Encryption is not equal to encryption, but who has the keys?

Encryption is not equal to encryption, but who has the keys?

Encryption is not equal to encryption, but who has the keys?

Tools for encrypted communication, resource encryption, are becoming more and more popular. This is due to the growing awareness of cyber threats, the increase in their number, many publicly available examples of leaks or data theft, including the latest generations of ransomware. More and more people realize that to feel safe, it is worth to encrypt one’s valuable data, send it in a safe manner, store it in a way that prevents it from being read by unauthorized persons, hackers, competition, economic intelligence, and special services of other countries.

When storing data in the cloud using many popular services such as Google Drive or Dropbox, we must be aware that they are secured only with a login and password and sometimes two-factor authentication if we enable such a service. Data is not encrypted. The service operator has access to the data, as well as anyone who obtains our login details or breaks security.

Encryption as a cure for all evil

One of the recommendations of security experts, which is even legally grounded (e.g., in GDPR, Article 32), is data encryption. Many of us, however, do not realize that encryption is not equal to encryption (and it is not even a matter of algorithms or key lengths used). The most important questions are what keys are used for encryption (public or private), where and how the keys are secured, and a very important issue – whether the private key is really a private key and not a dummy that ends up on the service provider’s server.
We must be aware that the physical security in the form of the best armored door with a multi-latch lock will not be effective if the keys are kept under the doormat.

Analogy

During my presentations, I often use the analogy of data storage services with more popular (especially in larger cities) “self-storage” services, i.e., self-service storage rooms that can be rented for some time to store various unnecessary things or during a move or renovation.

Photo by Bit Cloud on Unsplash

The receptionist verifies

Imagine a warehouse with a reception desk, where an employee is responsible for authenticating customers and issuing keys to individual storage rooms rented to a given person. A customer comes to the warehouse building and, at the receptionist’s request, must confirm his identity by showing an identity card, by reading the code sent by the receptionist to the phone number provided when signing the contract, or by confirming the customer’s identity based on verification of the 4 digits provided, e.g., from Social Security Number (SSN). If you think carefully, you can say that each of these methods is not entirely safe: you can forge proof, you can steal a phone or get a duplicate SIM card, and with obtaining SSN, even a moderately smart person, using white intelligence (OSINT) methods such data will be found … somewhere. There is one weak point here.

The second problem – the keys

After correct verification of the identity of a given customer, the receptionist issues keys that can be used to open an individual storage. We must be aware that the keys that are in the possession of the reception desk (or their duplicate, if the client had an IDENTICAL one) are exposed to several risks: the keys may be stolen, replaced (also a problem), the receptionist may be blackmailed, feel threatened or be bribed. It may happen that representatives of various organizations will come and illegally try to obtain the keys (“and why should you have problems, Mr. Receptionist?”). There may be a situation where the owner of a warehouse can live and earn money based on what is in these hiding places (e.g., because of information that someone stores oil paintings in them, he may offer special services for storing them or directing his own activity business in this direction).

The private key gives “certainty”

In the above example, the best solution for the customer would be to have his own only key (or the duplicate of which he keeps in some super safe place), with which the customer could open and close his individual magazine. Access to the place of this individual by the receptionist or the owner of the warehouse is possible by removing the indestructible magazine from the module in which the warehouse was located.

Web services

We should always be vigilant when using web services allowing us to store or send data. The use of the service on which we log in means that the data can also be accessed by the service provider, even if the data is encrypted (the service provider has public keys and knows our credentials, including a password or password hash and/or similar password and hash of the password with which the key is encrypted).

Asymmetric encryption

Let’s pay attention to solutions based on asymmetric encryption. What is that? Well, this is a way of securing data: for example, we want to send a secret file from user A (sender) to user B (recipient). Encryption is performed with the public key of user B, while decryption with the private key of user B, and only with this key it is possible to decrypt the file. If the private key is only in the possession of the recipient, then only he can decrypt the transmitted cryptogram.

Another type of encryption is symmetric encryption, which uses the same key for both encryption and decryption. In this case, the encryption keys must be in a place where two parties of communication have access. Most often it is the service provider. So, the service provider itself can decrypt the data – that is, it becomes the third party. If there can be a third, then a fourth and a fifth, and so on.

Data in currency or gold

It is not without coincidence that data is becoming the currency or gold of the 21st century. Therefore, let’s protect it. Similarly, the digital transformation is taking place in the economy, and crime is subject to similar changes. Let’s protect your data – by encrypting it. Remember, however, that encryption is not equal to encryption, and this is not only about the algorithms used – only by getting the answer: who has the keys? If someone talks about “end-to-end” encryption, where is the “end” and how many “ends” are there?

Author: Przemysław Kucharzewski
https://www.linkedin.com/in/przemyslawkucharzewski/


About Przemek Kucharzewski

Co-founder and VP Sales in Cypherdog Security Inc. – a vendor of solutions for encrypted communication. Przemek has 26 years of experience in building sales channels, marketing, and commercialization of IT solutions. In recent years, he has been focusing on cybersecurity and cloud solutions. In the past, he mainly worked for the largest IT distributors in the CEE region. He worked as Interim Manager for IT system integrators and vendors in advanced solutions selling​​. He is the author of many articles in the IT & business media, speaker, lecturer, and podcaster.