(cyrptography_chapter)= # Cryptographic concepts and terms ```{admonition} VISUAL :class: warning - Introduce visualizations for cryptographic primitives - Show example visualizations for operations? (encrypt/decrypt and signing/verification - only if we're going to reuse the visual primitives later) ``` ## Cryptographic hash functions [Cryptographic hash functions](https://en.wikipedia.org/wiki/Cryptographic_hash_function) take data strings of any length (like a text message or file) and output a fixed-size code, often called a "hash" or "digest." This hash acts like a unique identifier for the original data. Here are two important properties of cryptographic hash functions: - ["Pre-image resistance"](https://en.wikipedia.org/wiki/Preimage_attack): Given a hash value, it should be very difficult to determine the original data it represents. - ["Collision resistance"](https://en.wikipedia.org/wiki/Collision_resistance): It should be very difficult to find two distinct pieces of data that map to the same hash value. ## Symmetric-key cryptography [Symmetric-key cryptography](https://en.wikipedia.org/wiki/Symmetric-key_algorithm) uses the same cryptographic key for both encryption and decryption, unlike asymmetric cryptography where a pair of keys is used: a public key for encryption and a corresponding private key for decryption. Symmetric-key cryptographic systems support *encryption/decryption* operations. Participants in symmetric-key operations need to exchange the shared secret over a secure channel. ```{admonition} VISUAL :class: warning - visualization? (maybe a black key icon, following wikipedia's example?) ``` ### Benefits and downsides Symmetric-key cryptography has major benefits: It is much faster than public-key cryptography (see below). Also, most current symmetric cryptographic algorithms are considered quantum-resistant[^postquantum]. ```{admonition} :class: warning I am not convinced that this information is helpful but, if it remains, perhaps we need this additional statement: "That is, symmetric-key cryptographic mechanisms are currently considered to be resilient against known computer threats, providing a measure of assurance in the evolving landscape of cryptography and quantum computing." [^postquantum]: Daniel J. Bernstein (2009). ["Introduction to post-quantum cryptography" (PDF)](http://www.pqcrypto.org/www.springer.com/cda/content/document/cda_downloaddocument/9783540887010-c1.pdf) states that: "many important classes of cryptographic systems", including secret-key cryptographic mechanisms like AES "[..] are believed to resist classical computers and quantum computers." (pages 1, 2). ``` However, exchanging the required shared secret is a problem that needs to be solved separately. [Hybrid cryptosystems](hybrid_cryptosystems) combine the advantages of symmetric-key cryptography with a separate mechanism for managing the shared secret, using public-key cryptography. ### Symmetric-key cryptography in OpenPGP Symmetric-key cryptography is used in OpenPGP in three contexts: - most prominently, as part of a hybrid cryptosystem to encrypt and decrypt data, - to encrypt [password-protected private key material](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-secret-key-encryption), and - for [password-protected data encryption](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-symmetric-key-encrypted-ses), a less commonly used feature of the standard. Where symmetric keys are used in OpenPGP for data encryption, they are called either "message keys" or "session keys[^sessionkey]." [^sessionkey]: In OpenPGP version 6, the ["Version 2 Symmetrically Encrypted Integrity Protected Data Packet Format"](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-version-2-symmetrically-enc) requires that a "message key" is derived from a "session key." In contrast, up to OpenPGP version 4, and in version 6 when using ["Version 1 Symmetrically Encrypted Integrity Protected Data Packet Format"](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-version-1-symmetrically-enc), the "session key" was used directly as a symmetric encryption key. ### Authenticated encryption with associated data (AEAD) [Authenticated encryption](https://en.wikipedia.org/wiki/Authenticated_encryption) offers more than just confidentiality; it ensures data integrity too. In OpenPGP version 6, AEAD replaced the MDC[^MDC] mechanism to address malleability. In earlier OpenPGP versions, malicious alterations to ciphertext might go unnoticed. AEAD guards against such undetected changes. [^MDC]: In OpenPGP version 4, a mechanism called MDC (Modification Detection Code) was introduced to serve a comparable purpose as AEAD. While MDC is a non-standard mechanism, as of this writing, there are no known attacks against the scheme. By addressing the malleability problem, AEAD also counters a variation of the EFAIL[^efail] attack. [^efail]: A variation of the [EFAIL](https://en.wikipedia.org/wiki/EFAIL) attack can be prevented by both the MDC and AEAD mechanisms. Also see ["No, PGP is not broken, not even with the Efail vulnerabilities,"](https://proton.me/blog/pgp-vulnerability-efail) especially the section "Malleability Gadget Exfiltration Channel Attack." ## Public-key, or asymmetric cryptography [Public-key cryptography](https://en.wikipedia.org/wiki/Public-key_cryptography) systems use asymmetric pairs of related keys. Public-key cryptographic systems support *encryption/decryption* as well as *digital signature* operations. Unlike symmetric cryptography, public-key cryptography doesn't require participants to pre-arrange a shared secret. Instead, with public-key cryptography, the public parts of the key material can be shared openly and then used for cryptographic operations. (asymmetric_key_pair)= ### Asymmetric cryptographic key pairs In many places, we'll deal with asymmetric cryptographic key pairs: ```{figure} diag/cryptographic_keypair.png --- --- An asymmetric cryptographic key pair ``` An asymmetric cryptographic key pair consists of a public and a private part. In this document, we'll show the public part of a key pair in green, and the private part in red. Note that in many contexts, only the public part is present (more on that later): ```{figure} diag/keypair_pub.png --- --- Only the public part of an asymmetric key pair ``` ### Public-key cryptography in OpenPGP OpenPGP makes heavy use of public-key cryptography, both for encryption and signing operations. ```{admonition} Terminology :class: note For historical reasons, the OpenPGP RFC and other documentation often use the non-standard term "secret key" instead of the more common "private key." So in OpenPGP, the pair of terms "public/secret key" is sometimes used instead of the more common "public/private key." ``` ### Cryptographic digital signatures [Digital signatures](https://en.wikipedia.org/wiki/Digital_signature) are a mechanism that is based on asymmetric cryptography. With this mechanism, one actor can make a signature over a digital message, and another actor can check the validity of that signature. The signer uses digital signatures to make statements about the message. Third parties can then inspect these statements. ```{admonition} VISUAL :class: warning - add visualization showing: message + private key + sign = signature -> message + signature + public key + verify = ok? ``` In OpenPGP, digital signatures are used in two different contexts: - [Certification statements](certifications_chapter) - [Signatures over data](signing_data) (hybrid_cryptosystems)= ## Hybrid cryptosystems [Hybrid cryptosystems](https://en.wikipedia.org/wiki/Hybrid_cryptosystem) combine two cryptosystems and make use of their respective advantages: - A public-key cryptosystem is used to safely handle shared secrets over insecure channels (in OpenPGP: so-called "session keys") - A symmetric-key cryptosystem is used to efficiently encrypt and decrypt long messages (using an OpenPGP "session key" as the shared secret)