Case Studies 05/04/2019

Data encryption protects the most important

DO WE REALLY NEED A SHIELD OF CRYPTODEFENCE?

Privacy is a new religion. We set the highest value on privacy. But even children know – if there is something valuable for some, there will undoubtedly be those who want to get it valuable without the permission of the rightful owner.

Aforetime values were purely material – like golden accessories, Amati violins, Flemish painting, and Qin era porcelain – but nowadays, values are more abstract, although their essence has not been changed. Diamonds and pearls were hidden in strongboxes and caches, and we keep modern treasures on hard drives of computers or servers, on flash drives and smartphone SD cards.

Entrusted the most intimate things to gadgets and computers, we’ve made ourselves vulnerable. All that is stored on the hard drives, in the memory of applications and browsers, is the Achilles heel of the modern human civilization. Information about family, career, tangible assets, political views, financial data, planned transactions, the second set of books, access to banking accounts, keys to e-wallets, corporate secrets, proprietary information and trade secrets – all of them are the new targets of cyber-era robbers.

It is quite easy to open a safe box by a lock-pick or autogenous cutting – extracting information from a disk is just as easy. To provide more safety you can hide a strongbox in the wall or a bunker at a depth of 200 meters, or you can enclose it with barbed wire and set the going flow of electricity through it. Data encryption is much more efficient (and more humane!) – hardware and software cryptographic tools can give your digital values real protection.

SOME WORDS ABOUT HISTORY OF CRYPTOGRAPHY

As a science that studies information security tools, cryptography has been existing for more than four thousand years. At the same time, with the development of writing, people were looking for ways to encrypt what was written, hiding its essence from uninitiated. There much historical evidence of cryptographic systems from ancient times, for example, Caesar’s monoalphabetic cipher, which used the principle of shifting letter positions in the alphabet.

Over the centuries, both new cipher codes and new cryptanalytic methods (decryption methods), as well as devices that facilitate the encryption/decryption operation was invented — e.g., the Aeneas's line and disk, Ancient Spartan Scytale (Skytale), Cardan grille, St Cyr Slide (or Sliderule), The Jefferson disk (or wheel cypher, or Bazeries Cylinder), etc. For a long time, alphanumeric combinations were the basis of encryption — more complex poly-alphabetic systems replaced mono-alphabetic systems. A bit more than a hundred years ago, electromechanical devices began to be used for polyalphabetic encryption. Classical encryption is considered to be the symmetric key encryption, which uses the same sequence of characters both to encrypt and decrypt data.

The first attempts to use mathematical methods for encryption were made from the first half of the twentieth century.

The "father of the information age", an American mathematician and engineer Claude Elwood Shannon, made a significant contribution to the development of cryptography as science. He'd formulated the theoretical basis of cryptography and introduced many basic concepts.

Cryptographic data encryption technology

Shannon gave mathematical definitions to informational entropy, data transfer, amount of information, and formulated encryption functions. By the way, we use his term "bit" as the smallest unit of information. Besides, Shannon included as a mandatory element of encryption the study of the cipher for vulnerability by linear and differential cryptoanalysis.

Asymmetric encryption (aka public-key cryptography, or key pair encryption) has emerged as a new thread of cryptography since the mid-1970s, and now it is used everywhere. The essence of asymmetric encryption is that for encrypting and decrypting data, two keys are selected, public and corresponding to it private. Each key of the pair performs a well-defined function — the public key encrypts information, and the private key decrypts it.

Over the past four decades, information technologies have been progressing rapidly, offering new ways of cryptography and new areas for its using. Now cryptography is a combination of math and computer science. The progress of quantum computing technologies will upgrade cryptology to a new level, quantum cryptography, which is based on the principles of not math, but quantum physics. A branch of quantum cryptography is post-quantum cryptography that specifies in creating of synthetic cryptographic schemes that are resistant to both “classical” cryptanalysis methods and quantum ones.

Site transition statistics from http to https protocol

PURPOSES FOR WHICH CRYPTOGRAPHY IS SUITABLE

In ancient times and the Middle Ages, people used cryptography to allow certain information to be found only to those to whom the secret message is addressed. Now, over the centuries, the essence of this process still remains the same.

We can find out cryptographic information security tools everywhere — smartphones, smartwatches, and other gadgets, computers and routers, tablets and smart TV, household appliances, messengers and social networks, forex and trading software, etc. All data stored and/or transferred via all those things are ALWAYS encrypted.

Encryption is the most valuable in the financial transactions process, e.g., via NetBanking or PayPal and other international payment systems, and when withdrawing cash at an ATM or during transactions with payment terminals, when acquiring at retail POS or during forex deals.

Let's add here the tough competition among mobile operating systems, whose crypto-protection will more effectively protect user information.

Various cryptocurrencies, the most hype of the last decade, are also based on cryptographic algorithms.

Internet traffic needs crypto-protection, too, and HTTPS crypto-extension provides security on the data transferred through a secure socket layer (SSL) or transport layer security (TLS) protocol in “client-to-site” connection. Some years ago, Google accented on https and SSL-certificates using, and explained, that websites on https have better search-engine ranking.

Soon, other browsers began to use the label “http = dangerous site, https = secure” after Google Chrome. The infographics described the dynamic using https protocol by web sites can illustrate the statistics compiled on Mozilla Firefox from November 2013 to the present: As you can see, in March 2014, the global volume of https traffic was 28.31%, then five years later, in March 2019, this figure increased almost three times, to 78.38%. But the reason of this phenomenon can be artificial (due to the pressure from the global players of the information market), the results are still very positive — we can confidently say that the level of security of data transmitted over the Internet has increased significantly. So, our information protection is enhanced.

HARDWARE- OR SOFTWARE-BASED ENCRYPTION: A HARD CHOICE

Three types of encryption are used to protect information on hard drives: hardware, software, and soft-hardware. All of them use a cryptographic algorithm to protect data but has a difference in the way the encryption/decryption function is implemented.

When you should make a choice among them all, you should estimate your real needs. Software encryption is cheaper than hardware, but significantly inferior to it in reliability. Additionally, the CPU’s capacity in different cryptographic algorithms types are used in different ways: software encryption uses the computer's processor, while the hardware encoder has its own processor. So, software encryption is quite appropriate for personal computers and small businesses. And for corporate purposes, more perspective to choose hardware encryption to secure critical information — e.g., financial transactions, trade secrets, authoring, etc. Network traffic, communications, instant messengers — they all also use hardware cryptographic protection.

Some technical characteristics both hardware and software-based encryption to compare are in the table below:

Hardware-based encryption Software-based encryption
CPU Own; located on the encryptor/token/drive A part of the computer CPU’s capacity use to encrypt data, at the same time while other tasks and software are performing
Key Generates by using the built-in random number generator and unlocks with a user password. Hardware is used for authentication A password created by user
Performance impact Computer performance raises due to the host system is uninvolved in encryption tasks processing Encryption process works simultaneously with other software. It reduces computer performance
Key and data security Protection of keys and critical security parameters is performed by hardware encryption. Data is protected from the most common attacks (cold boot, malicious code injection, brute force, etc.) Vulnerability in password brute force attacks, especially in case of a RAM ingression
Economical efficiency Suits for large and medium-sized business, corporations. Allows scaling For small business and private persons
Gadget dependency The encryption function is implemented on only one specific device Encryption is available for all types of data storage
Installation of additional software or drivers Not needed Can be needed

One cute fact — despite the lifelong rivalry, both giants of the IT industry, Apple and Microsoft, came to the same decision: to implement software encryption for users of their operating systems. BitLocker becomes a component of MS Windows from version 7 of the corporate OS.

But sometimes encryption can decrease security. For example, soft-and-hardware encryption in some SSD drives was compromised, as researchers from the Netherlands found out. They found several variants of vulnerabilities, using which attackers could gain access to the data. One of these vulnerabilities was “hidden” just in the software and hardware system of cryptographic protection. The built-in BitLocker in Windows 10, having detected a hardware cryptographic system in the SSD disk, simply “gave way to an expert” and did not use its encryption function, relying on the competence of the hardware defense.

In that case, SSD manufacturers have eliminated the defects on time. But you should never forget that total protection against cyberattacks, as well as the universal equation of happiness or a cure for all diseases, does not exist. And in many ways, data security depends on the integrity of software vendors, equipment and infrastructure service providers.

This is especially true of cloud security. The SIM Networks team believes that ensuring our customers’ data security is one of our priorities. Therefore, we use hardware-based encryption to protect of SIM-Cloud IaaS data. Equally responsible, we approach the safety of data in all our other infrastructure solutions, including the private clouds for our customers.

WHY IS EVERYTHING NOT ENCRYPTED YET?

Until now, we talk about the importance of encryption. But vast volumes of information remain unencrypted. Why? If encryption is so efficient in the current cybercriminalized environment, why not all data are encrypted yet? There are some reasons can be mentioned.

It is not a big secret that encryption is quite expensive. And it means not only cryptography software and hardware measures but computing resources, too — RAM and processor time. Mathematically complex data conversion operations in the encryption process require significant resources, and it is a problem.

As we told early, Microsoft and Apple included data encryption functionality option for all customers who use their OSs. And it makes an illusion that encryption is free. But you should agree, that a couple of Tb (1012 bites) at the notebook drive is not the same as a couple of petabytes (1015 bytes) those are transmitted across and stored in a corporate infrastructure! In a first case, the user could not register out a little performance reduce on the hardware-encrypted notebook; but in the second case, when users are thousands or tens of thousands, and the number of transactions goes to millions, the resources diverted to data encryption can seriously slow down the system. That’s why when you are choosing cryptographic software and equipment for business, you should to take into account the economic factor, too – you need to estimate the actual value of the data to be encrypted, and relate it to the cost of encryption.

Another problem is a lack of transparency of the encryption. You cannot provide an interim check of encrypted data without full decryption. When it comes to cyberprotection, that's great. But if the data requires checking for consistency or compliance with any regulatory requirements – well, Houston, we have a problem. It is clear that this problem disturbs corporate users whose functions are distributed: one department creates a document, another edits it, a third does a compliance check, and a fourth publishes it on the web site. Data has to be decrypted, verified, and then re-encrypted at each node in this chain. It is quite costly, both in time and in resources, although it is possible to minimize performance reducing by specifically designing this process. But, in the case of data transfer through the VPN, all things are more complicated.

Often when you need view data transmitting via VPN connection, you should use an “intrusion from inside”, like a man-in-the-middle attack – a type of hacking in which an attacker can read, insert and modify the data transmitted within the VPN at will, and none of the sides of the channel is aware of the intervention. The VPN connection needs to be interrupted, the data should be decrypted and verified, and then the new tunnel should be created, through which the already verified data will be transmitted to the destination point. Some experts think, this option, especially on the scale of a corporation, is expensive and creates at least one network failure point.

Over the past few years some security solutions, containing partial transparency of encryption, have already appeared at the IT security market. However, the question of the vulnerability of systems with such an encryption scheme requires additional research.

A HIDDEN DANGER

A lack of transparency provides some more unpleasant surprises for users and systems. E.g., encrypted data mass may contain malicious code inside. The question is whether this type of data can be found and cleaned out by pointwise, without affecting the entire storage or data stream. The answer is – no, actually. For effective protection, malware needs to be detected before data is encrypted, or before it is decrypted for verification. In any case, this complicates the process and increases its cost. That’s why corporate IT divisions, after estimating the cost of implementation and support of a cryptographic system for their infrastructure, often decline this idea. Sure, it affects IT security in a bad way.

One more problem is infrastructure complication due to the use of cryptographic tools. It provides creating potential security systems failure-points those can be detected and used by hackers. Corporate data encryption consists of mass active elements, and the addition of a few more can significantly affect the overall performance of the security system. In hybrid cloud infrastructures with dozens of components, this impacts most of all — each additional component or process adds the possibility of failure and the costs of implementation and maintenance. Not every business is ready for this situation.

It may sound paradoxical but encryption procedure needs protection in the same way as data which it protects. Especially in a case of use key pair encryption. Much corporate security — in particular, based on materials from experts serving the networks of Starwood Hotels and Marriott International, — prove that the loss of a key to the encryption scheme seriously damages its security. Regardless of whether there is a stream of data to cryptographic protection in normal mode or via VPN, always exist mechanisms to start the encryption process and encryption keys – both must be stored and protected. Therefore, it is important to provide the security infrastructure for encryption mechanisms, as well as to plan the whole process of cryptographic protection, like all other corporate business processes.

Implementing cryptography security system in a business, you should do it attentively to each of critical details, without undue haste and acting in strict accordance to a previously developed plan. It is important because the consequences of careless planning can cause irreparable damage to the company.

The startler of the Canadian Cryptocurrency Exchange QuadrigaCX is a good example of bad planning. CEO of the company, Gerald Cotten, stored encryption keys on his encrypted laptop. Everything went well smoothly until he died suddenly. At the same time, no one - NO ONE - knew passwords and keys. As a result, the potential losses of the exchange may amount to $190 million, and this is the money of its customers! So far these funds have been frozen, and experts are puzzled over the solution of the CEO’s cipher.

Custom Server

Custom server

Create your own custom dedicated server

See configurator

CONCLUSION

So, you see, that that data encryption is difficult. Some managers and even some IT experts have a stereotype that encryption is reduced to filling in a couple of text fields and remembering a password, — voila, it's in the bag: you and your data are completely safe. No way! Like all other aspects of complicated, multilevel cybersecurity, encryption requires careful analysis, planning, logging, and clear implementation. And, of course, high competency at all stages. Only when all these conditions are fulfilled you can relax a bit and appreciate the advantages of data protection provided by cryptographic algorithms.

And we recommend you do not forget to backup to guarantee the integrity of your data. Sometimes a backup can save what is valuable to you, even if no other means work.

Did you like the article?

Cookie consent

By clicking «I agree», you consent to our website's use of cookies to give you the most relevant experience by remembering your preferences and repeat visits. However, you may visit «Manage сookies» to provide controlled consent. Learn more

Cookies settings

functional

Necessary cookies are crucial for the basic functions of the website and the website will not work in its intended way without them.

Analytics

Analytical cookies are used to understand how visitors interact with the website.

Advertisement

Advertisement cookies are used to provide visitors with relevant ads and marketing campaigns.