Encryption and Decryption

Windows CE 3.0

Encryption is the process of encoding data into cipher, a form unreadable without a decoding key. Decryption is the reverse process of converting encoded data to its original unencoded, plaintext, form. When a user encodes a file, another user cannot decode and read the file without the decryption key. Adding a digital signature, a form of personal authentication, ensures the integrity of the original message.

To encode plaintext, an encryption algorithm is applied to the data under an encryption key. To decode the cipher, a user must possess the appropriate decryption key: a random string of bits, from 40 through 2,000 bits in length, that drives the decryption algorithm. This decryption algorithm reverses the encryption algorithm, returning the data to plaintext. The longer the key, the harder the cipher is to decode without it; for a 40-bit key alone, over one trillion (2^40) possible decryption keys exist.

There are two primary approaches to encryption: symmetric and public-key. Symmetric encryption is the most common type of encryption and uses the same key for encoding and decoding data. This key is known as a session key. Public-key encryption uses two different keys, a public key and a private key. One key encodes the message and the other decodes it. The public key is widely distributed while the private key is secret.

Aside from key length and encryption approach, other factors affect the strength of a cryptographic system. For example, different cipher modes, combined with initialization vectors and salt values, modify how the encryption method is applied. Cipher modes define the method by which data is encrypted. A stream cipher encodes data one bit at a time; a block cipher encodes data one block at a time. Although a block cipher tends to execute more slowly than a stream cipher, it is more secure. Within block ciphers, there are four encryption modes: electronic codebook (ECB), cipher block chaining (CBC), cipher feedback mode (CFB), and output feedback mode (OFB). For more information on these modes, see Encrypting and Decrypting Data.

Initialization vectors are random numbers used as starting points when encoding data. Usually, initialization vectors have the same number of bits as the block size and do not require encryption. With initialization vectors, two identical plaintext messages can be encoded with the same key and result in two completely different cipher messages. This variation is accomplished by encrypting each plaintext message with a different initialization vector.

Salt values are most useful when large numbers of nearly identical packets are transmitted or stored under the same encryption key. Normally, two identical plaintext packets encode as two identical cipher packets. This tells an attacker that the packets are identical, so the packets could be attacked together. If the salt value is changed with every packet sent, however, a completely different cipher packet is generated even when the plaintext packets are the same. Salt values are random numbers and can be transmitted in plaintext form.
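The effect of cipher mode, initialization vector and per-packet randomization described in the preceding three paragraphs, shown as an added example that is not part of the original documentation. It uses a constructed toy block cipher (a keyed permutation with no cryptographic strength) in place of the ciphers a CryptoAPI provider supplies, together with constructed key, IV and packet values. Changing the IV per packet is used here to show the same effect the text attributes to a changing salt value: identical packets under one key no longer produce identical cipher packets.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLOCK 8  /* block size in bytes; an IV is one block, as the text describes */
/* Toy 8-byte block cipher, constructed for this example only: a keyed permutation
 * (so CBC can be undone) with no cryptographic strength. It stands in for the real
 * block ciphers that a CryptoAPI provider supplies. */
static void toy_encrypt_block(const uint8_t key[BLOCK], const uint8_t in[BLOCK], uint8_t out[BLOCK])
{
    uint8_t s[BLOCK], t[BLOCK];
    memcpy(s, in, BLOCK);
    for (int r = 0; r < 4; r++) {
        for (int i = 0; i < BLOCK; i++) t[i] = (uint8_t)((s[i] ^ key[i]) * 5 + 3 + r); /* key mix + affine map */
        for (int i = 0; i < BLOCK; i++) s[i] = t[(i + 1) % BLOCK];                     /* rotate left one byte */
    }
    memcpy(out, s, BLOCK);
}

static void toy_decrypt_block(const uint8_t key[BLOCK], const uint8_t in[BLOCK], uint8_t out[BLOCK])
{
    uint8_t s[BLOCK], t[BLOCK];
    memcpy(s, in, BLOCK);
    for (int r = 3; r >= 0; r--) {
        for (int i = 0; i < BLOCK; i++) t[i] = s[(i + BLOCK - 1) % BLOCK];             /* undo rotation */
        for (int i = 0; i < BLOCK; i++)                                                 /* 205 == 5^-1 mod 256 */
            s[i] = (uint8_t)((uint8_t)((uint8_t)(t[i] - 3 - r) * 205) ^ key[i]);
    }
    memcpy(out, s, BLOCK);
}

/* ECB: each block is encrypted independently, so equal plaintext blocks give equal cipher blocks. */
static void ecb_encrypt(const uint8_t key[BLOCK], const uint8_t *pt, uint8_t *ct, size_t nblocks)
{
    for (size_t b = 0; b < nblocks; b++) toy_encrypt_block(key, pt + b * BLOCK, ct + b * BLOCK);
}

/* CBC: each plaintext block is XORed with the previous cipher block (the IV for the first
 * block) before encryption, so repetition is masked and each IV gives different output. */
static void cbc_encrypt(const uint8_t key[BLOCK], const uint8_t iv[BLOCK], const uint8_t *pt, uint8_t *ct, size_t nblocks)
{
    uint8_t chain[BLOCK], x[BLOCK];
    memcpy(chain, iv, BLOCK);
    for (size_t b = 0; b < nblocks; b++) {
        for (int i = 0; i < BLOCK; i++) x[i] = (uint8_t)(pt[b * BLOCK + i] ^ chain[i]);
        toy_encrypt_block(key, x, ct + b * BLOCK);
        memcpy(chain, ct + b * BLOCK, BLOCK); /* this cipher block feeds the next */
    }
}

static void cbc_decrypt(const uint8_t key[BLOCK], const uint8_t iv[BLOCK], const uint8_t *ct, uint8_t *pt, size_t nblocks)
{
    uint8_t chain[BLOCK], x[BLOCK];
    memcpy(chain, iv, BLOCK);
    for (size_t b = 0; b < nblocks; b++) {
        toy_decrypt_block(key, ct + b * BLOCK, x);
        for (int i = 0; i < BLOCK; i++) pt[b * BLOCK + i] = (uint8_t)(x[i] ^ chain[i]);
        memcpy(chain, ct + b * BLOCK, BLOCK);
    }
}

/* Constructed sample data: a session key, two IVs (in practice drawn from a random
 * source) and a 3-block message whose first and third blocks repeat, like the
 * near-identical packets the text describes. */
static const uint8_t KEY[BLOCK] = {0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6};
static const uint8_t IV1[BLOCK] = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08};
static const uint8_t IV2[BLOCK] = {0xf1, 0xe2, 0xd3, 0xc4, 0xb5, 0xa6, 0x97, 0x88};
static const uint8_t *MSG = (const uint8_t *)"PACKET01payload!PACKET01";

int ecb_leaks_repetition(void)   /* 1 if ECB cipher blocks 0 and 2 are identical */
{
    uint8_t ct[3 * BLOCK];
    ecb_encrypt(KEY, MSG, ct, 3);
    return memcmp(ct, ct + 2 * BLOCK, BLOCK) == 0;
}

int cbc_hides_repetition(void)   /* 1 if CBC masks the repeat and a new IV changes the output */
{
    uint8_t c1[3 * BLOCK], c2[3 * BLOCK];
    cbc_encrypt(KEY, IV1, MSG, c1, 3);
    cbc_encrypt(KEY, IV2, MSG, c2, 3);
    return memcmp(c1, c1 + 2 * BLOCK, BLOCK) != 0 && memcmp(c1, c2, 3 * BLOCK) != 0;
}

int cbc_roundtrip(void)          /* 1 if decrypting with the same key and IV restores the message */
{
    uint8_t ct[3 * BLOCK], back[3 * BLOCK];
    cbc_encrypt(KEY, IV1, MSG, ct, 3);
    cbc_decrypt(KEY, IV1, ct, back, 3);
    return memcmp(back, MSG, 3 * BLOCK) == 0;
}

int main(void)
{
    printf("ecb_leaks=%d cbc_hides=%d cbc_roundtrip=%d\n", ecb_leaks_repetition(), cbc_hides_repetition(), cbc_roundtrip());
    return 0;
}
```

The ECB output repeats its first group in its third, exactly the pattern the text warns an attacker can see; under CBC the third group differs from the first, and a different IV changes every block of the output even though key and message are unchanged. In CryptoAPI the corresponding settings are key parameters (KP_MODE, KP_IV and KP_SALT, set with CryptSetKeyParam) rather than function arguments as in this toy.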

In addition to encrypting the data, a user can add a digital signature to the data, enabling another user to verify that the data has not been altered since the signature was applied. The identity of the user who signed the data can also be verified. A digital signature consists of a small amount of binary data, typically less than 256 bytes, and can be included with the signed message or stored separately, depending on the application.
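The sign-then-verify flow this paragraph describes, as an added example that is not part of the original documentation or of CryptoAPI. It is a toy RSA signature over a message digest: the key pair is derived from two fixed 16-bit primes (constructed, so all arithmetic fits in 64 bits) and FNV-1a stands in for the cryptographic hash a real provider would use, so it has no real strength. It does show the structure: the signature is a separate small value (4 bytes here), a valid one verifies with the public key, and any change to the message or to the signature is rejected.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy RSA signature scheme, constructed for this example only. */
typedef struct { uint64_t n, e; } toy_public_key;
typedef struct { uint64_t n, d; } toy_private_key;

/* FNV-1a 32-bit hash: the digest of the message that is actually signed.
 * A real scheme uses a cryptographic hash such as SHA-1. */
static uint32_t fnv1a32(const uint8_t *msg, size_t len)
{
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < len; i++) { h ^= msg[i]; h *= 16777619u; }
    return h;
}

static uint64_t mod_pow(uint64_t base, uint64_t exp, uint64_t mod)
{
    uint64_t result = 1 % mod;
    base %= mod;
    while (exp) {
        if (exp & 1) result = (result * base) % mod;  /* operands < 2^32, so no overflow */
        base = (base * base) % mod;
        exp >>= 1;
    }
    return result;
}

/* Extended Euclid: returns a^-1 mod m, or 0 if no inverse exists. */
static uint64_t mod_inverse(uint64_t a, uint64_t m)
{
    int64_t t = 0, new_t = 1, r = (int64_t)m, new_r = (int64_t)(a % m);
    while (new_r != 0) {
        int64_t q = r / new_r, tmp;
        tmp = t - q * new_t; t = new_t; new_t = tmp;
        tmp = r - q * new_r; r = new_r; new_r = tmp;
    }
    if (r != 1) return 0;
    return (uint64_t)(t < 0 ? t + (int64_t)m : t);
}

/* Derives a key pair from two fixed (constructed) primes: the private exponent d is
 * the inverse of the public exponent e modulo (p-1)(q-1). Returns 1 on success. */
static int toy_keygen(toy_public_key *pub, toy_private_key *priv)
{
    const uint64_t p = 65521, q = 65519, e = 65537;
    uint64_t phi = (p - 1) * (q - 1), d = mod_inverse(e, phi);
    if (d == 0) return 0;
    pub->n = priv->n = p * q; pub->e = e; priv->d = d;
    return 1;
}

/* Sign: hash the message, then raise the digest to the private exponent.
 * The result is the detached signature that travels with or apart from the message. */
static uint32_t toy_sign(const toy_private_key *priv, const uint8_t *msg, size_t len)
{
    return (uint32_t)mod_pow(fnv1a32(msg, len) % priv->n, priv->d, priv->n);
}

/* Verify: raise the signature to the public exponent and compare with a fresh hash
 * of the message. Returns 1 only if message and signature are both intact. */
static int toy_verify(const toy_public_key *pub, const uint8_t *msg, size_t len, uint32_t sig)
{
    return mod_pow(sig, pub->e, pub->n) == fnv1a32(msg, len) % pub->n;
}

/* Returns 1 if a valid signature verifies, an altered message is rejected and an
 * altered signature is rejected. The message is constructed for the example. */
int demo_signature(void)
{
    toy_public_key pub; toy_private_key priv;
    uint8_t msg[] = "Transfer 100 to account 42";
    uint8_t altered[sizeof msg];
    if (!toy_keygen(&pub, &priv)) return 0;
    uint32_t sig = toy_sign(&priv, msg, sizeof msg - 1);
    memcpy(altered, msg, sizeof msg); altered[9] = '9';   /* "100" becomes "900" */
    int ok_valid = toy_verify(&pub, msg, sizeof msg - 1, sig);
    int bad_msg  = toy_verify(&pub, altered, sizeof msg - 1, sig);
    int bad_sig  = toy_verify(&pub, msg, sizeof msg - 1, (uint32_t)((sig + 1) % pub.n));
    return ok_valid && !bad_msg && !bad_sig;
}

int main(void)
{
    printf("signature demo: %s\n", demo_signature() ? "all checks passed" : "FAILED");
    return 0;
}
```

Only the digest is signed, which is why the signature stays small regardless of message length, and only the public key is needed to verify, which is what lets a second user check both integrity and the signer's identity without holding the private key.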