Peter Carlisle: Are you keeping your crypto keys under the mat?

Peter Carlisle, Vice President, nCipher Security, considers the importance of securing your crypto keys.

Encryption is the best way to keep private data secure. It prevents attackers from intercepting and reading commercially sensitive data. And it prevents data leakage from any corporate devices that get lost or stolen. But before you take full comfort in having encrypted data, ask yourself where you keep your crypto key. Could it be stolen? Would it be visible to hackers if you had a data breach? Here we look at how your key can be vulnerable, how hackers approach key theft and what you can do about it.

Hackers won’t try to brute force a cryptographic key. Today’s popular cryptographic algorithms like ECC, AES, 3DES and RSA generate keys in a way that makes them too complicated to guess. For example, a key created using the Advanced Encryption Standard (AES) has 1.15×10^77 possible combinations. (AES is a symmetric block cipher chosen by the US government to protect classified information.) That’s 115 with 75 zeros. With our existing computing power, the time required to decrypt protected data is measured in millions of years. It doesn’t matter if you understand the complex mathematical equation that makes data unreadable, you cannot guess the unique key generated.

So instead of guessing a key, hackers will try to steal it. If a key is stored in software on your system (the digital equivalent of the key under the mat) then this is relatively easy to do. This is because of the way a key ‘looks.’ A cryptographic key is a string of random characters, which are used within the encryption algorithm to alter data. A crypto key stored in software has a randomised pattern like snow that can be identified in a binary data scan. If a hacker finds this type of random data they can be confident that they have found some type of crypto key – the jackpot – and they will get to work trying the key against your data.
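To see why key material stored in software stands out, the following added example (not part of the original article) runs a sliding-window entropy check over a constructed buffer, the kind of audit you can run against your own configuration files and build artifacts. The window size, threshold, function names and sample data are all assumptions chosen for illustration.

```python
import hashlib
import math
from collections import Counter

WINDOW = 64        # bytes per window (assumed; roughly one 512-bit secret)
THRESHOLD = 5.2    # bits/byte; the maximum for a 64-byte window is log2(64) = 6.0

def shannon_entropy(chunk: bytes) -> float:
    """Shannon entropy of the byte-value distribution, in bits per byte."""
    total = len(chunk)
    return -sum(n / total * math.log2(n / total) for n in Counter(chunk).values())

def high_entropy_regions(data: bytes, window: int = WINDOW,
                         threshold: float = THRESHOLD) -> list[tuple[int, int]]:
    """Return merged (start, end) byte ranges whose windows reach the threshold."""
    regions: list[tuple[int, int]] = []
    for start in range(len(data) - window + 1):
        if shannon_entropy(data[start:start + window]) < threshold:
            continue
        end = start + window
        if regions and start <= regions[-1][1]:
            regions[-1] = (regions[-1][0], end)   # overlaps the previous hit: extend it
        else:
            regions.append((start, end))
    return regions

# Constructed sample: plain-text configuration with a 64-byte pseudo-random
# stand-in for key material embedded in the middle (not a real key).
FILLER = b"timeout=30\nretries=5\nlog_level=info\n" * 10
FAKE_KEY = hashlib.sha512(b"constructed sample, not a real key").digest()
KEY_OFFSET = len(FILLER)
SAMPLE = FILLER + FAKE_KEY + FILLER

if __name__ == "__main__":
    for start, end in high_entropy_regions(SAMPLE):
        print(f"high-entropy region at bytes {start}-{end} (key at {KEY_OFFSET})")
```

Compressed or already-encrypted data scores just as high as a key, so every hit from a check like this needs review before it is treated as exposed key material.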

A company is likely to have only a few thousand keys, a number low enough for a hacker to work through. Based on a number of studies, the time between a hacker’s penetration and detection is between 160 and 260 days. Even at the low end, that’s a large number of hours. At the corporate hacking level, it’s likely that your attack will come from a group of hackers, multiplying the time available to match your keys to your data. So the threat is real.

Theoretically, if quantum computing were available to hackers, then they could brute force crypto keys. As the National Institute of Standards and Technology (NIST) said in a recent report, “when that day comes, all secret and private keys that are protected using the current public-key algorithms—and all available information protected under those keys—will be subject to exposure.” Our industry is already working on larger signatures and key sizes (for example using message segmentation) to meet that challenge.

Back to the here and now, one way to keep your crypto key safe is to store it separately. A hardware security module (HSM) is a physical computing device that safeguards and manages digital keys and performs other cryptographic functions. An HSM is designed using strict standards developed by NIST precisely to provide the final layer of security in data encryption. If an intruder enters your network, the HSM is not visible to them, and therefore the crypto key can’t be stolen.

Encryption is one of the world’s oldest technologies. For thousands of years, and until relatively recently, the method of encryption was considered as secret as the key itself and the opposing side would work on breaking both. One of today’s data protection challenges is that while most security professionals understand the strength of standardized encryption through peer vetting, they are not so aware of the singular importance of keeping the key protected. And that’s a problem because now that our encryption processes are so complex as to be effectively unbreakable, the bad guys focus only on getting the keys.

It’s the smart thing to do. Just as a burglar in the physical world will sweep the likely hiding places for a key, a hacker in the digital world will check whether your crypto key is stored in software. The key is your most valuable security asset and requires special protection; don’t leave it lying around.