Data Encryption Strategies
By: Fred Moore, President, Horison, Inc. http://www.horison.com

Introduction to Encryption

As the amount of digital data grows, so does the exposure to data loss. It is difficult to find a day when there hasn't been a high-profile data security incident. The risk has reached such a level that data encryption is being implemented for stored data and mobile data, in addition to the traditional use of encrypting data in transit over the network. Data encryption is the process of scrambling transmitted or stored information so that it is unintelligible until it is unscrambled by the intended recipient. In computing, data encryption has historically been used primarily to protect mission-critical data, government records and military secrets from foreign governments. Over the past 10 years it has been used increasingly by the financial industry to protect money transfers, by businesses to protect credit-card information and electronic commerce, and by corporations to secure the network transmission of proprietary information. Before 2000 most of the encryption focus was on data in transit, but the events of September 11th, 2001, the rise of compliance requirements, and the tremendous amount of data now stored on mobile personal devices have moved the encryption of stored data much higher on the priority list of leading-edge data protection strategies. The science of enciphering and deciphering messages in secret code or cipher is called cryptography (cryptology, in the broader sense, also covers the breaking of ciphers), and it has become a topic of serious interest to the storage industry.

DES, the first standard

In 1977 the Data Encryption Standard (DES, later extended as Triple DES) was adopted in the United States as the first federal encryption standard. DES applies a 56-bit key to each 64-bit block of data; the key is handled as 8 bytes, but the low bit of each byte is a parity bit that has no effect on the cipher, which is why only 56 bits count. DES is now considered insecure for most applications, chiefly because the 56-bit key is too small: a brute-force search of all 2^56 keys has been completed in less than 24 hours with purpose-built hardware, and the time keeps falling as processors get faster. Because of growing concern over the viability of the DES algorithm, NIST (the National Institute of Standards and Technology) announced that DES would not be recertified as a standard and accepted submissions for its replacement. Alongside the block ciphers themselves, encryption protocols and tools such as Secure Sockets Layer (SSL) for Internet transactions, Pretty Good Privacy (PGP) for e-mail and files, and Secure Hypertext Transfer Protocol (S-HTTP) have been in use for years; these are not ciphers but build on an underlying cipher such as Triple DES or AES.

AES, the second standard

The second encryption standard to be adopted was the Advanced Encryption Standard (AES). AES, like DES, is a symmetric (secret-key) block cipher; it was developed by the Belgian cryptographers Joan Daemen and Vincent Rijmen under the name Rijndael and operates on 128-bit blocks, twice the block size of DES. Symmetric ciphers require that the sender and the receiver share the same key and keep it secret from everyone else. The U.S. government selected the algorithm as its encryption standard in October 2000 after a long, open standardization process, finally replacing DES. On December 6, 2001, the Secretary of Commerce officially approved AES as FIPS (Federal Information Processing Standard) 197. It was expected to be used extensively worldwide, as DES had been. AES is more secure than DES because it offers a much larger key: it accepts keys of 128 bits (the most common choice), 192 bits or 256 bits, and the best known way to recover a message without the key is still to try every possible key, which is infeasible even at 128 bits. AES was initially adopted on a selective basis, and it is not backward compatible with DES: the block size and the key sizes differ, so data encrypted under DES must be decrypted and re-encrypted to move it to AES. For U.S. classified information, AES with 128-bit keys is approved up to the Secret level, while Top Secret requires the 192- or 256-bit key lengths, and AES implementations in products intended to protect national security systems must be reviewed and certified by NSA (the National Security Agency) before acquisition and use.
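To make the block and key parameters above concrete, here is an added Go example (not part of Fred Moore's paper) using only the standard library's crypto/des and crypto/aes packages. It reports which key lengths each cipher constructor accepts, and it measures empirically how many bits of a key actually influence the ciphertext by flipping each key bit in turn and re-encrypting one block: DES comes out at 56 of its 64 key bits because the parity bits are ignored, AES-128 at all 128. The sample key and plaintext block are constructed for this example; the DES key is the traditional 0123456789ABCDEF test key.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/des"
	"fmt"
)

// Constructed sample inputs: the classic DES test key (odd parity in every byte),
// a 16-byte AES-128 key, and one plaintext block.
var (
	desKey    = []byte{0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF}
	aesKey    = []byte("0123456789abcdef")
	plaintext = []byte("ABCDEFGHIJKLMNOP") // 16 bytes: one AES block, or two DES blocks
)

// acceptedKeyLengths reports which key lengths (in bytes) a cipher constructor accepts.
// A DES key is rejected by AES and vice versa, which is one reason AES cannot
// read DES ciphertext.
func acceptedKeyLengths(newCipher func([]byte) (cipher.Block, error), candidates []int) []int {
	var ok []int
	for _, n := range candidates {
		if _, err := newCipher(make([]byte, n)); err == nil {
			ok = append(ok, n)
		}
	}
	return ok
}

// effectiveKeyBits counts the key bits that actually influence the ciphertext:
// it flips each bit of key in turn, re-encrypts the first plaintext block and
// counts the flips that change the output. DES ignores its 8 parity bits, so
// only 56 of its 64 key bits count; AES-128 uses all 128.
func effectiveKeyBits(newCipher func([]byte) (cipher.Block, error), key []byte) (int, error) {
	base, err := newCipher(key)
	if err != nil {
		return 0, err
	}
	in := plaintext[:base.BlockSize()]
	ref := make([]byte, len(in))
	base.Encrypt(ref, in)

	count := 0
	for i := 0; i < len(key)*8; i++ {
		flipped := append([]byte(nil), key...)
		flipped[i/8] ^= 1 << (7 - i%8) // bit i, numbered from the MSB of byte 0
		c, err := newCipher(flipped)
		if err != nil {
			return 0, err
		}
		out := make([]byte, len(in))
		c.Encrypt(out, in)
		if !bytes.Equal(out, ref) {
			count++
		}
	}
	return count, nil
}

func main() {
	sizes := []int{7, 8, 16, 24, 32}
	fmt.Printf("DES:  block %d bytes, accepted key lengths %v\n", des.BlockSize, acceptedKeyLengths(des.NewCipher, sizes))
	fmt.Printf("3DES: block %d bytes, accepted key lengths %v\n", des.BlockSize, acceptedKeyLengths(des.NewTripleDESCipher, sizes))
	fmt.Printf("AES:  block %d bytes, accepted key lengths %v\n", aes.BlockSize, acceptedKeyLengths(aes.NewCipher, sizes))
	d, _ := effectiveKeyBits(des.NewCipher, desKey)
	a, _ := effectiveKeyBits(aes.NewCipher, aesKey)
	fmt.Printf("effective key bits: DES %d of 64, AES-128 %d of 128\n", d, a)
}
```

The bit-flipping measurement is a cheap sanity check worth running against any vendor's "56-bit" or "128-bit" claim: it tells you how much of the key material the engine actually consumes, which is what a brute-force attacker has to search.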
As of 2006, no practical attack against AES had been recognized.

From Symmetric to Asymmetric Encryption: public and private keys

Symmetric ciphers require that both the sender and the receiver share the same key and keep it secret from everyone else, which makes distributing that key the hard part. Asymmetric encryption differs in that it uses two mathematically related keys: a public key that may be known to everyone and a private (secret) key known only to the recipient of the message. This lessens the risk of key exposure because the secret half never has to be transmitted. When a user wants to send a secure message to another user, they encrypt it with the recipient's public key, and the recipient decrypts it with the corresponding private key. The essential property of a public key system is that a message encrypted with the public key can be decrypted only with the matching private key, and that it is computationally infeasible to derive the private key from the public key. There are a number of asymmetric encryption systems, but the best known and most widely used is RSA, a public key algorithm named for its three co-inventors Rivest, Shamir and Adleman. The Secure Sockets Layer used for secure communications on the Internet uses RSA (the popular https protocol is simply http over SSL). Asymmetric algorithms are far more expensive to compute, so their performance overhead makes them unsuitable for encrypting very large amounts of data or response-time-sensitive data; in practice they are used to protect a symmetric key, and that symmetric key encrypts the bulk data. Asymmetric encryption is often described as more secure than symmetric encryption, but the gain is in key handling rather than in raw strength: the decryption key can be kept private and never has to be shared with anyone.
Public key encryption is more computationally intensive and requires a longer key than a symmetric algorithm to achieve the same level of security; a 3072-bit RSA key is rated roughly equivalent to a 128-bit symmetric key.

Keys are the Key: for successful encryption

The basic idea of key-based encryption is that a block, file or other unit of data is scrambled by an encryption algorithm under a key, so that the original information is hidden. The scrambled data is called ciphertext. A unique key must be generated for each data element, device, LUN or other entity that needs to be encrypted, and the keys must be stored and maintained for the life of the data, which can mean over 100 years for some compliance and archival applications; ciphertext whose key has been lost is as unrecoverable as data that was never written. In theory, only the person or machine doing the scrambling and the intended recipient of the ciphertext can decrypt it, since it has been encrypted under an agreed-upon key.

[Figure: plaintext in its standard format ("This is mission critical data") and the key enter the encryption engine, which applies the encryption algorithm and outputs ciphertext]
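The two sections above describe the pattern that storage encryption products actually implement: a symmetric key does the bulk work, one key per LUN or device, and asymmetric encryption protects that key so only the private-key holder can recover it. The following is an added Go example (not from the paper, and not any product's format) that runs the pattern end to end with the standard library: a fresh 256-bit AES key per LUN, data encrypted under it with AES-GCM, and the key wrapped with RSA-OAEP under a key custodian's public key. The Envelope record layout, the LUN names, the OAEP label and the choice of GCM and OAEP are assumptions made for this example. It also shows, in numbers, why RSA wraps the key rather than the data: RSA-OAEP with SHA-256 under a 2048-bit key can encrypt at most 190 bytes in one operation.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is the record stored with one LUN's data (a constructed layout for this
// example): the data under the LUN's own symmetric DEK, and the DEK under the key
// custodian's RSA public key. Each LUN gets a different DEK.
type Envelope struct {
	LUN        string
	WrappedDEK []byte // RSA-OAEP(SHA-256) ciphertext of the 32-byte AES key
	Blob       []byte // GCM nonce || AES-256-GCM ciphertext || tag
}

const oaepLabel = "lun-dek" // assumed label; must match on wrap and unwrap

func newGCM(dek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(dek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealData encrypts data with AES-256-GCM under dek. The LUN identifier is bound as
// additional authenticated data, so a blob copied into another LUN's slot fails to
// decrypt instead of silently yielding another owner's data.
func sealData(dek, data []byte, lun string) ([]byte, error) {
	gcm, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, data, []byte(lun)), nil
}

func openData(dek, blob []byte, lun string) ([]byte, error) {
	gcm, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], []byte(lun))
}

// oaepMaxPlaintext is the largest message RSA-OAEP/SHA-256 can encrypt directly:
// k - 2*hLen - 2 bytes (190 for a 2048-bit key). Hence RSA wraps the DEK, not the data.
func oaepMaxPlaintext(pub *rsa.PublicKey) int {
	return pub.Size() - 2*sha256.Size - 2
}

// encryptForLUN runs the hybrid scheme: a fresh 256-bit DEK for this LUN, bulk data
// under the DEK, the DEK under the asymmetric public key.
func encryptForLUN(pub *rsa.PublicKey, lun string, data []byte) (Envelope, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return Envelope{}, err
	}
	blob, err := sealData(dek, data, lun)
	if err != nil {
		return Envelope{}, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dek, []byte(oaepLabel))
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{LUN: lun, WrappedDEK: wrapped, Blob: blob}, nil
}

// decryptEnvelope is the only path back to the data, and it needs the private key.
func decryptEnvelope(priv *rsa.PrivateKey, env Envelope) ([]byte, error) {
	dek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedDEK, []byte(oaepLabel))
	if err != nil {
		return nil, err
	}
	return openData(dek, env.Blob, env.LUN)
}

func main() {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // the key custodian's key pair
	if err != nil {
		panic(err)
	}
	data := make([]byte, 1<<20) // 1 MiB of constructed sample data
	env, _ := encryptForLUN(&priv.PublicKey, "lun-0017", data)
	back, err := decryptEnvelope(priv, env)
	fmt.Printf("recovered %d bytes (err=%v); wrapped DEK is %d bytes\n", len(back), err, len(env.WrappedDEK))
	_, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, &priv.PublicKey, data, nil)
	fmt.Printf("RSA-OAEP on the data directly (limit %d bytes): %v\n", oaepMaxPlaintext(&priv.PublicKey), err)
}
```

Two design points follow from the paper's "keys are the key" argument. First, the WrappedDEK field is the only copy of the DEK that persists, so the RSA private key is what must be escrowed and protected for the life of the data, and losing it loses every LUN wrapped under it. Second, because the data is encrypted under the DEK rather than under the RSA key, the custodian key can be rotated by re-wrapping the 32-byte DEKs without touching the bulk data.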