When working in a company, it's important to be able to secure connections to ensure confidentiality and integrity, as well as to ensure that you are communicating with the right person or the right server.
For this, you will need to use encryption, as well as digital signatures (certificates).
Here is a short introduction to these notions of encryption and digital signatures (certificates).
When 2 peripherals (servers, computers, smartphones, ...) communicate via the network (including via the Internet), the data they transmit to each other is sent in the clear.
Which means anyone can see this data quite easily if they are on the same network or between devices (Man in the Middle (MITM)).
Worse, it means someone with bad intentions could potentially alter what was sent.
This person could therefore modify the message that someone sent you to modify the account number to which you must pay the money for a product that you have purchased, for example. Without you being able to know that the original message has been modified.
To avoid this problem, you must encrypt the data to be sent over the network.
To send data securely over the network, the sender must encrypt the data using an encryption algorithm (such as : DES, AES, ...) and an encryption key (symmetric or asymmetric), then send this encrypted data to the recipient.
Then, this recipient will have to use the same encryption algorithm, as well as the appropriate encryption key to be able to decrypt the data you sent to them.
This means that if an ill-intentioned person (thus not having the appropriate key) intercepts the data which has passed through the network, it will not be able to decrypt them (or very difficult).
Using encryption has several uses :
Thus, thanks to encryption, you can be sure :
Currently, encryption is used in many cases :
As explained previously, to encrypt data, you must use an encryption algorithm and a key.
However, to encrypt and decrypt data, it's possible to use symmetric or asymmetric encryption.
When using symmetric encryption, the key used to encrypt the data is the same key used to decrypt the data.
But, if you use asymmetric encryption, the key used to encrypt the data (private key) will be different from the one used to decrypt the data (public key).
Info : when you create your own certification authority, you are creating what is called a PKI.
Meaning : Public Key Infrastructure. It's therefore asymmetric encryption that will be mainly used by it.
When using a symmetric encryption algorithm, you will need to use a unique key that will be used to encrypt and decrypt the data.
In this case, the data will be encrypted in blocks.
Among the known symmetric encryption algorithms, you will find :
Important : this key must therefore :
Quick example :
In the example above, if a third party succeeds in recovering the data which has passed through the network, this person will not be able to decrypt the recovered data.
Indeed, it knows neither the algorithm nor the key used to decrypt the recovered data.
When using an asymmetric encryption algorithm (or public key encryption), you will need a pair of keys (a private key and a public key).
If we talk about asymmetric encryption, it's simply because the data is encrypted with one key and these can only be decrypted with the other key.
Important : as its name suggests, the private key must remain private (secret), unlike the public key which can be communicated to anyone.
Note that the private key and the public key are mathematically related.
Data that you encrypt with the public key can only be decrypted with the private key.
In the other direction, data encrypted with the private key can only be verified with the public key.
Among the known asymmetric encryption algorithms, you will find :
Quick example : Tom wants to send a message to Lionel :
Important : if the public key was sent via an unsecured network, Tom must ask Lionel if the public key he received is the correct one.
This ensures that the public key has not been modified by a hacker who has succeeded in intercepting it.
Following example : Lionel wishes to reply to Tom :
Microsoft recommends using RSA because DSA is less secure than RSA.
Also, Diffie-Hellman can only be used to generate keys.
With asymmetric encryption (or public key encryption), you can also create digital signatures.
These digital signatures (or certificates) will allow you to verify the identity of a sender (if their public key is reliable), as well as the integrity of the data.
Thanks to the sender's public key, the recipient can verify that the data received has indeed been sent by the right person (and not by a hacker trying to impersonate them).
To digitally sign a message, the sender must create a digest of their message.
For this, he will use a hashing algorithm and apply it to his message.
Then, the sender must encrypt this synthesis using his private key to create his own signature.
When the recipient receives the message and the signature linked to it, he must decrypt the signature using the sender's public key to recover the summary of the message received.
Then, the recipient hashes the digest of the received message using the same algorithm used by the sender.
If the summary of the message calculated by the recipient matches that conveyed by the sender, the recipient knows that the message was sent by the right person.
Note that a digital signature can be verified by anyone since the public key is obviously public.
This digital signature process therefore only verifies the identity of the sender of the data.
If you want the data sent not to be readable by anyone, you must also encrypt the data to be sent.
As explained earlier, to create a digital signature, the sender must use a hash algorithm.
Hash algorithms make it possible to obtain a binary value of fixed length from any binary value (text, file, ...).
When you hash a variable length value, you will always get a hash value with a fixed length.
This hash value is unique and will change if any bit or letter is changed in the source text.
With a hardened hash function, the hash value can change by up to 50% if even the smallest bit is changed in the hashed binary value.
Technically, hashing 2 different binary values will always result in 2 different hash values.
Although the risk of collision (2 binary values producing the same hash value) exists for older hashing algorithms, such as MD5. But this is very rare.
Note that for the sending of the message to be completely secure (confidentiality, integrity, authentication, ...), you must use a digital signature (a certificate) and encryption.
Important : MD5 and SHA-1 hashing algorithms have been detected as insecure. SHA-2 (which corresponds to SHA256, SHA384 and SHA512) is therefore recommended.
Moreover, Microsoft Edge blocks websites whose SSL certificate used with the HTTPS protocol uses a hash algorithm.
For data encryption to be as efficient as possible, it's important that the key or keys used for encryption are generated as randomly as possible.
Avoid using handwritten values such as "1234" or "mytoppassword" as an encryption key and instead use random values obtained from a random number generator.
Thus, it will be almost impossible to predict what was the output value of the random number generator used.
Windows Server 8/15/2014
Windows Server 9/22/2023
Windows Server 9/15/2023
Windows Server 9/29/2023
® InformatiWeb-Pro.net - InformatiWeb.net 2008-2022 - © Lionel Eppe - All rights reserved.
Total or partial reproduction of this site is prohibited and constitutes an infringement punishable by articles L.335-2 and following of the intellectual property Code.