Protect the key or don’t bother encrypting your data

By Peter Carlisle, Vice President, nCipher Security.

There are many levels of data security. For companies who sensibly rely on more than perimeter security, data encryption gives extra protection. However, it’s worth remembering that its success depends entirely on the safety of the crypto key. Here we explain the importance of protecting your key by looking at the methods that hackers use - and don’t use - to get around encryption.

Encryption is one of the world’s oldest technologies. It can be traced back to Mesopotamian times, when craftspeople were securing recipes for pottery glaze - the commercially sensitive data of the day. For thousands of years, and until relatively recently, the method of encryption was considered as secret as the key itself and the opposing side would work on breaking both.

Now, all modern encryption processes are publically known, and perhaps counter intuitively, that’s a strength. The vulnerability in keeping an encryption process secret is that it can’t be peer reviewed and still remain effective. You don’t know if your enemies can break it until they do, and perhaps not for some time afterwards. If you have seen the film The Imitation Game about codebreakers during World War II you will recognise this point. The only way the Germans would know their code was broken was if the allies acted on their new intelligence in too obvious a way.

Today’s popular cryptographic algorithms like ECC, AES, 3DES and RSA are well documented, well tested and understood. They work because of the unique and complex keys that they generate. A 256 bit AES key has 1.15x1077 possible combinations. That’s 115 with 75 zeros. With our existing computing power, the time required to decrypt protected data is measured in millions of years. It doesn’t matter if you understand the complex mathematical equation that makes data unreadable, you cannot guess the unique key generated. Currently.

A side note on computing power. When quantum computing becomes available to hackers data encrypted with current keys will likely be unprotected. New quantum resistant keys will be required. As the National Institute of Standards and Technology (NIST) says in a recent report, “when that day comes, all secret and private keys that are protected using the current public-key algorithms—and all available information protected under those keys—will be subject to exposure.” Our industry is already working on larger signatures and key sizes (for example using message segmentation) to meet that challenge.

Because of the strength of our encryption technologies, the bad guys don’t try to break it any more. A hacker won’t attempt to brute force an encryption key, they will try to steal it instead. And if you store your encryption key in software, you are giving them a head start. A crypto key in software can be recognised as such. In a binary data scan a saved crypto key has a randomised pattern that can be identified using relatively unsophisticated tools. If a hacker finds this type of random data they can be confident that they have found some type of crypto key.

A company is likely to have only a few thousand keys, a number low enough for a hacker to work through. Based on a number of studies, the time between a hacker’s penetration and detection is between 160 and 260 days. Even at the low end, that’s a large number of hours. At the corporate hacking level, it’s likely that your attack will come from a group of hackers, multiplying the time available to match your keys to your data.

Thankfully, there’s a better way to store your crypto keys, one that isn’t visible to an intruder. A hardware security module (HSM) is a physical computing device that safeguards and manages digital keys and performs other cryptographic functions. A HSM is designed using strict standards developed by NIST precisely to provide the final layer of security in data encryption.

Keeping crypto keys anywhere other than a HSM is to fail at the final hurdle of data security. It’s the digital world version of locking your doors and then leaving your key under the doormat. Or if you are old enough to remember, leaving your car key in a magnetic box under the front wheel. A smart burglar will look there, and a hacker who sees encrypted data will look in every possible hiding place on your system for your keys. Make sure to investigate the best way to keep your crypto key secure before you take full comfort in having encrypted data.

By James Preston, Security Architect for ANSecurity.
By Tod Beardsley, research director, Rapid7.
It’s undeniable that cybercrime is quickly becoming one of the biggest threats to businesses today....
By Richard Hutchings, CTO at Littlefish.
For a long time many have thought of identity security as a necessary burden. All those passwords, a...
At a recent forum of senior CTOs, CISOs and analysts, several participants expressed a dislike for t...
Turning privacy and governance into competitive advantage. By Joe Gaska, Founder and CEO of GRAX.
Ever since Snowden revealed the extent to which US intelligence agencies can so easily access our da...