En­cryp­tion methods

The number of steps by which the char­ac­ters are moved counts as the key in this type of en­cryp­tion. This isn’t given as a number, but instead as the cor­re­spond­ing letter in the alphabet. A shift by three digits uses “C” as its key.

While the principle behind the Caesar cipher is rel­a­tive­ly simple, today’s ciphers are based on much a more complex math­e­mat­i­cal process, called an algorithm, several of which combine together various different sub­sti­tu­tions and trans­mu­ta­tions using keys in the form of passwords or binary codes as their pa­ra­me­ters. These methods are much more difficult for crypto-analysts (code-crackers) to decipher. Many es­tab­lished cryp­tosys­tems created using modern means are con­sid­ered un­crack­able.

An en­cryp­tion method is formed from two basic com­po­nents: a cryp­to­graph­ic algorithm and at least one cipher key. While the algorithm describes the en­cryp­tion method (for example, “move each letter along the order of the alphabet”), the key provide the pa­ra­me­ters (“C = Three steps”). An en­cryp­tion can therefore be described as a method by which plaintext and a key are passed through a cryp­to­graph­ic algorithm, and a secret text is produced.

Modern cipher methods use digital keys in the form of bit sequences. An essential criteria for the security of the en­cryp­tion is the key length in bits. This specifies the log­a­rith­mic units for the number of possible key com­bi­na­tions. It is also referred to in such as case as key space. The bigger the key space, the more resilient the en­cryp­tion will be against brute force attacks – a cracking method based on testing all possible com­bi­na­tions.

To explain brute force attacks, we’ll use the Caesar cipher as an example. Its key space is 25 – which cor­re­sponds to a key length of less than 5 bits. A code-cracker only needs to try 25 com­bi­na­tions in order to decipher the plaintext, so en­cryp­tion using the Caesar cipher doesn’t con­sti­tute a serious obstacle. Modern en­cryp­tion methods, on the other hand, use keys which can provide sig­nif­i­cant­ly more defense. The Advanced En­cryp­tion Standard (AES), for example, offers the pos­si­bil­i­ty to select key lengths of either 128, 192, or 256 bits. The key length of this method is ac­cord­ing­ly large, as a result.

Even with 128-bit en­cryp­tion, 2¹²⁸ con­di­tions can be mapped. These cor­re­spond to more than 240 sex­til­lion possible key com­bi­na­tions. If AES works with 256 bits, the number of possible key is more than 115 quat­tuorvig­in­til­lion (or 10⁷⁵). Even with the ap­pro­pri­ate technical equipment, it would take an eternity to try out all of the possible com­bi­na­tions. With today’s tech­nol­o­gy, brute force attacks on the AES key length are simply not practical. According to the EE Times, it would take a su­per­com­put­er 1 billion billion years to crack a 128-bit AES key, which is more than the age of the universe.

Because of the long key lengths, brute force attacks against modern en­cryp­tion methods are no longer a threat. Instead, code-crackers look for weak­ness­es in the algorithm that make it possible to reduce the com­pu­ta­tion time for de­crypt­ing the encrypted data. Another approach is focused on so-called side channel attacks that target the im­ple­men­ta­tion of a cryp­tosys­tem in a device or software. The secrecy of an en­cryp­tion process is rather coun­ter­pro­duc­tive for its security.

According to Ker­ck­hoffs’ principle, the security of a cryp­tosys­tem is not based on the secrecy of the algorithm, but on the key. As early as 1883, Auguste Ker­ck­hoffs for­mu­lat­ed one of the prin­ci­ples of modern cryp­tog­ra­phy: To encrypt a plaintext reliably, all you really need is to do is provide a well-known math­e­mat­i­cal method with secret pa­ra­me­ters. This theory remains basically unchanged today.

Like many other areas of software en­gi­neer­ing, the de­vel­op­ment of en­cryp­tion mech­a­nisms is based on the as­sump­tion that open source doesn’t com­pro­mise the security. Instead, by con­sis­tent­ly applying Ker­ck­hoffs’ principle, errors in the cryp­to­graph­ic algorithm can be dis­cov­ered quickly, since methods which hope to be adequate have to hold their own in the critical eyes of the pro­fes­sion­al world.

Users who want to encrypt or unencrypt files generally don’t come into contact with keys, but instead use a more man­age­able sequence: a password. Secure passwords have between 8 and 12 char­ac­ters, use a com­bi­na­tion of letters, numbers, and special char­ac­ters, and have a decisive advantage over bit sequences: People can remember passwords without requiring much effort.

As a key, though, passwords aren’t suitable for en­cryp­tion because of their short length. Many en­cryp­tion methods then include an in­ter­me­di­ate step where passwords of any length are converted into a fixed bit sequence cor­re­spond­ing to the cryp­tosys­tem in use. There are also methods that randomly generate keys within the scope of the technical pos­si­bil­i­ties.

A popular method of creating keys from passwords is PBKDF2 (Password- Based Key De­riva­tion Function 2). In this method, passwords are sup­ple­ment­ed by a pseudo-random string, called the salt value, and then mapped to a bit sequence of the desired length using cryp­to­graph­ic hash functions.

Hash functions are collision-proof one-way functions – cal­cu­la­tions which are rel­a­tive­ly easy to carry out, but take a con­sid­er­able effort to be reversed. In cryp­tog­ra­phy, a method is con­sid­ered secure when different hashes are assigned to different documents. Passwords that are converted into keys using a one-way function can only be re­con­struct­ed with con­sid­er­able com­pu­ta­tion­al effort. This is similar to searching in a phone book: While it’s easy to search for the phone number matching a given name, searching for a name using only a telephone number can be an im­pos­si­ble attempt.

In the framework of PBKDF2, the math­e­mat­i­cal cal­cu­la­tion is carried out in several it­er­a­tions (rep­e­ti­tions) in order to protect the key that’s been generated against brute force attacks. The salt value increases the re­con­struc­tion effort of a password on the basis of rainbow tables. A rainbow table is an attack pattern used by code-crackers to close out stored hash values to an unknown password.

Other password hashing methods are scrypt, bcrypt, and LM-Hash, however the later is con­sid­ered outdated and unsafe.

A central problem of cryp­tol­ogy is the question of how in­for­ma­tion can be encrypted in one place and decrypted in another. Even Julius Caesar was faced with the problem of key dis­tri­b­u­tion. If he wanted to send an encrypted message from Rome to the Germanic front, he had to make sure that whoever was going to receive it would be able to decipher the secret message. The only solution: The messenger had to transmit not only the secret message, but also the key. But how to transfer the key without running the risk of it falling into the wrong hands?

The same question keeps cryp­tol­o­gists busy today as they try to transfer encrypted data over the internet. Suggested solutions are in­cor­po­rat­ed in the de­vel­op­ment of various cryp­tosys­tems and key exchange protocols. The key dis­tri­b­u­tion problem of symmetric cryp­tosys­tems can be regarded as the main mo­ti­va­tion for the de­vel­op­ment of asym­met­ric en­cryp­tion methods.

In modern cryp­tol­ogy, a dis­tinc­tion is made between symmetric and asym­met­ric en­cryp­tion methods. This clas­si­fi­ca­tion is based on key handling.

With symmetric cryp­tosys­tems, the same key is used both for the en­cryp­tion and the de­cryp­tion of coded data. If two com­mu­ni­cat­ing parties want to exchange encrypted data, they also need to find a way to secretly transmit the shared key. With asym­met­ric cryp­tosys­tems on the other hand, every partner in the com­mu­ni­ca­tion generates their own pair of key: a public key and a private key.

When symmetric and asym­met­ric en­cryp­tion methods are used in com­bi­na­tion, it’s called a hybrid method.

Since the 1970s, en­cryp­tions of in­for­ma­tion have been based on symmetric cryp­tosys­tems whose origins lie in ancient methods like the Caesar cipher. The main principle of symmetric en­cryp­tion is that en­cryp­tion and de­cryp­tion are done using the same key. If two parties want to com­mu­ni­cate via en­cryp­tion, both the sender and the receiver need to have copies of the same key. To protect encrypted in­for­ma­tion from being accessed by third parties, the symmetric key is kept secret. This is referred to as a private key method.

While classic symmetric en­cryp­tion methods work on the letter level to rewrite the plaintext into its secret version, ciphering is carried out on computer-supported cryp­tosys­tems at the bit level. So a dis­tinc­tion is made here between stream ciphers and block ciphers.

• Stream ciphers: Each character or bit of the plaintext is linked to a character or bit of the keystream that is trans­lat­ed into a ciphered output character.

• Block ciphers: The char­ac­ters or bits to be encrypted are combined into fixed-length blocks and mapped to a fixed-length cipher.

Popular en­cryp­tion methods for symmetric cryp­tosys­tems are rel­a­tive­ly simple op­er­a­tions such as sub­sti­tu­tion and trans­po­si­tion that are combined in modern methods and applied to the plaintext in several suc­ces­sive rounds (it­er­a­tions). Additions, mul­ti­pli­ca­tions, modular arith­metic, and XOR op­er­a­tions are also in­cor­po­rat­ed into modern symmetric en­cryp­tion al­go­rithms.

Well-known symmetric en­cryp­tion methods include the now-outdated Data En­cryp­tion Standard (DES) and its successor, the Advanced En­cryp­tion Standard (AES).

The de­ci­pher­ing of DES encrypted secret texts follows the same scheme, but in the reverse order.

A major criticism of DES is the small key length of 56 bits results in com­par­a­tive­ly small key space. This length can no longer withstand the brute force attacks that are available with today’s computing power. The method of key per­mu­ta­tion, which generates 16 nearly identical round key, is con­sid­ered too weak.

A variant of DES was developed with Triple-DES (3DES), where the en­cryp­tion method runs in three suc­ces­sive rounds. But the effective key length of 3DES is still only 112 bits, which remains below today’s minimum standard of 128 bits. Ad­di­tion­al­ly, 3DES is also more computer-intensive than DES.

The Data En­cryp­tion Standard has therefore largely been replaced. The Advanced En­cryp­tion Standard algorithm has taken over as its successor, and is also a symmetric en­cryp­tion.

In the 1990s, it became apparent that DES, the most commonly used en­cryp­tion standard, was no longer tech­no­log­i­cal­ly up to date. A new en­cryp­tion standard was needed. As its re­place­ment, de­vel­op­ers Vincent Rijmen and Joan Daemen es­tab­lished the Rijndael Algorithm (pro­nounced “Rain-dahl”) – a method that, due to its security, flex­i­bil­i­ty, and per­for­mance, was im­ple­ment­ed as a public tender and certified by NIST as the Advanced En­cryp­tion Standard (AES) at the end of 2000. AES also divides the encrypted plaintext into blocks, so the system is based on block en­cryp­tion just like DES. The standard supports 128, 192, and 256 bit keys. But instead of 64-bit blocks, AES uses sig­nif­i­cant­ly larger 128-bit blocks, which are encrypted using a sub­sti­tu­tion per­mu­ta­tion network (SPN) in several suc­ces­sive rounds. The DES-successor also uses a new round key for each en­cryp­tion round, which is derived re­cur­sive­ly from the output key and is linked with the data block to be encrypted using XOR. The en­cryp­tion process is divided into roughly four steps: 1. Key expansion: AES, like DES, uses a new round key for every en­cryp­tion loop. This is derived from the output key via recursion. In the process, the length of the output key is also expanded to make it possible to map the required number of 128-bit round keys. Every round key is based on a partial section of the expanded output key. The number of required round keys is equal to the number of rounds (R), including the key round, plus a round key for the pre­lim­i­nary round (number of keys = R + 1). 2. Pre­lim­i­nary round: In the pre­lim­i­nary round, the 128-bit input block is trans­ferred to a two-di­men­sion­al table (Array) and linked to the first round key using XOR (KeyAd­di­tion). The table is made up of four rows and four columns. Each cell contains one byte (8 bits) of the block to be encrypted. 3. En­cryp­tion rounds: The number of en­cryp­tion rounds depends on the key length used: 10 rounds for AES128, 12 rounds for AES192, and 14 rounds for AES256. Each en­cryp­tion round uses the following op­er­a­tions:

• SubBytes: SubBytes is a monoal­pha­bet­ic sub­sti­tu­tion. Each byte in the block to be encrypted is replaced by an equiv­a­lent using an S-box.

• ShiftRows: In the ShiftRow trans­for­ma­tion, bytes in the array cells (see pre­lim­i­nary round) are shifted con­tin­u­al­ly to the left.

• Mix­Columns: With Mix­Columns, the AES algorithm uses a trans­for­ma­tion whereby the data is mixed within the array columns. This step is based on a re­cal­cu­la­tion of each in­di­vid­ual cell. To do this, the columns of the array are subjected to a matrix mul­ti­pli­ca­tion and the results are linked using XOR.

• KeyAd­di­tion: At the end of each en­cryp­tion round, another KeyAd­di­tion takes place. This, just like the pre­lim­i­nary round, is based on an XOR link of the data block with the current round key.

4. Key round: The key round is the last en­cryp­tion round. Unlike the previous rounds, it doesn’t include MixColumn trans­for­ma­tions, and so only includes the SubBytes, ShiftRows, and KeyAd­di­tion op­er­a­tions. The result of the final round is the ci­pher­text. The en­cryp­tion of AES-ciphered data is based on the in­vest­ment of the en­cryp­tion algorithm. This refers to not only the sequence of the steps, but also the op­er­a­tions ShiftRow, Mix­Columns, and SubBytes, whose di­rec­tions are reversed as well. AES is certified for providing a high level of  security as a result of its algorithm. Even today, there have been no known practical relevance attacks. Brute force attacks are in­ef­fi­cient against the key length of at least 128 bits. Op­er­a­tions such as ShiftRows and Mix­Columns also ensure optimal mixing of the bits: As a result, each bit depends on a key. The cryp­tosys­tem is re­as­sur­ing not just because of these measures, but also due to its simple im­ple­men­ta­tion and high level of secrecy. AES is used, among other things, as an en­cryp­tion standard for WPA2, SSH, and IPSec. The algorithm is also used to encrypt com­pressed file archives such as 7-Zip or RAR. AES-encrypted data is safe from third-party access, but only so long as the key remains a secret. Since the same key is used for en­cryp­tion and de­cryp­tion, the cryp­tosys­tem is affected by the key dis­tri­b­u­tion problem just like any other symmetric method. The secure use of AES is re­strict­ed to ap­pli­ca­tion fields that either don’t require a key exchange or allow the exchange to happen via a secure channel. But ciphered com­mu­ni­ca­tion over the internet requires that the data can be encrypted on one computer and decrypted on another. This is where asym­met­ri­cal cryp­tosys­tems have been im­ple­ment­ed, which enable a secure exchange of sym­met­ri­cal keys or work without the exchange of a common key. Available al­ter­na­tives to AES are the symmetric cryp­tosys­tems MARS, RC6, Serpent, and Twofish, which are also based on a block en­cryp­tion and were among the finalists of the AES tender alongside Rjindael. Blowfish, the pre­de­ces­sor to Twofish, is also still in use. Salsa20, which was developed by Daniel J. Bernstein in 2005, is one of the finalists of the European eSTREAM Project.

RSA is one of the safest and best-described public key methods. The idea of en­cryp­tion using a public en­cryp­tion key and a secret de­cryp­tion key can be traced back to the cryp­tol­o­gists Whitfield Diffie and Martin Hellman. This method was published in 1976 as the Diffie-Hellman key exchange, which enables two com­mu­ni­ca­tion partners to agree on a secret key over an unsecure channel. The re­searchers focused on Merkle’s puzzles, developed by Ralph Merkle, so it is sometimes also called the Diffie-Hellman-Merkle key exchange (DHM).

The cryp­tol­o­gists used math­e­mat­i­cal one-way functions, which are easy to implement, but can only be reversed with con­sid­er­able com­pu­ta­tion­al effort. Even today, the key exchanged named after them is used to ne­go­ti­at­ed secret keys within symmetric cryp­tosys­tems. Another merit of the duo’s research is the concept of the trapdoor. In the Diffie-Hellman key exchange pub­li­ca­tion, the hidden ab­bre­vi­a­tions are already addressed which are intended to make it possible to speed up the inversion of a one-way function. Diffie and Hellman didn’t provide concrete proof, but their theory of the trapdoor encourage various cryp­tol­o­gists to carry out their own in­ves­ti­ga­tions.

Rivest, Shamir, and Adleman also searched for one-way function ab­bre­vi­a­tions – orig­i­nal­ly with the intention of refuting the trapdoor theory. But their research ended up taking another direction, and instead resulted in the en­cryp­tion process even­tu­al­ly named after them. Today, RSA is the first sci­en­tif­i­cal­ly published algorithm that allows for the transfer of encrypted data without the use of a secret key.

The RSA uses an algorithm that is based on the mul­ti­pli­ca­tion of large prime numbers. While there generally aren’t any problems with mul­ti­ply­ing two primes by 100, 200, or 300 digits, there is still no efficient algorithm that can reverse the result of such a com­pu­ta­tion into its prime factors. Prime fac­tor­iza­tion can be explained by this example:

If you multiply the prime number 14,629 and 30,491 you’ll get the product 446,052,839. This has only four possible divisors: One is itself, and two others are the original prime numbers that have been mul­ti­plied. If you divide the first two divisors you’ll get the initial values of 14,629 and 30,491, since each number is divisible by 1 and by itself.

This theme is the basis of the RSA key gen­er­a­tion. Both the public and the private key represent two pairs of numbers:

                Public key: (e, N)

                Private key: (d, N)

N is the so-called RSA module. This is contained in both keys and results from the product of two randomly selected, very large primes p and q (N = p x q).

To generate the public key, you need e, a number that is randomly selected according to certain re­stric­tions. Come N and e to get the public key which is given in plaintext to each com­mu­ni­ca­tion partner.

To generate the private key, you need N as well as d as they contain the value resulting from the randomly generated primes p and q, as well as the random number e, which is computed based on Euler’s phi function (ϕ).

Which prime numbers go into the com­pu­ta­tion of the private key has to remain secret to guarantee the security of the RSA en­cryp­tion. The product of both prime numbers, however, can be used in the public key in plaintext, since it’s assumed that today there’s no efficient algorithm that can reverse the product into its prime factor numbers in an ap­pro­pri­ate amount of time. It’s also not possible to computer p and q from N, unless the cal­cu­la­tion can be ab­bre­vi­at­ed. This trapdoor rep­re­sents the value d, which is known only to the owner of the private key.

The security of the RSA algorithm is highly dependent on technical progress. Computing power doubles about every two years, and so it’s not out of the realm of pos­si­bil­i­ty that an efficient method for primary factor de­com­po­si­tion will be available in the fore­see­able future to match the methods that are available today. In this case, RSA offers the pos­si­bil­i­ty to adapt the algorithm to keep up with this technical progress by using even higher prime numbers in the com­pu­ta­tion of the key.

For a secure operation of the RSA process, rec­om­men­da­tions are provided by NIST that specifies the number of bits and suggested N values for different levels of security as well as different key lengths.

The central dif­fi­cul­ty with asym­met­ri­cal en­cryp­tion methods is the user au­then­ti­ca­tion. In classic public key methods, the public key is not as­so­ci­at­ed at all with the identity of its user. If a third party is able to use the public key by pre­tend­ing to be one of the parties involved in the encrypted data transfer, then the whole cryp­tosys­tem can be removed without having to directly attack the algorithm or a private de­cryp­tion key. In 1984, Adi Shamir, one of the de­vel­op­ers of RSA, proposed an ID-based cryp­tosys­tem that is based on the asym­met­ric approach but attempts to overcome its weakness. In identity-based en­cryp­tion (IBE), the public key of a com­mu­ni­ca­tion partner is not generated with any de­pen­dence on the private key, but instead from a unique ID. Depending on the context, for example, an e-mail address or domain could be used. This elim­i­nates the need to au­then­ti­cate public key through official cer­ti­fi­ca­tion bodies. Instead, the private key generator (PKG) takes its place. This is a central algorithm, with which the recipient of an encrypted message can issue a de­cryp­tion key belonging to their identity. The theory of ID-based en­cryp­tion solves a basic problem of the asym­met­ri­cal cryp­tosys­tem, and in­tro­duces two other security gaps instead: a central point of criticism is the question of how the private de­cryp­tion key is trans­ferred from the PKG to the recipient of the encrypted message. Here the familiar key problem arises again. Another downside to the ID-based method is the cir­cum­stance where there’s another entity next to the recipient of a ciphered message who then also finds out the de­cryp­tion key from the PKG. The key is then, by de­f­i­n­i­tion, no longer private and can be misused. The­o­ret­i­cal­ly, the PKG is able to decrypt all unau­tho­rized messages. This can be done by gen­er­at­ing the key pair using open source software on your own computer. The most popular ID-based method can be traced back to Dan Boneh and Matthew K. Franklin.

Hybrid en­cryp­tion is the joining of symmetric and asym­met­ric cryp­tosys­tems in the context of data trans­mis­sion on the internet. The goal of this com­bi­na­tion is to com­pen­sate for the weak­ness­es of one system using the strengths of the other.

Symmetric cryp­tosys­tems like AES (Advanced En­cryp­tion Standard) are regarded as safe by today’s technical standards and enable large amounts of data to be processed quickly and ef­fi­cient­ly. The design of the algorithm is based on a shared private key that must be exchanged between the receiver and the sender of the ciphered message. But users of symmetric methods are faced with the problem of key dis­tri­b­u­tion. This can be solved through asym­met­ric cryp­tosys­tems. Methods like RSA depend on a strict sep­a­ra­tion of public and private keys that enables the transfer of a private key.

But RSA only provides reliable pro­tec­tion again crypt­analy­sis with a suf­fi­cient­ly large key length, which must be at least 1,976 bits. This results in long computing op­er­a­tions that dis­qual­i­fy the algorithm for the en­cryp­tion and de­cryp­tion of large amounts of data. In addition, the secret text to be trans­mit­ted is sig­nif­i­cant­ly larger than the original plaintext after going through an RSA cipher.

In hybrid en­cryp­tion methods, asym­met­ric al­go­rithms aren’t used to encrypt useful data, but instead to secure the trans­mis­sion of a symmetric session key over an un­pro­tect­ed public channel. This in turn makes it possible to decrypt a ci­pher­text with the help of symmetric al­go­rithms.

The process of a hybrid en­cryp­tion can be describe in three steps:

1. Key man­age­ment: With hybrid methods, the sym­met­ri­cal en­cryp­tion of a message is framed by an asym­met­ri­cal en­cryp­tion method, so an asym­met­ric (a) as well as a symmetric (b) key must be generated.

• Before the encrypted data transfer occurs, both com­mu­ni­ca­tion partners first must generate an asym­met­ric key pair: a public key and a private key. Af­ter­wards the exchange of the public keys takes place – in the best case, secured through an au­then­ti­ca­tion mechanism. The asym­met­ric key pair serves to both cipher and decipher a symmetric session key, and so is generally used multiple times.

• The en­cryp­tion and de­cryp­tion of the plaintext is performed using the sym­met­ri­cal session key. This is generated anew by the message sender for each en­cryp­tion process.

2. En­cryp­tion: If an extensive message is to be trans­mit­ted securely over the internet, the sender must first generate a sym­met­ri­cal session key with which the user data can be encrypted. When this is done, the recipient’s public key is then used for the asym­met­ri­cal ciphering of the session key. Both the user data and the symmetric key are then available in a ciphered form and can safely be sent.

3. De­cryp­tion: The encrypted text is sent to the recipient together with the encrypted session key, who needs their private key in order to asym­met­ri­cal­ly decrypt the session key. This decrypted key is then used to decrypt the sym­met­ri­cal­ly ciphered user data.

According to this formula, an efficient en­cryp­tion method can be im­ple­ment­ed with which it’s possible to safely encrypt and decrypt an even large amount of user data at a higher speed. Since only a short session key is asym­met­ri­cal­ly encrypted, the com­par­a­tive­ly long cal­cu­la­tion times of asym­met­ric al­go­rithms in hybrid en­cryp­tion are not important. The key dis­tri­b­u­tion problem of the symmetric en­cryp­tion method is reduced through the asym­met­ric en­cryp­tion of session keys to simply be a problem of user au­then­ti­ca­tion. This is solved in asym­met­ric cryp­tosys­tems through digital sig­na­tures and cer­tifi­cates.

Hybrid en­cryp­tion methods are used in the form of IPSec, with the secured com­mu­ni­ca­tion taking place over unsecured IP networks. The Hypertext Transfer Protocol Secure (HTTPS) also uses TLS/SSL to create a hybrid en­cryp­tion protocol that combines symmetric and asym­met­ric cryp­tosys­tems. The im­ple­men­ta­tion of hybrid methods is the basis for en­cryp­tion standards such as Pretty Good Privacy (PGP), GnuPG, and S/MIME that are used in the context of e-mail en­cryp­tion.

A popular com­bi­na­tion for hybrid en­cryp­tion methods is the symmetric en­cryp­tion of user data via AES and the sub­se­quent asym­met­ric en­cryp­tion of the session key by means of RSA. Al­ter­na­tive­ly, the session key is arranged according to the Diffie-Hellman method. This can serve as Ephemeral Diffie-Hellman Forward Secrecy, but is prone to man-in-the-middle attacks. A re­place­ment for the RSA algorithm is the Elgamal cryp­tosys­tem. In 1985, Taher Elgamal developed the public key method, which is also based on the idea of the Diffie-Hellman key exchange and is used in the current version of the PGP en­cryp­tion program.