Ask an Expert
Planning the right solution requires an understanding of your project’s security goals. Let Kingston’s experts guide you.
Ask an ExpertEncryption is a method of scrambling data so that it can’t be read by anyone except for authorised parties. The process of encryption converts plain text to cipher text using a cryptographic key. A cryptographic key is a set of mathematical values known and agreed by the both sender and recipient.
Decryption, or translation, of the encrypted data is possible for anyone in possession of the right key. That’s why cryptography specialists are constantly developing more sophisticated and complex keys. More secure encryption uses keys of sufficient complexity that hackers will find the process of exhaustive decryption (also known as ‘brute force’) to be functionally impossible.
Data can be encrypted when ‘at rest’ (in storage) or ‘in transit’ (while being transmitted). There are two major classifications of encryption: symmetric and asymmetric.
Privacy: only the owner and recipient of the data can read it, preventing attackers, ISPs and even governments from intercepting sensitive data.
Security: encryption helps prevent data breaches; if a corporate device is lost or stolen but its contents are encrypted, the data will still be secure.
Data integrity: encryption also prevents malicious behaviour like on-path attacks (intercepting information in transmission), as encrypted data cannot be viewed or tampered with along the way.
Regulations: many industry and government regulations require companies to encrypt user data, such as HIPAA, PCI-DSS and the GDPR. US government agencies and contractors must use the FIPS (Federal Information Processing Standards).
An encryption algorithm is how data is converted to cipher text. The encryption key is used by the algorithm to consistently alter the data so that even though it looks random, the decryption key can easily convert it back to plain text. Common encryption algorithms include AES, 3-DES, SNOW (all symmetric), and elliptic curve cryptography and RSA (both asymmetric).
Like all asymmetric encryption, RSA uses prime factorisation (multiplying two very large prime numbers together). Cracking it is very difficult because the original prime numbers must be determined, which is mathematically taxing. Brute force cracking an RSA key is next to impossible.
When a computer makes millions or even billions of attempts to crack a password or decryption key, it is called a brute force attack. Modern computers can go through these possible permutations incredibly rapidly. Modern encryption needs to be resilient to this kind of attack. The field of cryptography is a constant arms race between those developing faster ways to crack encryption, and those developing more sophisticated encryption methods.
Cloud storage encryption: data or text is transformed via encryption algorithms then put in cloud storage. Similar to in-house encryption, except the customer needs to figure out how the provider’s different levels of encryption match up to their needs in terms of security/data sensitivity.
Deniable encryption: encryption with multiple possible means of encryption, used for misinformation purposes if data is likely to or intended to be intercepted in transit.
FDE (Full-Disk Encryption): hardware-level encryption. Data on a hard drive is automatically encrypted and illegible to anyone without the proper authentication key. The hard drive is useless in any computer without the key.
BYOE (Bring Your Own Encryption): a cloud computing security model that allows customers to display a virtual instance of their own encryption software alongside their cloud-hosted application. Also known as BYOK.
EaaS (Encryption as a Service): a subscription service for cloud customers who can’t manage their own encryption. Includes FDE, database encryption or file encryption.
E2EE (End-to-End Encryption): protects data in transit. Messages such as WhatsApp are encrypted by client software, passed to a web client, then decrypted by the recipient.
Field-level encryption: encryption of data in specific webpage fields (e.g. NI numbers, credit card numbers, health-related/financial data). All data in a chosen field will automatically be encrypted.
Column-level encryption: an approach where all cells in the same column have the same password for access and read/writing.
Link-level encryption: encrypts data when it leaves the host, decrypts at the next link, then re-encrypts it when it is sent on again. It doesn’t have to be the same key/algorithm at every link.
Network-level encryption: cryptoservices at network transfer level; implemented through Internet Protocol Security (IPSec), which creates a private framework for communication over IP networks.
Homomorphic encryption: the conversion of data into cipher text that still permits analysis and work as if it were not encrypted. Useful for mathematical work that can be done without breaking the encryption.
HTTPS: allows website encryption by running HTTP over the TLS protocol. For a web server to encrypt the content it sends, a public key must be installed.
Quantum cryptography: depends on quantum mechanics to protect data. Quantum-encoded data cannot be measured without changing the values of these properties (location and momentum). Any attempt to copy or access the data will also change the data, alerting authorised parties that an attack occurred.
Cybersecurity strategies need to incorporate data encryption, especially as more businesses take up cloud computing. There are multiple ways that encryption can support company operations.
Email encryption: since email is fundamental in organisation-wide communication and business operations, bad actors target it for attack or inadvertent disclosures. Industries such as financial services or healthcare are highly regulated but enforcement can be hard, especially with email where end-users often resist change to standard operating procedures. It is possible to augment operating systems and common email clients with encryption software so that sending an encrypted email is as easy as sending one unencrypted.
Big data: continuous data protection for privacy compliance, secure cloud analytics, encryption and tokenisation tech for cloud transfers; encryption can streamline multi-cloud operations by centralising data-centric protection. Whenever sensitive data traverses multi-cloud environments, it will be encrypted by these technologies.
Payment security: merchants, payment processors and enterprises alike have big challenges securing high-value sensitive data e.g. payment cardholder data so that they can comply with PCI DSS (Payment Card Industry Data Security Standard) and data privacy laws. However, encryption software can protect retail POS, web and mobile ecommerce transactions.
In addition to the above services and protections offered by encryption, it provides confidentiality (encoding a message’s content), authentication (verifies a message’s origin), nonrepudiation (prevents credible denial of an encrypted message’s dispatch) and integrity (proves message contents are untampered).
Encryption is designed to lock unauthorised entities out of comprehending ill-acquired data. However, in some situations it can also lock out the data owner. Key management is tricky for enterprises because they need to live somewhere and attackers are often savvy about looking for them. Key management adds additional complexity to backup and restoration as, in the event of disaster, key retrieval and addition to backup servers is time-consuming. Admins must have a plan for key management system protection e.g. a separate backup that is easy to retrieve if a large-scale disaster occurs.
Software exists to streamline key management, such as key wrapping. This encrypts an organisation’s encryption keys, individually or in bulk. They can be unwrapped when needed, usually with symmetric encryption.
While brute force attacks can be ineffective against high-bit keys, vulnerabilities do exist. Many attempts focus on gaining unauthorised access to keys via social engineering methods. That is to say, attacking not the system but the humans that maintain and interact with it. Phishing, malware, BadUSB attacks: there are many methods by which hackers can circumvent the security measures put in place to shield networks from external attacks by exploiting the fallibility of humans.
Software-based encryption is also considered to be less secure than hardware-based encryption. Software-based encryption is called ‘removable encryption’ by some, as it can potentially be circumvented by bad actors making physical attacks. Hardware-based encryption is often thought to be more secure, as it includes physical defences to prevent tampering.
#KingstonIsWithYou #KingstonIronKey
Planning the right solution requires an understanding of your project’s security goals. Let Kingston’s experts guide you.
Ask an Expert