Forensic Cop Journal Volume 1(1), Sept 2009

http://forensiccop.blogspot.com

Symmetric and Asymmetric Cryptography in Brief Practice

by Muhammad Nuh Al-Azhar, CHFI
MSc in Forensic Informatics from the University of Strathclyde, UK
Forensic Investigator at Forensic Laboratory Centre of Indonesian National Police HQ.

Introduction

Since cryptography offers a tight security for people to encode their message to be
unreadable by third party, most people are interested in utilizing it in order to keep
their privacy. It is expected that unauthorised people cannot read it although they
can get access for it because as long as they do not have the encryption key, they
will not be able to open it unless they use decryption tools. However the tools have
limited ability depending on the types of cryptography and the key size. Such tools
can not generate decoding all encrypted message because they only work for certain
encryption types.
Based on this fact, criminals use cryptography to conceal essential information
related to their crime, so that police or forensic investigators cannot open and read it.
The crime perpetrators can use various types of cryptography and or strong level of
key size in order to encode more securely their message, therefore cryptography is
one of important concerns for forensic investigators on how to deal with it
appropriately in order to solve the crime. It has been common fact that the encrypted
message usually contains valuable information, so the forensic investigators are
required to extract it. For this task, they have two duties. The first one is to find out
files, partitions and emails which are being encrypted, and the second one is to try
decrypting it to be readable. This decrypted information might be useful for police to
investigate the crime.

Types of Cryptography
Simply cryptography converts a message from plain text to be ciphered text by using
a cryptographic algorithm such as DES (Data Encryption Standard), IDEA
(International Data Encryption Algorithm), Blowfish, AES (Advanced Encryption
Standard) and so on. Generally there are two types of cryptography algorithm,
namely symmetric and asymmetric. The clear and significant difference between
them is encryption key meaning only one key (i.e. private key) on symmetric and two
keys (public and private keys) on asymmetric. Below is the description of both.

Symmetric Cryptography
Initially people used cryptography with one key meaning the key used for encryption
is same as the key for decryption. It can be analogized with the door key in real
world because people use the same key for locking and unlocking the door. The key
in cryptography is mathematical function designed to convert a plain text data to be
cipher text data for encryption. With the same algorithm, the ciphered data can be
converted to be original text data.

1
Forensic Cop Journal Volume 1(1), Sept 2009
http://forensiccop.blogspot.com

To protect the access in using such algorithm for decrypting a ciphered data, it is
used a passphrase key controlling the operation of a cipher, so that the authorized
users having known the passphrase key can only perform decryption. It means that
although the type of cryptographic algorithm has been detected but the passphrase
key is still missing, so the ciphered data cannot be decrypted. This key made along
with the process of encryption has various key sizes depending on the types of
applied cryptography.
One of well known pioneer symmetric cryptographic algorithms is DES which is
based on 56-bit block size. It is considered weak at this time because it can be
broken by certain attacks such as brute force and cryptanalysis; therefore in 2002 it
was superseded by AES using three block ciphers of 128-bit with key sizes of 128,
192 and 256-bit as a cryptography algorithm standard in the US. The other
symmetric algorithms which are frequently used are Twofish with 128-bit block and
up to 256-bit key size, Blowfish with 64-bit block and various key size between 32
and 448 bits, Serpent with the block size of 128 bits providing 128, 192 or 256-bit
key size, CAST5 with 64-bit block size supporting 40 to 128-bit key size and Triple
DES which is combination of three 56-bit DES. The algorithms above can also be
applied with a combination of two or three algorithms in order to increase the security
of cryptography such as AES-Twofish, Serpent-AES and AES-Twofish-Serpent.
These combinations have been implemented by certain applications such as
TrueCrypt.

Nowadays the forms of using symmetric cryptography is varied and more interesting
with a nice Graphical User Interface (GUI) such as Remora USB Disk Guard in figure
1 and PixelCryptor using a picture as a bridge for encryption and decryption, so that
it attracts people to use it for their current needs on information security.

Figure 1
Remora USB Disk Guard protected by two types of passwords for logon and encryption/
decryption is designed for mobile encryption on USB storage device.

These applications are easy to use and offer challenges such as PixelCryptor which
cannot be used to decrypt an encrypted package if the linked picture as the image
key is missing or modified. To decrypt the encrypted package on PixelCryptor, it is
required the image key as well as passphrase key as shown in figure 2. Besides
those above, there are still symmetric cryptography applications using ordinary GUI
such as Kruptos using 128/256-bit key size of Blowfish, and Blowfish Advanced CS
offering various types of algorithm.

2
Forensic Cop Journal Volume 1(1), Sept 2009
http://forensiccop.blogspot.com

Figure 2
PixelCryptor uses an image file as a link to encrypted package as well as passphrase.

The other feature is encrypted volume which is used to store any files or folders to
be encrypted by putting it within the volume. Actually the volume is a file which can
be mounted as a virtual drive. The files and folders moved to the volume become
encrypted automatically, so that it gives an ease for the users to modify the
encrypted objects instantly as they want to. Once it is unmounted, all files or folders
within the volume will be encrypted and the virtual drive will disappear, on the other
hand if it is mounted, all files and folders within the volume will be decrypted. This
feature is delivered by TrueCrypt and LockDisk.

Asymmetric Cryptography
Since symmetric is considered as inflexible and insecure in sharing the encryption
key among the users, so the asymmetric cryptography is developed. Asymmetric
provides two different types of key, namely public key and private key. Public key is
designed to be shared to the other people for encrypting a plain text data to be
ciphered text data, whereas private key which must be kept securely by the owner is
used to decrypt ciphered text data to be plain text data.
This technique is considered secure because a user can distribute his public key to
anybody he wants without worrying to be intercepted by third party. Although the
encrypted data can be tapped by another people, they cannot decrypt it without
having the private key. Even the private key can be revoked if the owner considers
the key is stolen.
One of common usage of asymmetric cryptography is email. Since people need to
secure their email communication from interception by third party, the use of
asymmetric cryptography becomes frequent because it is more flexible and secure in
distributing public key to be shared to another people than symmetric cryptography.
The asymmetric cryptography algorithm which is often used in encrypted email is
PGP (Pretty Good Privacy) providing privacy, authentication and integrity checking
over generating public and private key and digital signature. For email encryption,
the plug in Enigmail providing OpenPGP can be used along with mail clients such as
Mozilla Thunderbird and SeaMonkey as security extension.

3
Forensic Cop Journal Volume 1(1), Sept 2009
http://forensiccop.blogspot.com

Figure 3
OpenPGP Enigmail within Mozilla Thunderbird generates key pairs for public key and private
key with RSA algorithm and 4096-bit key size.

OpenPGP Enigmail offers key pairs generation as shown in figure 3 with 4096-bit
RSA algorithm which is used widely in e-commerce protocols because it is accepted
as one of means providing strong security. It also provides key expiry from only 1
day to no expiry at all and revocation to terminate the private key in the case of it is
stolen or missing. Besides RSA, there are other algorithms such as DSA (Digital
Signature Algorithm) and El Gamal. DSA is used for digital signature, while EL
Gamal is asymmetric cryptography having three components namely key generator,
encryption and decryption algorithms.

Figure 4
The encrypted message created by OpenPGP Enigmail within Mozilla Thunderbird uses RSA
Algorithm with 4096-bit key size

Through short experiment, it shows that encryption and decryption using OpenPGP
Enigmail within Mozilla Thunderbird is quite easy to carry out and reliable for strong
security. In this experiment, a sender sends his public key to a recipient. After

4
Forensic Cop Journal Volume 1(1), Sept 2009
http://forensiccop.blogspot.com

obtaining a public key, recipient sends an encrypted message using sender’s public
key. The encrypted email will be then decrypted by the sender using his private key.
If it is intercepted when it is in transit over network, the interceptor will gain an
encrypted message as shown in figure 4. He needs sender’s private key to perform
decryption of the message as well as passphrase key. Both are required to perform
such decryption.

Conclusion
Both cryptography algorithms of symmetric and asymmetric are frequently used
nowadays, even by criminals; therefore forensic investigators should know about it
and how to deal with it properly. Although it is almos impossible to break a high level
of key/block size of an encrypted message, there is still possibility to obtain the
encrypted message. For instance when the suspected computer found is still
running. It is not necessary to turn off directly because probably there is still an
encrypted message or volume which has been decrypted. Even the only access an
encrypted drive is when it is running. It means that it is being decrypted.

Bibliography
Anson, S. and Bunting, S. (2007). Mastering Windows Network Forensics and
Investigation. Indianapolis: Wiley Publishing, Inc.
Carrier, B. (2005). File System Forensic Analysis. London: Addison – Wesley.
Casey, E. (2002). Practical Approaches to Recovering Encrypted Digital Evidence.
International Journal of Digital Evidence. 1 (3). Available:
http://www.utica.edu/academic/institutes/ecii/publications/articles/A04AF2FB-
BD97-C28C-7F9F4349043FD3A9.pdf. Last accessed 28 February 2009.
Casey, E. (2004). Digital Evidence and Computer Crime: Forensic Science,
Computers and the Internet. 2nd edition. London: Elsevier Academic Press.
Casey, E. (2008). The Impact Of Full Disk Encryption On Digital Forensics. ACM
SIGOPS Operating System Review. 42 (3). Available:
http://portal.acm.org/ft_gateway.cfm?id=1368519&type=pdf&coll=G
UIDE&dl=GUIDE&CFID=24053605CFTOKEN=64412596. Last
accessed 28 February 2009.
CE-Infosys. (2008). Free CompuSec version 5.2 User Manual. Available:
http://www.ce-infosys.com/ftp/cei/FREE_CompuSec_Handbook.zip. Last
accessed 6 April 2009.
Code Gazer. (2008). PixelCryptor. Available:
http://www.codegazer.com/pixelcryptor/. Last accessed 7 April 2009.
Huber, U. and Sadeghi, A-R. (2006). A Generic Transformation from Symmetric to
Asymmetric Broadcast Encryption. Bochum: Ruhr-Universitat. Available:
http://www.springerlink.com/content/50023w6877036027/fulltext.pdf. Last
accessed 22 February 2009.
Katz, J. (2004). Cryptography. In: Tucker, A. B. (ed). Computer Science Handbook.
2nd edition. Florida: Chapman & Hall/CRC. p210-232.

5
Forensic Cop Journal Volume 1(1), Sept 2009
http://forensiccop.blogspot.com

Klonsoft. (2009). Klonsoft LockDisk 3.0 for Windows. Available:

http://www.klonsoft.com/lockdisk/. Last accessed 7 April 2009.
Kolb, L. J. (2001). Blowfish Advanced CS Version 2.I2.00.0II. Available:
http://www.lassekolb.info/bfacs.pdf. Last accessed 7 April 2009.
Mandia, K., Prosise, C. and Pepe, M. (2003). Incident Response & Computer
Forensics. 2nd edition. London: McGraw-Hill/Osborne.
Marcella, A. J. and Greenfield, R. S. (2002). Cyber Forensics – A Field Manual for
Collecting, Examining, and Preserving Evidence of Computer Crimes.
London: Auerbach Publications.
Microsoft. (2007). 2007 Microsoft Office System Document Encryption. Available:
http://download.microsoft.com/download/6/7/f/67f1ff44-f1c9-4fae-a451-
4e803f7b727e/2007_Office_DocEncryption.docx. Last accessed 6 April 2009.
Mohay, G., Anderson, A., Collie, B., de Vel, O. and McKemmish, R. (2003).
Computer and Intrusion Forensics. London: Artech House.
Moller, B. (2004). A Public-Key Encryption Scheme with Pseudo-random
Ciphertexts. Berkeley: University of California. Available:
http://www.springerlink.com/content/2m9ukr0uqwke7nu4/fulltext.pdf. Last
accessed 22 February 2009.
O'Connor, L. and Klapper, A. (1994). Algebraic nonlinearity and its applications to
cryptography. Journal of Cryptology. 7 (4). Available:
http://www.springerlink.com/content/h3158k76g3207h28/fulltext.pdf. Last
accessed 22 February 2009.
Passware. (2008). Passware Encryption Analyzer Professional v.1.0. Available:
http://www.lostpassword.com/pdf/EncryptionAnalyzer_datasheet.pdf. Last
accessed 7 April 2009.
Sammers, T. and Jenkinson, B. (2007). Forensic Computing. 2nd edition. London:
Springer.
Seagate. (2007). Seagate DriveTrust™ Technology Enables Robust Security Within
the Hard Drive. Available:
http://www.seagate.com/docs/pdf/whitepaper/TP565_DriveTrustOverview_Oct
06.pdf. Last accessed 6 April 2009.
Stephenson, P. (2000). Investigating Computer-Related Crime. London: CRC Press.
The Enigmail Project. (2009). A Simple Interface for OpenPGP Email Security.
Available: http://enigmail.mozdev.org/home/index.php. Last accessed 7 April
2009.
TrueCrypt. (2008). TrueCrypt – Free Open Source Disk Encryption Software.
Available: http://www.truecrypt.org/docs/. Last accessed 7 April 2009.
Ye, D. (2001). Decomposing Attacks on Asymmetric Cryptography Based on
Mapping Compositions. Journal of Cryptology. 14 (2). Available:
http://www.springerlink.com/content/efbjfqeempmfg7lr/fulltext.pdf. Last
accessed 22 February 2009.