You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 27 Next »

Table of Contents

Overview

The art of secret writing underpins many of the controls used in computer and communication systems to achieve the various requirements for data and communication security and privacy; confidentiality, integrity, and availability. Cryptographic protocol usually require the use of cryptographic keys which may be shared, and are used in encryption protocols to encrypt data and or communication channels, and also to decrypt encrypted data or communication channels.

Cryptographic protocols are typically measured by the effective length of the cryptographic keys. Prior to the early 1980s and the widespread use of public key cryptography, the same cryptographic key is usually used for both encryption and decryption of data. This creates challenge for key exchange necessary for practical applications from military use to banking. With the advent of public key cryptography, and the elegant solution of key exchange using RSA, and later various other protocols, secure data communication has become tremendously easier, benefiting the explosive growth of the internet and its application in many industry including in higher education. However, as cryptographic protocols gain more currency, defeating them has become more lucrative for  attackers who will benefit from gaining unauthorized access to information ranging from personal PHIs, PHIs and other private data, as well as organization and government secret.

The strength of cryptographic protocols, defined in terms of the equivalent synchronous cryptography protocol key strength is a measure of the level of difficulty in deciphering an encrypted text, without first gaining access to the key. The most common approach to breaking cryptographic protocols, or cryptanalysis is by use of brute force. This technique relies on the number of trials that can be conducted in a given amount of time, and the sample space of the key, which is a measure of the number of bits of the equivalent synchronous key. Today, given the advances in computing and cryptanalysis techniques, 128 bit is considered a floor for cryptographic key strengths and 256 bits is usually considered acceptable.

Cryptographic standards are designed to optimize encryption, while making brute force attack the only likely attack that can break an encryption system, also making sure that brute force attack is expensive, in terms of how long it will take to exhaust a given key space. For example, AES-128 has a key space of 2^(128) bits or 3.4x10^(14).

Cryptography covers encryption, digital signature, and decryption. It is usually defined as the art and or science of secret (code) writing. Applied properly, cryptography can provide protection for the confidentiality, integrity, and privacy of data or information at rest or in transit. Encryption can be synchronous or asynchronous.  Synchronous cryptography is mostly used for data at rest, and also for digital signature. Asynchronous cryptography is usually used for data in transit and in cases where encryption and decryption keys need to be shared or exchanged.

Applied properly, cryptographic controls provide effective mechanisms for protecting the confidentiality, authenticity and integrity of information. An institution should develop policies on the use of encryption, including proper key management. Disk Encryption is one way to protect data at rest.Data in transit can be protected from alteration and unauthorized viewing using SSL certificates issued through a Certificate Authority that has implemented a Public Key Infrastructure.

Encryption based transport protocols such as SSL and IPSec can be used for securing virtual private networks. Encryption is also used in DNSSEC to protect the integrity of DNS and DNS handshake. SSL and TLS certificates are used to protect email in transit.

#Top of page

Standards

ISO

NIST

COBIT

PCI DSS

2014 Cybersecurity Framework

HIPAA Security

27002:2013 Information Security Management
Chapter 10: Cryptography
ISO/IEC 9796-2:2010
ISO/IEC 9797-1:2011
ISO/IEC 9798-2:2008
ISO/IEC 11770-1:2010
ISO/IEC 14888-1:2008
ISO/IEC 18033-1:2005

800-111
800-56A
FIPS 180-4

DS5.8
APO11.02
APO11.05
BAI03.03
DSS01.01
DSS01.02
DSS01.04
DSS01.05
DSS05.01
DSS05.02
DSS05.03
DSS05.06
DSS06.05

Req 3
Req 4

PR.DS-1: Data-at-rest is protected
R.DS-2: Data-in-transit is protected
PR.DS-3: Assets are formally managed throughout removal, transfers, and disposition
PR.DS-5: Protections against data leaks are implemented
PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integrity

45 CFR 164.312(e)(1)
45 CFR 164.312(a)(1)

#Top of page

Getting Started

In order to utilize encryption effectively throughout an institution of higher education, a strategy should be developed that incorporates risk management, compliance requirements, data protection, policies and standards:

  1. The following Guide Chapters can assist with developing requirements as part of an overall institutional encryption strategy:
    1. Chapter 8, Asset Management, discusses the need to identify and categorize/classify all your information assets. Understanding/knowing where confidential information resides (ex. SSNs, PII) is a critical component in establishing an encryption strategy.
    2. Chapter 9, Access Control, addresses the need to ensure authorized access to information resources. Confidential information needs to be protected throughout its lifecycle (access, process, transmit, store).
    3. Chapter 18, Compliance, provides information in relation to various legal and information security requirements that stipulate the need to protect specific types of information. These types of requirements (ex. PCI DSS, HIPAA) discuss the need to encrypt specific types of data (card holder data, electronic protected health information).
    4. The Risk Management chapter emphasizes the importance of analyzing risks to information. Risk treatment activities may include deploying encryption solutions to protect confidential information.
    5. Chapter 5, Information Security Policies, stresses that policies provide the direction institutional leadership wants to take in regards to information security goals and objectives. In order to develop an institutional strategy for encryption that will be widely supported and adopted, it's necessary to gain support of institutional leadership.
  2. There are many different ways to use encryption as a security tool and there are many variations on how passcodes or keys are created and used. It can be challenging to ensure that your encryption keys are sufficiently complex making it hard to break the code, and at the same time simple enough so that authorized users can access the protected data when needed.
  3. Additional considerations for developing an encryption strategy to protect information are as follows:
    1. Seek to protect data at rest and in motion.
    2. Provide a means for institutional staff to process confidential data while it is encrypted.
    3. Protect encryption keys.
    4. Develop a key management process that automates the process of verifying identity and access rights.
    5. Encryption can often be a computationally intensive process and may degrade performance of IT applications or infrastructure if not implemented in an optimal way---in other words, don't cut corners. Develop a strategy, gather requirements, execute test plans, deploy following best practices and effectively manage encryption solutions.

#Top of page

Cryptographic Controls (ISO 10.1)

Objective: To describe considerations for an encryption policy in order to protect information confidentiality, integrity, and authenticity.

Certain data, by their nature, require particular confidentiality protection that can be provided by encryption techniques. Additionally, there may be contractual or other legal penalties for failure to maintain proper confidentiality - when Social Security Numbers are involved, for example. Parties who may acquire unauthorized access to the data but who do not have access to the encryption key - the "password" that encrypted the data - cannot feasibly decipher the data.

Data exist in one of three states: at rest; in transit; or undergoing processing. Data are particularly vulnerable to unauthorized access when in transit or at rest. Portable computers (holding data at rest) are a common target for physical theft, and data in transit over a network may be intercepted. Unauthorized access may also occur while data are being processed, but here the security system may rely on the processing application to control, and report on, such access attempts. When used appropriately, encryption is a powerful tool to prevent unauthorized access to data at rest or in transit.

The following campus case studies are included in Encryption 101, a basic guide to encryption concepts.
(lightbulb) Campus Case Study: Implementing Whole Disk Encryption with Microsoft Windows Vista Bitlocker - McIntire School of Commerce, UVA
(lightbulb) Campus Case Study: Whole Disk Encryption Evaluation and Deployment - Baylor University
(lightbulb) Campus Case Study: Developing a Certification Authority for PKI at Virginia Tech - Virginia Tech

Full disk encryption (FDE) can be used to mitigate the risk of data exposure, but the security is only in place when the computer is turned off. FDE may be most effective when used on laptops that, when stolen or lost, are often powered off. See Introduction to Full Disk Encryption (FDE) for an overview of FDE.

PGP is an email encryption and signature algorithm based on public key cryptography. PGP is based on a web of trust model and like other certificate based public key cryptography, it requires a central authority or key repository. PGP now exists in two main versions, the open source version (openPGP) and the version supported by Symantec. Note that Symantec now uses the PGP name to refer to most of its encryption solutions, including its Whole Disk encryption as well as its email encryption solution. 

#Top of page

Resources

Campus Case Studies On This Page
(lightbulb) Campus Case Study: Implementing Whole Disk Encryption with Microsoft Windows Vista Bitlocker - McIntire School of Commerce, UVA
(lightbulb) Campus Case Study: Whole Disk Encryption Evaluation and Deployment - Baylor University
(lightbulb) Campus Case Study: Developing a Certification Authority for PKI at Virginia Tech - Virginia Tech

EDUCAUSE Resources

Initiatives, Collaborations, & Other Resources

References

  • Schneir, B. 1996. Applied Cryptography. Wiley.
  • Menezes, vanOorschot, Vanstone. 1996. Handbook of Applied Cryptography. CRC.
  • Kaufman, Perlman, Speciner. 1995. Network Security, PRIVATE Communication in a PUBLIC World. Prentice Hall PTR.
  • Akpose, W. 2004. Application of Elliptic Curve Cryptography. Master's Thesis, Morgan State University.

#Top of page

(question) Questions or comments? (info) Contact us.

(warning) Except where otherwise noted, this work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License (CC BY-NC-SA 4.0).

  • No labels