Preparing for encryption: new threats, legal requirements boost need for encrypted data.
In 1977 the Data Encryption Standard (DES, and later Triple DES) was adopted in the United States as the first federal standard. DES applies a 56-bit key to each 64-bit block of data. Other encryption algorithms in use include Secure Sockets Layer (SSL) for Internet transactions, Pretty Good Privacy (PGP), and Secure Hypertext Transfer Protocol (S-HTTP). DES is now considered insecure for many applications, chiefly because its 56-bit key is too small: DES keys have been broken in less than 24 hours, and that time keeps falling as microprocessor speeds increase. Computer chips that can test 200 million DES keys per second currently exist for under $10. Because of growing concern over the viability of the DES encryption algorithm, NIST (the National Institute of Standards and Technology) indicated that DES would not be recertified as a standard and accepted submissions for a replacement encryption standard.
The second encryption standard to be adopted was the Advanced Encryption Standard (AES). AES is a symmetric (secret or private key) 128-bit block data encryption technique developed by Belgian cryptographers Joan Daemen and Vincent Rijmen. The U.S. government adopted the algorithm as its encryption technique in October 2000 after a long standardization process, replacing the DES encryption algorithm. On December 6, 2001, the Secretary of Commerce officially approved Federal Information Processing Standard (FIPS) 197. AES is expected to be used extensively worldwide, as was the case with its predecessor DES. AES is more secure than DES because it offers a larger key size, while ensuring that the only known approach to decrypt a message is for an intruder to try every possible key. The AES algorithm supports key lengths of 128 bits (the default), 192 bits, or 256 bits. AES is a mutually acceptable algorithm that effectively protects sensitive government information. AES was initially used on a selective basis and is backwards compatible with DES. Symmetric standards such as DES and AES provide very high levels of security. They require that the sender and the receiver share the same key and keep it secret from everyone else. Top Secret information will require use of either the 192-bit or 256-bit key length. The implementation of AES in products intended to protect US national security systems and/or information must be reviewed and certified by NSA prior to their acquisition and use. As of 2005, no successful attacks against AES have been recognized.
Asymmetric encryption differs from symmetric encryption in that it uses two keys: a public key known to everyone and a private key, or secret key, known only to the recipient of the message. Asymmetric encryption lessens the risk of key exposure by using two mathematically related keys, the private key and the public key. When users want to send a secure message to another user, they use the recipient's public key to encrypt the message. The recipient then uses a private key to decrypt it. An important element of the public key system is that the public and private keys are related in such a way that only the public key can be used to encrypt messages and only the corresponding private key can be used to decrypt them. Moreover, it is virtually impossible to determine the private key if you know the public key.
There are a number of asymmetric key encryption systems, but the best known and most widely used is RSA, named for its three co-inventors Rivest, Shamir and Adleman. The Secure Sockets Layer used for secure communications on the Internet uses RSA (the https protocol is simply http over SSL). Asymmetric encryption is based on more complex algorithms, and its performance overhead is more significant, making it unsuitable for encrypting very large amounts of data. It is possible to take advantage of the strengths of both key methods by encrypting data with a symmetric key and then protecting this key with asymmetric encryption, though this area of encryption is in its early stages.
Keys are the Key
The basic idea of key-based encryption is that a block, file or other unit of data is scrambled so that the original information is hidden within a level of encryption. The scrambled data is called ciphertext. In theory, only the person or machine doing the scrambling and the recipient of the ciphertext know how to decrypt or unscramble the data, since it will have been encrypted using an agreed-upon set of keys. The difficulty of cracking an encrypted message is a function of the key length. For example, an 8-bit key allows for only 256 possible keys (2^8) and could be cracked quickly. A 128-bit key (which equates to searching 2^128 keys) might take decades to crack. The same computer power that yields strong encryption can be used to break weak encryption schemes. Encryption keys and passwords should be stored in escrow with a secure third party. It is important to establish an effective key management plan. Key management is the key to successful use of encryption.
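How key length drives search effort, as an added example that is not from the original article: it sweeps all 2^8 keys of a constructed toy cipher, then scales the same search to larger keys at the 200 million keys/second rate the article quotes. The toy cipher, the sample key and the sample plaintext are constructed for illustration.

```python
import hashlib

KEYS_PER_SECOND = 200_000_000           # rate the article quotes for one sub-$10 chip
SECONDS_PER_YEAR = 365.25 * 24 * 3600

def toy_cipher(key: int, data: bytes) -> bytes:
    """Constructed toy cipher with an 8-bit key: XOR with a SHA-256 keystream.
    XOR is its own inverse, so the same call encrypts and decrypts."""
    stream = hashlib.sha256(bytes([key])).digest()
    return bytes(b ^ stream[i % len(stream)] for i, b in enumerate(data))

def exhaustive_search(ciphertext: bytes, known_prefix: bytes):
    """Try all 2^8 keys; return (key, keys_tried) for the first plausible plaintext."""
    for tried, key in enumerate(range(2 ** 8), start=1):
        if toy_cipher(key, ciphertext).startswith(known_prefix):
            return key, tried
    return None, 2 ** 8

def worst_case_years(key_bits: int, rate: int = KEYS_PER_SECOND) -> float:
    """Years to sweep the whole key space at `rate` keys per second."""
    return (2 ** key_bits) / rate / SECONDS_PER_YEAR

def chips_needed(key_bits: int, deadline_seconds: int, rate: int = KEYS_PER_SECOND) -> int:
    """Parallel chips required to sweep the key space before the deadline."""
    per_chip = rate * deadline_seconds
    return -(-(2 ** key_bits) // per_chip)   # ceiling division on exact integers

if __name__ == "__main__":
    secret_key = 0xA7                                   # constructed sample key
    ct = toy_cipher(secret_key, b"INVOICE 2005-08: constructed sample text")
    print("8-bit key recovered:", exhaustive_search(ct, b"INVOICE "))
    for bits in (56, 128, 192, 256):
        print(f"{bits:>3}-bit: {worst_case_years(bits):.3g} years on one chip")
    print("chips to sweep 56-bit DES in 24 h:", chips_needed(56, 24 * 3600))
```

Each added key bit doubles the work, so the gap between a 56-bit and a 128-bit key is a factor of 2^72, not a factor of about two.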
A third category of cryptology is called hashing (one-way) encryption. A hash is a cryptographic algorithm that takes data input of any length and produces an output of a fixed length. The hash output is called a digital signature and is used for data integrity. Some hash algorithms, such as MD5 (Message Digest 5), can produce the same signature for different inputs, which makes them vulnerable to attack because a duplicate key can be produced. Digital signatures typically range in size from 128 bits using the MD5 algorithm to 160 bits using the more secure SHA1 (Secure Hash Algorithm 1) algorithm. The larger the signature, the more secure the hash, though performance degrades as hash size increases.
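The fixed-length output and the integrity use described above, as an added example that is not from the original article: it records hash values for a set of stored files and later reports which files no longer match. The file names and contents are constructed sample data, and the function names are hypothetical.

```python
import hashlib
import hmac

def digest_bits(algorithm: str, data: bytes) -> int:
    """Output size in bits; it depends on the algorithm, never on the input length."""
    return len(hashlib.new(algorithm, data).digest()) * 8

def build_manifest(files: dict, algorithm: str = "sha1") -> dict:
    """Record one hex digest per file while the data is known to be good."""
    return {name: hashlib.new(algorithm, body).hexdigest() for name, body in files.items()}

def changed_files(files: dict, manifest: dict, algorithm: str = "sha1") -> list:
    """Names in the manifest that are now missing or hash to a different value."""
    changed = []
    for name, expected in manifest.items():
        if name not in files:
            changed.append(name)
            continue
        actual = hashlib.new(algorithm, files[name]).hexdigest()
        if not hmac.compare_digest(actual, expected):   # constant-time comparison
            changed.append(name)
    return sorted(changed)

def output_bits_flipped(a: bytes, b: bytes, algorithm: str = "sha1") -> int:
    """How many output bits differ between the hashes of two inputs."""
    x = int.from_bytes(hashlib.new(algorithm, a).digest(), "big")
    y = int.from_bytes(hashlib.new(algorithm, b).digest(), "big")
    return bin(x ^ y).count("1")

if __name__ == "__main__":
    # Constructed sample data standing in for stored files.
    files = {"ledger.csv": b"acct,amount\n1001,250.00\n", "backup.img": b"\x00" * 1_000_000}
    manifest = build_manifest(files)
    files["ledger.csv"] = b"acct,amount\n1001,950.00\n"      # one character altered
    print("md5 bits:", digest_bits("md5", b""),
          "sha1 bits:", digest_bits("sha1", files["backup.img"]))
    print("changed:", changed_files(files, manifest))
    print("bits flipped by a 1-char edit:", output_bits_flipped(b"250.00", b"950.00"))
```

An unkeyed hash only reveals changes if the recorded values are kept where whoever altered the data cannot rewrite them as well.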
Data exposure grows
For years the storage industry focused its high availability developments on protecting data from technology failures such as disk crashes or tapes that couldn't be read. Technology failures were addressed with concepts such as RAID, clustering, component redundancy, and replication software, and with vastly improved intelligent error recovery capabilities for both disk and tape. With the use of vulnerable IP storage networks in full swing by 2000, a new data loss threat called intrusion appeared, and it became the next big data exposure issue for the IT industry to address.
Malicious attacks on company networks are nearly doubling each year, and the biggest source is now believed to be employees. Worms, viruses, spyware and spam have contaminated porous IP networks, causing significant business losses, and an estimated 80% of the e-mail content being transmitted on the Internet is useless. This is a growing threat to the future of data protection, since over 50% of all disk data is now network-attached via NAS or SAN. The threat is growing as computers and systems become increasingly connected, not only through the Internet but through business partnerships that establish connections and interfaces. Viruses, worms, Trojan horses, zombies, distributed denial-of-service attacks, hacking, and blended threats are all out there, and many can hitch rides with e-mails, downloads and electronic transmissions, including instant messages. There are an estimated 60,000 different viruses currently being transmitted via the Internet.
Even network routers have become vulnerable to attack. Router products running certain versions of specially written IP Version 6 packets can be affected by the IP design flaw as malicious hackers can compromise routers to stop, redirect and scramble network traffic.
An increasing number of companies are deploying encryption appliances for data that is stored on their SANs. Network encryption appliances help fill a growing security gap, securing data both at rest in storage devices and on the SAN itself. Having spent a huge amount of time and money shoring up their physical security, many enterprises are beginning to guard their stored data against insider attacks, disgruntled employees, and unprincipled contractors and visiting clients. Another reason for the heightened interest in encryption is the advent of government regulations like HIPAA, Sarbanes-Oxley and PHIPA in Canada.
Claims filed in the US in 2004 for damages caused by worms and viruses totaled $17.5B, according to a survey released by the Computer Economics Impact of Malicious Code Study. The Love-bug attack in 2004 cost an estimated $8.8B in damages alone. Intrusion is being addressed by anti-virus protection software, but this remains a catch-up game for now as the exposure to data loss mounts. Viruses and worms are more aggressively targeting handheld devices, cell phones and embedded computers in cars this year, according to a report released by IBM. Security jobs are on the rise, and estimates are for 2.1 million information security professionals in 2008, up from 1.3 million in 2005. Data security may well be on its way to becoming the most important storage management discipline.
The second part of this article will explore some recent examples of data loss and vulnerability, how data encryption is being implemented today, and which data should be encrypted.
|Title Annotation:||Storage Networking|
|Publication:||Computer Technology Review|
|Date:||Aug 1, 2005|