Unlocking the Secrets of Data Protection: A Simplified Guide to Encryption
There are few areas that are so misunderstood as data protection by encryption. Myths and misconceptions range from “I've encrypted and now it's completely secure (forever)”, via “encryption is only for engineers”, to “no one can see my data because it's encrypted”. In today's Tech Blog we are going on a joint journey to address what encryption is, and what it isn't. Warm welcome to this Tech Blog that is trying to demystify this area.
Introduction – a primer on data protection by encryption
In its absolute simplest form, encryption can be seen as a method to hide information by turning readable information into unreadable information. This magic transformation is done by an encryption key that is generated through an encryption algorithm. Let me pause shortly and be clear: an encryption key and a certificate are not the same. In many conversations those are mixed interchangeably, and I think we need to be clear what we are talking about to not end up in wrong places. A certificate (or a public key certificate) is a digital document that asserts ownership of a private key. It includes the public key that it is certifying, as well as the identity of the key owner among other things.
The main reason for protecting information by encryption is to keep unauthorized parties from intercepting your information. In information technology jargon this is called ensuring the confidentiality of information. The fastest way to hide information by encryption is to use one key that does both the encryption and the decryption of the information. This is called symmetric key cryptography, and the shared secret key that is created poses a risk if it is not transmitted securely to the intended recipients.
The solution to this problem is to create a key-pair and make one of the keys a publicly available key, while keeping the other key private (secret). In this way we can use the public keys of the recipient we want to share secrets with and encrypt the information with that key. The recipient can then use the private (secret) key to decrypt the information. This method is called asymmetric encryption and is also known as public-key cryptography (PKI).
In practical applications of encryption both symmetric and asymmetric encryption is employed, based on the sensitivity of information and the appropriate level of protection.
So, you can already conclude that the combination of symmetric and asymmetric key can be used to exchange information between involved parties. But in our networked (and malicious) world of today there are several potential termination points before the encrypted message reaches the intended recipient(s). This means that an encrypted message can be decrypted for inspection enroute. To solve the integrity part there must be another layer of encryption that is often referred to as hashing. This is a process that produces a sum of the encrypted information that the receiving party can check if it corresponds to the expected value or not.
Practical applications of encryption
You are subjected to encryption in many different settings during your daily (digital) life. When you read this blog post, your browser initiated an encrypted channel for the session. Most of the online experiences of today are done via encrypted channels without us paying attention to it. The mobile devices of today are encrypted at several layers and the dominating providers of mobile operating systems, Apple, and Google, constantly innovate within that space. Many of the regular messaging apps are encrypted. When using cloud storage solutions, they are also encrypted on the filesystem level. Encryption is around us and the practical applications of encryption are growing.
In a banking perspective, the application of encryption is a core capability. The sensitivity of information always dictates the needed level of applying the right level of encryption. When searching for data encryption on the internet, there is usually definitions of data encryption at rest, in transit, in use, and a context of digital signatures for the integrity of the data. When architecting a solution in a bank, there are considerations to be made how data remains secure in different states. This can mean that a solution cannot rely on a transport encryption only, but the payload needs to be encrypted as well. It is imperative to have a full understanding of the value of data to be protected, how the data is consumed, what the patterns are for different states, where the data is transformed to another set of data and so on.
Root of trust
A root of trust within the field of encryption is the goal to have as much sole possession of encryption keys as possible. This includes cryptographic key management: Generating, storing, and using cryptographic keys in a secure manner. It should include hardware-based key storage in special-purpose hardware security modules (HSMs) that need to be validated according to FIPS 140-2, level 3. That validation is to attest that the HSM is tamper resistant and have secure logical channels for crypto operations for authenticated users. It is preferable to do the authentication by means of multifactor authentication (MFA).
The term “root of trust” shouldn't be interpreted as putting full trust in a single entity sitting at the top of the pyramid. It is worth re-iterating: The term should be interpreted as the collective efforts to, as far as possible, secure the sole possession of encryption keys and their management. This has nothing to do with higher levels of security. Instead, it is a way to have higher levels of control of the most valuable secrets.
Cryptanalysis and quantum computing
Cryptanalysis is a field in which one analyses information systems to understand their hidden aspects and particularly to breach cryptographic security systems without knowing the key. There are various techniques adopted simultaneously to find weaknesses in cryptographic algorithms and try exploiting those to be able to decipher the data encrypted. Simply speaking to find an open window and break in to sniff around, without using the original key. The field is as old as the practices of trying to hide plain text.
Quantum computing is a completely new paradigm when it comes to computing. Instead of relying on bits (0 or 1) quantum computers use quantum bits, so called qubits. Those can exist in multiple states simultaneously due to the principles of entanglement and superposition. This makes quantum computers able to process vast numbers of possibilities simultaneously. The field of quantum computing is evolving rapidly and there are notably two algorithms that have the potential to accelerate the field of cryptanalysis:
- Shor's algorithm that can factorise large numbers in an efficient way, a task that is time-consuming for computers (as we know them). This can pose a threat to well-known public key algorithms.
- Grover's algorithm that offers a quadratic acceleration for unstructured searching. This algorithm could halve the bit strength of symmetric key algorithms.
There are, of course, developments in the field of encryption algorithms both within the quantum space, as well as quantum-resistant algorithms.
SEB and data protection by encryption
Protecting SEB customer data and assets and adhering to laws and regulations is at the core of our practices. A sound security culture, mindset, and realisation of needed security capabilities is a must. One of the crucial capabilities is to have proper data protection by encryption and the corresponding cryptographic key management practice, independent of the delivery model.
In conclusion – demystifying encryption
"Encryption is not a panacea!” An old saying that holds validity even today. We should acknowledge that no silver bullets exist and have that as a good starting point. Combine that view with the understanding that not all data is created equal, and we will have a constructive journey when architecting data protection measures. Encryption is going to be one part of the protection puzzle and the trick is to understand which pieces to apply this on. Poorly architected applications with bad handling of encryption keys and secrets are going to be bad wherever they are transformed. There is only so much lipstick you can put on a pig.
Striving for root of trust for critical data provides the value of good control. The value lies in the stringent processes needed to achieve the right level of root of trust. This is a prerequisite to build a strong chain and not take shortcuts.
Hope that this shed some light on the fascinating area of encryption. Stay safe and encrypted.
Author
Predrag Mitrovic, Information Security Officer at Group Security & Cyber Defence