
1.0 General Security Concepts

1.4 - Encryption


Learning Objectives

Explain the importance of using appropriate cryptographic solutions.

  • Encryption
    • Level:
      • Full-disk
      • Partition
      • File
      • Volume
      • Database
      • Record
  • Transport/communication encryption
  • Asymmetric encryption
  • Symmetric encryption
  • Algorithms

What Is Encryption?

Encryption is the process of converting readable data, known as plaintext, into an unreadable format called ciphertext, which can then only be deciphered by individuals possessing the corresponding decryption key. This transformation ensures the confidentiality, integrity, and availability of the information, providing a vital layer of security in the digital world.

It is employed to secure both data at rest (stored data) and data in transit (data traveling across networks).

Types of Encryption

There are two main types of encryption based on the encryption algorithms & cryptographic keys being used:

1. Symmetric Encryption

Symmetric encryption uses the same cryptographic key for both encryption and decryption. It is faster and less computationally intensive than Asymmetric Encryption, making it suitable for encrypting large volumes of data at rest, such as files, databases, and hard drives.

However, the challenge lies in securely distributing and managing the single key. Because everyone involved in either the encryption or decryption process needs access to the key, it doesn't scale very well. The more widely the key is shared, the greater the risk that it leaks to someone unauthorised, which would compromise everything that has been encrypted.

2. Asymmetric Encryption

Asymmetric encryption, also known as public-key encryption, uses a pair of mathematically related keys: a public key to encrypt and a private key to decrypt. The public key can be shared freely, while the private key must remain... private.

Asymmetric encryption is generally more computationally intensive and slower than symmetric encryption. However, it is more mathematically secure and arguably more operationally secure due to the separation of duties between the private and public key.

It is often used to encrypt data in transit, such as in HTTPS, VPNs and secure emails. It is also used to securely exchange symmetric keys and to provide digital signatures.
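The key exchange described above, as an added example that is not part of the original lesson: a random symmetric key encrypts the message, and only that short key is encrypted with the recipient's public key. It uses only the Python standard library, so the RSA here is textbook RSA on small fixed primes without padding, and a SHA-256 keystream stands in for AES; both are assumptions made so the sketch runs anywhere, and all function names are hypothetical.

```python
import hashlib
import secrets

# Toy RSA key pair built from two known Mersenne primes (assumption for this
# example; real RSA keys are generated randomly and are far larger).
P, Q = 2**107 - 1, 2**127 - 1
N, E = P * Q, 65537                  # public key: safe to share
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent: stays with the recipient


def keystream_xor(key, nonce, data):
    """Symmetric stand-in for AES: XOR data with a SHA-256 counter keystream.

    The same call encrypts and decrypts, because one shared key does both.
    """
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)


def wrap_key(sym_key, n, e):
    """Encrypt the symmetric key with the recipient's PUBLIC key."""
    m = int.from_bytes(sym_key, "big")
    if m >= n:
        raise ValueError("symmetric key must be smaller than the modulus")
    return pow(m, e, n)


def unwrap_key(wrapped, n, d, length=16):
    """Recover the symmetric key with the recipient's PRIVATE key."""
    return pow(wrapped, d, n).to_bytes(length, "big")


def send(message, n, e):
    """Sender side: needs only the public key (n, e)."""
    sym_key = secrets.token_bytes(16)    # fresh 128-bit key per message
    nonce = secrets.token_bytes(12)
    return wrap_key(sym_key, n, e), nonce, keystream_xor(sym_key, nonce, message)


def receive(envelope, n, d):
    """Recipient side: the private exponent d unlocks the symmetric key."""
    wrapped, nonce, ciphertext = envelope
    return keystream_xor(unwrap_key(wrapped, n, d), nonce, ciphertext)
```

The slow asymmetric operation touches only 16 bytes, while the fast symmetric operation handles the message of any length, which is why the two types are combined in practice.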

Encryption Algorithms

Encryption algorithms are the mathematical formulas that allow for the secure encryption and decryption of data. Selecting an algorithm involves trade-offs between security strength, processing speed, and implementation complexity. However, the process of choosing which algorithm to use is often hidden from the end user.

There are many different algorithms for encrypting data; however, the same algorithm used to encrypt must also be used to decrypt the data. Therefore, both sides involved in the exchange of encrypted information must agree beforehand on which encryption algorithm to use. For example, ciphertext created by the AES algorithm cannot be decrypted by following a different algorithm.

Examples of encryption algorithms include:

Symmetric Algorithms

  • AES (Advanced Encryption Standard) - AES is a widely used symmetric encryption algorithm that uses a single key with a length of 128, 192, or 256 bits. It is commonly used for rapidly encrypting large amounts of information at rest.
  • DES (Data Encryption Standard) - DES is an older symmetric encryption algorithm that uses a 56-bit key, historically used for securing data but now largely considered insecure due to its short key length.

Asymmetric Algorithms

  • RSA (Rivest–Shamir–Adleman): RSA is a popular asymmetric encryption algorithm used for secure data transmission and digital signatures. Its security is based on the computational difficulty of factoring the product of two large prime numbers. RSA uses much larger key lengths, commonly between 1024 and 4096 bits.
  • ECC (Elliptic Curve Cryptography): ECC is an asymmetric encryption technique that employs elliptic curves for smaller, more efficient keys, and faster performance compared to systems like RSA.

Levels of Encryption

Different types and levels of encryption address varying security needs by applying encryption at the appropriate layers based on the data's format and storage method. Understanding these various types and levels is critical for implementing the right cryptographic solutions.

Full-Disk Encryption (FDE)

Full-disk encryption encrypts the entire contents of a storage device or "disk", protecting all files, programs, and operating system data. This ensures that if a device is lost, stolen or compromised, its data cannot be accessed without the proper decryption key.

Tools like BitLocker for Windows and FileVault for macOS can be used to implement Full-Disk Encryption.

Partition Encryption

Partition encryption focuses on encrypting a specific partition (or section) of a storage device rather than the entire disk. This allows for a more targeted approach to encryption, where sensitive and non-sensitive data can be separated and correctly protected within a single device.

This is ideal when you want to protect sensitive data while leaving other parts of the system unencrypted for faster access.

File Encryption

File encryption secures individual files rather than entire disks or partitions. This is ideal if you do not have control over the less secure systems that your sensitive files may end up being transmitted to or stored on.

This can be achieved through solutions like the Windows Encrypting File System (EFS) and various third-party applications such as GPG or PGP.

Volume Encryption

This may seem similar to partition encryption; however, there are a few key differences to understand. While a partition is a single subsection within a physical storage drive, a logical volume can span multiple partitions or even multiple physical drives, all while appearing as a single volume. Therefore, volume encryption encrypts the entire logical volume, regardless of how much or little the volume encompasses.

It is typically used in cloud environments and virtual machines to protect data stored on large storage volumes.

Database Encryption

Database encryption applies encryption to the entire database. In many modern databases this is known as Transparent Data Encryption.

Transparent Data Encryption (TDE) is a technology found in databases such as Microsoft SQL Server & Oracle Database that encrypts the entire database with symmetric keys. It is important to note that this has the downside of having to decrypt the entire database every time you need to access a single piece of information.

Record Encryption

This encrypts individual records within a database such as columns or rows, while the rest of the database remains stored in plaintext. This often uses separate symmetric keys for each encrypted record, providing fine-grained control for sensitive database fields. This is useful when specific records need extra protection, such as personal data under GDPR regulations.

Transport & Communication Encryption

Transport & Communication encryption protects data as it moves across networks, so attackers would not be able to read the data if they manage to capture it in transit. Two of the most common methods are:

  • Transport Layer Security (TLS)/Secure Sockets Layer (SSL): Typically a form of encryption used within an application, such as web browsers communicating with HTTPS to encrypt data between browsers and servers. (You're likely using this right now.)
  • Virtual Private Network (VPN): Encrypts all data transmitted over a network by using an encrypted tunnel, regardless of the application being used. This provides secure communication channels over potentially insecure networks.
    • Client-based VPNs typically use TLS, while site-to-site VPNs often employ IPsec protocols.
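Because both ends of a TLS connection have to agree on an algorithm, it is worth checking which symmetric ciphers an endpoint is willing to offer. The following added example (not part of the original lesson) audits cipher suite entries in the dict layout returned by Python's ssl.SSLContext.get_ciphers() and flags DES-family or sub-128-bit suites; the function names, thresholds and sample entries are assumptions made for illustration.

```python
import ssl

MIN_BITS = 128                    # smallest AES key size; DES's 56 bits is far below
LEGACY_PREFIXES = ("des", "rc4")  # "des" also matches des-ede3-cbc (3DES)


def audit_ciphers(ciphers):
    """Return {suite name: [reasons]} for suites that should be disabled.

    `ciphers` uses the dict layout returned by ssl.SSLContext.get_ciphers().
    """
    findings = {}
    for c in ciphers:
        reasons = []
        symmetric = (c.get("symmetric") or "none").lower()
        bits = c.get("strength_bits", 0)
        if symmetric == "none" or bits == 0:
            reasons.append("no encryption at all")
        else:
            if symmetric.startswith(LEGACY_PREFIXES):
                reasons.append(f"legacy symmetric cipher {symmetric}")
            if bits < MIN_BITS:
                reasons.append(f"effective key strength is only {bits} bits")
        if reasons:
            findings[c["name"]] = reasons
    return findings


def audit_default_context():
    """Audit the suites this Python/OpenSSL build would offer as a TLS client."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return audit_ciphers(ctx.get_ciphers())


# Constructed sample entries (not captured from a real endpoint).
SAMPLE = [
    {"name": "ECDHE-RSA-AES256-GCM-SHA384", "symmetric": "aes-256-gcm",
     "strength_bits": 256},
    {"name": "DES-CBC-SHA", "symmetric": "des-cbc", "strength_bits": 56},
    {"name": "DES-CBC3-SHA", "symmetric": "des-ede3-cbc", "strength_bits": 112},
    {"name": "NULL-SHA", "symmetric": None, "strength_bits": 0},
]

if __name__ == "__main__":
    for name, reasons in audit_ciphers(SAMPLE).items():
        print(f"{name}: {'; '.join(reasons)}")
```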