Tag Archives: asymmetric encryption

JAR is a coin-sized biometric crypto key

Leave a reply

Instead of using passwords to access websites, JAR lets you login or register with the touch of your finger.

With seemingly a new data breach emerging every week, cybersecurity has become a key concern among a majority of consumers. Despite these incidents, many people still rely on stupidly simple passwords. Just how simple, you ask? Take a look at this recently-revealed list from 2014. The problem with these codes is that most, if not all, of us are pretty bad at remembering them, and with so many different ones for different sites, we rely upon insecure behaviors.

jar-with-background-handheld-962x644

Fortunately, one German startup has devised a solution to the ever-growing password epidemic with a coin-sized gadget. Equipped with its own fingerprint reader, JAR connects to your mobile device via its audio jack, enabling you to securely access your online accounts with a single touch. Just how secure are we talking? Its creators claim that the encryption is so strong that it would take a hacker 6.4 quadrillion years to access your data.

The JAR, which is tiny enough to be attached to a keyring, runs an asymmetrical encryption method based on a pair of 2048-bit RSA keys. To gain entry, gently place your finger on its built-in biometric reader and presto! Because each message is encrypted separately, there’s no way to derive one message from the previous message; each encrypted message broadcasted is non-deterministic and pseudorandom.

565ca70e08afed8e33bc6a5bbe39a6cc_original

“Your devices will only unlock for the most recent message, so a hacker is unable to unlock your devices by re-broadcasting an old message,” the team explains. “Only devices that you’ve set up with your JAR will have the ability to interact with it. A device still has to verify its legitimacy through an automatic encrypted handshake in order to interact with your JAR.”

Should you lose your JAR, not to worry as it can be easily deactivated. When this occurs, a message is immediately sent to all of your devices, letting them know that they should not prompt access to your accounts safeguarded by the lost piece.

cb41135932cbd46a73aa5dbe5620eecf_original

Looking ahead, JAR will also offer a range of services including reliable cloud storage, an offline data vault, and an encrypted messenger, among several others from third parties. At the moment, JAR is available in two colors (soft white and dark grey) as well as two different sizes (1.6” and 1.4”).

Ready to forget about passwords? Head over to JAR’s Kickstarter page, where the team is currently seeking $108,305. Units are expected to begin shipping in January 2016.

Symmetric or asymmetric encryption, that is the question!

1 Reply

With the emergence of breaches and vulnerabilities, the need for hardware security has never been so paramount.

Confidentiality — one of the three foundational pillars of security, along with data integrity and authenticity — is created in a digital system via encryption and decryption. Encryption, of course, is scrambling a message in a certain way that only the intended party can descramble (i.e. decrypt) it and read it.

pillars

Throughout time, there have been a number of ways to encrypt and decrypt messages. Encryption was, in fact, used extensively by Julius Caesar, which led to the classic type of encryption aptly named, Caesar Cipher. The ancient Greeks beat Caesar to the punch, however. They used a device called a “Scytale,” which was a ribbon of leather or parchment that was wrapped around a rod of a diameter, of which only the sender and receiver were aware. The message was written on the wrapping and unfurled, then sent to the receiver who wrapped on on the rod of the same diameter in order to read it.

Skytale

 

Modern Encryption

Modern encryption is based on published and vetted digital algorithms, such as Advanced Encryption System (AES), Secure Hashing Algorithms (SHA) and Elliptic Curve Cryptography (ECC), among many others. Given that these algorithms are public and known to everyone, the security must come from something else — that thing is a secret cryptographic “key.” This fundamental principal was articulated in the 19th century by  Auguste Kerckhoffs, a Dutch linguist, cryptographer and professor.

Kerckhoffs’ principle states that a cryptosystem should be secure even if everything about the system, except the key, is public knowledge. In other words: “The key to encryption is the key.” Note that Kirchoffs advocated what is now commonly referred to as “open-source” for the algorithm. Point being, this open-source method is more secure than trying to keep an algorithm itself obscured (sometimes called security by obscurity). Because the algorithms are known, managing the secret keys becomes the most important task of a cryptographer. Now, let’s look at that.

kirchoff 1

Symmetric and Asymmetric

Managing the key during the encryption-decryption process can be done in two basic ways: symmetric and asymmetric. Symmetric encryption uses the identical key to both encrypt and decrypt the data. Symmetric key algorithms are much faster computationally than asymmetric algorithms because the encryption process is less complicated. That’s because there is less processing involved.

The length of the key size directly determines the strength of the security. The longer the key, the more computation it will take to crack the code given a particular algorithm. The table below highlights the NIST guidelines for key length for different algorithms with equivalent security levels.  You can see that Elliptic Curve Cryptography (ECC) is a very compact algorithm. It has a small software footprint, low hardware implementation costs, low bandwidth requirements, and high device performance. That is one of the main reasons that ECC-based asymmetric cryptographic processes, such as ECDSA and  ECDH, are now being widely adopted. The strength of the sophisticated mathematics of ECC are a great ally of all three pillars of security, especially encryption.

table

Not only is symmetric faster and simpler; furthermore, a shorter key length can be used since the keys are never made public as is the case with asymmetric (i.e. Public Key Infrastructure) encryption. The challenge, of course, with symmetric is that the keys must be kept secret on both the sender and receiver sides. So, distributing a shared key to both sides is a major security risk. Mechanisms that maintain the secrecy of the shared key are paramount. One method for doing this is called Symmetric Session Key Exchange.

Asymmetric encryption is different in that it uses two mathematically related keys (a public and private key pair) for data encryption and decryption.  That takes away the security risk of key sharing. However, asymmetric requires much more processing power. Unlike the public key, the private key is never exposed. A message that is encrypted by using a public key can only be decrypted by applying the same algorithm and using the matching private key.

A message that is encrypted by using the private key can only be decrypted by using the matching public key. This is sort of like mathematical magic. Some of the  trade offs of symmetric and asymmetric are summarized below.

Symmetric

  • Keys must be distributed in secret
  • If a key is compromised the attacker can decrypt any message and/or impersonate one of the parties
  • A network requires a large number of keys

Asymmetric

  • Around 1000 times slower than symmetric
  • Vulnerability to a “man-in-the-middle” attack, where the public key is intercepted and altered

Due to the time length associated with asymmetric, many real-world systems utilize combination of the two, where the secret key used in the symmetric encryption is itself encrypted with asymmetric encryption, and sent over an insecure channel.Then, the rest of the data is encrypted using symmetric encryption and sent over the insecure channel in the encrypted format. The receiver gets the asymmetrically encrypted key and decrypts it with his private key. Once the receiver has the symmetric key, it can be used to decrypt the symmetrically encrypted message. This is a type of key exchange.

Note that the man in the middle vulnerability can be easily addressed by employing the other pillar of security; namely authentication. Crypto engine devices with hardware key storage, most notably Atmel’s CrypotoAuthentication, have been designed specifically to address all three pillars of security in an easy to design and cost-effective manner. Ready to secure your next design? Get started here.

Symmetric vs. Asymmetric Encryption: Which Way is Better?

14 Replies

There are two fundamental ways to use keys or secrets for encryption:symmetric and asymmetric.  Symmetric encryption uses the identical key to both encrypt and decrypt the data.  Symmetric key algorithms are much faster computationally than asymmetric algorithms as the encryption process is less complicated.  The length of the key size is critical for the strength of the security.  NIST has recommendations on how long a key should be– in general, 160-512 bits.   There are inherent challenges with symmetric key encryption in that the key must somehow be managed.  Distributing a shared key is a major security risk.

symmetric encryption

symmetric encryption

Asymmetric encryption uses two related keys (public and private) for data encryption and decryption, and takes away the security risk of key sharing.  The private key is never exposed.  A message that is encrypted by using the public key can only be decrypted by applying the same algorithm and using the matching private key.   Likewise, a message that is encrypted by using the private key can only be decrypted by using the matching public key.

Asymmetric Encryption

Asymmetric Encryption

Are you building out for secure devices to protect your engineering designs and secure any potential hacking in your product? Receive a FREE Atmel CryptoAuthentication development tool?

This blog was written by Steve Jarmusz, Atmel Applications Manager for Crypto, Memory and Analog Devices.