In our fundamentals of security series, we introduce common concepts in security. The last segment looked at DNS security. In this segment, we discuss encryption: What it is, how effective it is, and how to use it.
Encryption is essential and can be extremely effective, but only when it is used correctly. There are misconceptions about encryption that even experts sometimes get wrong.
Why do we Encrypt?

Because our data is occupying space we can’t fully control or secure, like a flash drive, the internet, or a server. Because there is no such thing as perfect security. Encrypting data stymies successful attacks, leaving hackers unable to read the data they came for.
The only data that shouldn’t be encrypted is in your head.
Unfortunately, that’s not a reality for most organizations. Sometimes poorly implemented systems require the transmission of unencrypted or poorly encrypted data. It’s still important to do as much as possible, within the confines of practicality.
Symmetric vs. Asymmetric-key Algorithms

In general, cryptography requires a key or a password to retrieve data. Symmetric-key algorithms use the same key to encrypt and decrypt data. Asymmetric-key algorithms use different keys for encryption and decryption.
Algorithms like AES and 3DES are symmetric. They provide high speed and security at relatively low key lengths. They’re used to store files that one party needs access to and to encrypt high volumes of data, for example, web traffic.
But how can server and client securely share the same key?
That brings us to asymmetric-key algorithms like RSA, which work with two keys: A public key to encrypt sensitive information and a private key that decrypts. This is an effective way to send small amounts of sensitive data without requiring trust.
Asymmetric-key algorithms require longer key lengths and are slower than symmetric-key algorithms. It would be impractical to use them to encrypt web traffic. But they do play a role.
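The two families are usually combined: a fresh symmetric key encrypts the bulk data, and the asymmetric key protects only that small symmetric key. The sketch below is an added example, not code from this series. It uses Node's built-in `crypto` module, and the function names (`fitsInRsa`, `seal`, `openSealed`) and the in-process key pair are assumptions made for the demonstration.

```javascript
// Added example: hybrid encryption (RSA-OAEP wraps a one-time AES-256-GCM key).
const crypto = require("node:crypto");

// Constructed for the demo: in practice the recipient generates this pair once
// and publishes only the public half.
const { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: "sha256" };

// RSA on its own only fits small inputs: with a 2048-bit key and OAEP/SHA-256
// the limit is 256 - 2*32 - 2 = 190 bytes. Larger inputs make publicEncrypt throw.
function fitsInRsa(pub, data) {
  try { crypto.publicEncrypt({ key: pub, ...OAEP }, data); return true; }
  catch { return false; }
}

// Sender: AES-GCM for the (possibly large) payload, RSA for the 32-byte key.
function seal(pub, plaintext) {
  const aesKey = crypto.randomBytes(32);  // fresh symmetric key per message
  const iv = crypto.randomBytes(12);      // 96-bit nonce, unique per key
  const cipher = crypto.createCipheriv("aes-256-gcm", aesKey, iv);
  const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return {
    wrappedKey: crypto.publicEncrypt({ key: pub, ...OAEP }, aesKey),
    iv,
    ciphertext,
    tag: cipher.getAuthTag(),             // integrity check for the ciphertext
  };
}

// Recipient: unwrap the AES key with the private key, then decrypt and verify.
function openSealed(priv, msg) {
  const aesKey = crypto.privateDecrypt({ key: priv, ...OAEP }, msg.wrappedKey);
  const decipher = crypto.createDecipheriv("aes-256-gcm", aesKey, msg.iv);
  decipher.setAuthTag(msg.tag);
  // final() throws if the ciphertext or tag was modified in transit.
  return Buffer.concat([decipher.update(msg.ciphertext), decipher.final()]);
}

// Constructed sample payload: 1 MiB is far too large for RSA alone.
const payload = Buffer.alloc(1024 * 1024, 0x41);
const sealed = seal(publicKey, payload);
console.log("fits in RSA directly:", fitsInRsa(publicKey, payload));
console.log("round trip ok:", openSealed(privateKey, sealed).equals(payload));
```

The slow asymmetric operation runs once per message on 32 bytes, while the fast symmetric cipher handles the payload regardless of its size.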
Problems with Encryption

Encryption algorithms are considered secure when first introduced, but problems arise later on. Sometimes bugs emerge in libraries, and other times advancements in technology render old algorithms obsolete.
Take DES, which has a short key length of 56 bits. It was once secure, but now can easily be cracked. 3DES improved its security by performing the DES algorithm three times. While it is more secure, it isn't totally secure. Since the Sweet32 attack came out, it’s not recommended for high volumes of data.
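Sweet32 is a birthday-bound attack on ciphers with 64-bit blocks, such as 3DES: once enough blocks have been encrypted under one key, two ciphertext blocks are likely to collide. The calculator below is an added example, not part of the original article. It estimates how much data can be encrypted under one key before that risk reaches a chosen level, treating ciphertext blocks as uniformly random (an idealisation), with hypothetical function names.

```javascript
// Added example: birthday-bound limits for 64-bit vs 128-bit block ciphers.

// Probability that at least two of nBlocks ciphertext blocks are equal,
// using the standard approximation 1 - exp(-n(n-1) / 2^(b+1)).
function collisionProbability(blockBits, nBlocks) {
  const space = 2 ** blockBits;
  return -Math.expm1(-(nBlocks * (nBlocks - 1)) / (2 * space));
}

// Bytes that can be encrypted under one key before the collision
// probability reaches `risk` (the rekeying budget for that risk level).
function bytesUntilRisk(blockBits, risk) {
  const space = 2 ** blockBits;
  const nBlocks = Math.sqrt(2 * space * -Math.log1p(-risk));
  return nBlocks * (blockBits / 8);
}

// Empirical check on a toy block size: draw random "ciphertext blocks"
// and count how often a repeat shows up within nBlocks draws.
function simulateCollisionRate(blockBits, nBlocks, trials) {
  const space = 2 ** blockBits;
  let hits = 0;
  for (let t = 0; t < trials; t++) {
    const seen = new Set();
    for (let i = 0; i < nBlocks; i++) {
      const block = Math.floor(Math.random() * space);
      if (seen.has(block)) { hits++; break; }
      seen.add(block);
    }
  }
  return hits / trials;
}

const GiB = 2 ** 30;
// 3DES (64-bit blocks): a 50% collision chance after roughly 38 GiB.
console.log("64-bit block, 50% risk:", (bytesUntilRisk(64, 0.5) / GiB).toFixed(1), "GiB");
// AES (128-bit blocks): the same risk level is far beyond any realistic volume.
console.log("128-bit block, 50% risk:", (bytesUntilRisk(128, 0.5) / GiB).toExponential(2), "GiB");
// Toy 16-bit block: the formula and the simulation should agree closely.
console.log("16-bit formula:", collisionProbability(16, 256).toFixed(3),
            "simulated:", simulateCollisionRate(16, 256, 2000).toFixed(3));
```

The volume for 64-bit blocks is within reach of a long-lived connection, which is why the block size, and not only the key length, determines how much data a cipher can safely protect under one key.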
The Real Problem with Encryption

Not enough organizations use it. The impact of many of the large breaches in the past decade could have been minimized if the data stolen had been encrypted.
Encrypting data does not ensure its security forever. Technology will continue to evolve, bugs will emerge, and new attacks come out every year. Despite this, encryption is an essential layer of security, one that everyone should use, from hotels to the government.
As Alfred Lord Tennyson so famously said* - “‘Tis better to have encrypted and lost than never to have encrypted at all.”
Come back soon to learn more about securing your network, and check out our research on TP-Link routers, where we encountered DES in the wild.
*He didn’t, but we think it’s an accurate statement.