Protected Data

Full title or Meme

Everyone seems to want to protection (1) data at rest and (2) data inflight. What does that really mean?

Context

Can you encrypt with elliptic curve methods? Ans: Not quite. Unlike RSA, you can’t just encrypt and decrypt using elliptic curves, and actually use an offline Diffie-Hellman method with symmetric key encryption.

With ECC (Elliptic Curve Cryptography), we have an opportunity to use both the power of public-key encryption with the speed and security of symmetric key encryption. And, so we slowly move to the best practice for encryption, where there’s an increasing consensus around:

Public key encryption key exchange: ECDH (P256), ECDH (P384), ECDH (P521), X25519 and X448.
Public key encryption: RSA and ECIES.
Hashing method for key derivation (HKDF): SHA256, SHA384 and SHA512.
Symmetric key: 128-bit AES GCM and 256-bit AES GCM.

All of the above methods are compatible with most systems. For this, Bob and Alice could pick an elliptic curve to define their key pair and then use a given hashing method to derive an encryption key. This is normally achieved with HKDF (HMAC Key Derivation Function). For the actual encryption, we can use symmetric-key encryption, as this is the most efficient and much faster than public key encryption. Overall, with this, there is a general move towards using AEAD (Authenticated Encryption with Additional Data). A typical mode for this is GCM.

So let’s build a hybrid encryption method with C#.

The basics = Now, let’s say that Bob will send an encrypted message to Alice. Alice will then generate a key pair (a public key and a private key). She then sends her public key to Bob, and he then uses this to derive a symmetric key for the encryption (S). He then encrypts the message using K and with AES GCM. Bob receives the cipher (c) and a value of R. From R, she can then derive S from her private key. With this key, she can decrypt the cipher text to derive the plaintext message.

To achieve this in RSA, Alice would create a random symmetric key (KA), and then encrypt it with the public key of Bob, and then encrypt a file with KA. She would then send the encrypted key (Epk(KA)) to Bob, and the encrypted file, and then he would decrypt the encrypted key to reveal KA, and can then decrypt the file:

• Elliptic Curve Integrated Encryption Scheme (ECIES): Encrypting Using Elliptic Curves

Problems

These are the vulnerabilities that should be addressed by Protected Data solutions.

1. Disclosure
2. Spoofing
3. Destruction or Denial of Service

References