When a file is encrypted, it is transformed from its original state into a secret representation. This can be done with all sorts of files, such as text, picture, or program files. Text or picture files are no longer viewable after encryption; program files are no longer executable after encryption. Encryption ensures that a third party has no access to the content or functionality of a file. To reverse this transformation, the file must be decrypted. The encryption process for files is either asymmetric or symmetric.
Asymmetric encryption
For asymmetric encryption, a pair of keys is required. This pair consists of a private and a public key. The private key is never handed out; the public key can be passed to all of your business partners. Business partners exchange their public keys. If a file is to be encrypted, the public key of the business partner is used. Then only this particular business partner is able to decrypt the encrypted file with his secret private key.
· Advantage: Since only the receiver can decrypt the files with his private key, the public key can be sent without danger to other recipients.
· Disadvantage: Asymmetric encryption is far more time-consuming, since the process (the algorithm) is very complex.
Symmetric encryption
Symmetric encryption uses only one key for encryption and decryption.
· Advantage: This procedure is far faster than the asymmetric process.
· Disadvantage: If the symmetric key is sent and intercepted by a third party, everybody who has this key can decrypt messages that were encrypted with it. Hence, it is also possible to decrypt a file, change it, and encrypt it again.
Password-based encryption uses symmetric encryption. The key used for encryption and decryption is the password used.
Hybrid encryption methods
The standard that Governikus DATA Boreum uses for encryption and decryption by certificate contains both methods. The file is first encrypted with the fast symmetric encryption. The required symmetric key is created by Governikus DATA Boreum. For each file that is to be encrypted, a new key is created. The symmetric key is then encrypted with the public key of the receiver and added to the encrypted file. The receiver uses his private key to decrypt the symmetric key and then uses the symmetric key to decrypt the file. If an encrypted file is to be sent to various recipients, the symmetric key is encrypted step by step with the public keys of all recipients. All resulting encrypted symmetric keys are then added to the encrypted file, so all recipients are able to decrypt the sent file. For the user of Governikus DATA Boreum this procedure is completely automated; only pressing the "Encrypt" button is required.
Note: For encryption, DATA Boreum always uses the AES-256-GCM cipher suite. The BSI (see BSI technical guideline TR-3116-4) and the IETF (see RFC 7525) recommend AES-256-GCM for symmetric encryption and SHA256 as digest algorithm and classify this cipher suite as secure.
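The hybrid procedure described above, sketched in Ruby with the standard openssl library: a new AES-256-GCM key per file, wrapped once for each recipient. This is an added example, not Governikus DATA Boreum's own code or file format; the Envelope layout, the function names and the use of RSA-OAEP for wrapping the symmetric key are assumptions, and the sample data is constructed.

```ruby
require "openssl"

# Hypothetical container, not DATA Boreum's file format: GCM nonce, tag and
# ciphertext plus one RSA-OAEP-wrapped copy of the file key per recipient.
Envelope = Struct.new(:nonce, :tag, :ciphertext, :wrapped_keys)
OAEP = OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING

# Encrypts data under a fresh AES-256-GCM key, then wraps that key for
# each recipient's RSA public key.
def hybrid_encrypt(data, recipient_public_keys)
  cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
  file_key = cipher.random_key # new symmetric key for every file
  nonce = cipher.random_iv     # 96-bit GCM nonce
  cipher.auth_data = ""        # no associated data in this sketch
  ciphertext = cipher.update(data) + cipher.final
  wrapped = recipient_public_keys.map { |pub| pub.public_encrypt(file_key, OAEP) }
  Envelope.new(nonce, cipher.auth_tag, ciphertext, wrapped)
end

# Unwraps the file key with the recipient's private key and decrypts.
# Raises OpenSSL::Cipher::CipherError if the ciphertext or tag was modified.
def hybrid_decrypt(env, private_key)
  lengths_ok = env.nonce.bytesize == 12 && env.tag.bytesize == 16
  raise ArgumentError, "bad nonce or tag length" unless lengths_ok
  env.wrapped_keys.each do |wrapped|
    file_key = begin
      private_key.private_decrypt(wrapped, OAEP)
    rescue OpenSSL::PKey::PKeyError
      next # this copy was wrapped for another recipient
    end
    next unless file_key.bytesize == 32
    cipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
    cipher.key = file_key
    cipher.iv = env.nonce
    cipher.auth_tag = env.tag
    cipher.auth_data = ""
    return cipher.update(env.ciphertext) + cipher.final
  end
  raise ArgumentError, "no wrapped key matches this private key"
end

if __FILE__ == $PROGRAM_NAME
  # Constructed demo: two recipients, each decrypts with their own private key.
  alice, bob = OpenSSL::PKey::RSA.new(2048), OpenSSL::PKey::RSA.new(2048)
  env = hybrid_encrypt("constructed sample file", [alice.public_key, bob.public_key])
  puts hybrid_decrypt(env, alice), hybrid_decrypt(env, bob)
end
```

Because GCM authenticates the ciphertext, a file that was changed after encryption fails the tag check on decryption instead of yielding altered plaintext.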