Table of Contents
- #Overview | #Standards | #Getting Started | #Resources
- Cryptographic Controls (ISO 10.1)
Overview
The art of secret writing underpins many of the controls used in computer and communication systems to achieve the various requirements for data and communication security and privacy; confidentiality, integrity, and availability. Cryptographic protocol usually require the use of cryptographic keys which may be shared, and are used in encryption protocols to encrypt data and or communication channels, and also to decrypt encrypted data or communication channels.
Cryptographic protocols are typically measured by the effective length of the cryptographic keys. Prior to the early 1980s and the widespread use of public key cryptography, the same cryptographic key is usually used for both encryption and decryption of data. This creates challenge for key exchange necessary for practical applications from military use to banking. With the advent of public key cryptography, and the elegant solution of key exchange using RSA, and later various other protocols, secure data communication has become tremendously easier, benefiting the explosive growth of the internet and its application in many industry including in higher education. However, as cryptographic protocols gain more currency, defeating them has become more lucrative for attackers who will benefit from gaining unauthorized access to information ranging from personal PHIs, PHIs and other private data, as well as organization and government secret.
The strength of cryptographic protocols, defined in terms of the equivalent synchronous cryptography protocol key strength is a measure of the level of difficulty in deciphering an encrypted text, without first gaining access to the key. The most common approach to breaking cryptographic protocols, or cryptanalysis is by use of brute force. This technique relies on the number of trials that can be conducted in a given amount of time, and the sample space of the key, which is a measure of the number of bits of the equivalent synchronous key. Today, given the advances in computing and cryptanalysis techniques, 128 bit is considered a floor for cryptographic key strengths and 256 bits is usually considered acceptable.
Cryptographic standards are designed to optimize encryption, while making brute force attack the only likely attack that can break an encryption system, also making sure that brute force attack is expensive, in terms of how long it will take to exhaust a given key space. For example, AES-128 has a key space of 2^(128) bits or 3.4x10^(14).
Cryptography covers encryption, digital signature, and decryption. It is usually defined as the art and or science of secret (code) writing. Applied properly, cryptography can provide protection for the confidentiality, integrity, and privacy of data or information at rest or in transit. Encryption can be synchronous or asynchronous. Synchronous cryptography is mostly used for data at rest, and also for digital signature. Asynchronous cryptography is usually used for data in transit and in cases where encryption and decryption keys need to be shared or exchanged.
Applied properly, cryptographic controls provide effective mechanisms for protecting the confidentiality, authenticity and integrity of information. An institution should develop policies on the use of encryption, including proper key management. Disk Encryption is one way to protect data at rest.Data in transit can be protected from alteration and unauthorized viewing using SSL certificates issued through a Certificate Authority that has implemented a Public Key Infrastructure.
Encryption based transport protocols such as SSL and IPSec can be used for securing virtual private networks. Encryption is also used in DNSSEC to protect the integrity of DNS and DNS handshake. SSL and TLS certificates are used to protect email in transit.
#Top of page
Standards
27002:2013 Information Security Management |
800-111: Guide to Storage Encryption Technologies for End User Devices |
DS5.8 |
Req 3 |
|
45 CFR 164.312(e)(1) |
#Top of page
Getting Started
Introductory material for the Topic.
#Top of page
Cryptographic Controls (ISO 10.1)
Objective: To describe considerations for an encryption policy in order to protect information confidentiality, integrity, and authenticity.
Certain data, by their nature, require particular confidentiality protection that can be provided by encryption techniques. Additionally, there may be contractual or other legal penalties for failure to maintain proper confidentiality - when Social Security Numbers are involved, for example. Parties who may acquire unauthorized access to the data but who do not have access to the encryption key - the "password" that encrypted the data - cannot feasibly decipher the data.
Data exist in one of three states: at rest; in transit; or undergoing processing. Data are particularly vulnerable to unauthorized access when in transit or at rest. Portable computers (holding data at rest) are a common target for physical theft, and data in transit over a network may be intercepted. Unauthorized access may also occur while data are being processed, but here the security system may rely on the processing application to control, and report on, such access attempts. When used appropriately, encryption is a powerful tool to prevent unauthorized access to data at rest or in transit.
The following campus case studies are included in Encryption 101, a basic guide to encryption concepts.
Campus Case Study: Implementing Whole Disk Encryption with Microsoft Windows Vista Bitlocker - McIntire School of Commerce, UVA
Campus Case Study: Whole Disk Encryption Evaluation and Deployment - Baylor University
Campus Case Study: Developing a Certification Authority for PKI at Virginia Tech - Virginia Tech
Full disk encryption (FDE) can be used to mitigate the risk of data exposure, but the security is only in place when the computer is turned off. FDE may be most effective when used on laptops that, when stolen or lost, are often powered off. See Introduction to Full Disk Encryption (FDE) for an overview of FDE.
PGP is an email encryption and signature algorithm based on public key cryptography. PGP is based on a web of trust model and like other certificate based public key cryptography, it requires a central authority or key repository. PGP now exists in two main versions, the open source version (openPGP) and the version supported by Symantec. Note that Symantec now uses the PGP name to refer to most of its encryption solutions, including its Whole Disk encryption as well as its email encryption solution.
#Top of page
Resources
Campus Case Studies On This Page
Campus Case Study: Implementing Whole Disk Encryption with Microsoft Windows Vista Bitlocker - McIntire School of Commerce, UVA
Campus Case Study: Whole Disk Encryption Evaluation and Deployment - Baylor University
Campus Case Study: Developing a Certification Authority for PKI at Virginia Tech - Virginia Tech
EDUCAUSE Resources
- Encryption 101
- Encryption, EDUCAUSE Resource page
- Introduction to Full Disk Encryption (FDE)
Initiatives, Collaborations, & Other Resources
- Link 1
- Link 2
- Link 3
References
- Schneir, B. 1996. Applied Cryptography. Wiley.
- Menezes, vanOorschot, Vanstone. Handbook of Applied Cryptography. CRC.
#Top of page
Questions or comments? Contact us.
Except where otherwise noted, this work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License (CC BY-NC-SA 4.0).