Encryption can be used to provide both confidentiality and integrity. Confidentiality comes when the file is encrypted in such a way that only authorized users have access to the key. Integrity comes from hashing the file so any change, no matter how minute, can be instantly detected. We can apply both concepts to data in transit or at rest. But what do those phrases mean?
Data In Transit
Data in transit is defined as any data being accessed over the network, and therefore could be intercepted by someone else on the network or with access to the physical media the network uses. I will be writing up a little piece on physical security of your data soon. Be sure to check back on that! On an ethernet network, that could be someone with the ability to access your cabled infrastructure, configure a switch to mirror traffic, or fool your client or a router into directing traffic to them before it moves on to the final destination. On a wireless network, all they need is to be within range. Wireless networks can and should be protected from unauthorized snooping by encrypting all traffic. Strong enterprise networks can use WPA2 Enterprise, but weaker networks may have to use pre-shared keys to establish session keys, like in WPA Personal, or worse, shared keys among all clients as in WEP. For purposes of this post, consider an open network to be like the one you’d use at a coffee shop or hotel.
When you use a clear text protocol like TELNET, HTTP, FTP, SMTP, POP, IMAP, or LDAP, that traffic is referred to as “in the clear”. Anyone that has access to your network traffic and a readily available tool like Wireshark, they can intercept your traffic, giving them access to read your email, copy your credentials, or even make copies of your files. You need to protect your data’s confidentiality and your own privacy by encrypting this traffic using SSL/TLS, or switching to another encrypted equivalent protocol. TELNET can be replaced by SSH. FTP can be replaced by SFTP. The rest can use encrypted transport with SSL or TLS. When data is encrypted in transit, it can only be compromised if the session key can be compromised. It is worth mentioning that this is where keeping your network infrastructure up-to-date. Many older models of switches, routers and network appliances may not support SFTP or SSH for connectivity.
Even though some encryption in transit will use symmetric encryption and a set session key, most will use a certificate and asymmetric encryption to securely exchange a session key and then use that session key for symmetric encryption to provide the fastest encryption/decryption. Any protocol that uses either SSL or TLS, uses certificates to exchange Public Keys, and then the Public Keys are used to securely exchange Private Keys, it becomes very difficult for an attacker to defeat. Most encrypted protocols include a hashing algorithm to ensure no data was altered in transit. This can also help defeat “Man in the Middle” attacks. It defeats MitM attacks by decrypting and re-encrypting data, which forces the attacker to alter the signature even if they don’t change any of the key data.
If an attacker can fool you into using them as your proxy, or can convince you to click past the certificate warning dialogue box so that you will trust their certificates, this will enable them to run a MitM attack. The attacker will establish an encrypted session with you, and another with your destination, and be able to intercept your traffic as it passes through their system. That is why it is critical to always use certificates from a third-party Certificate Authority, to never accept a certificate when your client software warns you about an untrusted certificate. Even though it is a big challenge, your users should be trained to never accept certificates that fail and show a warning in their browser. Encryption in transit should be mandatory for any network traffic that requires authentication, or includes data that is not publicly accessible. You don’t need to encrypt your public facing website, but if you want customers to logon to view things, then it is imperative that you use encryption to protect both the logon data, and their privacy while they access your site.
Data At Rest
Encryption of data stored on media is used to protect the data from unauthorized access should the media ever be stolen. Physical access can get past file system permissions, but if the data is stored in encrypted form and the attacker does not have the decryption key, they have no more than a useful paperweight or a drive they can format and use for something else.
Most encryption at rest uses a symmetric algorithm so that data can be very quickly encrypted and decrypted. You don’t want encryption to slow down system performance. However, since the symmetric key itself needs to be protected, they can use a PIN, password, or even a PKI certificate on a smart card to secure the symmetric key, making it very difficult for an attacker to compromise.
Hashing algorithms can be used on files at rest to calculate their value and compare it later to quickly and easily detect any changes to the data. Checksums or hashes are commonly run to validate that a file you have downloaded from the Internet is in fact the authentic file the creator intended, but investigators can hash entire hard drives to validate that any copies made are exact.
Encryption at rest should be mandatory for any media that can possibly leave the physical boundaries of your infrastructure. USB keys, external drives, backup tapes, and the hard drives of all laptops that hold any organizational data should be encrypted without exception. To further enhance the security of your servers and to protect against malicious users or vendors, you should encrypt the hard drives of all your servers too. That way, even if a failed drive is replaced, you don’t have to worry about ensuring its physical destruction to ensure your customers’ and company’s data is secure.
Examples of encryption at rest include the AES-encrypted portable media, some of which include a fingerprint reader for two-factor authentication, and Vault in OS X or Bitlocker in Windows operating systems to secure both the system drives and external media. With encryption in use both in transit and at rest, data can be protected from prying eyes, and users are assured that the data has not been modified in any way. With the prevalence of unencrypted Internet access, and the loss and theft of IT assets today, using encryption should be mandatory for all users and all businesses.
For more information on my upcoming digital forensics textbook, Learn the Basics of Digital Forensics, visit my website -- http://www.bruceasarte.com.
Bruce holds a degree in Computer Science from Temple University, a Graduate Certificate in Biblical History from Liberty University and is working a Master Degree in American History at American Public University. He has worked in educational and technology for over 18 years, specializes in building infrastructures for schools that work to support the mission of technology in education in the classroom. He also has served as a classroom teacher in Computer Science, History and English classes.
Bruce is the author of five books: Sands of Time, Towering Pines Volume One:Room 509, The Star of Christmas, Philadelphia Story: A Lance Carter Detective Novel and The Insider's Story: A Lance Carter Detective Novel -- with a new book, Learn the Basics: Digital Forensics, due soon.
Follow Bruce's Novel releases by subscribing to his FREE newsletter!
Be sure to check out Bruce's Allentown Education Examiner Page, his Twitter and his Facebook!