithm which is used widely in e-commerce protocols because it is accepted as one of means providing strong security. It also provides key expiry from only 1 day to no expiry at all and revocation to terminate the private key in the case of it is stolen or missing. Besides RSA, there are other algorithms such as DSA (Digital Signature Algorithm) and El Gamal. DSA is used for digital signature, while EL Gamal is asymmetric cryptography having three components namely key generator, encryption and decryption algorithms.
Figure 4
The encrypted message created by OpenPGP Enigmail within Mozilla Thunderbird uses RSA Algorithm with 4096-bit key size
Through short experiment, it shows that encryption and decryption using OpenPGP Enigmail within Mozilla Thunderbird is quite easy to carry out and reliable for strong security. In this experiment, a sender sends his public key to a recipient. After obtaining a public key, recipient sends an encrypted message using sender’s public key. The encrypted email will be then decrypted by the sender using his private key. If it is intercepted when it is in transit over network, the interceptor will gain an encrypted message as shown in figure 4. He needs sender’s private key to perform decryption of the message as well as passphrase key. Both are required to perform such decryption.
Conclusion
Both cryptography algorithms of symmetric and asymmetric are frequently used nowadays, even by criminals; therefore forensic investigators should know about it and how to deal with it properly. Although it is almos impossible to break a high level of key/block size of an encrypted message, there is still possibility to obtain the encrypted message. For instance when the suspected computer found is still running. It is not necessary to turn off directly because probably there is still an encrypted message or volume which has been decrypted. Even the only access an encrypted drive is when it is running. It means that it is being decrypted.
Bibliography
Anson, S. and Bunting, S. (2007). Mastering Windows Network Forensics and Investigation. Indianapolis: Wiley Publishing, Inc.
Carrier, B. (2005). File System Forensic Analysis. London: Addison – Wesley.
Casey, E. (2002). Practical Approaches to Recovering Encrypted Digital Evidence. International Journal of Digital Evidence. 1 (3). Available: http://www.utica.edu/academic/institutes/ecii/publications/articles/A04AF2FB-BD97-C28C-7F9F4349043FD3A9.pdf. Last accessed 28 February 2009.
Casey, E. (2004). Digital Evidence and Computer Crime: Forensic Science, Computers and the Internet. 2nd edition. London: Elsevier Academic Press.
Casey, E. (2008). The Impact Of Full Disk Encryption On Digital Forensics. ACM SIGOPS Operating System Review. 42 (3). Available: http://portal.acm.org/ft_gateway.cfm?id=1368519&type=pdf&coll=GUIDE&dl=GUIDE&CFID=24053605CFTOKE N=64412596. Last accessed 28 February 2009.
CE-Infosys. (2008). Free CompuSec version 5.2 User Manual. Available: http://www.ce-infosys.com/ftp/cei/FREE_CompuSec_Handbook.zip. Last accessed 6 April 2009.
Code Gazer. (2008). PixelCryptor. Available: http://www.codegazer.com/pixelcryptor/. Last accessed 7 April 2009.
Huber, U. and Sadeghi, A-R. (2006). A Generic Transformation from Symmetric to Asymmetric Broadcast Encryption. Bochum: Ruhr-Universitat. Available: http://www.springerlink.com/content/50023w6877036027/fulltext.pdf. Last accessed 22 February 2009.
Katz, J. (2004). Cryptography. In: Tucker, A. B. (ed). Computer Science Handbook. 2nd edition. Florida: Chapman & Hall/CRC. p210-232.
Klonsoft. (2009). Klonsoft LockDisk 3.0 for Windows. Available: http://www.klonsoft.com/lockdisk/. Last accessed 7 April 2009.
Klonsoft. (2009). Klonsoft LockDisk 3.0 for Windows. Available: http://www.klonsoft.com/lockdisk/. Last accessed 7 April 2009.
Kolb, L. J. (2001). Blowfish Advanced CS Version 2.I2.00.0II. Available: http://www.lassekolb.info/bfacs.pdf. Last accessed 7 April 2009.
Mandia, K., Prosise, C. and Pepe, M. (2003). Incident Response & Computer Forensics. 2nd edition. London: McGraw-Hill/Osborne.
Marcella, A. J. and Greenfield, R. S. (2002). Cyber Forensics – A Field Manual for Collecting, Examining, and Preserving Evidence of Computer Crimes. London: Auerbach Publications.
Microsoft. (2007). 2007 Microsoft Office System Document Encryption. Available: http://download.microsoft.com/download/6/7/f/67f1ff44-f1c9-4fae-a451-4e803f7b727e/2007_Office_DocEncryption.docx. Last accessed 6 April 2009.
Mohay, G., Anderson, A., Collie, B., de Vel, O. and McKemmish, R. (2003). Computer and Intrusion Forensics. London: Artech House.
Moller, B. (2004). A Public-Key Encryption Scheme with Pseudo-random Ciphertexts. Berkeley: University of California. Available: http://www.springerlink.com/content/2m9ukr0uqwke7nu4/fulltext.pdf. Last accessed 22 February 2009.
O'Connor, L. and Klapper, A. (1994). Algebraic nonlinearity and its applications to cryptography. Journal of Cryptology. 7 (4). Available: http://www.springerlink.com/content/h3158k76g3207h28/fulltext.pdf. Last accessed 22 February 2009.
Passware. (2008). Passware Encryption Analyzer Professional v.1.0. Available: http://www.lostpassword.com/pdf/EncryptionAnalyzer_datasheet.pdf. Last accessed 7 April 2009.
Sammers, T. and Jenkinson, B. (2007). Forensic Computing. 2nd edition. London: Springer.
Sammers, T. and Jenkinson, B. (2007). Forensic Computing. 2nd edition. London: Springer.
Seagate. (2007). Seagate DriveTrust™ Technology Enables Robust Security Within the Hard Drive. Available: http://www.seagate.com/docs/pdf/whitepaper/TP565_DriveTrustOverview_Oct06.pdf. Last accessed 6 April 2009.
Stephenson, P. (2000). Investigating Computer-Related Crime. London: CRC Press.
The Enigmail Project. (2009). A Simple Interface for OpenPGP Email Security. Available: http://enigmail.mozdev.org/home/index.php. Last accessed 7 April 2009.
TrueCrypt. (2008). TrueCrypt – Free Open Source Disk Encryption Software. Available: http://www.truecrypt.org/docs/. Last accessed 7 April 2009.
Ye, D. (2001). Decomposing Attacks on Asymmetric Cryptography Based on Mapping Compositions. Journal of Cryptology. 14 (2). Available: http://www.springerlink.com/content/efbjfqeempmfg7lr/fulltext.pdf. Last accessed 22 February 2009.