The key to strong encryption: Matching the right tools to the job


Cryptography is a tool, and to be effective, it must be implemented as part of a larger security program that takes into account the nature of the data being protected, the nature of the threats it faces and the network or devices where it lives.

Cryptography can be a powerful tool—so powerful, in fact, that the federal government has regulated the export of the technology for national-security reasons. But no matter how strong it is, no single cryptographic tool can solve all your data security needs.

Security technologies each have strengths and limitations, even when they use the same types of algorithms and key strengths.

“Organizations have to think about what type of threats they want to protect against, and that will determine the type of technology used,” said Karen Scarfone, a computer scientist at the National Institute of Standards and Technology, who helped write NIST’s guide to storage encryption.

Is the data to be protected at rest or in transit? Where is it being stored? Is it sensitive or highly classified? How valuable is it to someone else? How long is it likely to remain valuable? Are you worried primarily about theft or about loss? Answers to questions such as those can help determine whether you want a broad tool such as full-disk encryption, a more granular tool such as file encryption, or a specialty tool such as format-preserving encryption. Your answers also help determine what key strength you should be using.

With the increasing power of small handheld devices and the growing efficiency of cryptographic tools, the computational overhead of cryptography is becoming less of an issue when selecting a tool. Organizations probably should go with the strongest cryptographic tools available, experts say, because an attack that is impractical today becomes cheaper as computing power grows.

“If you start out strong, you probably will be able to use it longer,” Scarfone said.

However, strong cryptographic tools are not enough, said Terence Spies, chief technology officer of Voltage Security. “It doesn’t excuse you from doing the other things you should do,” such as using firewalls and anti-malware tools, monitoring network activity, and defining access policies, Spies said.

Encryption is the scrambling of a message according to a formula or algorithm so that only someone with the proper key can unscramble and read it. Cryptography has been around for millennia, but until recently it was used largely by governments because of the difficulty of generating, distributing and safeguarding keys that are adequately strong.

“The big challenge is: How do you protect the keys?” said Wayne Grundy, director of the Transglobal Secure Collaboration Program (TSCP). “We’re using the standards that have been laid down by the government.”

TSCP was formed in 2002 by the United Kingdom's Ministry of Defence to define technical specifications for secure collaboration between governments and among contractors. Its members include the U.S. Defense Department, the Dutch government, and a handful of major international defense contractors, including BAE Systems, Boeing, EADS, Lockheed Martin, Northrop Grumman, Raytheon and Rolls-Royce.

Specifications for a secure e-mail standard developed by TSCP use a trusted public-key infrastructure model, similar to the U.S. government’s Federal PKI Bridge. The specifications also include a set of policies and procedures for vetting and managing an organization's identity and access controls. This would assure users that an e-mail is securely encrypted and the senders and receivers are who they say they are and are entitled to access the contents.

Although the U.S. government is still a leader in strong cryptography, the development of powerful computing technology and the invention of public-key cryptography have brought strong cryptography into the private sector.

“Government and business are more closely aligned now than they ever were before,” said Jeff Nigriny, president of identity management company Certipath.

Banks and other businesses use PKI routinely for online transactions, and it is being implemented throughout the defense supply chain to enable secure collaboration.

“All of these things are hallmarks of a maturing industry,” Nigriny said.

Encryption essentially is a way to simplify the job of securing information, Spies said. It enables access to a large amount of information through a small amount of data: the encryption key.

“You don’t have to hide the data anymore, you just have to hide the key,” he said. “And when you know who has the key, you know who has access to the data.”

Building blocks

However, encryption is only part of an overall strategy for security, and effective encryption is built on good identity management and access policies. “One of the most basic jobs is to express who should have access to any data,” Spies said.

A more basic task is identifying data to protect. “If you are going to have a policy on who can have access to data, you have to know what data you have,” he said.

After you have identified data, you can evaluate the threats your organization faces and begin to think about the technology you need to counter them.

There is a traditional trade-off between the strength of encryption and its impact on a system's performance. That has led to the practice of using the minimum key strength that meets the requirement, so that performance is affected as little as possible.

“People want security to just work, without adding any overhead,” Spies said.

The standard for Internet commerce for some time has been the 1,024-bit RSA key. RSA uses a public/private key pair: the public key encrypts, the private key decrypts. The public key's modulus is the product of two large prime numbers, and anyone who can factor the modulus back into those primes can derive the private key and decrypt the data. The size of the modulus determines how hard that factoring is. Factoring a 1,024-bit modulus is still beyond what has been demonstrated publicly, but the task becomes easier as more computing power becomes available, and many experts consider the protection offered by a 1,024-bit RSA key to be minimal, at best.
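As an added example (not code from the article or from any vendor quoted in it), the following stdlib-only Python script makes two of the points above concrete: Spies' observation that hiding the key is what hides the data, and the factoring attack on RSA described in the previous paragraph. Everything in it is deliberately toy-sized: a roughly 60-bit modulus built from two constructed primes, textbook RSA with no padding, and an HMAC-SHA256 counter-mode keystream standing in for AES so that no third-party package is needed. Those simplifications let the script run in under a second and none of them is how a production system should be built; real deployments use 2,048-bit or larger RSA (or ECC) through a vetted library with proper padding and an authenticated cipher.

```python
"""Added example: the key as the single secret, and why RSA's secret rests on factoring."""
import hashlib
import hmac
import math
import random


def toy_rsa_keypair(p: int, q: int, e: int = 65537):
    """Build an RSA key pair from two primes. Returns ((n, e), d)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)          # private exponent: e * d == 1 (mod phi)
    return (n, e), d


def keystream_xor(data_key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: XOR with an HMAC-SHA256 counter-mode keystream.
    A stand-in for AES so the example runs without third-party packages;
    encryption and decryption are the same operation."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        ks = hmac.new(data_key, offset.to_bytes(8, "big"), hashlib.sha256).digest()
        chunk = data[offset:offset + 32]
        out.extend(b ^ k for b, k in zip(chunk, ks))
    return bytes(out)


def wrap_key(public_key, data_key: bytes) -> int:
    """Encrypt the data key under the public key (textbook RSA, no padding: toy only)."""
    n, e = public_key
    m = int.from_bytes(data_key, "big")
    if m >= n:
        raise ValueError("data key must be smaller than the modulus in this toy")
    return pow(m, e, n)


def unwrap_key(private_d: int, n: int, wrapped: int, key_len: int) -> bytes:
    """Recover the data key with the private exponent."""
    return pow(wrapped, private_d, n).to_bytes(key_len, "big")


def pollard_rho(n: int) -> int:
    """Return a non-trivial factor of composite n (Pollard's rho, Floyd cycle finding)."""
    if n % 2 == 0:
        return 2
    while True:
        c = random.randrange(1, n)
        x = y = random.randrange(2, n)
        d = 1
        while d == 1:
            x = (x * x + c) % n
            y = (y * y + c) % n
            y = (y * y + c) % n
            d = math.gcd(abs(x - y), n)
        if d != n:               # d == n means the walk failed; retry with a new c
            return d


def recover_private_key(public_key) -> int:
    """The attack the text describes: factor n, rebuild phi, derive d."""
    n, e = public_key
    p = pollard_rho(n)
    q = n // p
    return pow(e, -1, (p - 1) * (q - 1))


def demo() -> bool:
    # Constructed sample: two ~30-bit primes give a ~60-bit modulus that a laptop
    # factors in well under a second. A real modulus is 2,048 bits or more.
    public_key, d = toy_rsa_keypair(1_000_000_007, 998_244_353)
    n, _ = public_key
    data_key = random.getrandbits(48).to_bytes(6, "big")   # must be < n in this toy
    plaintext = b"contract draft: unit price 4.20 per meter, 20-year term"
    ciphertext = keystream_xor(data_key, plaintext)
    wrapped = wrap_key(public_key, data_key)

    # Legitimate holder: whoever has d has the data key, and so the data.
    assert unwrap_key(d, n, wrapped, 6) == data_key

    # Attacker: given only (n, e), factoring n yields d, and with it the data.
    d_recovered = recover_private_key(public_key)
    recovered_plain = keystream_xor(unwrap_key(d_recovered, n, wrapped, 6), ciphertext)
    return d_recovered == d and recovered_plain == plaintext


if __name__ == "__main__":
    print("factoring recovered the private key and the data:", demo())
```

The script keeps only one secret, the private exponent d, exactly as Spies describes: the ciphertext and the wrapped key can be public. Pollard's rho is a general-purpose factoring method that scales roughly with the fourth root of n, which is why it breaks a 60-bit toy instantly and why a 1,024-bit modulus needs the far heavier number-field sieve and a large computing effort.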

“It is time to move on” from 1,024, said Bill Lattin, chief technology officer of Certicom, a PKI company.

How far you should move depends on several things, Lattin said. One is the value of your data. Is it worth someone spending a year harnessing a distributed network of computers to crack a key? If it is, use a key that will take 10 years to crack. Another issue is how long the system you are using will be fielded and the longevity of your data.

For ephemeral data, such as a stock trade, 1,024-bit encryption might be acceptable. Personal information and state secrets need longer protection. And utility companies are in the process of fielding smart meters that will provide two-way communication between a power grid and a consumer’s home to improve efficiency. That infrastructure will be in the field for 20 years or more, so security must be strong enough not only to last 20 years but also to survive much stronger attacks that will be possible 20 years from now.
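The reasoning in the last three paragraphs, choosing a key strength from how long the data and the system must survive, can be written down as a small policy check. The following Python script is an added example, not the article's or any vendor's code. Its numbers come from NIST SP 800-57 Part 1 Rev. 5 (Table 2, comparable key sizes across algorithms; Table 4, the years through which each security strength may be used to apply protection); the Asset model, the lifetime arithmetic and the sample assets are this example's own constructions. Note that under the current revision 80-bit security, which is what 1,024-bit RSA provides, is no longer allowed for applying new protection at all, so even the ephemeral stock-trade case fails the check today.

```python
"""Added example: pick a key strength from how long the data must stay protected."""
from dataclasses import dataclass

# security strength in bits -> (RSA modulus bits, ECC key bits, symmetric key bits)
# Values from NIST SP 800-57 Part 1 Rev. 5, Table 2.
COMPARABLE_SIZES = {
    80: (1024, 160, 80),      # legacy processing only; not for applying new protection
    112: (2048, 224, 112),    # acceptable for applying protection through 2030
    128: (3072, 256, 128),    # acceptable beyond 2030
    192: (7680, 384, 192),
    256: (15360, 512, 256),
}
LEVELS = sorted(COMPARABLE_SIZES)


def minimum_strength_for_year(protect_until: int) -> int:
    """Lowest security strength NIST allows for data that must stay protected
    through the given year (SP 800-57 Part 1 Rev. 5, Table 4)."""
    return 112 if protect_until <= 2030 else 128


@dataclass
class Asset:
    name: str
    fielded: int          # year the system goes into service
    service_years: int    # how long the hardware stays in the field
    data_lifetime: int    # years the data stays valuable after the system is retired

    def protect_until(self) -> int:
        # Ciphertext produced on the last day of service must outlive the data.
        return self.fielded + self.service_years + self.data_lifetime


def recommend(asset: Asset, extra_levels: int = 0) -> dict:
    """Key sizes for the asset. extra_levels steps up the table for data that is
    worth a multi-year cracking effort (Lattin's 'use a key that takes ten years')."""
    base = minimum_strength_for_year(asset.protect_until())
    idx = min(LEVELS.index(base) + extra_levels, len(LEVELS) - 1)
    rsa, ecc, sym = COMPARABLE_SIZES[LEVELS[idx]]
    return {"asset": asset.name, "protect_until": asset.protect_until(),
            "strength": LEVELS[idx], "rsa_bits": rsa, "ecc_bits": ecc,
            "symmetric_bits": sym}


def rsa_key_is_adequate(rsa_bits: int, asset: Asset) -> bool:
    """Does an already-deployed RSA modulus meet the recommendation for this asset?"""
    return rsa_bits >= recommend(asset)["rsa_bits"]


if __name__ == "__main__":
    # Constructed cases mirroring the article: an ephemeral trade and a 20-year meter.
    for a in (Asset("stock trade", 2009, 1, 0), Asset("smart meter", 2010, 20, 5)):
        print(recommend(a), "| 1024-bit RSA adequate:", rsa_key_is_adequate(1024, a))
```

The meter case is the one to watch: hardware fielded in 2010 with a 20-year service life already crosses the 2030 boundary, and the key size baked into the firmware has to be chosen before the first unit ships.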

Implementing encryption without excessively taxing today's technology is becoming easier. One development is elliptic curve cryptography, a type of algorithm that offers security comparable to RSA with much shorter key lengths. Certicom is a supplier of ECC technology.

“You’re talking to a biased source, but we certainly believe ECC will be the future of cryptography,” Lattin said.

ECC can provide the equivalent protection of a 3,072-bit RSA key with just 256 bits and the equivalent of a 15,360-bit RSA key with 512 bits. Such improvements are making it easier to get strong security on small devices. Encryption company PGP supports the Research In Motion BlackBerry and Microsoft Windows Mobile devices, providing the same look and feel for the user as for the desktop system.

“Mobile devices are becoming another endpoint within the enterprise infrastructure,” said Doris Yang, PGP's mobile products manager. The BlackBerry is the top enterprise tool, with Windows Mobile devices a close second, she said. But the approach PGP takes to the two types of devices is different.

Because the BlackBerry is primarily an e-mail tool, PGP supports e-mail encryption. Windows Mobile is an operating system for a more full-featured computer, so PGP focuses on disk and file encryption for it.

Agencies generally are required to encrypt sensitive data that resides on mobile devices, from laptop PCs to handheld devices, and there are a variety of techniques to choose from, including full-disk encryption, virtual disk or volume encryption, and file and folder encryption.

“They use the same cryptographic algorithms and the same strength keys,” Scarfone said, but they serve different purposes. Choosing the proper technique with the right algorithm and the right strength key requires a standardized way of comparing them.

“NIST has made standardization of encryption their business,” Nigriny said.

The standards are required only for government users, but they also are available for the private sector. NIST provides guidance on choosing the appropriate kind of cryptography in Special Publication 800-111, “Guide to Storage Encryption Technologies for End User Devices.”

“The appropriate encryption solution for a particular situation depends primarily upon the type of storage, the amount of information that needs to be protected, the environments where the storage will be located, and the threats that need to be mitigated,” the guidance states.

“We’re not trying to tell you how to secure a particular operating system or type of device,” Scarfone said. “The difference in the technologies is the type of threat they protect against.”

Types of encryption

Full-disk encryption, as its name implies, encrypts an entire drive so that a device cannot be booted without a credential that unlocks the disk key. Once the device has booted and the user has authenticated, the drive is decrypted transparently for every process on the machine, so “it will only provide protection when the device has been powered off,” Scarfone said. It therefore protects primarily against theft or loss of a device, which is more important for mobile devices than desktop PCs.

Virtual disk encryption and volume encryption encrypt part of the drive rather than all of it: virtual disk encryption puts files and folders inside an encrypted container file, while volume encryption encrypts a logical volume such as a partition. In either case the device can be booted without decrypting the protected data, but authentication is needed to mount and access it.

“It helps to protect against things like malware,” which cannot see the encrypted data, Scarfone said, and any data stolen from the device is not usable to a third party. It also gives protection in case of theft or loss. The caveat is that the protection holds only while the container or volume is locked; once a user has mounted it, any software running in that user's session can read the plaintext, so it should be unmounted when not in use.

File and folder encryption is more granular, allowing the encryption of specific files or folders. This method can be convenient because it allows a user to encrypt only data that is sensitive but can be less convenient because it can mean decrypting multiple files to access them.

“You want to choose the cryptographic method that is going to protect against the threat you want protection from,” Scarfone said. But regardless of the type of encryption used, the bias should be toward stronger rather than weaker keys. “In most cases, there is no reason not to use the strongest encryption you can,” she said.

Overkill is not a problem, because the strength of the attacks you are protecting against inevitably will grow over time, so strong encryption can help prepare systems and devices for future attacks. And although decryption adds an extra step to accessing data, the performance difference between weaker and stronger keys is small.

Of her own experience with full-disk encryption, Scarfone said, “it takes a little longer to boot up and shut down, but it is a matter of seconds, and I don’t notice any difference in performance.”
