Importance of Encryption

Encryption represents one of the most important tools available to help counter potential exploits.

Definition

Encryption means taking sensitive data and scrambling it so thoroughly it would take more than the attacker's lifetime to decipher it. This act of scrambling the data is called creating a ciphertext (it does not have to literally be text, since all data is bytes; even images can be encrypted).

Goal

The goal is to use an encryption algorithm that is good enough that it would take someone years to brute-force their way into the data. For example, brute-force attacks are often used to crack weak passwords. An attacker tries every possible word to attempt to find the password. A weak password could be discovered in minutes. But if the attacker has to instead generate every possible word and number combination, then the process could take years.

Where to Perform

The Open Web Application Security Project (OWASP) created a handy cryptographic storage cheat sheet, which can be found on their website or in the references section of the table of contents.

The cheat sheet neatly summarizes that encryption can be performed on a number of levels in the application stack, such as:

  • At the application level
  • At the database level (e.g., SQL Server TDE)
  • At the filesystem level (e.g., BitLocker or LUKS)
  • At the hardware level (e.g., encrypted RAID cards or SSDs)

Which layer(s) are most appropriate will depend on the threat model. For example, hardware-level encryption is effective at protecting against the physical theft of the server, but it will provide no protection if an attacker is able to compromise the server remotely.

Symmetric vs Asymmetric

There are two basic forms of encryption: symmetric and asymmetric.

Definitions and Differences

Symmetric encryption uses a single key file that is shared with anyone who needs to decrypt the data. It’s considered the older, and less secure, form of encryption.

Asymmetric encryption, also called public key cryptography, uses a public and a private key file. The contents of these are usually highly mathematical and involve prime numbers, especially for the RSA algorithms (more on that later in this course). The user only shares the public key, and never ever gives away the private key file.

Here are a few additional differences between the two approaches:

Symmetric

  • Uses one key (i.e. a password)
  • Can transform the plaintext into smaller ciphertext
  • Fast
  • For large amounts of data
  • Examples: 3DES, AES, DES, and RC4

Asymmetric

  • Uses two keys: public & private (usually in two files)
  • Can transform the plaintext into larger ciphertext
  • Slow
  • For small amounts of data
  • Examples: Diffie-Hellman, ECC, El Gamal, DSA, and RSA


Algorithms

OWASP’s cryptography cheat sheet offers the following recommendations for symmetric and asymmetric algorithms:

The preferred algorithm for symmetric encryption is AES with a key that's at least 128 bits (ideally 256 bits) and a secure mode.

For asymmetric encryption, use elliptic curve cryptography (ECC) with a secure curve such as Curve25519 as the preferred algorithm. If ECC is not available and RSA must be used, then ensure that the key is at least 2048 bits.

Many other symmetric and asymmetric algorithms are available which have their own pros and cons, and they may be better or worse than AES or Curve25519 in specific use cases. When considering these, a number of factors should be taken into account, including:

  • Key size
  • Known attacks and weaknesses of the algorithm
  • Maturity of the algorithm
  • Approval by third parties such as NIST's algorithmic validation program
  • Performance (both for encryption and decryption)
  • Quality of the libraries available
  • Portability of the algorithm (i.e., how widely supported it is)


Symmetric-key cryptography

Plaintext --> Encryption (Same Key) --> Ciphertext --> Decryption (Same Key) --> Plaintext

Asymmetric-key cryptography

Plaintext --> Encryption (Public Key) --> Ciphertext --> Decryption (Private Key) --> Plaintext


Three States of Data

The status of data is generally considered to be in one of three scenarios: at rest (such as a hard drive), in use (computer memory), or in transit (somewhere between the two).

At Rest

Data at rest refers to any data that is inactive and stored in spreadsheets, databases, cloud servers, hard drives, and so on. As OWASP notes, the first rule of sensitive data management is to avoid storing sensitive data whenever possible. But if you must store sensitive data, then it’s vital to ensure it’s encrypted to prevent unauthorized disclosure and modification.

Additionally, avoid storing all your data in one location. Keep data separate so that a compromised server doesn’t reveal all the data for the entire organization. For example, customer orders could be on one server while customer finance records could be kept on a different server with different security protocols.

In Use

It is inevitable that data in use, which refers to data stored in RAM or CPU cache, will eventually be accessed. Until that time, it should be encrypted. There are encryption APIs in some systems that can encrypt the memory in place. Some of the best ones don’t require a password and the API itself handles the encryption method and keys.

In Transit

Sometimes called data in motion, this tier represents the least secure of the three. OWASP recommends that when transmitting sensitive data over any network, end-to-end communications security (or encryption-in-transit) of some kind should be considered. TLS (Transport Layer Security) is by far the most common and widely supported cryptographic protocol for communications security. It is used by many types of applications to communicate over a network in a secure fashion.

The primary benefit of transport layer security is the protection of web application data. TLS prevents unauthorized disclosure and modification of the data when it is transmitted between clients (web browsers) and the web application server, as well as between the web application server and non-browser-based enterprise components.


Application Security Testing

Application security testing, or AST, represents an important process that helps identify and eliminate vulnerabilities in software. It’s vital that developers utilize AST and implement security as a default part of the development process. Here are a few AST best practices:

  1. Test early and often
  2. Use a combination of tools
  3. Perform SAST
  4. Implement penetration testing
  5. Consider abuse cases
  6. Mind third-party code
  7. Attack surface analysis
  8. Input validation


Key Takeaways

  1. Encryption is a vital part of security. Use it at multiple levels in the application stack.
  2. Data must be protected regardless of if it’s at rest, in transit, or in use.
  3. Application security testing should be done early and often.
  4. Use a combination of tools to scan for vulnerabilities, including SAST.
  5. Perform an attack surface analysis and reduce the surface wherever possible.
  6. Use strong input validation standards that sanitize user input.


Conclusion

Proper data hygiene can be the difference between a secure, functional application and one that’s rife with security flaws. Encryption represents one of the most important tools available to help counter potential exploits: it means taking sensitive data and scrambling it so thoroughly that it would take more than the attacker's lifetime to decipher it.


© 2022 The Security Awareness Company - KnowBe4, Inc. All rights reserved.
