### 要約

This installment is part of a series of application notes on cryptography. It is designed to be a quick study guide for a product development engineer and takes an engineering rather than theoretical approach. In this segment, we'll discuss the fundamental concepts behind modern cryptography. A similar version of this application note originally appeared on April 16, 2020, on Electronic Design.

### Cryptographic Keys

Keeping cryptographic applications secure relies upon symmetric keys and private keys that are continually kept secret. The method used to keep them secret is also protected.

Asymmetric keys and symmetric keys are two basic types of algorithms that are used in modern cryptography. Asymmetric key algorithms use a combination of private and public keys while symmetric algorithms use only private ones, commonly referred to as secret keys. Table 1 provides a snapshot of the main features of each algorithmic method.

Security Services and Feature Implementation | Algorithm Method | |

Symmetric Key | Asymmetric Key | |

Confidentiality | Yes | Yes |

Identification and Authentication |
Yes | Yes |

Integrity | Yes | Yes |

Non-repudiation | Yes, combined with a public/private key algorithm | Yes |

Encryption | Yes, Fast | Yes, Slow |

Decryption | Yes, Fast | Yes, Slow |

Overall Security | High | High |

Key Management | Key exchange and securing the key on both the sender and recipient side is needed | Securing each private key on both the sender and recipient's side is needed |

Algorithm Complexity | Easy to understand | Can be difficult to understand |

Key Size | 128 bits, 192 bits, or 256 bits or longer but do not need to be as long as the asymmetric key (depends on secrecy of keys) |
256 bits, 1024 bits, 2048 bits, 3072 bits or longer. Depends on the intractability (the amount of time and resources needed to be solved). |

System Vulnerabilities | Improper key management, generation and usage |
Improper implementation |

Attack Approaches | Brute force, linear/differential cryptanalysis | Brute force, linear/differential cryptanalysis and Oracle |

Let’s take a look at how we can achieve each of the cryptographic goals using these two types of algorithms.

### Confidentiality Using Symmetric Key Algorithms

The main goal of confidentiality is to keep information away from all who are not privy to it. In a symmetric key cryptographic system, this is very straightforward and is achieved by encrypting the data that is exchanged between the sender and the recipient. Both the sender and the recipient have access to the same secret key that is used to encrypt and decrypt the exchanged message, as shown in Figure 1.

As long as the key is secured and only the sender and the recipient have access to the encryption/decryption key, no one else can receive the transmitted message even if it is intercepted mid-transmission. Thus, the message stays “confidential.”

### Confidentiality Using Asymmetric Key Algorithm

In an asymmetric key system, the recipient freely distributes her/his public key. The sender acquires the public key and verifies the authenticity of it. There are a few steps, as shown in Figure 2, that are required to accomplish this. To keep things simple, let’s assume that the sender has access to the verified public key of the recipient. The sender then uses that public key to encrypt the message and sends it to the recipient.

The recipient’s public key is mathematically related to the recipient’s private key. The sender, and anyone else for that matter, doesn’t have access to the recipient’s private key. Once the recipient receives the message, the private key is used to decrypt the message. The recipient’s private key is the only one that can be used to decrypt the message that was encrypted with the related public key. Since the private key only resides with the recipient, another person or organization can’t decrypt the sent message. Thus, the message stays “confidential.”

### Identification and Authentication Using Symmetric Key Algorithm

The goal of identification and authentication is to first identify an object or a user and then authenticate them so we know that we are communicating with someone that we really meant to communicate with.

How is this achieved using a symmetric key scheme? Figure 3 shows a simple example of the symmetric key identification and authentication process. Review Steps 1 to 6 for a better understanding. Step 4 uses a concept called the “digest.” A digest or hash is a fixed-length value that is computed over a large data set.

#### Why Do We Need a “Nonce”?

An imposter could gain possession of the last digest transmitted by the recipient and then issue an “authenticate me” with that digest. These types of attacks are called “replay attacks,” i.e., a resend of a previously used digest. The use of a “nonce” or a single-use random number for authentication prevents such attacks. In this case, the authentication will fail, since for each authentication, the sender requires a new digest with a brand-new nonce number. These numbers are usually generated using an approved random number generator.

Now let’s investigate a real-life example of identification and authentication using the SHA3-256 algorithm.

### Identification and Authentication Using the SHA-3 Algorithm

Figure 4 shows a more complete example of the symmetric key identification and authentication process. This uses the SHA-3 symmetric key algorithm, which is the latest in the Secure Hash Algorithm (SHA) family. Maxim Integrated is the first to have a SHA3-256 secure authentication device in production. Review Steps 1 to 6 in the diagram to better understand the process. The “random number” in Figure 4 is basically the “nonce” needed to prevent replay attacks as discussed in the simple example in a section earlier.

### Identification and Authentication Using Asymmetric Key Algorithm

As mentioned, the goal for identification and authentication is to first identify an object or a user and then authenticate them so that we know we are communicating with someone that we really meant to communicate with.

How is this achieved using an asymmetric key scheme? Figure 5 shows a simple example of the symmetric key identification and authentication process. Review Steps 1 to 6 in the diagram to understand the process.

#### Why Do We Need a Nonce?

An imposter could obtain the last signature transmitted by the recipient and then issue an “authenticate me” with that signature. These types of attacks are called “replay attacks” i.e., a resend of a previously used signature. The use of a nonce or single-use random number for authentication prevents such attacks. In this case, the authentication will fail, since the sender requires a new signature with a brand-new nonce number for each authentication. These numbers are usually generated using an approved random number generator.

Now let’s investigate a real-life example of identification and authentication using the Elliptic Curve Digital Signature Algorithm (ECDSA) algorithm.

### Identification and Authentication Using the ECDSA Algorithm

Figure 6 shows a more complete example of the asymmetric key identification and authentication process using the ECDSA asymmetric key algorithm. Steps 1 to 6 in the diagram can help you better understand the process.

Although this method completes the device authentication, it doesn’t cover the complete system authentication process. This includes verification that the recipient is part of the system and the required verification of the device digital certificates.

### Comparing Cryptographic Algorithms

Figure 7 shows a side-by-side comparison of key usage for symmetric and asymmetric key algorithms. Before we go into the next topic, we need to understand the differences between the following two concepts:

- Secure hash
- HMAC (hashed message authentication code)

Figure 8 illustrates the differences between HMAC and secure hash. Essentially, secure hash uses a hashing algorithm, such as SHA-3, to produce a fixed-length hash of the message regardless of the message length. HMAC is similar but uses a key as an additional input to the hashing engine. It also produces a fixed-length hash regardless of the input message length.

### Preserving Integrity Using Symmetric Key Algorithms

The goal of preserving the integrity of a message is to ensure that any message received, or any new device being connected, is not carrying unwanted code or information. Let’s look at an example of how this can be achieved using a symmetric key algorithm such as SHA-3. Later, we’ll review the specifics of how these algorithms work.

In Figure 9, the sender calculates the digest of a message by using a specific key. As this is a symmetric key scheme, this key is shared between the sender and the recipient. The digest or hash that is generated using a key is called an HMAC (hash-based message authentication code).

This is generated by feeding the message and the key to the SHA-3 engine. The resultant HMAC and message is then sent to the recipient. The recipient then generates her own HMAC using the key she has. The two HMACs are then compared and, if they match, the message has not been tampered with. In this scenario, someone could intercept both the HMAC and the message and then alter the message and generate a new HMAC and send it to the recipient. This will not work, however, since the interceptor will not have the recipient’s secret key and the HMACs will not match.

### Preserving Integrity Using Asymmetric Key Algorithms

The goal of preserving the integrity of a message is to ensure that any message received, or any new device being connected is not carrying unwanted code or information. Let’s look at an example of how this is achieved using an asymmetric key algorithm such as ECDSA (Elliptic Curve Digital Signature Algorithm).

The basic idea behind this is that the sender signs a message with a digital signature and the recipient verifies the signature, to be assured of the received message’s integrity.

In Figure 10, the sender calculates the digest of a message by feeding the message to a SHA-2 hashing engine. As this is an asymmetric key scheme, this key is not shared between the sender and the recipient. The sender has a private key that is never shared, and the recipient has a public key that can be shared with many people and vice versa, unlike the symmetric key algorithm the digest/hash that is generated doesn’t use a key.

The generated digest is then fed to the ECDSA engine along with the sender’s private key to generate a digital signature of the message. This signature, along with the message, is sent to the recipient. This completes the signing process for the sent message.

Now that the recipient has received the message and the digital signature from the sender, she can start the verification process. This process consists of two distinct steps:

Step 1: The recipient computes a message digest from the received message.

Step 2: This newly computed digest, the received digital signature from the sender, along with the sender’s public key are then fed into the ECDSA engine for verification.

During the verification process, the ECDSA engine produces a “yes” or a “no” result. If the result is a “yes,” then the message integrity has been preserved. If the result is a “no,” the message integrity has been compromised.

### Non-Repudiation Using Asymmetric Key Algorithms

A message signed by a digital signature from the sender can be used to prove that the message was sent by the sender and that the message was unaltered. However, a digital signature cannot prove the identity of the sender. Proof of identity is achieved by using a digital certificate. Figures 11 through 14 show the complete steps needed to achieve a complete public key system where messages exchanged cannot be repudiated by either party.

The main idea is that both the sender and recipient need to prove their identity to one another, and their respective public keys need to be proven authentic by a trusted third party.

Why is it so important to use a digital certificate? Without it, someone pretending to be the sender (i.e., an imposter) could send a message encrypted with the recipient’s public key along with a digital signature signed with the imposter’s private key. The imposter would then send the recipient his/her made-up public key. The recipient would then use that public key to verify the digital signature and everything would be validated. But the message from the imposter may have malicious information that the recipient will never suspect. This is the issue that can be avoided by using a digital certificate that verifies that the public key received did indeed belong to the sender and not some imposter.

Maxim Integrated has a wide variety of symmetric and asymmetric key based hardware authenticators that can be used to accomplish all the concepts discussed in this chapter. Watch for other segments in our series of cryptography application notes to continue deepening your understanding of this important security technique.