Data Encryption: 101

Amit Raj
Published in Dev Genius
Jul 24, 2022

This blog is part of the series where we discuss 101 concepts from Ground Zero for an audience with limited starting knowledge. This article comes in the Basic-Level Series since it involves understanding the basics of Data Encryption and its importance as the backbone of customer information security.

Some of the earlier blogs in the 101 Series are as follows:

Content Delivery Network 101
Database Replication 101
Database Sharding 101
Caching Strategy 101
Kubernetes Deployment 101
Async Communication 101

What Is Data Encryption?

Data Encryption is a method of converting sensitive information from plain text to ciphertext with the help of public/private keys. The process of converting back to plain text is referred to as decryption. Different algorithms such as AES-256, DES, RSA etc. are used, varying in the length of the key and the number of iterations in the overall encryption process.

Encryption paired with other security controls such as Network Firewalls, User Access Roles & Permissions forms the backbone of Data Security needs, mandated by Security Policies such as PCI, HIPAA etc.

Symmetric Encryption

In Symmetric Encryption, both the sender and the receiver have the same pair of private keys to encrypt/decrypt the sensitive data. It is referred to as the private key encryption method.

Given its speed and cryptographic processing strength, it’s primarily used to secure large batches of data. However, at the same time, key distribution and rotation between parties is the major limitation of using this method to secure data.

Algorithms

  • DES — Built by the US Defense, Data Encryption Standard is a widely used encryption algorithm. It uses keys which are 64 bits long and encrypts text blocks of 64 bits into ciphertext of the same size. However, recent attacks that break DES encryption in less than 24 hours have made it an outdated method to secure data.
  • AES, the Advanced Encryption Standard, is an advanced version of the DES algorithm, using key sizes of 128, 192 and 256 bits. To break this encryption, 2.61*10¹² years to 2.29*10³² years would be needed, depending on the size of the key used.

Asymmetric Encryption

Asymmetric Encryption uses two different sets of keys for the overall process — a public key to encrypt the data and a private key to decrypt the data back. While the public key is shared with all the clients, the private key is access-secured only by the server.

One example is the TLS handshake for HTTPS traffic, which uses asymmetric keys to validate identity between server and client using the public and private keys in a website’s certificate.

Algorithms

  • RSA — It stands for Rivest-Shamir-Adleman. The main encryption logic is based on the factorisation of the product of two large primes. It is faster in encryption, but slower in decryption as compared to other asymmetric algorithms.
  • DSA — It stands for Digital Signature Algorithm, mainly used for signature validation. The encryption principle uses modular exponentiation and discrete logarithm. It is slower in encryption and faster in decryption as compared to the RSA algorithm.
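The two sections above can be combined in one flow: symmetric encryption carries the bulk data, and asymmetric encryption solves the key-distribution problem by protecting only the small symmetric key. The following is an added example, not code from the original article, and it goes one step beyond the text by pairing AES-256-GCM with RSA-OAEP; it uses Node.js's built-in `crypto` module, and the names `seal`, `unseal` and `demo` plus the sample record are assumptions made for illustration.

```javascript
const crypto = require('crypto');

const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Sender side: bulk data goes through fast symmetric AES-256-GCM; only the
// 32-byte AES key is encrypted with the receiver's RSA public key.
function seal(publicKey, plaintext) {
  const key = crypto.randomBytes(32);   // fresh symmetric key per message
  const iv = crypto.randomBytes(12);    // GCM nonce, never reused with a key
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  const wrappedKey = crypto.publicEncrypt({ key: publicKey, ...OAEP }, key);
  return { wrappedKey, iv, ciphertext, tag: cipher.getAuthTag() };
}

// Receiver side: the private key recovers the AES key, then GCM decrypts and
// verifies the tag; final() throws if anything was modified in transit.
function unseal(privateKey, env) {
  const key = crypto.privateDecrypt({ key: privateKey, ...OAEP }, env.wrappedKey);
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, env.iv);
  decipher.setAuthTag(env.tag);
  return Buffer.concat([decipher.update(env.ciphertext), decipher.final()]);
}

// Demo with a constructed record and a throwaway 2048-bit key pair.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const record = Buffer.from('constructed sample: customer_id=1001;email=a@example.com');
  const env = seal(publicKey, record);
  const roundTrip = unseal(privateKey, env).equals(record);
  env.ciphertext[0] ^= 0x01;            // simulate tampering in transit
  let tamperDetected = false;
  try { unseal(privateKey, env); } catch (e) { tamperDetected = true; }
  return { roundTrip, tamperDetected, wrappedKeyBytes: env.wrappedKey.length };
}

console.log(demo());
```

Only the holder of the private key can recover the AES key, so the sender and receiver never have to share a secret in advance.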

Differences

Encryption at Rest vs Transit

  • Given the limited radius of exposure, Data at Rest is less vulnerable to an attack than Data in Transit. However, stored data still needs protection; some techniques are full encryption of the data disk, storing the encryption keys offline, two-factor access controls etc.
  • Data in Transit is more vulnerable to network interception by attackers and hence requires more controls to avoid a customer data breach. Some methods are the use of secure network protocols such as SSL, HTTPS, mutual-TLS; authenticated API endpoints; validating identity using client certificates etc.

Summary

Encryption protects sensitive and highly-sensitive customer data using modern-day symmetric and asymmetric algorithms. However, the decision to encrypt data has to be balanced with non-functional requirements of performance/latency of the customer flows.

Most cloud vendors (AWS/Azure/GCP) currently provide pre-enabled solutions to encrypt the data at rest using either Vendor/Self-Managed keys to optimise the developer productivity of writing application/library code to encrypt/decrypt data.

For feedback, please drop a message to amit[dot]894[at]gmail[dot]com or reach out to any of the links at https://about.me/amit_raj.
