30 years ago, the characters Alice, Bob, and Eve were created to explain public key cryptography and the world took a massive step forward in enabling commerce and business to develop across the internet. For those not familiar with the trio, they were used to explain how two people, Alice and Bob, could share a secret openly without it being lost to an eavesdropper, Eve. This important work was published by Ron Rivest, Adi Shamir and Leonard Adleman, who went on to create the RSA algorithms that are still used today. This was the basis of what we now know as the Public Key Cryptography that is used each time we access an HTTPS website, perform credit card transactions, connect to remote networks or sign contracts electronically.
Encryption is one of the most useful tools in cyber security as it enables people to keep information confidential so that only the intended person can reverse the encryption and read the original information; this is a very effective way of restricting access to the required users or systems.
In our view, encryption gives us three key capabilities:
Encryption is often used in databases to restrict access to sensitive columns, which is particularly important when designing security into systems that need to store and process sensitive data. Designing this way also enables a strong audit trail of who and what systems had access to this data in the event of a cyber security incident (something to consider for organisations trying to approach GDPR with a security by design methodology).
Digital signing of information can be used to provide audit trails and strong document custody when transferring information within an organisation and externally. The number of services that now enable the digital signing of important documents is rapidly increasing and organisations that embrace this reduce the cost of delivering, processing and storing paper documentation. Interestingly, this area has potential to be disrupted by blockchain technology which underpins Bitcoin and other cryptocurrencies, more on this in a future article.
Finally, this technology has given us the ability to mutually authenticate both ends of a connection. This allows us to guarantee that the receiving server hasn't been swapped with a malicious version and that the connecting client is who they are identified as. If correctly implemented, this ensures that traffic cannot be intercepted or sent to anyone other than the intended recipient. This is one of the key features that enables HTTPS to be so effective. Encryption alone doesn't ensure confidentiality as there is no value in sending a secret message to someone other than the intended recipient. This role is provided by certificate authorities (CA) whose job it is to validate the identity of services.
While Alice, Bob, and Eve have provided us with useful technologies, one of the key challenges with encryption is that it can be used to securely transmit both the good and the bad. As more communications utilise encryption, network inspection for harmful traffic has become more challenging.
The lack of inspection of encrypted traffic has left some organisations with expensive security appliances that are offering less value than expected. Organisations have now moved to deploying security appliances that enable the inspection of this traffic by deploying a self-generated certificate that is then used to masquerade as the connecting site. This offers increased visibility but is restricted to managed devices that you can install the certificate on, causing challenges for environments that have a bring-your-own-device (BYOD) or large deployment of unmanaged devices, such as Education. In these circumstances, organisations should look to supplement these packet inspection systems with DNS-based filtering that uses the unencrypted header information to prevent access to malicious sites.
Encrypted traffic doesn't just affect outbound traffic visibility, it also impacts inbound connections to hosted services. The number of organisations I meet with who purchase next-generation firewalls or Intrusion Prevention/Detection Service appliances to protect their services only to pass encrypted traffic streams through them is surprising. Organisations should ensure they understand where traffic can be terminated to provide security and visibility along with a unified configuration and control point for all transport layer security traffic. Application Delivery Controllers, or Load Balancers as they used to be known, are ideal for this job if deployed and designed correctly.
Cryptography, like all areas of cyber security, is a rapidly changing area, with vulnerabilities and errors being found in actual cryptographic algorithms and, more commonly, in their software implementations. We saw this recently with the SHA-1 deprecation and the move towards elliptic curve key exchanges that support perfect forward secrecy (which protects against the decryption of all historic traffic in the event the secret key is lost). This highlights the importance of centralising the termination of encrypted traffic to reduce the administrative burden of changing cipher schemes or protocols and improve the ability to inspect the traffic.
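As an added illustration (not part of the original article), the Python sketch below audits which cipher suites at a TLS termination point provide forward secrecy. The field names follow the dictionaries returned by Python's `ssl.SSLContext.get_ciphers()`; the `SAMPLE` list is constructed for the example and the function names are hypothetical.

```python
import ssl

# Key-exchange labels from the "kea" field of SSLContext.get_ciphers().
# Ephemeral (EC)DH exchanges give forward secrecy; static RSA key
# exchange ("kx-rsa") does not, because the server's long-term key
# decrypts every recorded session.
FORWARD_SECRET_KEA = {"kx-ecdhe", "kx-dhe", "kx-ecdhe-psk", "kx-dhe-psk"}

def audit_ciphers(ciphers):
    """Split cipher descriptions into (forward_secret, not_forward_secret) names."""
    fs, no_fs = [], []
    for c in ciphers:
        # TLS 1.3 suites always use an ephemeral key exchange.
        ok = c.get("protocol") == "TLSv1.3" or c.get("kea") in FORWARD_SECRET_KEA
        (fs if ok else no_fs).append(c["name"])
    return fs, no_fs

def audit_policy(cipher_string):
    """Audit the suites an OpenSSL cipher string enables on this host."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # applies to TLS 1.2 and earlier suites
    return audit_ciphers(ctx.get_ciphers())

# Constructed sample in the shape of get_ciphers() output (not real capture data).
SAMPLE = [
    {"name": "TLS_AES_256_GCM_SHA384", "protocol": "TLSv1.3", "kea": "kx-any"},
    {"name": "ECDHE-RSA-AES128-GCM-SHA256", "protocol": "TLSv1.2", "kea": "kx-ecdhe"},
    {"name": "DHE-RSA-AES256-GCM-SHA384", "protocol": "TLSv1.2", "kea": "kx-dhe"},
    {"name": "AES128-GCM-SHA256", "protocol": "TLSv1.2", "kea": "kx-rsa"},
    {"name": "AES256-SHA", "protocol": "SSLv3", "kea": "kx-rsa"},
]

if __name__ == "__main__":
    fs, no_fs = audit_ciphers(SAMPLE)
    print("forward secret:", fs)
    print("NOT forward secret:", no_fs)
```

Running `audit_policy()` against the cipher string configured on the central termination point shows at a glance whether a policy change has removed every static-RSA suite.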
Alice, Bob and Eve have been pivotal to the industries we are all in; however, encryption is not without its challenges. Organisations need to know when to utilise these technologies but also understand the potential impact of them on their security environment. If you want to discuss the impact of encryption and how to best utilise it for the secure storage, transport or integrity of data, then please contact your Softcat account manager.