Encryption of Data at Rest and in Transit - OpenSSL and Disk Utility - Essay Example

Cite this document
Summary
The paper "Encryption of Data at Rest and in Transit - OpenSSL and Disk Utility" states that encryption software and applications such as OpenSSL and Disk Utility encrypt data with complex keys in a much shorter time, making sure that deciphering the text is much more difficult for an unauthorized user…

Extract of sample "Encryption of Data at Rest and in Transit - OpenSSL and Disk Utility"

Encryption of Data at Rest and in Transit

Introduction

The last two decades have seen a great increase in the amount of information that has been uploaded online. The type of information present on the Internet ranges from private to professional. Furthermore, access to these pieces of information has become easier and easier. To protect such information over the Internet and on a computer, it is vital to adhere to the basics of computer security and implement the necessary security features that secure data present online. Encryption is one such method, and it is implemented in security systems across the globe. Encryption, in the field of computer security, is a process that allows users to encode their data using a certain key or a certain algorithm. Through the use of encryption a user is able to enhance the security of his or her data. Even though encryption of data does not necessarily restrict access to the data, it does ensure that a hacker is not able to interpret encrypted data and hence use it for personal benefit. Encrypted text is usually referred to as ciphertext, whereas unencrypted text is referred to as plaintext. Encryption is usually applied to two basic data types: data in transit and data at rest. Data in transit refers to data that is on the move, whereas data at rest refers to stored static data that is used on a small number of machines.

Encryption as a security method

Data in transit: Encrypting data in transit is usually carried out through the use of private and public keys. Private keys are usually used to encrypt the main data that is important to a particular organization or to a particular user. The sender makes use of an encryption key that only the receiver is aware of. The receiver then makes use of the same key to decrypt the information provided by the sender (Salomaa, 1996). The public key, on the other hand, is used to facilitate the exchange of the private key: the public key is used to encrypt the private key. The sender of the data asks the receiver to provide him or her with an encryption key. That key is then used by the sender to encrypt the message. Once the message is encrypted, its decryption can only be carried out by the receiver (Salomaa, 1996).

Data at rest: When it comes to securing data at rest, there are two basic processes that can be used: encryption and authentication. Encryption of data at rest can be applied at a small scale, such as to a sensitive file, or at a large scale, for example to the complete contents of a device (Scarfone et al., 2007). The type of encryption technique applied to data at rest mainly depends upon four factors: the data that needs to be protected, the size of the data, the environment in which the data is located and the main threats faced by the system. Appropriate encryption techniques require proper authentication from the user before data can be decrypted into plaintext. Some of the most common authentication procedures implemented by security systems across the globe are user name and password, biometrics, Personal Identification Numbers (PINs) and smart cards (Scarfone et al., 2007).

Types of encryption

IPSec: IPSec, also known as Internet Protocol Security, is a collection of different protocols used to encrypt each packet sent via Internet Protocol communication (Frankel et al., 2005). The protocols included within IPSec ensure that the communicating parties reach agreement on the keys used for cryptography, and that authentication procedures are implemented during the execution of a communication session. The three basic protocols used by IPSec to achieve the desired results are authentication headers, encapsulating security payloads and security associations (Frankel et al., 2005).
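The data-in-transit exchange described above, shown as an added example with the openssl command-line tool (this is not code from the essay or from the OpenSSL project): the sender encrypts the payload with a fresh symmetric key and sends that key wrapped under the receiver's public key, so only the holder of the matching private key can unwrap it. The file names, the temporary directory and the sample message are constructed for the demo; it assumes openssl 1.1 or newer and cmp are on PATH.

```shell
#!/bin/sh
# Added example (not from the essay): hybrid encryption with the openssl CLI.
# A fresh symmetric key protects the payload; the receiver's RSA public key
# wraps that symmetric key so it can cross an untrusted channel.
set -eu

WORK="$(mktemp -d)"          # constructed scratch directory for the demo
trap 'rm -rf "$WORK"' EXIT

# Receiver side: create an RSA key pair. Only receiver.pub is handed to the sender.
gen_receiver_keys() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/receiver.key" 2>/dev/null
    openssl pkey -in "$WORK/receiver.key" -pubout -out "$WORK/receiver.pub"
}

# Sender side: encrypt plaintext file $1 for the receiver.
#  1. draw a random 256-bit AES key and a 128-bit IV (the symmetric key the
#     essay calls the "private key"; the IV is not secret)
#  2. encrypt the payload with AES-256-CBC under that key
#  3. wrap the AES key with the receiver's public key using RSA-OAEP
# What travels: payload.enc, aes.key.enc and aes.iv.
sender_encrypt() {
    openssl rand -hex 32 > "$WORK/aes.key"
    openssl rand -hex 16 > "$WORK/aes.iv"
    openssl enc -aes-256-cbc -K "$(cat "$WORK/aes.key")" -iv "$(cat "$WORK/aes.iv")" \
        -in "$1" -out "$WORK/payload.enc"
    openssl pkeyutl -encrypt -pubin -inkey "$WORK/receiver.pub" \
        -pkeyopt rsa_padding_mode:oaep \
        -in "$WORK/aes.key" -out "$WORK/aes.key.enc"
    rm "$WORK/aes.key"   # the raw key never leaves the sender; only the wrapped copy does
}

# Receiver side: unwrap the AES key with the private key, then decrypt into $1.
receiver_decrypt() {
    openssl pkeyutl -decrypt -inkey "$WORK/receiver.key" \
        -pkeyopt rsa_padding_mode:oaep \
        -in "$WORK/aes.key.enc" -out "$WORK/aes.key.dec"
    openssl enc -d -aes-256-cbc -K "$(cat "$WORK/aes.key.dec")" -iv "$(cat "$WORK/aes.iv")" \
        -in "$WORK/payload.enc" -out "$1"
}

# Full round trip on a constructed message; exit status 0 means the receiver
# recovered exactly what the sender encrypted.
round_trip() {
    printf 'constructed sample: quarterly payroll export\n' > "$WORK/plain.txt"
    gen_receiver_keys
    sender_encrypt "$WORK/plain.txt"
    receiver_decrypt "$WORK/plain.dec"
    cmp -s "$WORK/plain.txt" "$WORK/plain.dec"
}

# Why the wrapping matters: a party holding a different private key cannot
# recover the AES key, so the payload stays opaque to it. Run after round_trip;
# returns 0 when the unwrap attempt fails as it should (OAEP rejects the wrong key).
wrong_key_cannot_unwrap() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/other.key" 2>/dev/null
    ! openssl pkeyutl -decrypt -inkey "$WORK/other.key" \
        -pkeyopt rsa_padding_mode:oaep \
        -in "$WORK/aes.key.enc" -out "$WORK/stolen.key" 2>/dev/null
}
```

Note that openssl enc gives confidentiality only: nothing here detects a tampered payload.enc, so a real deployment adds a MAC or uses an authenticated mode, which is one of the services a cipher suite in SSL/TLS bundles in for you.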
SSH: SSH, also known as Secure Shell or Secure Socket Shell, is a protocol used to secure a communication line in order to gain access to a remote system (Barrett et al., 2005). Gaining access to a remote system allows the user to execute various commands on that particular machine. SSH also helps facilitate the transfer of files from one computer to another. SSH uses RSA for authentication purposes, which ensures that the performance of the network is unaffected by an unsecure channel. Data and passwords, on the other hand, are encrypted using algorithms such as DES, Blowfish and IDEA (Barrett et al., 2005).

SSL/TLS: SSL is another protocol that is used along with the Hypertext Transfer Protocol (HTTP) as a means to provide secure communication between two parties; however, the use of SSL is not restricted to HTTP. SSL is commonly used by e-commerce websites in an attempt to secure transactions conducted on the web. SSL provides a number of services that ensure the safety of transacted data (Northcutt, 2011). In order to protect the data transferred during communication between two parties, SSL makes use of cipher suites that define the functions to be used for cryptography. Organizations choose cipher suites according to their security needs. The most common cipher suites supported by SSL are Triple DES and AES (Northcutt, 2011).

Full disk encryption: Full disk encryption is the process that ensures that the data present on a hard drive that is essential to boot a particular system is properly encrypted. Full disk encryption makes use of a computer's master boot record. The master boot record is an area on the bootable media that is specially reserved for the software used during the boot process of a computer (Scarfone et al., 2007). Full disk encryption redirects the master boot record from the operating system of the computer to a pre-boot area. To decrypt the operating system and continue with the computer's boot process, an authentication process known as pre-boot authentication is performed. Successful pre-boot authentication leads to the decryption of the boot sector, after which the boot loader present within the boot sector gradually starts to load the operating system (Scarfone et al., 2007).

Virtual disk encryption and volume encryption: Virtual disk encryption is a process that handles the encryption of a file known as a container. The container comprises a number of data files and folders. Virtual disk encryption allows users access to the files within the container after proper authentication procedures have been carried out. Similarly, volume encryption is a process that encrypts logical volumes such as flash drives and external hard disks. Access to such devices is only possible after successful authentication (Scarfone et al., 2007). Proper authentication leads to the mounting of the encrypted data into main memory, after which the user is allowed to alter it as needed. This authentication process usually increases the time needed to access or alter a particular file. Users accessing small files usually do not notice this delay; however, as the size of the file increases, the delay becomes more noticeable (Scarfone et al., 2007).

File/folder encryption: File encryption and folder encryption work on almost the same principles. Under file encryption, individual files are encrypted, and access to them is provided only after valid authentication is completed. Folder encryption, on the other hand, encrypts entire folders instead of focusing on individual files (Scarfone et al., 2007). Even though there are some similarities between virtual disk encryption and folder encryption, there are differences between the two processes. Virtual disk encryption focuses on encrypting a container, and there is no way to view which files are present within a particular container. Folder encryption, on the other hand, focuses on encrypting entire folders, in which a user can view the files that a folder contains (Scarfone et al., 2007).

Applications that support encryption

Protocols used in operating systems: Windows makes use of the Kerberos protocol, which helps the operating system with the process of authentication over an unsecure network. The protocol makes use of tokens known as tickets. These tickets allow each node on the network to recognize other nodes (Tung, 1999). The basic aim of Kerberos is to help users become aware of the individual with whom they are communicating. The Kerberos protocol is especially effective in repelling a replay attack and even prevents any third party from accessing the information shared between two users (Tung, 1999).

PuTTY: PuTTY, in basic terms, is a terminal application that allows users to access a system remotely and even enables them to transfer files over a particular network. The application supports numerous protocols such as SSH, SCP and Telnet (Gibson, 2011).

OpenSSL: OpenSSL is basically a library of cryptographic functions used to secure various web servers that are involved in the transaction of sensitive information (Viega et al., 2002). The library was written in the C programming language and, to a certain extent, in assembly language. The software is an open-source implementation of the SSL/TLS protocol, which means that the source code of OpenSSL is available for viewing and even for modification. OpenSSL supports numerous encryption algorithms (Viega et al., 2002). Mainly, OpenSSL supports ciphers (for example AES), hash functions (for example SHA-2) and public-key cryptography (for example RSA). The ability of OpenSSL to support such a large variety of encryption algorithms, and the fact that it is open-source software, make it one of the most popular pieces of software in the world (Viega et al., 2002).

TrueCrypt: TrueCrypt is an application that helps the user create a virtual disk that can be encrypted to prevent unauthorized users from gaining access to the data present on the disk. The software can either encrypt a part of a file or encrypt the entire disk. TrueCrypt also provides a feature known as plausible deniability. TrueCrypt is source-available software, which means that its source code can be viewed by almost anyone (Carnavalet, 2013). Even with all these features, there are certain security concerns regarding the use of TrueCrypt. One of the greatest security risks of using TrueCrypt is its vulnerability to attacks from software such as BitLocker. The software itself cannot do much to protect itself from such attacks; however, caution on the part of the user could prevent such attacks from occurring (Carnavalet, 2013).

Disk Utility: Disk Utility is a piece of software provided by Apple Inc. in its Mac operating systems. Disk Utility is integrated into OS X to help the system perform a number of actions and activities that help with the management of data and, to a certain extent, with the maintenance of a user's Mac. One of the most useful uses of Disk Utility is to help create images of the data present on the hard drive of a Mac (Stauffer & McElhearn, 2004). Once they are created, Disk Utility protects these images by encrypting the data present on them. Disk Utility makes use of FileVault, an encryption method that has been used by Apple Inc. for its Mac computers for quite some time now (Stauffer & McElhearn, 2004).

GnuPG: GnuPG serves as a replacement for the data encryption software called Pretty Good Privacy. GnuPG can be used by individuals to protect data through encryption. The software, in basic terms, provides a command-line interface to its users; however, different front ends exist that offer a different interface from that of the basic version (Nguyen, 2004). The software encrypts a particular set of data by making use of keys generated by the different users. The users then exchange keys through a secure channel of communication. GnuPG also makes it possible for the user to add a cryptographic digital signature to the data being encrypted. The digital signature enables the receiver to verify whether the data came from a reliable sender (Nguyen, 2004).

Conclusion

Security of online data is one of the main concerns of modern times. Hackers and crackers have different tools at their disposal that allow them to easily penetrate firewalls and access sensitive information. Encryption is one tool that can be used to ensure that data stays secure even after there is a security breach within a network. Encryption algorithms help not only in keeping data at rest safe but also in ensuring that the transfer of data is carried out safely. Encryption software and applications such as OpenSSL and Disk Utility encrypt data with complex keys in a much shorter time, making sure that deciphering the text is much more difficult for an unauthorized user. The advent of new and improved machines has, however, reduced the durability of encrypted data. Even the use of sophisticated encryption software does not prevent hackers from obtaining information from their victims. It is therefore best if computer users and organizations exercise caution when transmitting or storing data. Strict protocols must be developed within an organization, and the implementation of these protocols must be ensured. A completely secure system does not just depend upon the software and hardware implemented but is also heavily dependent on the users that store or transfer sensitive data.

List of References

Barrett, D., Silverman, R. & Byrnes, R., 2005. SSH, The Secure Shell: The Definitive Guide. Sebastopol: O'Reilly Media, Inc.
Carnavalet, X.C., 2013. How I compiled TrueCrypt 7.1a for Win32 and matched the official binaries. [Online] Available at: [Accessed 28 January 2014].
Frankel, S. et al., 2005. Guide to IPsec VPNs. Gaithersburg: NIST.
Gibson, D., 2011. Microsoft Windows Networking Essentials. Indianapolis: John Wiley & Sons.
Nguyen, P.Q., 2004. Can We Trust Cryptographic Software? Cryptographic Flaws in GNU Privacy Guard v1.2.3. In: C. Cachin (ed.), Eurocrypt 04 (May 2-6), Lecture Notes in Computer Science. Springer-Verlag.
Northcutt, S., 2011. Security Laboratory: Cryptography in Business Series. [Online] Available at: [Accessed 28 January 2014].
Salomaa, A., 1996. Public-Key Cryptography. New York: Springer.
Scarfone, K., Souppaya, M. & Sexton, M., 2007. Guide to Storage Encryption Technologies for End User Devices. Gaithersburg: NIST.
Stauffer, T. & McElhearn, K., 2004. Mastering Mac OS X. New York: John Wiley & Sons.
Tung, B., 1999. Kerberos: A Network Authentication System. New York: Addison Wesley Publishing Company Incorporated.
Viega, J., Messier, M. & Chandra, P., 2002. Network Security with OpenSSL: Cryptography for Secure Communications. New York: O'Reilly Media, Inc.
(“Encryption of data in transit and data at rest Research Paper”, n.d.)
Retrieved from https://studentshare.org/information-technology/1626029-encryption-of-data-in-transit-and-data-at-rest
