Skip to content

Page127

Data at Rest and Data in Motion

Cryptography can protect both data at rest and data in motion (aka data in transit). Full disk encryption (also called whole disk encryption) of a magnetic disk drive using software such as TrueCrypt or PGP Whole Disk Encryption is an example of encrypting data at rest. An SSL or IPsec VPN is an example of encrypting data in motion.

Protocol Governance

Cryptographic Protocol Governance describes the process of selecting the right method (cipher) and implementation for the right job, typically at an organization-wide scale. For example: as we will learn later this chapter, a digital signature provides authentication and integrity, but not confidentiality. Symmetric ciphers are primarily used for confidentiality, and AES is preferable over DES due to strength and performance reasons (which we will also discuss later).

Organizations must understand the requirements of a specific control, select the proper cryptographic solution, and ensure factors such as speed, strength, cost, complexity (and others) are properly weighed.

Types of Cryptography

There are three primary types of modern encryption: symmetric, asymmetric, and hashing. Symmetric encryption uses one key: the same key encrypts and decrypts. Asymmetric cryptography uses two keys: if you encrypt with one key, you may decrypt with the other. Hashing is a one-way cryptographic transformation using an algorithm (and no key).

Symmetric Encryption

Symmetric encryption uses one key to encrypt and decrypt. If you encrypt a zip file, and then decrypt with the same key, you are using symmetric encryption. Symmetric encryption is also called “Secret key” encryption: the key must be kept secret from third parties. Strengths include speed and cryptographic strength per bit of key. The major weakness is that the key must be securely shared before two parties may communicate securely. Symmetric keys are often shared via an out-of-band method, such as face-to-face discussion.

The key is usually converted into a subkey, which changes for each block of data that is encrypted.

Stream and Block Ciphers

Symmetric encryption may have stream and block modes. Stream mode means each bit is independently encrypted in a “stream.” Block mode ciphers encrypt blocks of data in each round: 64 bits for the Data Encryption Standard (DES) and 128 bits for AES, for example. Some block ciphers can emulate stream ciphers by setting the block size to 1 bit; they are still considered block ciphers.