Is your data safe

Is Your Encrypted File Storage Actually Safe?

Conventional, perimeter-based security has become obsolete in today’s Internet era. Enterprise data lies scattered across the cloud. And most enterprise data is outside the company’s perimeter.

With data moving around in cyberspace, encryption has become a basic requirement for data security. But is encryption the holy grail of data security? Is it as impenetrable as it is made out to be?

What is Encryption?

Encryption converts normal human-generated documents or other data into unreadable ciphertext. Only the intended recipient gets the key to decrypt the ciphertext back into normal plaintext.

Data always remains vulnerable to attackers when stored in connected networks such as the cloud, and when in transit. Encryption protects both data at rest (storage) and data in motion (transit) from unauthorised access.

But encryption is only as strong as the key that unlocks the ciphertext into plaintext. If hackers get their hands on the key, they can decode the ciphertext and compromise the data.

The Effectiveness of Encryption Algorithms

There are different types of encryption methods, depending on the strength and security of the key and the method of encryption.

The key strength depends on:

  1. Generating a true random number.
  2. The length of the key being large enough that it takes multiple years to decrypt it, even by using the most advanced computing power available.

Until not too long ago, the DES standard, with a 56-bit key length, was very popular and widely used. Today, even small-scale hackers have access to computing power to crack open such small key lengths using brute force attacks.

Threat actors today launch sophisticated AI-powered cryptanalysis techniques to crack encryption keys. Many legacy systems that have outdated encryption algorithms cannot withstand such attacks.

Even the modern AES and RSA standards are not completely safe. AES standards with shorter key lengths, such as 128-bit, remain susceptible to brute force attacks. A 256-bit key standard is now regarded as the bare minimum to withstand brute-force attacks. Even such standards face obsolescence with the imminent mainstreaming of quantum computing. Quantum algorithms, such as Shor’s algorithm, could break both AES and RSA encryption. But accessible quantum computers are still some years away. Cyber security has time to devise and adopt newer standards that can withstand quantum-based attacks.

Key rotation, or changing encryption keys frequently, adds an extra layer of security. With the keys rotated, hackers will have only a limited time to crack them.

The Dangers of Key Management

Advanced encryption standards such as AES-256 GCM or ChaCha20-Poly1305 offer high security. These standards remain virtually impenetrable in today’s tech ecosystem.

But it does not matter how strong the encryption key is if hackers can access the key itself. The integrity of the encryption rests on the overall network security.

Many users and even IT teams store encryption keys in plain text or accessible locations. Attackers who breach the network can access these keys and decrypt the data just as a legitimate user would. Weak links in the code create vulnerabilities. Examples include incorrect initialisation vectors or padding errors. Improper key handling is another common vulnerability that attackers exploit.

Likewise, if attackers can gain entry to the network through phishing or some other method, they can steal the encryption key. Hackers today deploy advanced social engineering attacks for this purpose. Even senior personnel and aware users have clicked such malicious links! Once they gain access to the user’s network using such malware, they can steal the keys and decrypt the files.
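One way to find keys that have been left in plain text, as described above, is to scan configuration files for key-shaped values. The following is an added example, not code from the original article or from any vendor; the variable names, thresholds and the sample config are assumptions constructed for illustration.

```python
import math
import re

# Unencrypted PEM private-key header (an "ENCRYPTED PRIVATE KEY" block is not matched).
PEM_RE = re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")
# name = value / name: value, where the name hints at key material.
ASSIGN_RE = re.compile(
    r"\b([\w.-]*(?:key|secret)[\w.-]*)\s*[:=]\s*[\"']?([A-Za-z0-9+/=_-]{16,})",
    re.IGNORECASE,
)
HEX_KEY_LENGTHS = (32, 48, 64)  # hex digits for 128-, 192- and 256-bit keys


def shannon_entropy(s):
    """Bits per character, estimated from character frequencies."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))


def looks_like_key(value):
    """Heuristic (assumed thresholds): key-sized hex, or a long high-entropy token."""
    if re.fullmatch(r"[0-9a-fA-F]+", value):
        return len(value) in HEX_KEY_LENGTHS and shannon_entropy(value) > 3.0
    return len(value) >= 24 and shannon_entropy(value) > 4.0


def scan(text):
    """Return (line number, finding) pairs for key material stored in the clear."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if PEM_RE.search(line):
            findings.append((lineno, "pem-private-key"))
            continue
        m = ASSIGN_RE.search(line)
        if m and looks_like_key(m.group(2)):
            findings.append((lineno, "inline-key:" + m.group(1)))
    return findings


# Constructed sample config; every value below is made up for this example.
SAMPLE = """\
db_host = db.internal.example
aes_key = 9f2c4e7a1b3d5f60718293a4b5c6d7e8f9a0b1c2d3e4f5061728394a5b6c7d8e
key_id = orders-2024-07
encryption_key_path = /run/secrets/orders.key
hmac_secret: "aB3dE5gH7jK9mN1pQ2rS4tU6vW8xY0zC"
-----BEGIN PRIVATE KEY-----
"""

if __name__ == "__main__":
    for lineno, finding in scan(SAMPLE):
        print(f"line {lineno}: {finding}")
```

The key identifier and the path to a key file are not flagged; only the lines that hold the key material itself are.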

The Risks Posed by Vulnerabilities

Well-established algorithms, such as AES and RSA, are very secure and rarely carry bugs. But problems can surface at implementation. Software or hardware bugs can create backdoors and weaken the encryption.

Vendors release patch updates to address known vulnerabilities, including vulnerabilities related to encryption. It is often a race between users downloading the patch updates and hackers exploiting the vulnerability first.

Examples of attackers targeting network vulnerabilities to compromise encryption abound. In 2012, hackers started to exploit a vulnerability in OpenSSL, the widely used cryptographic library. Hackers targeted a flaw in the implementation of an extension to steal private keys and SSL certificates. They could use the compromised private keys to decrypt the stored sensitive files. The attack, which became known as the Heartbleed bug, went undetected for around two years. Once discovered, security teams had to scramble and patch OpenSSL. Security teams also had to revoke and reissue SSL certificates, and change their security keys and passwords.

Does E2EE Really Offer Fool-Proof Security?

One form of encryption that is gaining huge popularity these days is end-to-end encryption (E2EE). Popular messaging platforms such as WhatsApp use E2EE to ensure data stored by users in their servers remain secure.

In E2EE, the files get encrypted on the user’s device and are sent to the cloud storage in encrypted form. The encryption key remains on the user’s device. No one else, not even the cloud service provider, can get their hands on the key to decrypt the information.

E2EE offers a high level of safety. But hackers have launched successful attacks to crack E2EE. A common modus operandi adopted by the hackers is to hack the encrypted hosting servers and send new encryption keys to users. From that point, hackers can decrypt any data sent by unsuspecting users to the compromised server.

Hackers may also set up servers that mimic the genuine servers. They then manipulate the routers along the client-to-server path and divert traffic.

Protocols such as TLS for websites and the Signal protocol for instant messengers make E2EE very strong and more-or-less immune from the above exploits. The cryptographic community has subjected these standards to extensive testing.
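A client can catch the key-substitution attack described above by remembering each contact's key fingerprint and refusing a silent change. The following sketch of such a trust-on-first-use check is an added example, not part of the original article or of any messenger's code; the class, method names and sample keys are hypothetical.

```python
import hashlib
import hmac


def fingerprint(public_key: bytes) -> str:
    """SHA-256 fingerprint of a contact's public key, hex-encoded."""
    return hashlib.sha256(public_key).hexdigest()


class KeyPinStore:
    """Remembers the first key seen per contact (trust on first use)."""

    def __init__(self):
        self._pins = {}  # contact id -> pinned fingerprint

    def check(self, contact: str, presented_key: bytes) -> str:
        """Classify a key the server presents for a contact."""
        fp = fingerprint(presented_key)
        pinned = self._pins.get(contact)
        if pinned is None:
            self._pins[contact] = fp
            return "pinned-first-use"
        if hmac.compare_digest(pinned, fp):
            return "match"
        # The pin is left untouched: nothing is encrypted to the new key
        # until the user has verified it through another channel.
        return "KEY-CHANGED"

    def accept_change(self, contact: str, new_key: bytes, verified_fp: str) -> bool:
        """Re-pin only when the new key matches a fingerprint verified out of band."""
        fp = fingerprint(new_key)
        if not hmac.compare_digest(fp, verified_fp):
            return False
        self._pins[contact] = fp
        return True


# Constructed sample keys (placeholders, not real key material).
ALICE_KEY = b"constructed-public-key-alice-v1"
SUBSTITUTED_KEY = b"constructed-public-key-from-compromised-server"

if __name__ == "__main__":
    store = KeyPinStore()
    for key in (ALICE_KEY, ALICE_KEY, SUBSTITUTED_KEY):
        print(store.check("alice", key))
```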

The Solutions

The most secure form of storage is local file encryption. Storing files in an encrypted container file or an archive with a strong password offers foolproof security. Uploading an already encrypted archive to the cloud hosting service enables foolproof transfers.

Once the user hands over control to a cloud provider, the security depends on the integrity and robustness of provider systems.

But in today’s digital era, business competitiveness depends on seamless collaboration and easy access to data. Local data storage is not always practical, and using cloud storage becomes indispensable.

The solution is to deploy comprehensive protection, such as Kaspersky. Security providers such as Kaspersky offer complete protection without degrading system performance. Kaspersky’s centralised key management ensures robust encryption key safety. It also simplifies key rotation. Granular access controls limit access only to legitimate, authorised users.
