The author dispels many myths about encryption, most importantly the belief that encryption by itself secures your data: it only buys you time. Real security requires hard work and diligence, just like everything else in life.
By: Bill Mathews, Hurricane Labs, June 26, 2012 11:14 AM EDT
SSL, TLS, VPN, blah blah blah, the terms all run together at this point. In every engagement I do, in every course I teach, and in more than a few articles I’ve written, I have stressed the point to no end – encryption is not security. It’s a pretty simple and not terribly technical concept. Encryption is really just a masquerading technology, an illusion meant to provide temporary privacy for moving data. When data is at rest, given enough time, it is even less of a security technology (but we’ll save that for a different post). I know what you’re thinking: “I know that, of course encryption only protects privacy and in some cases integrity.” Awesome, I think it is great that you know that. Would you mind helping me spread the word to marketing departments and management folks? Here’s why:
LinkedIn’s response to their recent breach was to add some encryption to their passwords. A really good move, to be certain; why it wasn’t there already I don’t know. However, I have seen no mention of actually proving these security measures. How did the attacker get the data in the first place? LinkedIn seems certain that, aside from passwords, no other data has been leaked out. But how do they know? They’re certainly not talking (which is a whole separate problem in handling an incident). Having conducted and/or run quite a number of penetration tests, I can tell you that if we get a SQL injection and dump out the passwords table, it usually doesn’t take much to get the usernames too. So what is the real story? Again, they’re not talking, but they’ve “added some encryption,” so in case it leaks out again, it’ll be better.
You see it on websites all the time: “We use bank level encryption to secure your data,” and my response to that is always, “so what?” My wife is probably quite sick of hearing about it, and since no one else would listen I figured I’d write a blog post. When I read this, it is usually in reference to the website’s use of SSL, and that’s great; everyone should use “bank level encryption” for their SSL connections. But what really matters is the meat of their protections: what are the other layers? If you’re just encrypting the traffic and nothing else, then all you’ve done is ensure that no one can snoop on the bad guys while they’re breaking into your stuff. That’s it (and these days even that isn’t a certainty). We have to be smarter about the messages we send to customers. You are not protecting them because you’re encrypting their traffic – a slogan is simply not enough. You have to provide layers of protection, and you should go into some detail about them so customers can really understand your precautions. This is much better than lying to them.
The bigger problem I have with encryption is that on a long enough timeline (shorter with more computers doing it) ALL encryption is breakable. Don’t believe me? Fujitsu Labs just broke 923-bit encryption, which was thought to take thousands of years. With 21 computers (252 cores) they broke it in 148.2 days. That probably sounds like a long time if you’re only passingly familiar with cryptography, but really it was a land speed record. With computers getting faster, cheaper, and cloudier (couldn’t resist), cracking “bank level encryption” will become trivial within a few years. What does this mean? It means start getting serious and stop relying on encrypted voodoo and soothing marketing “power” words like “bank level encryption.” It is meaningless and makes me wonder what else you’re hiding.