Welcome to another part of our series Security 101. In previous articles, we discussed encryption and the algorithms used. In this one we take a look at their practical application. Encryption can be used to provide both confidentiality and integrity. Confidentiality comes when the file is encrypted in such a way that only authorized users have access to the key. Integrity comes from hashing the file so any change, no matter how minute, can be instantly detected. We can apply both concepts to data in transit or at rest. But what do those phrases mean?
Data in transit is data being accessed over the network, and therefore could be intercepted by someone else on the network or with access to the physical media the network uses. On an ethernet network, that could be someone with the ability to tap a cable, configure a switch to mirror traffic, or fool your client or a router into directing traffic to them before it moves on to the final destination. On a wireless network, all they need is to be within range. Wireless networks can be protected from unauthorized snooping by encrypting all traffic. Strong enterprise networks can use WPA2 Enterprise, but weaker networks may have to use pre-shared keys to establish session keys, like in WPA Personal, or worse, shared keys among all clients as in WEP. For purposes of this post, consider an open network to be like the one you’d use at a coffee shop or hotel.
When you use a clear text protocol like TELNET, HTTP, FTP, SMTP, POP, IMAP, or LDAP, that traffic is “in the clear” and if someone has access to your network traffic and a readily available tool like Wireshark, they can intercept your traffic and read your email, copy your credentials, or even duplicate files. You need to protect your data’s confidentiality and your own privacy by encrypting this traffic using SSL/TLS, or switching to an encrypted equivalent. TELNET can be replaced by SSH. FTP can be replaced by SFTP. The rest can use encrypted transport with SSL or TLS. When data is encrypted in transit, it can only be compromised if the session key can be compromised.
Some encryption in transit will use symmetric encryption and a set session key, but most will use a certificate and asymmetric encryption to securely exchange a session key and then use that session key for symmetric encryption to provide the fastest encryption/decryption. Any protocol that uses either SSL or TLS, uses certificates to exchange Public Keys, and then the Public Keys are used to securely exchange Private Keys, it becomes very difficult for an attacker to defeat.
Most encrypted protocols include a hashing algorithm to ensure no data was altered in transit. This can also help defeat “Man in the Middle (MitM)” attacks, because by decrypting and re-encrypting data, the attacker will alter the signature even if they don’t change any of the key data.
If an attacker can fool you into using them as your proxy, or can convince you to click past the certificate warning dialogue box so that you will trust their certificates, they can run a MitM attack where they will establish an encrypted session with you, and another with your destination, and be able to intercept your traffic as it passes through their system. That is why it is critical to always use certificates from a third-party Certificate Authority, to never accept a certificate when your client software warns you about an untrusted certificate. You should also train your users to do the same.
Encryption in transit should be mandatory for any network traffic that requires authentication, or includes data that is not publicly accessible. You don’t need to encrypt your public facing website, but if you want customers to logon to view things, then you should use encryption to protect both the logon data, and their privacy while they access your site.
Encryption of data stored on media is used to protect the data from unauthorized access should the media ever be stolen. Physical access can get past file system permissions, but if the data is stored in encrypted form and the attacker does not have the decryption key, they have no more than a useful paperweight or a drive they can format and use for something else.
Most encryption at rest uses a symmetric algorithm so that data can be very quickly encrypted and decrypted. You don’t want encryption to slow down system performance. However, since the symmetric key itself needs to be protected, they can use a PIN, password, or even a PKI certificate on a smart card to secure the symmetric key, making it very difficult for an attacker to compromise.
Hashing algorithms can be used on files at rest to calculate their value and compare it later to quickly and easily detect any changes to the data. Checksums or hashes are commonly run to validate that a file you have downloaded from the Internet is in fact the authentic file the creator intended, but investigators can hash entire hard drives to validate that any copies made are exact.
Encryption at rest should be mandatory for any media that can possibly leave the physical boundaries of your infrastructure. USB keys, external drives, backup tapes, and the hard drives of all laptops should be encrypted without exception. To further enhance the security of your servers and to protect against malicious users or vendors, you should encrypt the hard drives of all your servers too. That way, even if a failed drive is replaced, you don’t have to worry about ensuring its physical destruction to ensure your customers’ and company’s data is secure.
Examples of encryption at rest include the AES-encrypted portable media, some of which include a fingerprint reader for two-factor authentication, and Bitlocker in Windows operating systems to secure both the system drives and external media.
With encryption in use both in transit and at rest, data can be protected from prying eyes, and users are assured that the data has not been modified in any way. With the prevalence of unencrypted Internet access, and the loss and theft of IT assets today, using encryption should be mandatory for all users and all businesses.