Data Encryption

Data encryption translates data into another form, or code, so that only people with access to a decryption key or password can read it. Today, encryption is widely used on the internal networks and internet to ensure the sanctity of user information (such as payment data or personal information) that’s sent between a browser and a server. Strong encryption solutions combined with effective key management protect sensitive data from unauthorized access, modification, disclosure or theft, and are thus a critical component of any security program.

Data protection solutions for data encryption can provide encryption of devices, email, and data itself. Data encryption is best data loss prevention solution prevent data theft and the introduction of malware from removable and external devices as well as web and cloud applications.

Encrypted data is commonly referred to as cipher text, while unencrypted data is called plain-text. In fact, the cryptographic life cycle involves the following steps:

Plain-text
Encryption
Cipher-text
Decryption
Plain-text

A cryptographic key is used on the operation for encryption and decryption of a text.

Each encryption algorithm has a key-space that uses that space to generate the key. This space actually contains a large number of random values. Now, the larger the key space, algorithm can generates the more keys. For example, if an algorithm allows a key length of 2 bits, the key space for that algorithm would be 4, which indicates the total number of different keys that would be possible. The more random the keys are, the difficult it is for intruders to figure them out.

Today, using key sizes are 128, 256, 512, 1,024 bits and larger. So a key size of 512 bits would provide 2^512 possible combinations of the key space.

Source: digitalguardian.com and mcafee.com and en.wikipedia.org

All Types Data for Encryption

Data encryption can be employed both for “at rest” data and “in motion” data.

At rest Data (Static Data): These data are saved on servers, desktops, laptops, etc. Static data are encrypted either by the file, the folder, or the entire drive.

In motion Data (Dynamic Data): These data travel over a network or the internet. Email is the most common example. These data can be protected in two ways:

Using network encryption protocols, such as internet protocol security (IPsec) and transport layer security (TLS).
Encrypting the message and its payload.

Source: mcafee.com

Types of Data Encryption

Asymmetric (Public Key): This method uses two different keys, one to encrypt and the other to decrypt. One benefit of asymmetric encryption is that a more widely known public key can be used to encrypt data, but only those with the private key can decrypt and access the data.
Symmetric (Secret Key Cryptography): It uses a single and same key to encrypt and decrypt. This allows fast and efficient encryption and simpler key generation and management, but it is critical that the single key only be available to authorized users

Types of Symmetric Key Algorithm

First of all, you need to know a few concepts.

Block Cipher: Block ciphers operate on a single fixed block of plain text to produce the corresponding cipher text. Using a given key in a block cipher, the same plain text block always produces the same cipher text block.

Round: It is a transformation (permutations and substitutions) that an encryption algorithm performs on a block of plain text to convert (encrypt) it into cipher text.

And but algorithms:

Data Encryption Standard (DES): It is operates on 64-bit blocks, and uses 56-bit Key size that is too small to protect data consisting. This algorithm is consisting of 16 rounds processing the data with the 16 intermediary round keys of 48-bit generated from 56-bit cipher key by a Round Key Generator.
RC2: A block-mode cipher that encrypts 64-bit blocks of data by using a variable-length key.
RC4: A stream cipher that uses a variable length key (often 128 bit).
RC5: Similar to RC2, but includes a variable-length key (0 to 2,048 bits), variable block size (32, 64, or 128 bits), and a variable number of processing rounds (0 to 255).
RC6: Derived from RC5 and a finalist in the AES selection process. It uses a 128-bit block size and variable-length keys of 128, 192, or 256 bits.
Triple DES (3DES): This standard extended the life of the DES algorithm. In Triple DES implementations, a message is encrypted by using one key, encrypted by using the second key and then again encrypted by using either the first key or a third key.
International Data Encryption Algorithm (IDEA): This algorithm is a block cipher that operates on 64- bit plaintext blocks by using a 128-bit key. IDEA performs eight rounds on 16-bit subblocks and can operate in four distinct modes similar to DES. Of course, the IDEA isn’t not widely used today.
Rivest Cipher: The Rivest Ciphers are a series of symmetric algorithms that include RC2, RC4, RC5, and RC6.
Advanced Encryption Standard (AES): Advanced Encryption Standard (AES) is a 128-bit block cipher that employs 128, 192, or 256-bit keys. AES is official successor to DES.
BLOWFISH: This algorithm operates on 64-bit blocks, employs 16 rounds, and uses variable key lengths of up to 448 bits. To date, there are no known successful cryptanalytic attacks against this algorithm.
TWOFISH: This algorithm is a symmetric block cipher that operates on 128-bit blocks employing 16 rounds with variable key lengths up to 256 bits. To date, there are no known successful cryptanalytic attacks against this algorithm.

Asymmetric Cryptography

In this method, two keys are used:

Private Key: This key is only known by the owner itself.
Public key: This key is issued by using Public Key Infrastructure (PKI) where a trusted Certification Authority (CA) certifies the ownership of key pairs.

Only the private key can decrypt the message; thus, an attacker possessing only the public key can’t decrypt the message. A secure message guarantees the confidentiality of the message.

Everyone knows public key while one key is kept secret and is used to encrypt the data by the sender. Each sender uses its secret key (known as a private key) for encrypting its data before sending.

The receiver uses the respective public key of the sender to decrypt the data. When two parties want to exchange an encrypted message by using asymmetric key cryptography, they follow these steps:

The sender encrypts the plain text message with the intended recipient’s public key.
This produces a cipher text message that can then be transmitted to the intended recipient.
The recipient then decrypts the message with his private key, known only to him.

Types of Asymmetric Key Algorithm

Rivest, Shamir, and Adleman (RSA): This algorithm named after its inventors. It uses a variable size encryption block as well as a variable size key. The algorithm uses a product of two large prime numbers to derive the key pairs.
Diffie-Hellman: This method is used primarily for private-key exchange over an insecure medium.This method is vulnerable to Man-in-the-Middle Attacks.
ElGamel: It is similar to Diffie-Hellman but extends the functionality of Diffie-Hellman by including encryption and digital signatures.
Elliptic Curve Cryptography (ECC): This is an algorithm that generates keys from elliptical curves. A 160-bit EC key is equivalent to a 1,024-bit RSA key. EC is significantly faster and more efficient than other asymmetric algorithms and many symmetric algorithms.
Digital Signature Algorithm (DSA): This algorithm is primarily used for authentication purposes in digital signatures.

Key Features of a Data Encryption Software

Data encryption software must be convenient for employees to use.
Data encryption software must be scalable because organizations are usually growing.
This software must use strong encryption standards.
Data encryption software should be able to encrypt both “at-rest” and “in-motion” data.
The data encryption software should be able to encrypt differing levels of granularity and flexibility. It is include following options: 1- Encryption of specific folders, file types, or applications 2- Encryption of each of drives and also entire hard disk. 3- Encryption of laptops, tablets, and removable media.
The data encryption software should has key management capabilities, which include creating, distributing, destroying, storing, and backing up the keys. In this article, there is a special section for “key management”.
This software must enforce of encryption policies. These policies define how and when data is encrypted. For example, one policy might be that employees should not save work files on USB flash disk. So, if an employee wanted to violate this policy, this software should be able to alert him/her and even prevent him/her from doing so.

You can read these posts about encryption software:

BitLocker Drive Encryption

Introduction of Several Encryption Software

Key Management

The following are the major functions associated with managing encryption keys:

Key generation: Keys must be generated randomly on a secure system. The keys should not be displayed in the clear text.
Key distribution: Securely distributed is a major vulnerability in symmetric key systems. The solution is to use an asymmetric system.
Key installation: This process should ensure that the key isn’t compromised during installation, or incorrectly entered.
Key storage: Keys must be stored on protected or encrypted storage media.
Key change: Keys should regularly be changed, relative to the value of the information being protected and the frequency of use.
Key control: Different keys have different functions and may only be approved for certain levels of classification. You need to control how they are used.
Key disposal: There will come a time when we no longer need a specific key. So, this key must be destroyed accurately and completely so that it can never be recovered and ensure that its contents are never disclosed.