Encryption: A Matter of Trust?

The protection of the cryptographic key and data is based on trust.
Published: Thu 10 Apr 2014

Many see the encryption process as the safest way to safeguard data. However, the protection of the cryptographic key is actually where the real security lies and where most of the challenges arise with the encryption process.

Cryptographic key protection

To the human eye, keys (long strings of random bits of data) are difficult to decipher. However, a computer views them simply as blocks of data, and storing them is simple. To use a key, the computer is required to know which particular bits should be considered the key, and where those bits are stored.

Now if the machine or the computer that is using the key knows where this data is stored, it can't be very difficult for a hacker to access this information. While a key, much like a good password, should be unique and random, finding one in storage memory is often not as difficult as one would think. Stronger keys contain a higher level of randomness, and that randomness stands out from the more structured data stored around it. With this knowledge, attackers target these patterns to initiate key extraction attacks.
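The point above, that a random key stands out from the structured data around it, shown as an added example that is not part of the original article: a sliding-window Shannon entropy check of the kind secret scanners use to find key material left in files. The sample key, the surrounding text, the window size and the threshold are all constructed for illustration.

```python
import math
from collections import Counter

def shannon_entropy(chunk: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 to 8.0)."""
    if not chunk:
        return 0.0
    total = len(chunk)
    return -sum(n / total * math.log2(n / total) for n in Counter(chunk).values())

def find_high_entropy_regions(data: bytes, window: int = 32, threshold: float = 4.6):
    """Slide a window over data and return merged (start, end) byte ranges
    whose entropy meets the threshold. A 32-byte window tops out at
    log2(32) = 5.0 bits, reached only when every byte in it is different."""
    regions = []
    for start in range(len(data) - window + 1):
        if shannon_entropy(data[start:start + window]) < threshold:
            continue
        end = start + window
        if regions and start <= regions[-1][1]:
            regions[-1] = (regions[-1][0], end)  # overlaps previous hit: extend it
        else:
            regions.append((start, end))
    return regions

# Constructed sample data (not from the article): a stand-in for a 256-bit key
# with 32 distinct byte values, embedded in repetitive configuration text.
SAMPLE_KEY = bytes((i * 167 + 13) % 256 for i in range(32))
PREFIX = b"service=backup;mode=backup;" * 4
SUFFIX = b"\x00" * 16 + b"owner=ops;" * 6
SAMPLE_IMAGE = PREFIX + SAMPLE_KEY + SUFFIX
KEY_OFFSET = len(PREFIX)

if __name__ == "__main__":
    print(f"text window entropy: {shannon_entropy(PREFIX[:32]):.2f} bits/byte")
    print(f"key entropy:         {shannon_entropy(SAMPLE_KEY):.2f} bits/byte")
    for start, end in find_high_entropy_regions(SAMPLE_IMAGE):
        print(f"high-entropy region at bytes {start}-{end} (key stored at {KEY_OFFSET})")
```

Run over your own repositories, backups or disk images, the same check shows where key material has been left in plain storage.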

Christopher Gorog, a business consultant, suggests that the following be carefully considered before relying too much on encryption:

 

Key storage

Key storage is critical. When exploring corporate security solutions, you want to know whether keys are centrally located or stored on distributed systems, and where they can be accessed from. Many solutions are popping up for cloud systems that store files, and these can be risky, since they will have access to the plain text data before the data is encrypted.

Key generation

Many key generation methods create keys using a process that makes them require less work to predict or recreate (hack). Key creation is an entire science in its own right. One needs to ask where the encryption process is occurring. If it's in the cloud, the cloud will have access to the plain text data and key. This service should only be used if the provider can be trusted. It is also important to check that the data was actually encrypted from the plain text.

Who has access to the process

Knowing who has access to the encryption process is often very difficult, since this is something companies don't want to reveal, for their own protection against hackers.

If the encryption process and the storage of keys are handled entirely outside your control and off your computer, then you have given that company full access to your data. A major cause for concern is when service providers offer password recovery.

This means that whoever is carrying out the process and storing the key has designed a back door into the process. So basically this circumvents any security offered, as access to the process used to recover passwords can empower anyone at the company to retrieve plaintext data.

When is the process being carried out

Bandwidth is often a limited commodity and may be frail or fragmented due to momentary outages or spotty transmissions. Cloud providers will upload your data and store it in temporary places while waiting to perform the encryption process. This generally happens at a time when it's more advantageous to the business organization.

It is obviously important to trust your provider, and to be aware of what is required to follow up with them.

What systems and resources are being used

In the world of cloud computing, very few know exactly what systems are being used to carry out the processing work. Cloud providers often cannot tell you where the encryption process and storage are taking place.

Basically, the only time you can ensure the process is protected and the keys are stored securely is when it's done by yourself on a trusted machine. Unfortunately, this takes a lot of processing power. This is why most providers perform this on high-powered cloud systems.

Therefore, it is critical to find out where the process is being carried out. If you want high assurance that keys and processes are protected, use a service that does the process on your machine.

However, personal control does have its own risks: if the key is lost, you will have no way to retrieve the data whatsoever.

Other points to consider

What are the countries that house the servers which store your sensitive material? Who are they, and where are they located? What legal requirements does that nation have for IT systems? What political agenda in various parts of the world would support things that we would consider malicious activity? Many cloud providers operate in countries where the laws are "open to interpretation" because they are friendlier to certain business models.


Therefore, it is clear that the encryption status of data gives you only as much protection as the trust you have in the service or systems that you are using.