Preparing for encryption: new threats, legal requirements boost need for encrypted data
As the amount of network-based data storage grows, so does the exposure to data loss. Unless you are using a mainframe computer, the level of risk of data loss and theft from unauthorized access is growing daily. The risk has reached a level at which data encryption is being implemented for stored data in addition to the traditional use of encrypting data in transit. Data encryption is defined as the process of scrambling transmitted or stored information, making it unintelligible until it is unscrambled by the intended recipient. With regard to computing, data encryption has historically been used primarily to protect mission-critical data, government records and military secrets from foreign governments. It has been used increasingly over the past 10 years by the financial industry to protect money transfers, by businesses to protect credit-card information, for electronic commerce, and by corporations to secure sensitive transmission of proprietary information. Most of the encryption focus had been on data transmission prior to 2000, but the events of Sept. 11th, 2001 and the rise of compliance are moving the topic of encrypting data at rest, or stored data, much higher on the priority list of leading-edge data protection strategies today.
The enciphering and deciphering of messages in secret code or cipher is called cryptology.
In 1977 the Data Encryption Standard (DES, and later Triple DES) was adopted in the United States as the first federal standard. DES applies a 56-bit key to each 64-bit block of data. Other encryption technologies in use include Secure Sockets Layer (SSL) for Internet transactions, Pretty Good Privacy (PGP), and Secure Hypertext Transfer Protocol (S-HTTP). DES is now considered insecure for many applications, chiefly because the 56-bit key size is too small: DES keys have been broken in less than 24 hours, and the time keeps falling as microprocessor speeds increase. Computer chips currently exist for under $10 that can test 200 million DES keys per second.
Since there was growing concern over the viability of the DES encryption algorithm, NIST (National Institute of Standards and Technology) indicated that DES would not be recertified as a standard, and submissions for a replacement encryption standard were accepted.
The second encryption standard to be adopted was the Advanced Encryption Standard (AES). AES is a symmetric (secret or private key) 128-bit block data encryption technique developed by Belgian cryptographers Joan Daemen and Vincent Rijmen; their Rijndael cipher was selected through a NIST competition. The U.S. government adopted the algorithm as its encryption technique in October 2000 after a long standardization process, replacing the DES encryption algorithm. On December 6, 2001, the Secretary of Commerce officially approved Federal Information Processing Standard (FIPS) 197. It is expected to be used extensively worldwide, as was the case with its predecessor DES. AES is more secure than DES as it offers a larger key size, while ensuring that the only known approach to decrypt a message is for an intruder to try every possible key. The AES algorithm can use variable key lengths: a 128-bit key (the default), a 192-bit key, or a 256-bit key. AES is a mutually acceptable algorithm that effectively protects sensitive government information. AES was initially used on a selective basis and is backwards compatible with DES.
Symmetric standards such as DES and AES provide very high levels of security. They require that both the sender and the receiver share the same key and keep it secret from anyone else. Top Secret information will require use of either the 192- or 256-bit key length. The implementation of AES in products intended to protect US national security systems and/or information must be reviewed and certified by the NSA (National Security Agency) prior to their acquisition and use. As of 2005, no successful attacks against AES have been recognized.
Asymmetric encryption differs from symmetric encryption in that it uses two keys: a public key known to everyone and a private key, or secret key, known only to the recipient of the message. Asymmetric encryption lessens the risk of key exposure by using two mathematically related keys, the private key and the public key. When users want to send a secure message to another user, they use the recipient's public key to encrypt the message. The recipient then uses the private key to decrypt it. An important element of the public key system is that the public and private keys are related in such a way that only the public key can be used to encrypt messages and only the corresponding private key can be used to decrypt them. Moreover, it is virtually impossible to determine the private key if you know the public key.
There are a number of asymmetric key encryption systems, but the best known and most widely used is RSA, named for its three co-inventors Rivest, Shamir and Adleman. The Secure Sockets Layer used for secure communications on the Internet uses RSA (the https protocol is simply http over SSL). Asymmetric encryption is based on more complex algorithms and its performance overhead is more significant, making it unsuitable for encrypting very large amounts of data. It is possible to take advantage of the strengths of both key methods by encrypting data with a symmetric key and then protecting this key with asymmetric encryption, though this area of encryption is in its early stages.
Keys are the Key
The basic idea of key-based encryption is that a block, file or other unit of data is scrambled so that the original information is hidden behind a layer of encryption. The scrambled data is called ciphertext. In theory, only the person or machine doing the scrambling and the recipient of the ciphertext know how to decrypt or unscramble the data, since it will have been encrypted using an agreed-upon set of keys. The difficulty of cracking an encrypted message is a function of the key length. For example, an 8-bit key allows for only 256 possible keys (2^8) and could be cracked quickly. A 128-bit key (which equates to searching 2^128 keys) might take decades to crack. The same computer power that yields strong encryption can be used to break weak encryption schemes. Encryption keys and passwords should be stored in escrow with a secure third party. It is important to establish an effective key management plan. Key management is the key to successful use of encryption.
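The key-length argument above, and the earlier figures on DES (a 56-bit key, chips that test 200 million keys per second), can be made concrete with a small experiment. The following is an added example written for this edit, not code from the article: it runs a real DES key search with the Go standard library but on a constructed key whose first six bytes are assumed known, so only 16 bits (65,536 keys) are searched, and it then computes how long an exhaustive search of the full 8-, 56- and 128-bit key spaces would take at the rate the text quotes. The names knownPrefix, secretTail, BruteForceTail and YearsToExhaust are the example's own.

```go
package main

import (
	"bytes"
	"crypto/des"
	"fmt"
	"math"
)

// Constructed sample key. The searcher is assumed to know key bytes 0..5 and must
// recover bytes 6 and 7: a 16-bit search space of 65,536 keys. The low bit of each
// DES key byte is a parity bit the cipher ignores, so the secret bytes keep it at 0
// and the recovered bytes match exactly.
var knownPrefix = []byte{0x13, 0x34, 0x57, 0x79, 0x9B, 0xBC}
var secretTail = []byte{0x4A, 0x2C}

// Two 8-byte DES blocks of constructed plaintext; checking two blocks rules out a
// chance match on a single block.
var plaintext = []byte("stored-data-0001")

func desEncryptECB(key, pt []byte) ([]byte, error) {
	block, err := des.NewCipher(key) // accepts only 8-byte keys
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(pt))
	for i := 0; i+des.BlockSize <= len(pt); i += des.BlockSize {
		block.Encrypt(out[i:i+des.BlockSize], pt[i:i+des.BlockSize])
	}
	return out, nil
}

// SampleCiphertext is what the searcher observes: the plaintext encrypted under the full key.
func SampleCiphertext() []byte {
	key := append(append([]byte{}, knownPrefix...), secretTail...)
	ct, _ := desEncryptECB(key, plaintext)
	return ct
}

// BruteForceTail tries every value of the two unknown key bytes in order until a
// candidate key reproduces the observed ciphertext. It returns the recovered bytes,
// the number of keys tried and whether the search succeeded.
func BruteForceTail(prefix, pt, ct []byte) ([]byte, int, bool) {
	key := make([]byte, 8)
	copy(key, prefix)
	tried := 0
	for b6 := 0; b6 < 256; b6++ {
		for b7 := 0; b7 < 256; b7++ {
			key[6], key[7] = byte(b6), byte(b7)
			tried++
			cand, err := desEncryptECB(key, pt)
			if err == nil && bytes.Equal(cand, ct) {
				return []byte{byte(b6), byte(b7)}, tried, true
			}
		}
	}
	return nil, tried, false
}

// YearsToExhaust is the time to test all 2^keyBits keys at keysPerSecond: the
// arithmetic behind the 8-bit versus 128-bit comparison in the text.
func YearsToExhaust(keyBits int, keysPerSecond float64) float64 {
	const secondsPerYear = 365.25 * 24 * 3600
	return math.Pow(2, float64(keyBits)) / keysPerSecond / secondsPerYear
}

func main() {
	tail, tried, ok := BruteForceTail(knownPrefix, plaintext, SampleCiphertext())
	fmt.Printf("recovered tail %x after %d keys (ok=%v)\n", tail, tried, ok)
	// One chip testing 200 million keys per second, the rate quoted in the text.
	for _, bits := range []int{8, 56, 128} {
		fmt.Printf("%3d-bit key: %.3g years to exhaust\n", bits, YearsToExhaust(bits, 2e8))
	}
}
```

The 16-bit search finishes in a fraction of a second, and each added key bit doubles the work: at 200 million keys per second a single chip needs about 11 years to cover all 2^56 DES keys, so the sub-24-hour results cited above come from running many such chips in parallel, while the 2^128 AES space works out to more than 10^22 years even at that rate. The defender's lesson is the one the text draws: key length, not secrecy of the algorithm, sets the cost of a brute-force attack.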
A third category of cryptology is called hashing (one-way) encryption. A hash is a cryptographic algorithm that takes data input of any length and produces an output of a fixed length. The hash output is called a digital signature and is used for data integrity. Some hash algorithms such as MD5 (Message Digest 5) can produce the same signature for different inputs, making them vulnerable to attack, since a second input with the same signature can be produced. Digital signatures typically range from 128 bits using the MD5 algorithm to 160 bits using the more secure SHA-1 (Secure Hash Algorithm 1) algorithm. The larger the signature, the more secure the hash, though performance degrades as hash size increases.
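The fixed-length property and the integrity check described above can be seen directly with the Go standard library. The following is an added example written for this edit, not code from the article; the Digest, DigestBits and Verify names are the example's own, the input record is constructed, and SHA-256 is included alongside the MD5 and SHA-1 named in the text to show the larger digest a practitioner would choose for new systems.

```go
package main

import (
	"crypto/md5"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"hash"
)

// Digest algorithms the example can use. MD5 and SHA-1 are the two named in the text;
// SHA-256 shows the longer digest that replaced them in practice.
var algorithms = map[string]func() hash.Hash{
	"md5":    md5.New,
	"sha1":   sha1.New,
	"sha256": sha256.New,
}

// Digest returns the fixed-length hash of data, whatever its length, as a hex string.
func Digest(alg string, data []byte) (string, error) {
	newHash, ok := algorithms[alg]
	if !ok {
		return "", fmt.Errorf("unknown algorithm %q", alg)
	}
	h := newHash()
	h.Write(data)
	return hex.EncodeToString(h.Sum(nil)), nil
}

// DigestBits reports the digest length in bits: 128 for MD5, 160 for SHA-1, 256 for SHA-256.
func DigestBits(alg string) int {
	newHash, ok := algorithms[alg]
	if !ok {
		return 0
	}
	return newHash().Size() * 8
}

// Verify recomputes the digest of data and compares it with the stored one in constant
// time; this is the integrity check a storage system performs when data is read back.
func Verify(alg string, data []byte, stored string) bool {
	got, err := Digest(alg, data)
	if err != nil || len(got) != len(stored) {
		return false
	}
	return subtle.ConstantTimeCompare([]byte(got), []byte(stored)) == 1
}

func main() {
	record := []byte("constructed sample: backup-set 17, 4096 blocks") // constructed input
	for _, alg := range []string{"md5", "sha1", "sha256"} {
		d, _ := Digest(alg, record)
		fmt.Printf("%-6s %3d bits  %s\n", alg, DigestBits(alg), d)
	}
	stored, _ := Digest("sha1", record)
	tampered := append([]byte{}, record...)
	tampered[0] ^= 0x01 // flip a single bit of the record
	fmt.Println("original verifies:", Verify("sha1", record, stored))
	fmt.Println("tampered verifies:", Verify("sha1", tampered, stored))
}
```

A one-bit change in the record produces an entirely different digest, which is what makes the stored digest useful for detecting corruption or tampering; the constant-time comparison avoids leaking, through timing, how many leading bytes of a guessed digest were correct.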
Data exposure grows
For years the storage industry focused its high-availability developments on protecting data from technology failures such as disk crashes or tapes that couldn't be read. Technology failures were addressed with concepts such as RAID, clustering, component redundancy and replication software, and with vastly improved intelligent error-recovery capabilities for both disk and tape. With the use of vulnerable IP storage networks in full swing by 2000, a new threat to data loss appeared, called intrusion, and it became the next big data exposure issue for the IT industry to address.
Malicious attacks on company networks are nearly doubling each year, and the biggest source is now believed to be employees. Worms, viruses, spyware and spam have contaminated porous IP networks, causing significant business losses, and an estimated 80% of the e-mail content transmitted on the Internet is useless. This is a growing threat to the future of data protection since over 50% of all disk data is now network-attached via NAS (Network Attached Storage) or SAN. This threat is growing as computers and systems become increasingly connected, not only through the Internet but through business partnerships that establish connections and interfaces. Viruses, worms, Trojan horses, zombies, distributed denial-of-service attacks, hacking and blended threats are all out there, and many can hitch rides with e-mails, downloads and electronic transmissions, including instant messages. There are an estimated 60,000 different viruses currently being transmitted via the Internet.
Even network routers have become vulnerable to attack. Certain router products can be affected by a flaw in the IP Version 6 design: using specially written IPv6 packets, malicious hackers can compromise routers to stop, redirect and scramble network traffic.
An increasing number of companies are deploying encryption appliances for data stored on their SANs. Network encryption appliances help fill a growing security gap, securing data both at rest in storage devices and on the SAN itself. Having spent a huge amount of time and money shoring up their physical security, many enterprises are beginning to guard their stored data against insider attacks, disgruntled employees, and unprincipled contractors and visiting clients. Another reason for the heightened interest in encryption is the advent of government regulations like HIPAA (the Health Insurance Portability and Accountability Act of 1996), Sarbanes-Oxley and PHIPA (Canada's Personal Health Information Protection Act of 2004).
Total claims filed in the US in 2004 for damages caused by worms and viruses totaled $17.5B, according to a survey released by the Computer Economics Impact of Malicious Code Study. The Love-bug attack in 2004 cost an estimated $8.8B in damages alone. Intrusion is being addressed by anti-virus protection software, but this remains a catch-up game for now as the exposure to data loss mounts. Viruses and worms are more aggressively targeting handheld devices, cell phones and embedded computers in cars this year, according to a report released by IBM. Security jobs are on the rise, with estimates of 2.1 million information security professionals in 2008, up from 1.3 million in 2005. Data security may well be on its way to becoming the most important storage management discipline.
The second part of this article will explore some recent examples of data loss and vulnerability, how data encryption is being implemented today and discuss which data should be encrypted.