Based on the science of cryptography, encryption is the process of coding and decoding messages to keep them secure, and is often touted as the silver bullet for cybersecurity woes. But is it really the cure-all?
The classic model of information security starts with the triad of Confidentiality, Integrity, and Availability. Cryptography is critical to providing confidentiality and integrity to all modern computer systems.
When performing online purchasing or online banking, cryptography is used to prevent network eavesdroppers from viewing the transaction, to prevent tampering with, or modifying, the transaction, and also to allow the user and browser to verify that the server actually belongs to the intended bank or merchant.
Cryptography is also used in many other scenarios. When a Windows user receives a security update from Microsoft, cryptography is used to validate that the server providing the update really is a Microsoft server, and once the update is downloaded to the machine, cryptography is used once again to verify that the code was written by Microsoft.
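The second check in that update scenario, verifying that the downloaded code was produced by the vendor, comes down to a digital signature over the file. The following Go program is an added example, not part of this article or of any vendor's update tooling; it generates a throwaway Ed25519 key pair (a real vendor keeps its private key offline and ships only the public key with the operating system), signs a constructed payload, and shows the three outcomes a client cares about: the genuine file verifies, a file with a single flipped bit does not, and the same file does not verify under a different party's key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Constructed stand-in for a downloaded update file (not a real update).
var updatePayload = []byte("constructed-update-binary v1.2.3")

// signUpdate is the vendor side: hash the file and sign the digest with the
// vendor's private key. Ed25519 does not require pre-hashing, but hashing
// first is the usual pattern for large files so the signer works on a short
// digest rather than the whole file.
func signUpdate(priv ed25519.PrivateKey, payload []byte) []byte {
	digest := sha256.Sum256(payload)
	return ed25519.Sign(priv, digest[:])
}

// verifyUpdate is the client side: recompute the digest and check the
// signature against the vendor public key the client already trusts.
func verifyUpdate(vendorPub ed25519.PublicKey, payload, sig []byte) bool {
	digest := sha256.Sum256(payload)
	return ed25519.Verify(vendorPub, digest[:], sig)
}

// DemoSignedUpdate returns (genuine, tampered, wrongKey, err):
//   genuine  - the untouched file verifies under the vendor key (expect true)
//   tampered - the file with one flipped bit verifies (expect false)
//   wrongKey - the untouched file verifies under another party's key
//              (expect false; this is what stops an impostor server from
//              passing off its own "update")
func DemoSignedUpdate() (bool, bool, bool, error) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	otherPub, _, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	sig := signUpdate(vendorPriv, updatePayload)

	genuine := verifyUpdate(vendorPub, updatePayload, sig)

	modified := append([]byte(nil), updatePayload...)
	modified[0] ^= 0x01 // one-bit change anywhere in the file breaks the digest
	tampered := verifyUpdate(vendorPub, modified, sig)

	wrongKey := verifyUpdate(otherPub, updatePayload, sig)
	return genuine, tampered, wrongKey, nil
}

func main() {
	genuine, tampered, wrongKey, err := DemoSignedUpdate()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine verifies:   %v\n", genuine)
	fmt.Printf("tampered verifies:  %v\n", tampered)
	fmt.Printf("wrong key verifies: %v\n", wrongKey)
}
```

The third case is the one that matters for "really is the vendor's server": possession of a valid-looking file and signature proves nothing unless the signature checks out under the key the client already trusts, so the security of the whole scheme rests on how that public key got onto the machine and how the private key is protected.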
Merchants that you provide your credit card number to are supposed to use cryptography to encrypt the credit card number while it is stored in the merchant's database. This is done with the intent that even if an attacker can gain access to the server, the attacker should not be able to decrypt and recover the credit card numbers and associated data.
Best practices also mandate the use of encrypted backups, so that if an attacker obtains a copy of a backup, no information is disclosed.
However, cryptography is not a magic bullet for securing computer systems. Many other controls are needed, including limiting communications between computers to their intended and authorized uses, configuring systems securely, and patching systems for all known vulnerabilities.
Firewalls are a common method for limiting inter-computer communications to their intended and authorized uses. However, one side effect of firewalls is that many software applications are now designed to run on ports 80 and 443, the same ports used by web servers and browsers, in order to easily traverse the firewall. Attackers quickly learned that their tools should be written to use the same ports, so that they could easily get through a firewall. One of the responses to that threat is the use of deep packet inspection.
Deep packet inspection is used to examine and analyze the data traversing the network. It attempts to determine what traffic is legitimate, and what traffic contains malware, intrusions, unauthorized file transfers, and other undesirable activities. Of course, if the transmission is encrypted, deep packet inspection doesn’t work very well; instead access to unencrypted data is required. Many companies will architect their networks in such a manner that encryption is terminated near the perimeter, so that deep packet inspection or analysis tools can examine the unencrypted data transmissions. The downside is that in a poorly designed or implemented system an attacker might gain access to the deep packet inspection system, thereby invalidating the confidentiality of the data.
There are many ways that cryptographic controls can be defeated. For example, using the wrong type of encryption for a given use case can cause the data to be less secure than intended. Proper key management is critical; if an attacker can gain access to the cryptographic keys then the confidentiality and integrity of the data can no longer be guaranteed.
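"The wrong type of encryption for a given use case" is easiest to see with the stored-card-number scenario from earlier. The Go program below is an added example, not code from this article or from any payment system; it encrypts a constructed record (the well-known 4111... test number, not real data) two ways with a key generated on the spot, then flips one ciphertext bit in each. AES-CTR provides confidentiality only, so the altered record decrypts "successfully" with a different first digit and nobody is told. AES-GCM is an authenticated mode, so the same change is rejected, and because the row id is bound in as associated data, an intact ciphertext copied into a different customer's row is rejected as well. The key here lives in the same process as the data purely for the demonstration; the key-management point in the paragraph above is exactly that in production it must not.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Constructed sample record; the PAN is the standard test number, not real data.
const sampleCard = "4111111111111111|exp=12/29"

// encryptCTR: confidentiality only. CTR is a keystream XOR, so whoever can write
// to the database column can flip plaintext bits by flipping ciphertext bits.
func encryptCTR(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, aes.BlockSize+len(plaintext)) // IV || ciphertext
	if _, err := io.ReadFull(rand.Reader, out[:aes.BlockSize]); err != nil {
		return nil, err
	}
	cipher.NewCTR(block, out[:aes.BlockSize]).XORKeyStream(out[aes.BlockSize:], plaintext)
	return out, nil
}

func decryptCTR(key, ct []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(ct) < aes.BlockSize {
		return nil, errors.New("ciphertext too short")
	}
	pt := make([]byte, len(ct)-aes.BlockSize)
	cipher.NewCTR(block, ct[:aes.BlockSize]).XORKeyStream(pt, ct[aes.BlockSize:])
	return pt, nil // no integrity check: altered ciphertext yields altered plaintext
}

// encryptGCM: confidentiality and integrity. The tag covers the ciphertext and the
// associated data (the row id), so tampering or cross-row copying fails on Open.
func encryptGCM(key, plaintext, rowID []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // 12 bytes for standard GCM
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, rowID), nil // nonce || ciphertext || tag
}

func decryptGCM(key, ct, rowID []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(ct) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, ct[:ns], ct[ns:], rowID)
}

// DemoModes returns (ctrSilentlyChanged, gcmRejectedTamper, gcmRejectedSwap, err).
func DemoModes() (bool, bool, bool, error) {
	key := make([]byte, 32) // AES-256 key; demo only, a real system fetches it from a KMS/HSM
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return false, false, false, err
	}
	ctrCT, err := encryptCTR(key, []byte(sampleCard))
	if err != nil {
		return false, false, false, err
	}
	ctrCT[aes.BlockSize] ^= 0x01 // first data byte: '4' (0x34) becomes '5' (0x35)
	ctrPT, err := decryptCTR(key, ctrCT)
	if err != nil {
		return false, false, false, err
	}
	ctrSilentlyChanged := ctrPT[0] == '5' && string(ctrPT[1:]) == sampleCard[1:]

	rowA := []byte("row-1001")
	gcmCT, err := encryptGCM(key, []byte(sampleCard), rowA)
	if err != nil {
		return false, false, false, err
	}
	tampered := append([]byte(nil), gcmCT...)
	tampered[12] ^= 0x01 // same flip on the first ciphertext byte after the nonce
	_, tamperErr := decryptGCM(key, tampered, rowA)
	_, swapErr := decryptGCM(key, gcmCT, []byte("row-2002")) // intact, wrong row
	return ctrSilentlyChanged, tamperErr != nil, swapErr != nil, nil
}

func main() {
	c, t, s, err := DemoModes()
	if err != nil {
		panic(err)
	}
	fmt.Printf("CTR decrypted altered record without error: %v\nGCM rejected tamper: %v\nGCM rejected row swap: %v\n", c, t, s)
}
```

Both modes use the same AES key and both "encrypt" the data, which is why this kind of mistake is easy to make and hard to spot in a code review: the difference only shows when someone with write access to the stored ciphertext tries to change it.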
When using encrypted drives, a simple drive failure can lead to complete loss of the data. Tools designed to recover data from damaged disks typically cannot recover encrypted data. Cryptography can also interfere with other types of data recovery operations and this can be viewed as either a positive or negative consequence depending on one’s perspective.
Encryption can also impact performance. This is less critical on current systems, but was a leading reason for not using strong encryption in past decades. However, while cryptography will usually account for less than one percent of overhead on modern systems, using redundant encryption can still lead to performance problems. It is important to architect systems and applications to use cryptography where appropriate, but to avoid using encryption at every layer, which creates unnecessary redundancies and poor performance.
In short, cryptography is fundamental to cybersecurity. Placing backdoors into systems to bypass security for "legitimate" uses is a bad strategy; a backdoor can be exploited by attackers as well as authorized users. Implementing and deploying cryptography to maintain confidentiality and integrity without creating performance bottlenecks or impeding other security and operational efforts is not trivial.
Paul Hill has worked with SystemExperts as a principal project consultant for more than twelve years assisting on a wide range of challenging projects across a variety of industries including higher education, legal, and financial services. He joined SystemExperts full time in March 2012 and coordinates the SMARTday practice.