Encryption: The answer to all security! NOT

image

Christopher Gorog

Although the title of this article is intended to get your attention, it is largely sarcastic. My sarcasm stems from years as a security professional interfacing with people who determined encryption was the answer to all their security. This has become magnified as cloud service offerings are starting to pop up with more regularity. If I had a dollar for every time I heard “the data is encrypted so it is safe,” I would be rich.

The best way to shed some light on this subject is to describe what security is offered by encryption, but also to address the concerns one should have about the encryption process.

First, let’s take a look at what it means for the data to be encrypted. Encryption is better described as a property of data than security of data. Whether the data is encrypted (cypher text) at a given time or not encrypted (plain text) — which is how most people use it — is similar to  being blue in color, bold, underlined, or Ariel font. The security of the data is in the process of getting it from plain text to cypher and back to plain text.

The encryption process

To understand the security strength for a given encryption process requires knowing the “who,” “what,” “when,” and “where” of the conversion process itself. Who has access to the process? What systems and resources are used in the processes? When is this process being done? Where are components of the process stored?

If I had a dollar for every time I heard “the data is encrypted so it is safe,” I would be rich.

The “encryption process” as I called it above could be seen as number crunching machine. In general, it is a mathematical equation (algorithm). Granted, it is a very large equation, but that’s ok since you don’t need to know how it works to use it. This algorithm processes text as it is represented to a computer, in numerical format. The process is literally “number in” and different “number out”. This sounds simple enough on the surface. In the most basic functionality this equation has four components: 1). The plain text 2). encryption equation (algorithm) 3). a key 4). the cipher text. The process can start with plain text and make cypher text or start with cypher text and make plain text. Both “cipher text” and “plain text” are just a number to the machine, however the plain text happens to be something a human understands

There are a few types, algorithms, and several combinations of how keys and algorithms are used. As a general rule, you can assume that the algorithm and process of using the algorithm is common knowledge and everyone that wanted to spend some time could make it work. In that case the key portion is what needs to be kept secret to ultimately protect this process. The protection of this cryptographic key is actually where most of the challenges arise with the encryption process. Let’s look at some reasons why, and some of the challenges involved in protection of the key.

Cryptographic key protection

To a human, the key is difficult to decipher. It is a long string of random looking bits of data. However, to a machine is just another couple blocks of data and the storage of it is simple. To use a key, the machine is required only to know which particular amount of bits should be considered the key, and where the bits are stored. Now if the machine or the computer that is using the key knows where these bits are stored, how difficult would it be for someone or something that shouldn’t know where they are stored to get ahold of them. Because a key much like a good password should have the qualities of uniqueness and randomness, finding them in storage memory is often not as difficult as one would think. Shown in figure below are ordinary files which contain recognizable patterns. These could be Word, PDF or executable files. The file outlined in red has a perfectly randomized bit distribution. Stronger keys contain a higher level of randomization so with this knowledge the attackers target these patterns to mount key extraction attacks.

Where

Where are your keys stored? This is a question that most application makers don’t want to come up and don’t want to answer because it could render a vulnerability that hackers would then know where to attack. Yet you should be concerned about this. If you have microprocessor systems performing encryption in remote locations where someone could take them offline and extract the firmware, you may want to think about what happens if someone extracts your keys.

When exploring corporate security solutions you want to know if keys are centrally located, stored on distributed systems, and where they can be accessed from. Many solutions are popping up for cloud systems which are storing files. You should be aware of this risk and should understand the details about the solutions key storage. Most cloud providers advertise encrypted file storage, informing us that our files are protected and nobody can get to them. For some reason this makes people to feel comfortable and they upload much of their business operations and personal data into these cloud sites, trusting the service provider to receive their plain text data, randomly generate an encryption key, encrypted the data, and only store it in cipher text. In truth, no process really occurs without storing temporary data. This means that the plain text is stored somewhere if only while working on the process to encrypt the data. The keys which they create and the association of the keys to a user have to be stored on data storage systems. The process of linking keys to users’ needs to be readily available, so they can link back to the data when the user needs to retrieve it. When you give a provider your plain text data expecting them to encrypt it, think of it as giving them your data and asking them create a password, then store the data and password. When you want the data back they should find your password retrieve the data from storage and send it back to you.

The more you know about a provider the better, and when it comes to security you can’t just dump it into somebody else’s hands without a second thought.

Another area of concern is the generation of the key. Many key generation methods create keys using a process which require less work to predict, or recreate (hack). Key creation is an entire science in its own right but the truth is, you as a human are not going to be able to create a high quality random key.

Where is the encryption process itself is happening? In the cloud? If so then the cloud has your plain text data and your key. This is a case of user beware, and a person should only use this type of service if you trust the provider to have access to all of your plain text data. As food for thought let’s consider  if you put your plain text data in the cloud and receive it in plain text trusting that somebody else encrypted it, what assurance do you have that it was even encrypted at all? 

Who

Who has access to the process? Knowing who has access to performing encryption process is often is very difficult, as once again this is something companies don’t want you to know for their own protection against hackers. One thing is for certain though, if the encryption process and storage of keys are processed entirely out of your control and off your computer, then you have given that company full access along with anybody they grant permission. One option consumers use repeatedly (which makes me cringe) which is offered by many service providers is password recovery.

This means that whoever is doing the process and storing the key has entirely designed a back door into the process. So in all actuality this circumvents any security offered, as access to the process used to recover passwords can empower anyone at the company to retrieve plaintext data. Once again you have to know and trust your service provider more than trust the encrypted status of your files.

When local machines or systems on a pole at a substation are performing encryption processes, access to the entire system becomes something which should be a concern. Most systems and application software is designed to be hardened to outside network intrusion. IT security focus on software defenses, however if the same equipment is physically in the hands of someone trying to extract information, it becomes a much different story.

When

When is this process being done? Bandwidth is often a limited commodity and may be frail or fragmented due to momentary outages or spotty transmissions. Cloud providers will upload your data and store it in temporary places while waiting to perform the encryption process. This generally happens at another time when it’s more advantageous to the business organization. Likewise when downloading the data encryption process takes time to perform.  You may be requesting data that’s decrypted and stored in a queue waiting to be downloaded. There are many other reasons for storing data at various times in the process. Most are to reduce the effects on the user caused by the added time requirement to encrypt and decrypt data. Once again knowing your provider, trusting your provider, and being aware of what is required to follow up with them are important.

What

What systems and resources are used in the processes? In the world of cloud computing who knows what systems are used to actually do the processing work. The pretense of the cloud is that it doesn’t matter, resources are commodities bought and sold as needed. So now on top of your keys being stored in the cloud, and the encryption process done in the cloud, cloud providers cannot tell you where this is happening. What it comes down to is that the only time you can ensure the process is protected and the keys are stored securely, is when it’s done in your control on your trusted machine. Unfortunately this takes a lot of processing power and will extremely bog down your machine, which is why most providers perform this on high power cloud systems. What you should take from this is to find out where the process is being done. If you want high assurance that keys and processes are protected use a service that does the process on your machine. A word of warning though, this requires you to completely control the keys to your data. Should you lose your data or your computer be corrupted without a backup, you will have no way to retrieve your data whatsoever.

Other considerations

What are the countries that house the servers which store your sensitive material? Who are they, and where are they located? What legal requirements does that nation have for IT systems? What political agenda in various parts of the world would support things that we would consider malicious activity? Many cloud providers operate in countries where the laws are “open to interpretation” because they are friendlier to certain business models.

Encryption is better described as a property of data than security of data.

So, basically, what we see is that the encryption status of data gives you only as much protection as the trust you have in the service or systems that you are using. Users need to ask the: who, what, when and, where questions for the products they choose. Knowing how the pieces of the process are handled, stored and utilized is as important as knowing which data needs to be protected. Users can not just expect that someone else is handling their data and protecting their privacy because they say they are encrypted.

When selecting service providers, you need to trust the company that provides their service as though they have full access to their unencrypted data. Trust the employees and management of that company to do the right thing and follow procedures that they have outlined. Additionally, there must be trust that they have architected adequate levels of security into their infrastructure to prevent your information from being stolen. Overall, the more you know about a provider the better, and when it comes to security you can’t just dump it into somebody else’s hands without a second thought.

By Jarrett Neil Ridlinghafer 
Chief Technology Analyst & Consultant
Compass Solutions, LLC 
Atheneum-Partners 
Hadoop Magazine 
Cloud Consulting International 
Synapse Synergy Group
CTO – 4D Healthware

Advertisements