Encryption is essential for securing data, either in transit or stored on devices. It can provide peace of mind that communications will not be intercepted and that sensitive information stored on devices can't be exfiltrated in the event of loss or theft. The value of encryption extends beyond proactive safety, as many organizations are obligated to encrypt sensitive information, with steep penalties for damages resulting from regulatory noncompliance.
However, encryption is something of a cat-and-mouse game. Researchers and hackers are constantly looking for potentially exploitable vulnerabilities. Practices that were considered secure five or 10 years ago are now, more likely than not, outdated and insecure. Security expert Bruce Schneier called for the end of wide use of SHA-1 in 2004 and again in 2005, when researchers in China developed a method to find collisions that worked faster than brute force. The discovery of the Heartbleed vulnerability in 2014 showed that continued use of SHA-1 was a major security risk, but support for it was withdrawn by browsers only last year.
Custom implementations of encryption are particularly troublesome, which is why security professionals advise against "rolling your own" encryption. That said, even professional implementations have fallen victim to oversights that resulted in encrypted data being decrypted.
Sony's implementation of Elliptic Curve Digital Signature Algorithm (ECDSA) in the PlayStation 3 used a static value as the random integer value, making the key solvable. This effectively gave hackers complete control over the console, opening the floodgates for both homebrew software—a feature Sony advertised and later removed—and piracy.
Similarly, the Java Cryptography Architecture in Jelly Bean and earlier versions of Android did not adequately provide cryptographically secure values. This allowed attackers to solve the private wallet key, enabling thieves to steal bitcoin from their rightful holders.
Full-disk encryption has existed for some time, with open source solutions like TrueCrypt and later VeraCrypt, as well as commercial solutions like BitLocker. Likewise, modern smartphones and tablets have encryption enabled by default. This has led to complaints from law enforcement organizations, claiming that the use of encryption has made it too difficult to perform investigations. Critics ranging from US deputy attorney general Rod Rosenstein to Australian prime minister Malcolm Turnbull have called for "responsible encryption," which is essentially a backdoor through which governments (and hackers) can access encrypted data.
"Responsible encryption" is a misnomer. Data can be either encrypted or not encrypted. Providing a backdoor for third parties to use renders encryption moot. While policymakers often mince words to make their position appear more palatable, the laws of mathematics prevent such proposals from being applicable in the real world without breaking security. Undaunted by this fact, Turnbull told ZDNet last year that "The laws of mathematics are very commendable, but the only law that applies in Australia is the law of Australia."
Does your organization have an effective set of guidelines for encrypting your corporate data? What has worked best for you? Share your thoughts with fellow TechRepublic members.
James Sanders is a Tokyo-based programmer and technology journalist. Since 2013, he has been a regular contributor to TechRepublic and Tech Pro Research.