Protect the key or don’t bother encrypting your data

By Peter Carlisle, Vice President, nCipher Security.


There are many levels of data security. For companies who sensibly rely on more than perimeter security, data encryption gives extra protection. However, it’s worth remembering that its success depends entirely on the safety of the crypto key. Here we explain the importance of protecting your key by looking at the methods that hackers use - and don’t use - to get around encryption.

Encryption is one of the world’s oldest technologies. It can be traced back to Mesopotamian times, when craftspeople were securing recipes for pottery glaze - the commercially sensitive data of the day. For thousands of years, and until relatively recently, the method of encryption was considered as secret as the key itself and the opposing side would work on breaking both.

Now, all modern encryption processes are publicly known, and perhaps counterintuitively, that’s a strength. The vulnerability in keeping an encryption process secret is that it can’t be peer reviewed and still remain effective. You don’t know if your enemies can break it until they do, and perhaps not for some time afterwards. If you have seen the film The Imitation Game about codebreakers during World War II you will recognise this point. The only way the Germans would know their code was broken was if the Allies acted on their new intelligence in too obvious a way.

Today’s popular cryptographic algorithms like ECC, AES, 3DES and RSA are well documented, well tested and understood. They work because of the unique and complex keys that they generate. A 256-bit AES key has 1.15 x 10^77 possible combinations. That’s 115 with 75 zeros. With our existing computing power, the time required to decrypt protected data is measured in millions of years. It doesn’t matter if you understand the complex mathematical equation that makes data unreadable; you cannot guess the unique key generated. Currently.

A side note on computing power. When quantum computing becomes available to hackers, data encrypted with current keys will likely be unprotected. New quantum-resistant keys will be required. As the National Institute of Standards and Technology (NIST) says in a recent report, “when that day comes, all secret and private keys that are protected using the current public-key algorithms—and all available information protected under those keys—will be subject to exposure.” Our industry is already working on larger signatures and key sizes (for example using message segmentation) to meet that challenge.

Because of the strength of our encryption technologies, the bad guys don’t try to break it any more. A hacker won’t attempt to brute force an encryption key; they will try to steal it instead. And if you store your encryption key in software, you are giving them a head start. A crypto key in software can be recognised as such. In a binary data scan, a saved crypto key stands out as a block of random-looking bytes that can be identified using relatively unsophisticated tools. If a hacker finds this type of random data they can be confident that they have found some type of crypto key.
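The same observation works in the defender’s favour: the randomness that gives a key away to an intruder also lets you find keys that have leaked into your own build artifacts or memory dumps before an intruder does. The scanner below is an added example, not code from the original article or from nCipher. It slides a 32-byte window (the size of a 256-bit key) over a byte buffer, computes the Shannon entropy of each window and merges neighbouring high-entropy windows into regions for review. The sample "binary" it scans, including the 32-byte key literal embedded in it, is constructed for the example; the threshold of 4.7 bits per byte is an assumption chosen so that random bytes score above it while log text and zero padding score well below.

```python
import math

WINDOW = 32        # bytes; matches the 256-bit AES key size discussed in the article
THRESHOLD = 4.7    # bits/byte; 32 random bytes score roughly 4.8-5.0, English text 3.5-4.3, padding 0


def shannon_entropy(chunk: bytes) -> float:
    """Shannon entropy of a byte string, in bits per byte (0.0 for empty input)."""
    if not chunk:
        return 0.0
    counts = [0] * 256
    for b in chunk:
        counts[b] += 1
    n = len(chunk)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def find_high_entropy_regions(data: bytes, window: int = WINDOW, threshold: float = THRESHOLD):
    """Slide a window over data and merge overlapping windows whose entropy meets threshold.

    Returns a list of (start, end) byte offsets that a human should review for key material.
    """
    regions = []
    for offset in range(0, len(data) - window + 1):
        if shannon_entropy(data[offset:offset + window]) >= threshold:
            end = offset + window
            if regions and offset <= regions[-1][1]:
                regions[-1] = (regions[-1][0], end)  # overlaps the current region: extend it
            else:
                regions.append((offset, end))
    return regions


# Constructed sample "binary": log strings and zero padding with a 32-byte key literal
# embedded in the middle. The key bytes are made up for this example; they simply have
# 32 distinct values, as a real random key usually nearly does.
LOG_TEXT = b"Configuration loaded. Connecting to database on port 5432. Retrying after failure. " * 3
PADDING = b"\x00" * 64
EMBEDDED_KEY = bytes.fromhex(
    "9f1c3a57e08b6d24f1a9c0735e8d2b46c7e19a30d5f862b4e2c3a17f9d58b2c6"
)
SAMPLE_BINARY = LOG_TEXT + PADDING + EMBEDDED_KEY + PADDING + LOG_TEXT
KEY_OFFSET = len(LOG_TEXT) + len(PADDING)  # where the key was placed, for checking the result


def audit(data: bytes = SAMPLE_BINARY):
    """Report every high-entropy region in data and return the list of regions."""
    regions = find_high_entropy_regions(data)
    for start, end in regions:
        print(f"high-entropy blob at bytes {start}-{end} ({end - start} bytes): review for key material")
    if not regions:
        print("no key-shaped blobs found")
    return regions


if __name__ == "__main__":
    audit()
```

The reported region is a few bytes wider than the key itself, because windows that cover most of the key and a little padding still score above the threshold; that is the intended behaviour, since the point is to get a human looking at the right place. Run against a binary you ship, a hit means a key is recoverable by anyone who can read the file, which is exactly the head start the paragraph above describes.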

A company is likely to have only a few thousand keys, a number low enough for a hacker to work through. Based on a number of studies, the time between a hacker’s penetration and detection is between 160 and 260 days. Even at the low end, that’s a large number of hours. At the corporate hacking level, it’s likely that your attack will come from a group of hackers, multiplying the time available to match your keys to your data.

Thankfully, there’s a better way to store your crypto keys, one that isn’t visible to an intruder. A hardware security module (HSM) is a physical computing device that safeguards and manages digital keys and performs other cryptographic functions. An HSM is designed using strict standards developed by NIST precisely to provide the final layer of security in data encryption.

Keeping crypto keys anywhere other than an HSM is to fail at the final hurdle of data security. It’s the digital world version of locking your doors and then leaving your key under the doormat. Or, if you are old enough to remember, leaving your car key in a magnetic box under the front wheel. A smart burglar will look there, and a hacker who sees encrypted data will look in every possible hiding place on your system for your keys. Make sure to investigate the best way to keep your crypto key secure before you take full comfort in having encrypted data.
