Three Part Hybrid Encryption Schema

—Hybrid encryption schemes are consist of two parts. First part for encryting the text with symmetric algorithm called DEM (Data Encryption Mechanism) and the second one is for encrypting the symmetric algorithm key with asymmetric algorithm called KEM (Key Encryption Mechanism). If we think to expand the KEM packet with e-sign, message digest and extra security data for validation and authentication, how will be the encryption of KEM packet and also the performance KEM mechanism. Our study try to answer that question and also offer a new hybrid encryption mechanism for information security.


I. INTRODUCTION
T IS NEVER safe to do business or personal correspondence on the Internet unless it is possible to protect the information. Information security is provided by eliminating threats such as being listened by another one, change of information, imitation of identity. The basic tool used for securing information security is cryptography. Cryptography is a science that analyzes information security and makes the understandable one incomprehensible. Topics such as confidentiality, reliability, data integrity, authentication, authenticity, and irrefutability are important areas of work for cryptography. [1][2][3][4] Encryption techniques can be used to prevent unauthorized access to data content during data security. By using symmetric or asymmetric algorithms, the encrypted data will be meaningless even if it is captured by unauthorized persons. However, by using asymmetric algorithms and processing the data with the keys of the sender, it is possible to obtain unique values. If these values are related to the data and the sender, the sender of the data will be guaranteed if it is added to the data, which is a digitally signing process.
Nowadays, communication security is not only to secure the data content. It is now important for communication security to associate the sender with the data. It should also be proved that the received data is received without any modification on the recipient's side.
Complex security solutions are generally provided by hybrid encryption mechanisms. Symmetric algorithms only have the ability to encrypt data. They are fast and safe. Key management of asymmetric algorithms is successful. Symmetric algorithms are much slower when compared to symmetric algorithms in encryption processes. Hybrid mechanisms are built to complement the missing aspects of symmetric and asymmetric algorithms.

II. ENCRYPTION ALGORITHMS
A. Asymmetric Encryption Algorithms Asymmetric algorithms use two different keys, one for encryption and the other for decryption. These keys mathematically depend on each other, but one cannot get a key from the other. The decryption key is known only by the recipient, but the encryption key can be known by anyone. The fact that the keys are interlinked and one cannot get a key from the other makes it possible to use asymmetric algorithms rather than encryption. Today, asymmetric algorithms are used for digital signatures. [5] B. Symmetric Encryption Algorithms Symmetric algorithms use a single key for encryption and decryption. This key must be kept confidential by both the sender and the recipient, otherwise unauthorized persons can easily decrypt the encrypted data and access the actual data. They have a widespread use, because they perform encryption and decryption fast. [6] C. Hash Algorithms Hash algorithms are used to create a strict representation of the given data. Calculated hash value is unique. The smallest change in the actual data substantially changes the hash value. Since they are one-way functions, the actual data cannot be obtained. Because of these features, Hash algorithms play a big role in data integrity processes and in authentication. [14 -15] III. PREVIOUS WORKS One of the important works on this subject was made by Masayuki Abe, Rosario Gennaro, Kaoru Kurosawa and Victor Shoup. In this study, the hybrid mechanism is composed of two modules. It is called DEM Data Encapsulation Mechanism for the Hybrid Mechanism's encryption of the data itself, and KEM-Key Encapsulation Mechanism for the mechanism managing encryption keys. In principle, the data is Three Part Hybrid Encryption Schema H. GENÇOĞLU, T. YERLİKAYA  I encrypted with DEM and the keys are encrypted with KEM. [7] In the tag-KEM / DEM architecture, when a KEM is generated, first a random key is selected and then this key is encrypted with a tag value. Signing procedures are not available in this architecture.
Fujisaki-Okamoto's KEM-DEM architecture is an improved version of the "Tag-KEM / DEM" architecture. But this architecture does not have signing procedures either.
Another study was conducted by Kerim YILDIRIM and H. Engin DEMİRAY. The previous hybrid mechanisms have been improved in their study called "SİMETRİK VE ASİMETRİK ŞİFRELEME YÖNTEMLERİNE METOTLAR: ÇIRPILMIŞ VE BİRLEŞİK AKM-VKM". [8] Three algorithms are mentioned in this study. In the "Scrabbled KEM-DEM" architecture, KEM and DEM constructions were mixed using the receiver's open key and sent to the user in a single locale. It is stated that the purpose of this mixing process is to make sure that the attacker does not know if it works with KEM or DEM. In the cascaded KEM-DEM architecture, which is the other algorithm, the shuffle algorithm was considered to be safer to do with the random key instead of the receiver's open key. However, in both cases, it will be seen that there is no difference between the DEM keys if they are thought to be encrypted and stored in the KEM. In the "Combined KEM-DEM" structure, the server was first logged on and secure communication was established with the "Scrabbled KEM-DEM" architecture. The logon key encryption specified by the server in the logon process was performed as if it were in the other two systems.
Although this work enhances security measures, signing and verification procedures are incomplete. Plain or encrypted text is not signed in the system, only the key that generated the key which is used to encrypt the text is signed. However, the signing of the text instead of the key will be more meaningful. In addition, first a key is generated in the system with a string expression, then the encryption key is generated using this key, and encryption is performed. This process will increase the work load on the system and increase the working time of the system. If it is desired that the encryption key is independent of the sender, the system can generate the key without any string entry and encryption can be performed.
In both cases, data security is provided by encrypting the plain text and obtaining a summary to guarantee that it has not changed. Signaling by the sender to verify the sender of the message is also an important security parameter and it should be used for authentication purposes if the attack techniques are considered to be diverse today.
Another study, "A Novel Idea on Multimedia Encryption using Hybrid Crypto Approach", describes that multimedia files can be used safely without leaving the hybrid algorithm architecture. [9] In the study named "Dik eşleştirme arayış yöntemi ile hibrit veri sıkıştırma ve optiksel kriptografi ", the processed signal is secured with the hybrid mechanism and transmission is proposed. [10] In the study "A Password-Protected Secret Sharing Based on Kurosawa-Desmedt Hybrid Encryption", the hybrid mechanism has been used to eliminate defects in the secret sharing schemes. [11] In another study, implementation solution was presented for hybrid mechanism cloud storage systems. RSA is used as the asymmetric algorithm and AES is used as the symmetric algorithm in the work named "The hybrid encryption algorithm of lightweight data in cloud storage". [12] An idea is proposed for the hybrid architecture to work on the FPGA in the study called "Implementing a hybrid cryptocoding algorithm for an image on FPGA". [13] As it is seen, the vast majority of studies on hybrid encryption algorithms focus on the implementation of the architecture or performance enhancement rather than the development of the architecture.

IV. ENCRYPTED COMMUNICATION
The encrypted communication between two points is made using the keys of the point. There will be 4 keys at each point. These keys are; symmetric algorithm key for encryption of the data, public and private keys of asymmetric algorithm for signing, validation, and security packet encryption, and public key belonging to the receiver.
Create 3 packages during the communication. The first package, the message package, contains encrypted data. The second package, the security package, contains signing and authentication values. The third package is the key package that contains the keys of encrypting message package and the security package.
While there are two parts in classical hybrid cryptography architectures, we have created the architecture in three parts in our study. We designed the security package as a separate package and increased the security parameters to make the security of the message stronger. Because increasing the security parameters increases the packet size, we encrypted the security package with a symmetric algorithm. We have completed the hybrid architecture by encrypting two symmetric keys using asymmetric algorithm.

A. Package -Message (Data) Package
The plain data goes in two processes: • Encryption process • Sign the message by the sender The plain data is encrypted using the symmetric algorithm with the randomly generated key. The encrypted message goes to shuffle algorithm and produces two outputs: 1. Shuffled encrypted message 2. Coefficients after the shuffling operation The purpose of re-mixing the encrypted message is to make the prediction more difficult against the known text attack against the symmetric algorithms. To make this process meaningful, the coefficients must be sent to the receiver and the mapping must be reversed to determine the original locations of the data blocks. One of the inputs to the security package is these coefficients.
The digest value is calculated by entering the plain data in the digest algorithm. This value is signed using the sender's secret key, and a message signature is generated which means that the message is approved by the user. The message signature is one of the inputs of the security package.  The digest of the plain message and the digest of the scrambled message are created in a data packet, first by signing with the device secret key and then by signing with the user secret key. Coefficients of the data packet from shuffle algorithm are also added to the signed data and encrypted with a symmetric algorithm.
A randomly generated key is used for encryption, then this key goes to the package.    After receiving the recipient message, the keys needed to display the message content are encrypted in the key package. In this case, the key package must only be opened by the receiver. For this, the key package must be encrypted with the receiver's public key. Public keys must be mutually shared for the encryption to take place.

V. DECRYPTION PROCESS
When the data package arrives at the recipient, it is sufficient for the open message to reverse the order of the transactions in order to be able to access the signature information. The same key in the symmetric algorithm and the second key in the asymmetric algorithm must be used.
The packages are separated from each other in the very beginning. Each package follows its own sequence of operations within the architecture. First the security package is opened, and the shuffle coefficients and signatures are obtained, then signatures are checked to obtain hash values. Finally, the Message Pack is opened and a plain text is obtained. The shuffle algorithms for the plain text are compared with the hash values obtained from the security packet. If the values obtained in this comparison are the same, it is guaranteed that the message is not changed.

Message
Package Security Package Key Package

Fig.5. Combination of Password Pack and Packages
A.
Step 1. Unpacking the Key Package The key package is encrypted with the recipient's public key. The keys of the symmetric encryption algorithm used for message encryption and security packet encryption are obtained by unpacking the receiver's secret key.

Receivers Secret Key
Key Package = User's Secret Key (Asymmetric Algorithm) Encryption Key2 will be used to decrypt security package, Encryption Key1 will be used to obtain the clear message.

B.
Step 2: Uncpacking Security Package The security packet obtained from the data packet is decrypted using the Encryption Key2 obtained by decrypting the key packet. The obtained data are a hash of the message signed by the user and the device and the coefficients used in the process of shuffling the encrypted message. This hash value will be compared with a hash value of the message obtained in the next step, and the device and the person to whom the message is sent will be verified.  The signature is calculated by processing the digest value of the message data first with the device's secret key then sender's secret key by the asymmetric algorithm. The signature verification process is also performed by asymmetric algorithm using first the device's secret key then the sender's secret key. As a result of this process, a hash value of the signature data should be obtained.

C. Step 3: Unpacking Message Package
The string that was passed in the shuffling process after the message package is encrypted. Therefore, the cryptographic message must first be obtained by reversing the shuffling process, and the resulting cryptographic message must be decrypted with the Encryption Key 1 coming from the key packet with the symmetric algorithm. The coefficients that will be processed to recover the shuffling process come from the security package.  Step 4: Verification At the end of the second phase, the hash value was obtained. This summary value consisted of a message digest mixed with a plain message digest. Because it is not possible to obtain the original data from the summary value, the plain text is again processed to the shuffling and hashing operations to obtain the hash value which is verified by comparing the summary value with the data packet. Proof: Select two elements as in different places.
We assume that p + q=p + q mod n p + q=p + q + kn p =p + kn p p = kn p( ) = kn is found.
i. İf k=0, because of p 0 , is found, and it is against our approval ii. If ,because of gcd(p,n)=1, p n is found.
That means p cannot divide n. We assume that p divide k (p|k): . At this time is found. That means and that situation is against .
Therefore Sh(x) = px+q mod n function is 1 1 function. And for all , becomes .
B. Recovery Process: To recover the original array after shuffling process, we must use reverse of the Sh(x)=px+q function.
Reverse of Sh(x)=px+q mod n function is .
Because of this function's being linear the reverse of p and q to mod n can be used instead of them. Lets call to the reverse of . İf and are calculated becomes, . The place of each element of the array is calculated in function, and their new place is found. To recover the original array we must calculate for all places in the shuffled array and find their original places.

VII. CONCLUSION
Encryption and decryption times at different data sizes are measured by developing an application for performance evaluation.
RSA is used as the asymmetric algorithm in signing operations and ciphers, and AES-256 is chosen as the symmetric algorithm. The P and Q prime numbers required for the RSA algorithm are selected to be 402 digits -1334 bits and 401 digits -1331 bits.
The numbers E and D selected using P and Q are 802 digits -2662 bits and 801 digits -2658 bits.
The values measured by the application are given in the table. Certificate authorities do not prefer 1024 bit keys in signing and strategic applications anymore. Nowadays, 2048 or 4096 bit keys have begun to be preferred for longer security choice Absolute security is ensured in the transmission of thumbnails and textual data as well as problems during transmission of audio and video data. Our next work will be on ensuring faster delivery of larger data.