Data security and Encryption
Data security refers to protection of data, such as a database, from destructive forces and from the unwanted actions of unauthorized users. Encryption is the conversion of electronic data into another form, called ciphertext, which cannot be easily understood by anyone except authorized parties. The sata, often referred to as plaintext, is encrypted using an encryption algorithm and an encryption key. This process generates ciphertext that can only be viewed in its original form if decrypted with the correct key. Decryption is simply the inverse of encryption, following the same steps but reversing the order in which the keys are applied. The primary purpose of encryption is to protect the confidentiality of digital data stored on computer systems or transmitted via the Internet or other computer networks. Encryption algorithms play a critical role in the security assurance of IT systems and communications as they can provide not only confidentiality, but also the following key elements of security:
- Authentication: the origin of a message can be verified.
- Integrity: proof that the contents of a message have not been changed since it was sent.
- Non-repudiation: the sender of a message cannot deny sending the message.
Symmetric encryption uses the same key to encrypt and decrypt data. The most widely used symmetric algorithms are AES and TDES. The first one was created to protect government classified information and the second one is used in the financial banking and payment industries. Symmetric encryption is much faster than asymmetric encryption, but the sender must exchange the key used to encrypt the data with the recipient prior to the decryption – (i.e. communicating parties must have the same key before they can achieve secure communication). To securely distribute and manage large numbers of keys, most cryptographic processes use a symmetric algorithm to efficiently encrypt data, but use an asymmetric algorithm to exchange the secret key.
Asymmetric cryptography, also known as public-key cryptography, uses two different but mathematically linked keys, one public and one private. The public key can be published for anyone to use and encrypt messages, whereas the private key must be kept secret (i.e. only the receiving party to have access to the decryption key that enables messages to be read). RSA is the most widely used asymmetric algorithm, partly because both the public and the private keys can encrypt a message. Th opposite key from the one used to encrypt a message is used to decrypt it. This attribute provides a method of assuring not only confidentiality, but also the integrity, authenticity and non-reputability of electronic communications and data at rest through the use of digital signatures.
Key management is the management of cryptographic keys in a cryptosystem. It deals with the generation, exchange, storage, use, and replacement of keys. It includes cryptographic protocol design, key servers, user procedures, and other relevant protocols. Strong key management is critical to the security of a cryptosystem. It is generally the most difficult aspect of cryptography as it involves system policy, user training, organizational and departmental interactions, and coordination between all of these elements. Widely used is the Public Key Infrastructure(PKI) type of key management system, which uses hierarchical digital certificates to provide authentication, and public keys to provide encryption. PKIs are used for securing internet traffic, commonly in the form of SSL and TLS.
Key management compliance is the oversight, assurance and capability of being able to demonstrate that cryptographic keys are securely managed. This includes the following individual compliance domains:
- Physical security – the most visible form of compliance, which may include locked doors to secure system equipment and surveillance cameras. These safeguards can prevent unauthorized access to printed copies of key material and computer systems that run key management software.
- Logical security – protects the organization against the theft or unauthorized access of information. This is where the use of cryptographic keys comes in by encrypting data, which is then rendered useless to those who do not have the key to decrypt it.
- Personnel security – this involves assigning specific roles or privileges to personnel to access information on a strict need-to-know basis. Background checks should be performed on new employees along with periodic role changes to ensure security.
For any encryption, the most basic and common method of attack is brute force – trying each key until the right one is found. The length of the key determines the number of possible keys, and the feasibility of this type of attack. Encryption strength is directly tied to key size, but as the key size increases so too do the resources required to perform the calculation. Alternative methods of breaking an encryption are side-channel attacks, which don’t attack the actual cipher but its implementation. A flaw in system design or execution can allow such attacks to succeed.
Encryption, by itself, can protect the confidentiality of messages, but other techniques are still needed to protect the integrity and authenticity of a message -e.g. verification of a message authentication code (MAC) or a digital signature.