Cryptography rationale

Welcome to Simone Giustetti's wiki pages.


Languages: English - Italiano


Reasons to Adopt Encryption

Introducing a new technology in an organization requires an analysis of the related benefits and costs. In the following article I will attempt to elaborate some rational reasons pushing for the introduction of encrypted data in organizations, companies, workshops and firms.

Encryption in the Recent Past

Encrypting data and files became a hot topic in present times, but it is not a novelty in information technology. Encryption software and tools were introduced in the early nineties last century. The technology evolved over time attaining high standards of security and stability. With the massive diffusion of Internet and cell phones the need to protect information from prying eyes increased over time; sadly the adoption of security best practices, data encryption included, has not had the same luck. Even nowadays cryptography is relegated to well defined groups and categories of specialized users.

Many concurring reasons can explain the limited diffusion of encryption software among them:

  • The demand for computational resources. Complex algorithms and procedures used to obfuscate data require for up to the task CPUs. Unfortunately processors used during the late nineties and the first part of the century were not powerful enough or could support only short length keys, keys ill suited to appropriately protect data.
  • The added burden tied to encryption support: The need for an increased number of passwords and new control policies by both administrators and common users. The adoption of complex software or chaotic procedures often resulted in a bad reception of encryption by users wary of any practice that unnecessarily complicate your life.
  • The hidden gain of security practices. For a number of reasons risks were relatively contained for small to medium sized organizations.

As a consequence everything related to security was perceived as a waste of money and time.

Encryption Today

In the past 10 to 15 years a radical change to computer networks took place. Bandwidth availability increased a thousandfold. The number of Devices able to connect to the net increased too and as a consequence grew the offer of net services. The technology got better and better taking root in every day life.

The private sector saw a steady growth of devices requiring to save sensitive information: names, addresses, photos, contacts, address books, bank accounts and more. Given their nature, mobile or tablet devices are vulnerable to cyber attacks and difficult to protect. They can be accessed more easily than a personal computer and are frequently lost or stolen.

Companies, workshops, firms and organizations saw an exponential raise in cyber attacks and their sometime small size is not a defense anymore. Every month tens of thousands of brute force attacks originate from hundreds of IP addresses through the world to hit their servers. Those attacks aim to find an access to their networks to steal their commercial information, price books, customer contacts or best practices, documentation, product blueprints, patents and intellectual property.

Encrypting data is becoming mandatory to:

  • Protect your intellectual property and your job.
  • Limit somehow sensitive data theft reducing the risk for identity theft and the constant spam bombing we are all subject.

The evolution in CPUS and the birth of multi-core architectures resolved the processing power problems; processors are now more than capable to manage 2048 bit or longer encryption keys. Meanwhile encryption software made a significant leap forward in usability and ease of use. 15 years ago you could not avoid to use command line tools, nowadays the great deal of work can be accomplished with an intuitive and well documented graphical user interface. Programs were ported to many architectures and run now on a great number of different operating systems and mobile platforms often sharing a standardized interface.

Standard Encryption Tools are not Enough

Many of the protocols used in telecommunications by devices use "light" encryption algorithms to secure data therefore one could wonder what is there to gain from the use of additional software layers. It would seem a redundant duplication, but that's not the case because standard encryption tools are usually insufficient. Let's analyze the status of the GSM and Wi-Fi protocols to explain the reasons behind my previous statement.

The GSM protocol used by mobile phones worldwide encrypts traffic between the device and the connected cell only; all of the traffic incurring inside the provider network is "readable". It is proven that encryption can be circumvented because it only intervenes when a conversation is started: a never resolved bug in the GSM protocol. It is proven that the used algorithms A5/1 (in Europe) and A5/2 (elsewhere) are affected by errors. The A5/3 protocol meant to replace the previous ones is itself affected by critical errors and its evolution, A5/4, has been in development for years, but it is not ready for adoption yet. The protocols use 64 bit, later 128 bit, long keys that are considered insufficient by many security researchers. In short the security model is vulnerable to numerous attacks and even if real time conversation eavesdropping is excluded by the GSM Consortium the offered security level is lower than optimal.

The many versions of the Wi-Fi protocols used by wireless devices suffer from many known problems. The WEP protocol, the very first security standard for wireless communications, is error prone and generally regarded insecure, but it is also the only one supported by all of the existing devices and the only one usable for specific configurations like the "Ad Hoc" one for client to client direct connection. It uses 64 (40) bit or 128 (104) bit long encryption keys. Its replacement protocol WPA is surely an improvement over WEP, but it is affected by errors too. Moreover many access point do not support it because of the increased computational power it requires. The longer keys: 152 (104) or 256 (208) bit are still regarded toot short. The WPA 2 standard seem to solve all of its predecessor errors, but a lot of access points and cards do not support it because of the added calculations it requires. Configuring a pass-phrase with a length shorter of 20 characters puts at risk from brute force attacks.

Al in all standard tools exist, but do not guarantee high security levels. In some cases they appear to play a formal role rather than an effective one.


Conclusions

As previously stated a gain versus disadvantage estimate is required to successfully adopt a new technology in any organization. You better consider some factors regarding data encryption:

  • The strength of the encryption algorithm and the resulting required CPUs.
  • Ease of use.

Then balance them with the data sensitivity level and how much the information is relevant to the organization. Above I argued that technical disadvantages are essentially nonexistent nowadays therefore only the organizational aspect requires a deep analysis. The economic aspect should not be a burden either as free and open source software is available for the great majority of existing platforms. In conclusion, I recommend the use of encryption for corporate data.


To contact me or leave me your feedback, Please e-mail at studiosg [at] giustetti [dot] net.


External links





Languages: English - Italiano