SoftRoots - Security Challenges Part IV

Home > Library > Security Challenges Part 4

Protecting Your Data in Today's World

Part 4 - Encryption and the Internet

Is there a need for data encryption within my environment? What dangers does the Internet pose? What is required to encrypt data? What data should be encrypted and why? Can hackers access encrypted data? Is one method of encryption better than another? Since securing data is becoming more important today than ever before, let's consider the subject of encryption and the Internet.

This is Part 4 of the series Protecting Your Data in Today's World. The following articles discuss related topics on how to protect your data in today's world:

Part 1 - Secure Systems and their Architecture
Part 2 - Authentication Methods
Part 3 - Application Data and its Value

With more organizations exchanging information over the Web, the need to protect confidential data is obvious. As e-business and e-commerce grow in popularity, the amount of sensitive data that is transmitted via the Internet will increase. This provides a huge potential for criminal activity if proper measures are not taken. One of the easiest and widely accepted methods of providing the first step in security is using the SSL (Secure Sockets Layer) protocol for encryption.

The Internet is an open network, which means that the connection between you and any other point can be routed through dozens of independent systems. Various Internet eavesdropping techniques such as snooping, spoofing and others, can "open the door" to unauthorized people. They can steal account names, passwords, credit card numbers, PIN numbers, personal data, and other confidential information, without you ever knowing it. This kind of theft occurs every day, all over the world. The level of sophistication of these attacks varies widely; it is generally believed that most break-ins to systems succeed due to weak passwords, whereas theft of transmitted data on the Internet can always occur when information is sent unencrypted.

Encryption itself is just one facet of practical security strategy. If you encrypt all your network traffic, but have poor physical security at your place of business, someone may circumvent your strong network encryption by stealing your hard disks. If your office is physically secure, but you don't encrypt your network traffic or use weak encryption, a hacker doesn't even have to visit your location. The hacker simply has to sniff your packets to steal every plaintext password that you use, not to mention the rest of your unencrypted data.

It's important to understand that even though encrypted transmission of information acts somewhat like a steel pipe to prevent tampering en route, it does not address the identity or trustworthiness of the individual at the other end of the pipe. In addition, modern cryptography can make it virtually impossible to decipher documents without the cryptographic key, thus making the availability of the contents of those documents depend on the availability of the key.

Various forms of cryptography using different algorithms exist today. Some are stronger than others. The strength of an algorithm is determined by: the secrecy of the key, the length of the key, the level of difficulty in reverse engineering the key with the cipher text (or in other words a plaintext attack), if any "back doors" exist to decrypt messages without a key, and the level of difficulty in breaking the encryption algorithm itself.

Symmetric key encryption, also known as private key encryption, is a system where two or more parties share the same secret key. Encryption and decryption of messages are based on that shared secret key. There are many common cryptographic algorithms that employ this design such as DES, Triple DES, RC5, IDEA, Blowfish and, AES.

Asymmetric key encryption, better known as public key encryption, eliminates some of the problems inherent to a symmetric key design. Public key encryption allows you to send encrypted messages to anyone, regardless if they have a secret key or not. It uses a public key to encrypt messages and a private key to decrypt them, preventing any compromise of security with the message or the decryption (private) key itself.

Many cryptographic systems use a type symmetrical key called a session key. Session key encryption is a hybrid system utilizing both private and public key infrastructures. In these systems slower and more complex public key cryptographic algorithms are used to encrypt the session key, which is then used in a symmetrical algorithm. In this system the session key is only used in one encryption session prior to being discarded, never to be used again.

Digital signatures employ a similar process to that of public key encryption. However, instead of using a public key to encrypt messages and a private key to decrypt them, digital signatures use the private key to encrypt data (creating a personal digital signature as it were), and the public key to decrypt data. The data is then associated with the sender's public key. Since only one key pair of private and public keys exist, the authentication of the sender is guaranteed.

Additional methods for encrypting data include one-way hash systems, message authentication codes, and message digests. Vendors of DBMS software have often used some kind of encryption scheme to prevent access to sensitive information. There are also methods that have little effect on system performance, and may contain other benefits (such as data compression) built in. One of the simplest methods, the 'translation table', can easily be implemented through software, but is not so easily decrypted when either the original or its encrypted data stream are unavailable. There are many variations of the 'translation table' method that include the use of multiple tables, data repositioning, XOR bit masking, 'flipping bits', bit rotation, word/byte rotation, and encrypting some kind of 'checksum' into the data stream itself, which can help you to detect whether data has been tampered with.

With more and more organizations sharing and moving data on the Internet and the increase in Web-based applications, the need to protect sensitive information has never been so great. Data encryption provides needed security for exchanging sensitive information over open networks. By combining data encryption with an effective authentication method and implementation of a security policy, you can reduce security threats and protect your data in today's world of e-commerce.