Private and Public Keys:PKI uses these asymmetric keys to establish and secure an encrypted connection over the network using asymmetric encryption.
Public Key Certificates: These are issued by Certificate Authorities which prove the ownership of a public key. They state the authenticity of the keyholder.
Certificate Authority: Certificate Authorities, or CAs, are trusted entities which verify the organization and generate digital certificates which contain information about the organization, as well as the public key of that organization. The digital certificate is signed by the private key of the Certification Authority. This digital certificate can also serve as the identity of the organization and verify them as owners of the public key.
Certificate Repository: A location where all certificates are stored as well as their public keys, validity details, revocation lists, and root certificates. These locations are accessible through LDAP, FTP or web servers.
Automating PKI Operations: These help in issuing, revoking, and renewing certifications. They are done through certificate management software. A PKI is created for having robust security, and if these tasks aren’t automated, or if one invalid or revoked certificate is out there, bringing productivity or the network to a halt, then it may be catastrophic.
PKI is helping us create secure networks. It uses asymmetric encryption to secure data-in-transit. A PKI also issues certificates, which help in verifying the identity of computers, routers, IOT devices, and other devices in the network. This decreases the chance of Man in the Middle attacks (MITM) and other spoofing attacks. It can also be used to create digital certificates which can further strengthen someone’s identity and establish trust.
If PKI was not used, it may be difficult for one computer to trust the other, and there arises the possibility of MITM attacks. Today’s internet has tons of devices including mobile phones, smartwatches, and IOT devices, where privacy and security of transferring data might be a concern. Payment systems also need a seamless encrypted network with both endpoints being trusted, which is created with ease with the help of a PKI.
PKI can be used in:
Establishing Secure Networks and encrypted connections
When a user connects to a website via HTTPS, asymmetric encryption is used. For that to happen, the user uses the server’s public key to initiate the connection. To confirm the authenticity of that public key, certificates are used. The certificate will have details such as who does this certificate belong to, who issued it, a serial number, expiration date and the public key.
This can establish trust where the certificate and the key can be trusted and thereafter the communication between the user and the server is also trusted.
Companies in every sector must comply with standards and regulations, and one of the best ways to do this is to utilize encryption. Encryption takes data that can be clearly read, also known as plaintext, and runs it through an encryption algorithm. An encryption algorithm uses a key and mathematics to convert the plaintext into ciphertext, which is an undecipherable collection of letters and symbols. The process of encryption can be reversed using the same key, or the other key in a key pair, in a process called decryption. There are two different types of encryption: asymmetric and symmetric encryption.
Asymmetric vs Symmetric Encryption
Symmetric encryption involves the use of one key for both encryption and decryption. The plaintext is read into an encryption algorithm along with a key. The key works with the algorithm to turn the plaintext into ciphertext, thus encrypting the original sensitive data. This works well for data that is being stored and needs to be decrypted at a later date. The use of just one key for both encryption and decryption reveals an issue, as the compromise of the key would lead to a compromise of any data the key has encrypted. This also does not work for data-in-motion, which is where asymmetric encryption comes in.
Asymmetric encryption works with a pair of keys. The beginning of asymmetric encryption involves the creation of a pair of keys, one of which is a public key, and the other which is a private key. The public key is accessible by anyone, while the private key must be kept a secret from everyone but the creator of the key. This is because encryption occurs with the public key, while decryption occurs with the private key. The recipient of the sensitive data will provide the sender with their public key, which will be used to encrypt the data. This ensures that only the recipient can decrypt the data, with their own private key.
Uses for Asymmetric and Symmetric Encryption
Asymmetric and symmetric encryption are each better used for different situations. Symmetric encryption, with its use of a single key, is better used for data-at-rest. Data stored in databases needs to be encrypted to ensure it is not compromised or stolen. This data does not require two keys, just the one provided by symmetric encryption, as it only needs to be safe until it needs to be accessed in the future. Asymmetric encryption, on the other hand, should be used on data sent in emails to other people. If only symmetric encryption were used on data in emails, the attacker could take the key used for encryption and decryption and steal or compromise the data. With asymmetric encryption, the sender and recipient ensure only the recipient of the data can decrypt the data, because their public key was used to encrypt the data. Both types of encryption are used with other processes, like digital signing or compression, to provide even more security to the data.
Common Asymmetric and Symmetric Encryption Algorithms
A two-way function that takes in plaintext data, and turns it into undecipherable ciphertext. This process utilizes a public key for encryption and a private key for decryption.
A two-way function that takes in plaintext data, and turns it into undecipherable ciphertext. This process uses the same key for both encryption and decryption.
Digital Signing: Asymmetric encryption is much better for digital signing, compared to symmetric encryption. The use of both a public and private key means the identity of the signer of the data can easily be known. The signer uses their private key for encryption, while the recipient verifies their identity with their public key. As only the public key of the signer can decrypt data encrypted with the signer’s private key, the identity of the signer is verified when the data is decrypted.
Blockchain: Again, the identification of the user during cryptocurrency transactions is much easier done with asymmetric encryption.
Public Key Infrastructure (PKI): The identity of key owners is proven with certificates in PKI, and thus asymmetric encryption is the better choice in PKIs.
Banking: Encrypting sensitive customer data in banks is extremely important, as is decrypting that information as quickly as possible. For this reason, symmetric encryption is the preferred method of encryption in banks, as one key encryption is much swifter than two key encryption.
Data Storage: As with banking, data storage services and products tend to use symmetric encryption. This method is much swifter to encrypt and decrypt data needed in a timely manner.
The loss of the public key does not result in the compromise of data
More secure than symmetric encryption
Only the owner of the private key can decrypt the data sent to them
Simpler to implement
Faster than asymmetric encryption
Protects data from compromise
Slower than symmetric encryption
More complicated to implement than symmetric encryption
Loss of a key means any data encrypted with that key can be compromised
The Rivest-Shamir-Adleman (RSA) encryption algorithm is an asymmetric encryption algorithm that is widely used in many products and services. Asymmetric encryption uses a key pair that is mathematically linked to encrypt and decrypt data. A private and public key are created, with the public key being accessible to anyone and the private key being a secret known only by the key pair creator. With RSA, either the private or public key can encrypt the data, while the other key decrypts it. This is one of the reasons RSA is the most used asymmetric encryption algorithm.
How does RSA work?
The option to encrypt with either the private or public key provides a multitude of services to RSA users. If the public key is used for encryption, the private key must be used to decrypt the data. This is perfect for sending sensitive information across a network or Internet connection, where the recipient of the data sends the data sender their public key. The sender of the data then encrypts the sensitive information with the public key and sends it to the recipient. Since the public key encrypted the data, only the owner of the private key can decrypt the sensitive data. Thus, only the intended recipient of the data can decrypt it, even if the data were taken in transit.
The other method of asymmetric encryption with RSA is encrypting a message with a private key. In this example, the sender of the data encrypts the data with their private key and sends encrypted data and their public key along to the recipient of the data. The recipient of the data can then decrypt the data with the sender’s public key, thus verifying the sender is who they say they are. With this method, the data could be stolen and read in transit, but the true purpose of this type of encryption is to prove the identity of the sender. If the data were stolen and modified in transit, the public key would not be able to decrypt the new message, and so the recipient would know the data had been modified in transit.
The technical details of RSA work on the idea that it is easy to generate a number by multiplying two sufficiently large numbers together, but factorizing that number back into the original prime numbers is extremely difficult. The public and private key are created with two numbers, one of which is a product of two large prime numbers. Both use the same two prime numbers to compute their value. RSA keys tend to be 1024 or 2048 bits in length, making them extremely difficult to factorize, though 1024 bit keys are believed to breakable soon.
Who uses RSA encryption?
As previously described, RSA encryption has a number of different tasks that it is used for. One of these is digital signing for code and certificates. Certificates can be used to verify who a public key belongs to, by signing it with the private key of the key pair owner. This authenticates the key pair owner as a trusted source of information. Code signing is also done with the RSA algorithm. To ensure the owner is not sending dangerous or incorrect code to a buyer, the code is signed with the private key of the code creator. This verifies the code has not been edited maliciously in transit, and that the code creator verifies that the code does what they have said it does.
RSA was used with Transport Layer Security (TLS) to secure communications between two individuals. Other well-known products and algorithms, like the Pretty Good Privacy algorithm, use RSA either currently or in the past. Virtual Private Networks (VPNs), email services, web browsers, and other communication channels have used RSA as well. VPNs will use TLS to implement a handshake between the two parties in the information exchange. The TLS Handshake will use RSA as its encryption algorithm, to verify both parties are who they say who they are.
Though viable in many circumstances, there are still a number of vulnerabilities in RSA that can be exploited by attackers. One of these vulnerabilities is the implementation of a long key in the encryption algorithm. Algorithms like AES are unbreakable, while RSA relies on the size of its key to be difficult to break. The longer an RSA key, the more secure it is. Using prime factorization, researchers managed to crack a 768 bit key RSA algorithm, but it took them 2 years, thousands of man hours, and an absurd amount of computing power, so the currently used key lengths in RSA are still safe. The National Institute of Science and Technology (NIST) recommends a minimum key length of 2048 bits now, but many organizations have been using keys of length 4096 bits. Other ways RSA is vulnerable are:
Weak Random Number Generator: When organizations use weak random number generators, then the prime numbers created by them are much easier to factor, thus giving attackers an easier time of cracking the algorithm.
Weak Key Generation: RSA keys have certain requirements relating to their generation. If the prime numbers are too close, or if one of the numbers making up the private key is too small, then the key can be solved for much easier.
Side Channel Attacks: Side channel attacks are a method of attack that take advantage of the system running the encryption algorithm, as opposed to the algorithm itself. Attackers can analyze the power being used, use branch prediction analysis, or use timing attacks to find ways to ascertain the key used in the algorithm, thus compromising the data.
With cloud adoption soaring to whopping 96% in 2018 according to CIO, it’s no wonder that cloud security is a hot industry topic. In today’s dynamic world, many companies are accelerating their digital transformation by moving data and applications to the cloud; benefiting from scalability and reduced costs at the same time. With cloud becoming an integral part of any enterprise, the questions that many ask include:
How to ensure cloud data security?
Where and how to manage encryption keys in the cloud?
How to ensure your data is securely stored and protected in a multi-cloud environment?
How to ensure vendor independence in a multi-cloud environment?
Hardware Security Modules (HSMs) have been around for a long time and have over the years become synonymous with “security”. Many organizations that host their data and applications on-premise will use HSMs – physical security units that authenticate, generate and store cryptographic material to protect their most valuable assets. The HSM acts as the centralized Root of Trust providing the ultimate level of security that no software can offer. While this is a great option for on-premise scenarios, it becomes complicated if you’re in a multi-cloud environment.
Say you do decide to go with the Key Management Service (KMS) offered by your Cloud Service Provider (CSP), what happens if your environment is a combination of private, public, hybrid or multi-cloud? The important question to ask would be if your CSP’s KMS supports data and applications hosted outside of their own data environment. Every enterprise has a unique cloud environment and getting locked-in with one vendor in the name of data security is probably not the best option. What you want to be looking for is a solution that is CSP-agnostic meaning supportive of various cloud environments so you can make the most of the benefits and services offered by key providers like Google, Azure, and AWS.
Another consideration regarding your CSP’s KMS is the proximity of your valuable data assets and your encryption keys. Is it safer to keep your house key under the doormat or in a locked vault in a secure storage facility? At the end of the day, KMS is nothing more than software which undoubtedly lacks the stringent security protections of a dedicated unit like an HSM. As a best practice, it’s important to separate your encryption keys from your encrypted data assets to minimize the risk of a catastrophic data breach.
We are back at where we started. If HSM is the ultimate security solution, then wouldn’t it be ideal to be able to have access to HSM-level security for your cloud applications and workloads without taking on the expense and responsibility of managing your multi-cloud environment HSM? Today, solutions like HSM-as-a-Service or HSM-in-the-Cloud offer the best of both worlds combining the security of an HSM with a flexibility of a KMS. This might be the solution for you if you’re looking for:
Migration flexibility – no CSP and cloud lock-in
Reducing your capex
Innovate in the cloud – place your own firmware and custom code on the HSM
With the right strategy and solution, you can ensure your cloud security is treated like your on-premise security. Get in touch with Utimaco to learn more about CryptoServer Cloud and how you can secure your cloud data without limiting your agility and potential.