2013 has been an interesting year for whistle blowing about surveillance from the American and British governments. Earlier in the year Edward Snowden, a former NSA technologist, decided to put his own life on the line and leak a huge cache of documents about the NSA’s surveillance capabilities against its own people in the USA. This goes against the 4^{th} amendment in the constitution that prohibits unreasonable searches and seizures and requires any warrant to be judicially sanctioned and supported by probable cause.

The notion of surveillance is a complex topic. There are a lot of bad people out there that want to cause America, Britain, and Europe a lot of harm, and we need a way to keep tabs on these people. In this case I believe surveillance is justified. There will always be threats from domestic threats which also need to be monitored. The question here though is, have our governments crossed the line with the mass data collection that they are doing. In my opinion yes they have, but now this is all starting to get out in the open, maybe something will start to be done about it, hopefully. This all really started when George Bush gave the NSA the remit to collect this data after the September 11^{th} attacks against the USA.

I was going to write a fairly lengthy post about the Advanced Encryption Standard (AES) encryption and how it works, but when doing my research I found an excellent video presentation series by Patrick Townsend of Townsend Security and thought I would share this excellent find with you.

The series starts of by talking about what encryption is and then goes on about why you should use the AES encryption algorithm, how you should approach key management, and digging into more advanced detail on how the algorithm works including the different modes of encryption.

What I want to do in this final part is talk about using these different cryptographic primitives to do what is called Hybrid Encryption.

What is Hybrid Encryption?

So, what is hybrid encryption? Let’s start off with Wikipedia’s definition.

In cryptography, public-key cryptosystems are convenient in that they do not require the sender and receiver to share a common secret in order to communicate securely (among other useful properties). However, they often rely on complicated mathematical computations and are thus generally much more inefficient than comparable symmetric-key cryptosystems. In many applications, the high cost of encrypting long messages in a public-key cryptosystem can be prohibitive. A hybrid cryptosystem is one which combines the convenience of a public-key cryptosystem with the efficiency of a symmetric-key cryptosystem.

A hybrid cryptosystem can be constructed using any two separate cryptosystems:

a key encapsulation scheme, which is a public-key cryptosystem, and

a data encapsulation scheme, which is a symmetric-key cryptosystem.

The hybrid cryptosystem is itself a public-key system, who’s public and private keys are the same as in the key encapsulation scheme.

Note that for very long messages the bulk of the work in encryption/decryption is done by the more efficient symmetric-key scheme, while the inefficient public-key scheme is used only to encrypt/decrypt a short key value.

This is the 3^{rd} part in a short series on cryptography in .NET. In the previous 2 articles I covered using Symmetric algorithms like AES and Asymmetric algorithms like RSA. In this section I want to cover random number generation and hashing. This will lead into the final article which will be about combining cryptographic primitives to create hybrid encryption protocols.

The primitive I want to discuss is generating cryptographically strong random numbers. This is useful if you want to generate random session keys for AES for example. To generate a random number you use the RNGCryptoServiceProvider class in .NET. Once you have constructed the object you just call GetBytes() and pass in the length in bytes of the random number you want to generate.

The Data Encryption Standard (DES) was a standard encryption system used for many years, but it had a flaw, the key strength was only 56bits. This books is about a group of people that started an experiment to try and crack the algorithm by a brute force search of the DES Key-space.

“In 1996, the supposedly uncrackable US federal encryption system was broken. In this captivating and intriguing book, Matt Curtin charts the rise and fall of DES and chronicles the efforts of those who were determined to master it.“

That description sums up the book perfectly. This book is very interesting if you have an interest in cryptography, a bit of computing history, the change in the American encryption laws and grid computing by using available spare resources on peoples machines connected to the internet.

The book is very well written. This subjected could have been presented in such a dry way, but the author has really captured the subject well and it is an engaging read.

This is the 2^{nd} part in a small series on using encryption primitives in .NET. In the first article I concentrated on symmetric cryptography and more specifically the AES algorithm. In this article I will take a brief look at Asymmetric cryptography using the RSA system.

RSA is an algorithm for public-key cryptography that is based on the presumed difficulty of factoring large integers, the factoring problem. RSA stands for Ron Rivest, Adi Shamir and Leonard Adleman, who first publicly described the algorithm in 1977. Clifford Cocks, an English mathematician, had developed an equivalent system in 1973, but it was classified until 1997.

A user of RSA creates and then publishes the product of two large prime numbers, along with an auxiliary value, as their public key. The prime factors must be kept secret. Anyone can use the public key to encrypt a message, but with currently published methods, if the public key is large enough, only someone with knowledge of the prime factors can feasibly decode the message. Whether breaking RSA encryption is as hard as factoring is an open question known as the RSA problem.

The AES symmetric process is classed as an algorithm where the plain text goes through multiple computation rounds to produce the cipher text. RSA is different in that is it a mathematical process. I won’t go into too much detail of how the keys are generated, but as stated above it is all around the complexity of factoring large prime numbers. The actual encryption process is based around modular arithmetic. For more detailed information on how this works check out this very useful Wikipedia page.

Cryptography is a subject that I personally find fascinating. It really is one of the mathematical branches of computer science that really does seem to have a sense of magic to it. But this “magic” normally comes at a price, and that is the need for some really heavy duty mathematics. This normally puts people off, including myself as I am no math genius.

Lots of cryptography books are very heavy on the math and theoretical aspects of encryption, like Applied Cryptography by Bruce Schneier, which is great if you want to delve that deep, but most people including software developers just need to understand at a higher level how the algorithms work and how best to apply them in real life. That is where this book, Everyday Cryptography: Fundamental Principles and Applications by Keith M. Martin, comes in. The book is structured as follows :