Data is constantly flowing back and forth across wired and wireless networks between desktop and mobile devices. Data is also constantly being stored, copied and backed up – onsite and in the cloud – by individual users and organizations. These devices, networks and storage platforms are under constant attack by relentless, highly sophisticated cyber criminals who want to steal that data and sell it to the highest bidder.
A number of security tools are used to protect corporate data, but encryption must be implemented properly to minimize the risk of data loss when other tools fail. Encryption protects data by using an algorithm to convert plaintext into ciphertext, making that data unreadable without an encryption key. In addition to keeping your data confidential, encryption authenticates the origin of data, identifies the sender of data, and determines whether or not that data has been altered.
More specifically, the Advanced Encryption Standard (AES) is a symmetric block cipher that is capable of encrypting sensitive data in both hardware and software, as well as in restricted environments such as smart cards. AES became a federal government standard in 2002 and has been used to protect top-secret information since 2003. Since then, the AES algorithm has been widely used across industries in symmetric key cryptography.
AES uses 128-bit, 192-bit and 256-bit cryptographic keys to encrypt and decrypt data. Symmetric-key encryption uses the same secret key for both encryption and decryption, so the sender has to share the key with the receiver before the data can be decrypted. Plaintext goes through a number of rounds of processing (10 for 128-bit, 12 for 192-bit and 14 for 256-bit) to transform the data into ciphertext.
Security breaches are often the result of weak encryption keys. The older Data Encryption Standard (DES) has been proven highly vulnerable to attack because it uses a 64-bit key, which is actually 56-bit because eight bits are used for parity checks. Most security experts agree that 56-bit keys are inadequate because, in a matter of hours, a hacker could try every combination until the right key is found. Similarly, older Secure Sockets Layer (SSL) encryption code that used 40-bit cryptography is still found in many web servers and browsers, making millions of websites vulnerable to attack. AES uses much longer, more complex encryption keys that are virtually impossible to crack.
Breaches also result from poor encryption implementation and management. Organizations need to make sure keys are properly protected. For example, keys should never be stored in the same location as the corresponding data. A keystore is a file created specifically for storing encryption keys. This should be used instead of hardcoding keys into source code. Use strong passwords and other access controls to protect your keystores. Also, avoid using the same keys for multiple functions and files. Some databases may even require separate keys for each column or field.
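As an added illustration of the key-handling advice above (not code from the original post), this Python example loads a master key from a key file kept outside the source code and the data store, then derives a separate AES-256 key for each database column. The HKDF construction (RFC 5869), the file-permission check and the table and column names are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import stat
import tempfile

KEY_LEN = 32  # bytes: a 256-bit AES key

def load_master_key(path):
    """Read the master key from a key file stored apart from the data."""
    mode = os.stat(path).st_mode
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} is accessible to group/others")
    with open(path, "rb") as fh:
        key = fh.read()
    if len(key) != KEY_LEN:
        raise ValueError("master key must be exactly 32 bytes")
    return key

def hkdf_sha256(ikm, info, length=KEY_LEN, salt=b"\x00" * 32):
    """HKDF extract-then-expand (RFC 5869) using HMAC-SHA-256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block = b"", b""
    for counter in range(1, -(-length // 32) + 1):  # ceil(length / 32) blocks
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
    return okm[:length]

def column_key(master, table, column):
    """Derive an independent AES-256 key for one database column."""
    parts = (b"aes-256-column-key", table.encode(), column.encode())
    # Length-prefix each part so ("ab", "c") and ("a", "bc") never collide.
    info = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hkdf_sha256(master, info)

def demo():
    """Constructed sample: throwaway key file, made-up table/column names."""
    fd, path = tempfile.mkstemp(suffix=".key")  # mkstemp creates it mode 0600
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(os.urandom(KEY_LEN))
        master = load_master_key(path)
        return {c: column_key(master, "customers", c) for c in ("ssn", "card_number")}
    finally:
        os.remove(path)

if __name__ == "__main__":
    for name, key in demo().items():
        print(name, "->", len(key) * 8, "bit key derived")
```

Because each column key is derived under a different label, exposure of one column key does not reveal the others, and only the master key file needs the strict access controls.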
Rather than using outdated or non-standard encryption algorithms, use the highest level of AES symmetric encryption to protect your sensitive data. Have your code reviewed by an encryption expert, and keep your algorithm library current to reduce the risk of a breach.
In the next post, we’ll discuss security issues with SSL and OpenSSL and why you need to keep OpenSSL patched.