Chapter 9 - Data Security

Data security, among all the aspects of IT security, has the distinction of having a history that is thousands of years old. Hiding the true meaning of written messages pre-dates all information technology. But, as an industry, encryption is much younger. Before the internet, encryption devices were the realm of defense and intelligence agencies. The commercial industry came about after Whitfield Diffie invented non-symmetric key exchange, paving the way for the first vendor of modern encryption tools, RSA. Data security, as an industry, has a different set of drivers. Data security is foundational to all security.

In a layered model it is the last, best defense against an attack. But data security is based on math and the attacks are against the algorithms and the way they are implemented. At any point in time the underlying cryptography is bulletproof, but all it takes is for a single demonstration of an attack methodology to render all the defenses ineffective and set off a rush of innovation to improve the algorithms and replace them wherever they are used. Attackers include the intelligence agencies that have waged a continuous battle to be able to decrypt captured data and communications of their adversaries.

Another major class of attackers is cryptanalysts, researchers who have an academic interest in finding ways to break the latest cryptography. Their frequent publication of these techniques drives the industry as a whole to constantly improve. So, to understand the history of data security, some understanding of the history of cryptography is required. Just as Check Point Software ushered in the era of commercial network security, RSA and Verisign were the pioneers of commercial data security.

When Whitfield Diffie had his eureka moment that led to the invention of asymmetric key exchange, there were already many encryption algorithms, including DES, RC1, 2, 3, 4, etc. These were block cyphers that performed various operations on a block of clear text to create cypher text based on the input of a secret key. Simplifying the concept to its basic functionality: imagine a string of 1s and 0s that represent the clear text of a message. Take a secret key, another string of 1s and 0s, and munge it with the clear text in such a way that you can only reverse the process (decrypt) if you know the secret key. That is the basic concept of symmetric key encryption. But how, over the internet, do you let someone know what the secret key is without exposing it to attackers?

During World War II, secret key distribution required an out-of-band communications method. The key could be embedded in the typewriter-like devices used on German U-boats. Or a spy behind enemy lines would have a code book that he or she carried on missions. On the internet, how do you let the recipient of an encrypted email or document know what the secret key is?
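The two ideas above, a secret key that both scrambles and unscrambles a message and the problem of getting that key to the other side, can be seen together in a short added example (not from the book). It goes one step past the text by sketching a Diffie-Hellman style exchange as the asymmetric key exchange the chapter mentions; the prime `P`, base `G`, the hash-based keystream and all function names are assumptions chosen for illustration and are far too weak for real use.

```python
import hashlib
import secrets

# Toy public parameters (assumed for this example, not from the chapter).
P = 2**127 - 1   # a Mersenne prime; real deployments use much larger groups
G = 3

def keystream(key: bytes, length: int) -> bytes:
    """Stretch the secret key into `length` bytes (SHA-256 over a counter)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]

def symmetric_crypt(key: bytes, data: bytes) -> bytes:
    """Mix data with the key by XOR; running it again with the same key reverses it.
    Toy cipher: no nonce and no integrity check."""
    return bytes(d ^ k for d, k in zip(data, keystream(key, len(data))))

def make_keypair():
    """Private value stays local; only the public value is sent."""
    private = secrets.randbelow(P - 3) + 2          # range 2 .. P-2
    return private, pow(G, private, P)

def derive_key(my_private: int, their_public: int) -> bytes:
    """Both sides compute the same number without ever transmitting it."""
    shared = pow(their_public, my_private, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()

def demo():
    a_priv, a_pub = make_keypair()                  # sender
    b_priv, b_pub = make_keypair()                  # recipient
    key_a = derive_key(a_priv, b_pub)
    key_b = derive_key(b_priv, a_pub)
    message = b"meet at the usual place"            # constructed sample text
    ciphertext = symmetric_crypt(key_a, message)
    return {
        "on_wire": (a_pub, b_pub, ciphertext),      # all an eavesdropper sees
        "keys_match": key_a == key_b,
        "message": message,
        "recovered": symmetric_crypt(key_b, ciphertext),
        "wrong_key": symmetric_crypt(hashlib.sha256(b"guess").digest(), ciphertext),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Only the two public values and the cipher text cross the network; the symmetric key itself is computed independently at each end.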

“Security Yearbook 2021” is available only at the IT-Harvest site https://lnkd.in/gh889sR
