1432  Interactive Encryption Tools and Calculators

1432.1 Learning Objectives

By the end of this chapter, you will be able to:

• Calculate Encryption Strength: Use interactive tools to evaluate brute-force resistance
• Compare Algorithms: Visualize performance and security tradeoffs between symmetric and asymmetric encryption
• Simulate Key Exchange: Understand Diffie-Hellman and TLS handshakes through interactive demonstrations
• Make Informed Decisions: Select appropriate encryption for specific IoT use cases

TipIn Plain English

These interactive tools help you build intuition about cryptographic concepts. Experiment with different key sizes, algorithms, and attack scenarios to understand why security recommendations exist.

1432.2 Encryption Strength Calculator

Understand how key length and algorithm choice affect security against brute-force attacks and emerging quantum threats.

viewof keyLength = Inputs.select([64, 128, 192, 256, 512, 1024, 2048, 4096], {
  value: 128,
  label: "Key Length (bits)"
})

viewof algorithm = Inputs.select(
  ["AES", "3DES", "RSA", "ChaCha20", "ECC"],
  {value: "AES", label: "Algorithm"}
)

viewof attackScenario = Inputs.select(
  ["Single PC", "Botnet (10K nodes)", "Supercomputer", "All computers on Earth"],
  {value: "Single PC", label: "Attacker Resources"}
)

attackSpeeds = ({
  "Single PC": 1e9,
  "Botnet (10K nodes)": 1e13,
  "Supercomputer": 1e15,
  "All computers on Earth": 1e18
})

strengthData = {
  const speed = attackSpeeds[attackScenario];
  const totalKeys = Math.pow(2, keyLength);
  const bruteForceSeconds = totalKeys / speed;
  const bruteForceYears = bruteForceSeconds / (365.25 * 24 * 3600);

  const quantumKeys = Math.pow(2, keyLength / 2);
  const quantumSeconds = quantumKeys / (speed * 1000);
  const quantumYears = quantumSeconds / (365.25 * 24 * 3600);

  let recommendation = "";
  let securityLevel = "";

  if (algorithm === "AES" || algorithm === "ChaCha20") {
    if (keyLength >= 256) {
      recommendation = "Quantum-resistant for next 30+ years";
      securityLevel = "Excellent";
    } else if (keyLength >= 128) {
      recommendation = "Adequate now, vulnerable to future quantum computers";
      securityLevel = "Good";
    } else {
      recommendation = "Too weak - DO NOT USE in production";
      securityLevel = "Inadequate";
    }
  } else if (algorithm === "RSA") {
    if (keyLength >= 4096) {
      recommendation = "Very strong, but consider ECC for IoT efficiency";
      securityLevel = "Excellent";
    } else if (keyLength >= 2048) {
      recommendation = "Current standard, but slow on IoT devices";
      securityLevel = "Good";
    } else {
      recommendation = "RSA-1024 or less is deprecated";
      securityLevel = "Inadequate";
    }
  } else if (algorithm === "ECC") {
    if (keyLength >= 384) {
      recommendation = "Excellent - equivalent to AES-192 or RSA-7680";
      securityLevel = "Excellent";
    } else if (keyLength >= 256) {
      recommendation = "Ideal for IoT - equivalent to AES-128 or RSA-3072";
      securityLevel = "Excellent";
    } else {
      recommendation = "Consider 256-bit minimum for IoT";
      securityLevel = "Fair";
    }
  } else if (algorithm === "3DES") {
    recommendation = "3DES is deprecated - migrate to AES";
    securityLevel = "Inadequate";
  }

  return {
    keyLength,
    algorithm,
    bruteForceYears,
    quantumYears,
    recommendation,
    securityLevel,
    attackScenario,
    bruteForceSeconds,
    quantumSeconds
  };
}

md`### Encryption Strength Analysis

**Configuration:**
- **Algorithm**: ${strengthData.algorithm}
- **Key Length**: ${strengthData.keyLength} bits
- **Attacker**: ${strengthData.attackScenario}

**Security Assessment:**

| Attack Type | Time to Break | Security Level |
|:------------|:--------------|:---------------|
| **Classical Brute Force** | ${strengthData.bruteForceYears < 1e-6 ? strengthData.bruteForceYears.toExponential(2) + " years (INSTANT)" : strengthData.bruteForceYears < 1 ? (strengthData.bruteForceSeconds / 60).toFixed(2) + " minutes" : strengthData.bruteForceYears < 1000 ? strengthData.bruteForceYears.toFixed(2) + " years" : strengthData.bruteForceYears.toExponential(2) + " years"} | ${strengthData.securityLevel} |
| **Quantum Attack (Grover)** | ${strengthData.quantumYears < 1e-6 ? strengthData.quantumYears.toExponential(2) + " years" : strengthData.quantumYears < 1 ? (strengthData.quantumSeconds / 60).toFixed(2) + " minutes" : strengthData.quantumYears < 1000 ? strengthData.quantumYears.toFixed(2) + " years" : strengthData.quantumYears.toExponential(2) + " years"} | ${strengthData.keyLength >= 256 ? "Resistant" : "Vulnerable"} |

**Recommendation**: ${strengthData.recommendation}
`

Understanding the Results:

• Brute Force Time: How long to try every possible key using classical computers
• Quantum Attack Time: Estimated time using Grover’s algorithm (halves key strength)
• Security Level: Based on NIST and industry recommendations

Real-World Context:

• Universe age: ~13.8 billion years
• Sun’s remaining lifespan: ~5 billion years
• Age of Earth: ~4.5 billion years

If brute-force time exceeds these timescales, encryption is effectively unbreakable.

---

1432.3 Encryption Comparison Demo

Compare symmetric (AES) and asymmetric (RSA) encryption side-by-side.

viewof encryptionType = Inputs.radio(
  ["Symmetric (AES)", "Asymmetric (RSA)", "Hybrid (IoT Best Practice)"],
  {value: "Symmetric (AES)", label: "Encryption Type"}
)

viewof userMessage = Inputs.text({
  label: "Message to Encrypt",
  value: "Sensor: Temperature 72F",
  placeholder: "Enter your IoT message...",
  width: "100%"
})

encryptionData = {
  const msg = userMessage || "Sensor: Temperature 72F";
  const ciphertextHex = Array.from({length: Math.min(32, msg.length * 2)}, () =>
    "0123456789ABCDEF"[Math.floor(Math.random() * 16)]).join('');

  if (encryptionType === "Symmetric (AES)") {
    return {
      type: "symmetric",
      algorithm: "AES-128-GCM",
      keySize: 128,
      keyGenTime: "< 1 ms",
      encryptTime: "0.02 ms",
      decryptTime: "0.02 ms",
      ciphertext: ciphertextHex,
      pros: ["Very fast (100-1000x faster than RSA)", "Low power consumption", "Hardware acceleration available"],
      cons: ["Key distribution problem", "Both parties need same key"],
      speedMbps: 250,
      powerMw: 5
    };
  } else if (encryptionType === "Asymmetric (RSA)") {
    return {
      type: "asymmetric",
      algorithm: "RSA-2048",
      keySize: 2048,
      keyGenTime: "100-500 ms",
      encryptTime: "1-5 ms",
      decryptTime: "10-50 ms",
      ciphertext: ciphertextHex + "...",
      pros: ["Solves key distribution", "Digital signatures possible"],
      cons: ["Very slow (100-1000x slower)", "High power consumption"],
      speedMbps: 0.5,
      powerMw: 50
    };
  } else {
    return {
      type: "hybrid",
      algorithm: "RSA + AES-GCM",
      keySize: "2048 + 128",
      keyGenTime: "100-500 ms (once)",
      encryptTime: "0.02 ms (after handshake)",
      decryptTime: "0.02 ms (after handshake)",
      ciphertext: ciphertextHex,
      pros: ["Best of both worlds", "Industry standard (TLS)"],
      cons: ["More complex implementation"],
      speedMbps: 250,
      powerMw: 5
    };
  }
}

html`<div style="
  display: grid;
  grid-template-columns: repeat(auto-fit, minmax(200px, 1fr));
  gap: 20px;
  margin: 20px 0;
">
  <div style="padding: 20px; background: #2C3E50; border-radius: 12px; color: white;">
    <h4 style="margin: 0 0 10px 0;">${encryptionData.algorithm}</h4>
    <p><strong>Key Size:</strong> ${encryptionData.keySize} bits</p>
    <p><strong>Encrypt:</strong> ${encryptionData.encryptTime}</p>
    <p><strong>Decrypt:</strong> ${encryptionData.decryptTime}</p>
    <p><strong>Speed:</strong> ${encryptionData.speedMbps} MB/s</p>
    <p><strong>Power:</strong> ${encryptionData.powerMw} mW</p>
  </div>
  <div style="padding: 20px; background: #16A085; border-radius: 12px; color: white;">
    <h4 style="margin: 0 0 10px 0;">Advantages</h4>
    <ul style="margin: 0; padding-left: 20px;">
      ${encryptionData.pros.map(p => `<li>${p}</li>`).join('')}
    </ul>
  </div>
  <div style="padding: 20px; background: #E67E22; border-radius: 12px; color: white;">
    <h4 style="margin: 0 0 10px 0;">Disadvantages</h4>
    <ul style="margin: 0; padding-left: 20px;">
      ${encryptionData.cons.map(c => `<li>${c}</li>`).join('')}
    </ul>
  </div>
</div>`

---

1432.4 Algorithm Selection Guide

Based on your IoT requirements, select the most appropriate encryption approach:

viewof deviceType = Inputs.select(
  ["Battery sensor (ultra-low power)", "Smart home device", "Industrial gateway", "Medical implant", "Automotive ECU"],
  {value: "Battery sensor (ultra-low power)", label: "Device Type"}
)

viewof dataType = Inputs.select(
  ["Sensor telemetry", "Commands/control", "Firmware updates", "Personal health data", "Financial transactions"],
  {value: "Sensor telemetry", label: "Data Type"}
)

viewof networkType = Inputs.select(
  ["LoRaWAN (limited bandwidth)", "Wi-Fi", "Cellular (NB-IoT/LTE-M)", "Bluetooth LE", "Ethernet"],
  {value: "Wi-Fi", label: "Network Type"}
)

recommendation = {
  let symmetric = "AES-128-GCM";
  let asymmetric = "ECC-256 (Curve25519)";
  let hash = "SHA-256";
  let notes = [];

  // Adjust based on device type
  if (deviceType === "Battery sensor (ultra-low power)") {
    symmetric = "AES-128-GCM";
    notes.push("Use hardware AES acceleration to minimize power");
    notes.push("Consider PSK-based TLS to avoid RSA operations");
  } else if (deviceType === "Medical implant") {
    symmetric = "AES-256-GCM";
    notes.push("Maximum security required - use AES-256");
    notes.push("Store keys in secure element");
  } else if (deviceType === "Automotive ECU") {
    symmetric = "AES-128-GCM";
    asymmetric = "ECC-256 (secp256r1)";
    notes.push("Follow ISO 26262 security requirements");
  }

  // Adjust based on data type
  if (dataType === "Personal health data" || dataType === "Financial transactions") {
    symmetric = "AES-256-GCM";
    notes.push("Compliance requires maximum encryption strength");
  } else if (dataType === "Firmware updates") {
    notes.push("Always verify firmware signatures with Ed25519/ECDSA");
  }

  // Adjust based on network
  if (networkType === "LoRaWAN (limited bandwidth)") {
    asymmetric = "Ed25519 (64-byte signatures)";
    notes.push("Use Ed25519 - RSA signatures too large for LoRaWAN payload");
  }

  return {symmetric, asymmetric, hash, notes};
}

md`### Recommended Configuration

| Purpose | Algorithm | Notes |
|---------|-----------|-------|
| **Data Encryption** | ${recommendation.symmetric} | Symmetric encryption for bulk data |
| **Key Exchange/Signatures** | ${recommendation.asymmetric} | Asymmetric for handshake and auth |
| **Integrity/Hashing** | ${recommendation.hash} | One-way fingerprint for verification |

**Additional Recommendations:**

${recommendation.notes.map(n => `- ${n}`).join('\n')}
`

---

1432.5 Hash Function Demonstrator

See how cryptographic hash functions work with the avalanche effect:

viewof hashInput = Inputs.text({
  label: "Input Text",
  value: "Hello IoT World",
  placeholder: "Enter text to hash...",
  width: "100%"
})

simpleHash = {
  let hash = 0;
  const input = hashInput || "";
  for (let i = 0; i < input.length; i++) {
    const char = input.charCodeAt(i);
    hash = ((hash << 5) - hash) + char;
    hash = hash & hash;
  }
  // Convert to hex-like string
  return Math.abs(hash).toString(16).padStart(8, '0').toUpperCase();
}

// Simulate changing one character
changedInput = {
  const input = hashInput || "";
  if (input.length > 0) {
    const pos = Math.floor(input.length / 2);
    const newChar = String.fromCharCode(input.charCodeAt(pos) + 1);
    return input.substring(0, pos) + newChar + input.substring(pos + 1);
  }
  return input + "X";
}

changedHash = {
  let hash = 0;
  const input = changedInput;
  for (let i = 0; i < input.length; i++) {
    const char = input.charCodeAt(i);
    hash = ((hash << 5) - hash) + char;
    hash = hash & hash;
  }
  return Math.abs(hash).toString(16).padStart(8, '0').toUpperCase();
}

md`### Avalanche Effect Demonstration

| Input | Hash (simplified) |
|-------|-------------------|
| "${hashInput}" | \`${simpleHash}\` |
| "${changedInput}" | \`${changedHash}\` |

**Observation**: Even a tiny change (one character) produces a completely different hash output.

*Note: This is a simplified visualization. Real SHA-256 produces 64-character hexadecimal output.*
`

---

1432.6 IoT Encryption Performance Estimator

Estimate encryption performance on your target hardware:

viewof targetMCU = Inputs.select(
  ["ESP32 (240 MHz)", "STM32L4 (80 MHz)", "nRF52840 (64 MHz)", "Arduino Uno (16 MHz)", "Raspberry Pi Pico (133 MHz)"],
  {value: "ESP32 (240 MHz)", label: "Target Microcontroller"}
)

viewof dataSize = Inputs.range([16, 10240], {
  value: 1024,
  step: 16,
  label: "Data Size (bytes)"
})

viewof operationsPerDay = Inputs.range([1, 10000], {
  value: 100,
  step: 1,
  label: "Encryption Operations per Day"
})

performanceEstimate = {
  // Approximate cycles per byte for AES-128-GCM
  const cyclesPerByte = {
    "ESP32 (240 MHz)": 15,           // Hardware AES
    "STM32L4 (80 MHz)": 20,          // Hardware AES
    "nRF52840 (64 MHz)": 18,         // CryptoCell
    "Arduino Uno (16 MHz)": 500,     // Software only
    "Raspberry Pi Pico (133 MHz)": 100 // Software
  };

  const clockMHz = {
    "ESP32 (240 MHz)": 240,
    "STM32L4 (80 MHz)": 80,
    "nRF52840 (64 MHz)": 64,
    "Arduino Uno (16 MHz)": 16,
    "Raspberry Pi Pico (133 MHz)": 133
  };

  const cpb = cyclesPerByte[targetMCU];
  const mhz = clockMHz[targetMCU];

  const totalCycles = cpb * dataSize;
  const timeUs = totalCycles / mhz;
  const timeMs = timeUs / 1000;

  // Power estimates (rough)
  const activePowerMa = {
    "ESP32 (240 MHz)": 80,
    "STM32L4 (80 MHz)": 25,
    "nRF52840 (64 MHz)": 20,
    "Arduino Uno (16 MHz)": 15,
    "Raspberry Pi Pico (133 MHz)": 30
  };

  const powerMa = activePowerMa[targetMCU];
  const energyPerOpUj = powerMa * 3.3 * timeUs; // microjoules
  const energyPerDayMj = energyPerOpUj * operationsPerDay / 1000;

  // Battery life estimate (assuming 2000mAh battery)
  const batteryMah = 2000;
  const batteryMj = batteryMah * 3.3 * 3600; // mAh to mJ
  const batteryDays = batteryMj / energyPerDayMj;

  return {
    timeMs: timeMs.toFixed(3),
    throughputMbps: (dataSize / (timeUs / 1e6) / 1e6).toFixed(2),
    energyPerOpUj: energyPerOpUj.toFixed(1),
    energyPerDayMj: energyPerDayMj.toFixed(2),
    batteryDays: batteryDays > 10000 ? ">10 years" : (batteryDays / 365).toFixed(1) + " years"
  };
}

md`### Performance Estimate for ${targetMCU}

| Metric | Value |
|--------|-------|
| **Time per Operation** | ${performanceEstimate.timeMs} ms |
| **Throughput** | ${performanceEstimate.throughputMbps} MB/s |
| **Energy per Operation** | ${performanceEstimate.energyPerOpUj} uJ |
| **Energy per Day** | ${performanceEstimate.energyPerDayMj} mJ |
| **Battery Life (2000mAh)** | ${performanceEstimate.batteryDays} |

*Estimates based on AES-128-GCM. Actual performance varies with implementation and workload.*
`

---

1432.7 Knowledge Check

TipQuestion: Algorithm Selection

You’re building a LoRaWAN sensor that sends 32-byte telemetry every 15 minutes. The maximum payload is 51 bytes. Which encryption approach is most appropriate?

Options:

• 1. RSA-2048 encryption for maximum security
• 2. AES-128-GCM for data, Ed25519 for authentication
• 3. No encryption - LoRaWAN has built-in security
• 4. AES-256-GCM with SHA-512 HMAC

NoteAnswer

Correct: B

AES-128-GCM provides strong symmetric encryption with a 16-byte auth tag. Ed25519 signatures are 64 bytes - usable across multiple messages. RSA-2048 signatures (256 bytes) exceed the 51-byte payload limit. While LoRaWAN has application-layer encryption, additional end-to-end encryption is recommended for sensitive data.

1432.8 Summary

These interactive tools help you:

• Evaluate encryption strength against various attack scenarios
• Compare algorithms for performance and security tradeoffs
• Estimate battery impact of cryptographic operations
• Select appropriate encryption based on device and network constraints

Experiment with different configurations to develop intuition about IoT cryptography.

1432.9 What’s Next

Continue to Encryption Labs for hands-on Wokwi simulations and practice exercises implementing cryptographic operations on ESP32 microcontrollers.