As all CIOs and IT managers know, data security is a continual process. As your security changes, so does the threat. For example, if you have encrypted your corporate data then your business secrets can’t be intercepted. Lost devices containing sensitive information are unreadable. Now, the threat has moved to your crypto key. Is it as safe as it needs to be? Here we explain the importance of protecting your key by looking at the methods that hackers use to circumvent encryption.
Businesses encrypt data for a number of reasons: to protect corporate secrets, to safeguard customers’ personal information to comply with regulations, and to maintain customer trust and goodwill. IT pros are all too aware that their data is vulnerable to attack and that encryption is one of the best security and data protection tools available. It’s listed within Article 32 of the GDPR as an appropriate technical and organizational measure to ensure data security, depending on the nature and risks of your processing activities. The Information Commissioner’s Office (ICO) advises its use when storing or transmitting personal data and certain sector-specific regulations go further and actually require encryption. For example, the banking industry’s Payment Card Industry Data Security Standard (PCI DSS) requires businesses accepting card payments to use certain TLS (Transport Layer Security) cryptographic handshake protocols for data in transit.
While the cost of losing business secrets is harder to quantify – and may be immeasurably large, even fatal to a business – financial penalties for customer data breaches can be estimated. Although the GDPR contains no explicit fine associated with not implementing encryption, encryption may protect organizations from fines related to data breach. In one of the largest fines handed out to date, Marriott International Hotels was ordered to pay 110.3M Euros to the ICO in the UK after a hack of its systems exposed sensitive personal information including credit card details, passport numbers, as well as dates of birth belonging to over 300 million clients of which 30 million were EU residents.
Moving into the quantum age
While regulations and headline fines have convinced businesses of the need for encryption, the message on key security hasn’t been as loud. One of today’s data protection challenges is that while most security professionals understand the strength of standardized encryption through peer vetting, they are not so aware of the singular importance of keeping the key protected. Today’s popular cryptographic algorithms like ECC, AES, 3DES and RSA are well documented and well tested. They work because of the unique and complex keys that they generate. A 256 bit AES key – the standard used by the US government – has 1.15×1077 possible combinations. That’s 115 with 75 zeros. With current computing power, the time needed to decrypt protected data is measured in millions of years. Looked at another way, encryption processes are now so strong that they make the key the Achilles heel.
Even considering future computing power, the key will be the vulnerable part of encryption. As we move to a quantum computing age, the first post-quantum cryptography standard will close the door to hackers using quantum computing to strong-arm encrypted data. There is a risk that when quantum computing becomes available to hackers all data encrypted with current keys will be unprotected. As the National Institute of Standards and Technology (NIST) says in a recent report, “when that day comes, all secret and private keys that are protected using the current public-key algorithms—and all available information protected under those keys—will be subject to exposure.” Our industry is already working on larger signatures and key sizes (for example using message segmentation) to meet the challenge.
Storing keys securely
Assuming then that hackers will make stealing a crypto key a priority, how could they do it? One known way is finding the key stored in software on your network. If a key is stored in this way then it is vulnerable to theft. A crypto key can be recognized in a binary scan, using relatively unsophisticated programs. It will appear as a randomized pattern that the intruder will know means they have hit the jackpot. While they don’t have millions of years to brute force encrypted data, they will have the time it takes to test keys against your data. Based on a number of studies, the time between a hacker’s penetration and detection is between 160 and 260 days. Even at the low end, that’s a large number of hours. A company is likely to have only a few thousand keys, a number low enough for a hacker to work through.
The way to protect the key, and therefore your data, is to store it in a secure way. A hardware security module (HSM) is a physical computing device to do just that. Its function is to safeguard and manage digital keys and perform other cryptographic functions. A HSM is designed using strict standards developed by NIST precisely to provide the final layer of security in data encryption. Unlike storing a key in software, which isn’t subject to any standards, and where it could be copied or stolen, the HSM gives you control over key access. It stays in the HSM. For some industries like the payment card industry a HSM is a way for businesses to comply with the data security standards they need to meet in order to operate. For other businesses, using a HSM shows that they are serious about customer and corporate data.
To encrypt without protecting your key is to fail at the final and most important hurdle of data security. It’s the digital world version of locking your doors and then leaving your key under a plant pot. A smart burglar will look there, and a hacker who sees encrypted data will look in every possible hiding place on your system for your keys. The rewards will be worth it for them. Until your crypto key is safe, your data isn’t safe.
Peter Carlisle, Vice President, nCipher Security