Encryption Explained

From Wikipedia: encryption is the process of transforming information (referred to as plaintext) using an algorithm (called a cipher) to make it unreadable to anyone except those possessing special knowledge, usually referred to as a key.

While the process of encrypting information is nothing new, encryption technologies are a hot topic in IT recently — with good reason. This article hopes to explain the various types of encryption as used regularly by IT pros.

At rest vs. in transit

Data can be encrypted two ways: at rest and in transit.

At rest

Refers to data storage — either in a database, on a disk, or on some other form of media.

Note: Indiana law recognizes the value of disk encryption — such that a lost/stolen laptop or storage media is not considered a breach IF that media was encrypted (and the encryption key was not available with the device).

Examples of at rest encryption

In transit

Refers to data which is encrypted as it traverses a network — including via web applications, smartphone apps, chats, etc. In transit covers the period from the point at which the data leaves the storage drive or database until it is re-saved or delivered to its destination. Protecting information in transit ensures protection from others attempting to snoop or eavesdrop on information as it traverses the network.

Examples of in transit encryption

Please note: employing these two types of encryption safeguards must occur in tandem; it's not automatic. Data encrypted at rest does not guarantee it remains encrypted as it traverses a network. Conversely, data encrypted "over the wire" does not offer any safeguard that the content remains encrypted after it has reached its destination.


Encryption methods and protocols

The actual processes and algorithms that encryption technologies and software use differ. The current standard specification for encrypting electronic data is the Advanced Encryption Standard (AES). Almost all known attacks against AES's underlying algorithm are computationally infeasible, in part due to its lengthier key sizes (128, 192, or 256 bits). If this argument sounds familiar, see: Passphrases.

Symmetric vs. asymmetric key algorithms

Symmetric key algorithms use related, often identical keys to both encrypt and then decrypt information. In practice, this is known mostly as a shared secret — between two or more parties.

Asymmetric key algorithms, however, use different keys to encrypt and decrypt information; one key encrypts (or locks) while the other decrypts (or unlocks). In practice, this is known mostly as a public/private key pair; the public key can be shared openly, the private key should not be. In most cryptographic systems, it is extremely difficult to determine the private key based on the public key.

How this encryption works

Using public/private keys, the lock/unlock algorithm can go two ways. Alice can encrypt some bit of information with Bob's public key, and then send it to Bob. Only the holder of Bob's private key should be able to decrypt and read the message. Conversely, Alice could encrypt some bit of information with her own private key — and while anyone else in the world could read the message, they would have to use Alice's public key to do so, meaning that the message must have come from Alice.

Common technologies that rely on public key cryptography include TLS/SSL and PGP.
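The two directions described above, worked through with a toy textbook-RSA keypair. This is an added example, not code from the original article; the primes, message values and the helper names (make_keypair, apply_key, verify, demo) are constructed for illustration only.

```python
# Added example, not from the original article: toy textbook RSA showing
# the two directions of the lock/unlock algorithm. Tiny primes, no padding,
# no hashing: the math only. Real systems use 2048-bit-plus keys and padding.

def egcd(a, b):
    """Extended Euclid: returns (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y

def modinv(a, m):
    """Inverse of a modulo m; raises if gcd(a, m) != 1."""
    g, x, _ = egcd(a, m)
    if g != 1:
        raise ValueError("no modular inverse")
    return x % m

def make_keypair(p, q, e=65537):
    """Return ((n, e), (n, d)): public and private key sharing modulus n."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = modinv(e, phi)  # private exponent: the part that must stay secret
    return (n, e), (n, d)

def apply_key(key, value):
    """One modular exponentiation: 'lock' or 'unlock' depending on the key."""
    n, exp = key
    if not 0 <= value < n:
        raise ValueError("value must be smaller than the modulus")
    return pow(value, exp, n)

def verify(public_key, message, signature):
    """Direction 2 check: does the sender's public key unlock the signature?"""
    return apply_key(public_key, signature) == message

# Constructed demo primes (far too small for real use).
BOB_PUB, BOB_PRIV = make_keypair(61, 53)        # n = 3233
ALICE_PUB, ALICE_PRIV = make_keypair(101, 113)  # n = 11413

def demo(message=2021):
    # Direction 1: Alice encrypts with Bob's PUBLIC key; only Bob's PRIVATE key unlocks.
    ciphertext = apply_key(BOB_PUB, message)
    recovered = apply_key(BOB_PRIV, ciphertext)
    # Direction 2: Alice locks with her PRIVATE key; anyone holding her PUBLIC
    # key can unlock it, which shows the message came from Alice.
    signature = apply_key(ALICE_PRIV, message)
    return recovered, verify(ALICE_PUB, message, signature)
```

Changing the message by even one unit makes verify() return False, which is the tamper-detection property a signature provides.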

Read more about public key cryptography.

