Wi-Fi is a Passion


Overview - Encryption

In my first security study blog, Security Overview, I explained why encryption is important. In quick review, wireless transmits in the open air and without encryption all the data is plain text and able to read by everybody with the right tools. There are some terminologies that are used for data encryption that need to be explained.
Cipher: This is an algorithm that is used for encryption.
Encryption: The process to convert plain text into cipher text.
Decryption: The process to convert cipher text into plain text.
Cipher text: The text that is encrypted.
Plain text: The text that is not encrypted.
Code: Representing information in another way.
Cryptology: This is a technique that is needed to encrypt and decrypt the information.
Cryptography: This is the science of concealing the plain text and revealing the cipher text.
Cryptanalysis: This is the science of decrypting without knowing the cipher that is used.

Symmetric / Asymmetric
There are two types of algorithms, symmetric and asymmetric. With symmetric algorithm, the key is used for encrypting and decrypting the data. With asymmetric algorithm, there is a key for encrypting and a key for decrypting. The key for decrypting is called a private key and stays on the device/server and will not send to the client. The public key (for encrypting) is sent to the client and the client uses this to encrypt the data and send it back to the server. The server uses the private key to decrypt the text that is encrypted with the public key. Both algorithms have advantages and disadvantages. Symmetric algorithm is faster and requires less computer processing, but since they use the same key for encrypting and decrypting, the key should be changed to be sure the communication stays secure. With asymmetric, the key for decrypting stays secret.

Stream Ciphers / Block Ciphers
To create the cipher text, the encrypted text, you need to add random information to the plain text. You can do this with stream ciphers or block ciphers. With stream ciphers, you are doing this on bit-by-bit basis. To the plain text a pseudorandom cipher bit will be added, this is called the keystream. Some information (seed) needs to be used to feed the cipher stream, after that the keystream can be generated. The keystream and the plain text will be merged together through an exclusive-OR (XOR) operation. When both input values are the same, the output of the XOR operation will be a ‘0.’ When both inputs are not the same, the output will be a ‘1.’ Legacy encryption method WEP is an example of this.

As the name already tells, block ciphers are based on blocks instead of bit-by-bit like stream ciphers. It takes a block of a fixed length from the plain text and generates a same size block as a cipher text. The block size is fixed but can be picked between 64 bits to 256 bits. A function will apply to this block, and this will repeat itself. A single function is called a round. Depending on the block cipher, the function/round can be repeated multiple times. The more rounds there are, the more secure it is, but as well this will affect the performance since it takes longer.

This is the only stream cipher that is used within the wireless world. Rivest Cipher or Ron’s Code was designed by Ron Rivest in 1987. In 1994, it was leaked and not a trade secret anymore. After RC4 was leaked, it was allowed to be used when you had the permission. There was an unofficial version that was allowed and is named ARC4 (ArcFour). ARC4 is the cipher for WEP and TKIP, but since this is a weak cipher it is a legacy cipher and shouldn’t be used.

In 1994, when RC4 was leaked, Ron Rivest came out with RC5. RC5 is a block cipher with variable block size, key size, and rounds. For block size you can pick 32, 64, or 128; for the key size, you can pick from a range of 0 to 2040 and for the number of rounds from 0 to 255. The created key table depends on the number of rounds. The key expansion routine expands by the user-provided key and that will fill the table. The table is used for encryption and decryptions since it is symmetric method.

Data Encryption Standard (DES) was created in 1970. Since 1976, DES is selected to be part of Federal Information Processing Standards (FIPS) for United States. The selection was done by the National Bureau of Standards (NBS), now known as National Institute of Standards and Technology (NIST). The key is only 56 bits, and that is considered small, and for those reasons, insecure. DES use 64 bit as block size and official 64 bits as key size, but 8 bits is used for checking parity. Every block has 16 rounds.

Triple Data Encryption Algorithm (TDEA) or Triple DES (3DES), published in 1998, is the enhanced version of DES. As the name says, it is built up from 3 DES keys with all three 64 bit keys (56 + 8 bits for the parity as mentioned above). It uses 48 rounds on every block.

There are three options. The first one is that all three keys are unique. This is the strongest. The second option is that the first and second keys are unique and the third is equal to the first. The last, and weakest, is all keys are the same. Key 1 is to encrypt, Key 2 for decrypting, and the third key is to encrypt the data, so in option 2 the keys that are the same do both encrypting.

Advanced Encryption Standard is the latest version and used within CCMP and GCMP. AES supports three key sizes: 128, 192, and 256 bits. As you can see, those are way higher than RC or DES key sizes. AES was selected by the NIST to become FIPS 197 in November 2001. AES is not only the cipher security for Wi-Fi, but also for IPSEC with VPN. AES was invented by two Belgium cryptographers named Vincent Rijmen and Joan Daemen and is called the Rijndael algorithm. The block size is a 4x4 array of bytes (128 bits). Based on the key size there are three different type of number of rounds: AES-128 uses 10 rounds, AES-192 uses 12 rounds, and AES-256 uses 14 rounds.