Why Encryption Is Essential and How to Address Potential Vulnerabilities

Transcription

1 CTO Corner September 2014 Why Encryption Is Essential and How to Address Potential Vulnerabilities Dan Schutzer, Senior Technology Consultant, BITS To meet the growing cyber threat it is important for financial institutions to increase their understanding of encryption, a complex subject based on mathematical theory and computer science practice. Although encryption is only one of a number of important and valuable security tools, it is one of the least understood, and as cyber defenses improve and encryption is deployed more widely, we should expect attackers to improve their ability to successfully attack encryption and expose sensitive information. This article provides an overview of encryption, including: Why encryption is essential and how it works Potential vulnerabilities to encryption technologies Regulatory expectations Recommendations on how to better address its current short-comings and vulnerabilities, and plan for responding to future vulnerabilities and attacks. Why Encryption Is Essential and How It Works As cybercrime and cyber espionage grow in sophistication, success and lethality, government and industry have moved to increase their use of encryption. Encryption, which has always been an indispensable tool for securing both cyber and physical space, is likely to increase in use and importance. For example, Google s recent change to have its search engine favor web sites that encrypt 1 and its system (Gmail) to offer users the ability to more easily encrypt . 2 In addition, credit card issuers and merchants are calling for end-to-end encryption to supplement efforts to safeguard payment card security including the use of chip-based cards. 3 Encryption involves the conversion of information from a readable state, plain text, to cipher text, unreadable to anyone but the originator and intended recipient of the message. The earliest form of encryption dates back at least to the times of ancient Egypt and Rome. The state and military were the earliest adopters of encryption, with financial institutions not very far behind. An early form of encryption was the Caesar cipher. 4 It was a substitution cipher that involves replacing each letter of the secret message with a different letter of the alphabet which is a fixed number of positions further in the alphabet. It was not terribly secure, especially if one were using today s cryptanalytic technology to break it. Because each letter in the message has a direct translation to another letter, frequency analysis can be used to decipher the message. For example, the letter E is the most commonly used letter in the 1

2 English language. Thus, if the most common letter in a secret message is K, it is likely that K represents E. Additionally, common word endings such as ING, LY, and ES also give clues. The rapid growth of the Internet in the 1990 s, and the subsequent growth of cybercrime that followed, has resulted in the widespread use of encryption. Today, encryption technology is used to protect stored data as well as data in transit. It is also used to verify the authenticity of users and whether the data has been inappropriately modified. In addition, encryption is used in a number of other applications including electronic money and digital rights management (DRM), which is a class of technologies that are used by hardware manufacturers, publishers, copyright holders, and individuals with the intent to control the use of digital content and devices after sale. Modern cryptography is based on computational hardness assumptions. In other words, it is not assumed that cryptography algorithms can t be broken, just that it is impractical to break. For example, it would take too long to break a specific encryption algorithm using currently available methods and affordable computational resources. Expected forecastable advances in computer technology can challenge this assumption for a given encryption algorithm. For example, this impacted the Data Encryption Standard (DES) 5, necessitating the need to move to new, more powerful encryption algorithms with longer keys, such as the Advanced Encryption Standard (AES) 6. However, significant breakthroughs in computer technology (e.g. quantum computers 7 ) and cryptanalytics breakthroughs (e.g. fundamental breakthrough in the integer factorization algorithm) can render even future encryption algorithms based on current modern cryptography approaches (e.g., public key cryptographic approaches based on the difficulty to find and test all prime numbers for a composite number, or pseudo-random generators that can produce a sequence of numbers that can t be predicted) inadequate to withstand attack, no matter how long the key. To learn more about how encryption works, I provide more details in the appendix. Potential Vulnerabilities to Encryption Technologies The need for encryption is growing. Unfortunately, encryption is not without its vulnerabilities and challenges. This means that financial institutions must continue to be diligent in discovering and fixing current encryption implementation weaknesses that pose possible attack vectors. Financial institutions must also prepare for the day when exponential improvements in the ability to attack an encryption algorithm increase to the point where they need to introduce new approaches to encryption, possibly a new encryption paradigm. There are a number of ways an attacker can defeat encryption. They fall into two categories - attacks that bypass the encryption and attacks on the encryption. Attacks that bypass the encryption include: Attacks that target the theft of credentials. Once someone steals a legitimate user's credentials, then he has access to the data regardless of encryption. Attacks on the certificate authorities. If the certificate authority is breached, the particular method of encryption won't matter. Attacks that target the endpoints of the communication system by breaking into or compromising the end point device containing the encryption key into revealing the key. Attacks that exploit key leakage or enable key substitution, such as: 2

3 o Forging or modifying the certificate or directory causing the sender to encrypt using the criminal s public key rather than the intended recipient. o Man-in-the-middle attacks where the criminal places themselves in the middle of the key exchange between the sender and receiver, replacing public keys and certificates with its own. Impersonating one of the users and taking over the user s systems that control access to the user s data, certificates and keys. Attacks against encryption include attempts to break an encryption algorithm by brute force (automated guessing). Since brute force generally takes too long to succeed using today s available computing power against the current crop of approved encryption algorithms, practical cryptanalytics involve taking advantage of a known or discovered weaknesses in the encryption algorithm implementation, or through purposefully planted weakness in the encryption standards and implementations 8 that enable the attacker to take short cuts. Examples include: Attacks that exploit side channel information, information that can be retrieved from the encryption device that is neither the plain text to be encrypted, nor the resulting cipher text (e.g., if a cryptanalyst has access to the amount of time the device took to encrypt a number of plain texts, he may be able to use a timing attack to break a cipher that is otherwise resistant to analysis). 9 Side channel information could also be used to provide information that could be used to exploit key leakage. 10 Attacks against the key generation and management systems (e.g., exploiting bad random number generators or sloppy password creation habits). Attacks against buggy implementations of the algorithm (e.g., Heartbleed which permit compromise of the encryption keys used in certain versions of SSL). 11 Cryptanalytic approaches that improve the process of code breaking over a pure brute force attack. These include techniques such as linear cryptanalysis (a general form of cryptanalysis based on finding affine 12 approximations to the action of a cipher) 13 and differential cryptanalysis (study of how differences in information input can affect the resultant difference at the output). In the case of a block cipher, differential cryptanalysis involves a set of techniques for tracing differences through the network of transformations, discovering where the cipher exhibits non-random behavior, and exploiting this to recover the secret key. 14 Improvements in computing power available to the attacker can render previously existing encryption algorithms, even if implemented correctly, less secure against today s encryption attacks. 15 For example, because computers have become increasingly faster since the 1970s, security experts no longer consider DES secure. Although a 56-bit DES key offers more than 70 quadrillion possible combinations (70,000,000,000,000,000), a successful brute force attack (simply trying every possible combination in order to find the right key) was announced in Jan 19, 1999 that decrypted DES cipher text in 22 hours. Using 2006 computer technology, in the worse-case scenario, an attack would be successful in a little over ½ day, and under 7 hours on the average, costing a little over $15, Even faster decryptions are possible using specialized equipment such as Field Programmable Gate Arrays (FPGA), and cryptanalytic attacks such as linear cryptanalysis. This has led to requiring new encryption algorithms with longer keys over time (e.g., move from FIPS 46-3 Data Encryption Standard - DES to FIPS 197 Advanced Encryption Standard AES). 3

4 Future Threats: Advances in computer processing and memory, including breakthroughs such as quantum computing and special-purpose crypto machines, may enable practical brute force attacks to be performed within reasonable time and memory complexity against all current and future encryption algorithms. Mathematician Peter Shor proved in that a quantum computer could, in theory, be used to speed up integer factorization drastically, to the point where much of the existing Internet security infrastructure would be useless. Perhaps we may even see breakthroughs in the art of cryptanalytics that challenge current assumptions as to what constitutes a computationally hard problem, making even the underlying encryption approach itself vulnerable. Indeed, in 2013, there was some excitement in cryptographic circles when a pair of new papers reported the first significant progress in years in something called the "discrete logarithm problem". 18 The discrete logarithm problem is intimately related to the problem of prime factorization, which is relied upon by RSA public key encryption (see appendix). The advance in question was limited to a specialized subcategory of the problem, and the consensus seems to be that it does not, by itself, pose a threat to existing encryption protocols, but in mathematics success often builds on itself, suggesting new tactics for attacking a puzzle, and the scent of a hot topic can lure clever mathematicians with fresh ideas. Such breakthroughs and advances could require a fundamental rethinking of encryption, including how it is used and how it is implemented. This concern was recognized in the latest update to the Financial Services Sector Coordinating Council (FSSCC) R&D Agenda, which calls for new research on encryption. 19 Regulatory Expectations The Federal Financial Institutions Examination Council, which is the interagency group that develops supervisory guidance for depository institutions, encourages the use of encryption, but provides cautions and high level guidance on when and how best to deploy encryption. 20 The expectations referenced in the guidance include: Effective key management processes. Encryption strength sufficient to protect information from disclosure until such time as the information's disclosure poses no material threat. Base decisions regarding what data to encrypt and at what points to encrypt the data on the risk of disclosure and the costs and risks of encryption. Encrypt authentication data, such as passwords and keys both when passing over a public network and within the institution. The regulators recognize several cautions, including: Encryption can weaken other security aspects (e.g., encrypted data drastically lessens the effectiveness of any security mechanism that relies on inspections of the data, such as anti-virus scanning and intrusion detection systems). Encryption carries the risk of making data unavailable should anything go wrong with data handling, key management, or the actual encryption. Encryption cannot guarantee data security. A security breach at one of the endpoints can be used to steal data or give an intruder access to the system, even when the data is encrypted. 4

5 As the cyber threat continues to grow in sophistication and frequency, U.S. regulators may update their supervisory guidance and urge financial institutions to look more closely at their use of encryption. Encryption regulations vary by country which creates additional challenges for financial institutions that operate globally. For example, until 1999, France significantly restricted the use of cryptography domestically, though it has since relaxed many of these rules. In China and Iran, a license is still required to use cryptography. Many other countries have tight restrictions on the use of cryptography. Among the more restrictive are Belarus, Kazakhstan, Mongolia, Pakistan, Singapore, Tunisia, and Vietnam. Recommendations on How To Better Address Current Shortcomings And Plan For Future Attacks. Here are some steps that could be taken to strengthen encryption against a growing and increasingly sophisticated threat. As attacks that bypass the encryption algorithm increase in frequency and success it becomes imperative to take a number of steps to prevent these attacks from succeeding, such as: Avoid misapplication of encryption. o It is not enough to merely check the box by encrypting data on a back end system at the storage, file, or database layers. It is important to understand the differences between different levels of encryption, especially in the emerging cloud space. o As long as applications and privileged insiders still see plaintext data, there is exposure to threats like SQL injection, POS RAM scraping malware, or a rogue DBA. o Encryption is effective when applied properly at the application layer of the computing stack from end-to-end (user device to back-end, and all points in between). Patch existing encryption algorithms and processes, addressing all known vulnerabilities and improving the process for discovering weaknesses. Strengthen key handling/management practices throughout its lifecycle (from creation, storage, use and disposal). o Hold cryptographic keys in secure hardware (e.g., Hardware Security Module or HSM). Mitigate the theft of credentials and strengthen identity management, authentication and access control. o Introduce better ways distribute public keys and manage certificates (could include wider use of proposals such as DNS-based Authentication of Named Entities, DANE, discussed in the Appendix in the section entitled Linking a user to their public key) o Implement stronger mutual authentication of both parties, including use of biometrics and other advanced authentication technologies Minimize the points at which sensitive data can be compromised and who can access it. o Practice data consolidation strategies. o Employ data masking and tokenization (see discussion in the Appendix on linking user to public key and tokenization). o Utilize ways to use the data without decrypting it (see discussion in Appendix on homomorphic encryption). o Minimize harm by severely limiting who gets to see or access sensitive information. Improve existing encryption implementations. o Develop better methods of random number generation, perhaps harnessing the output of true random physical processes. o Develop the means for more rapidly designing, testing and deploying new encryption algorithms and implementations in response to discovered weaknesses. 5

6 o Investigate use of identity-based encryption systems 21 to simplify and strengthen key management. o Investigate the use of key splitting 22 technologies to strengthen encryption. Consider the use of.bank and.insure to house highly trusted financial service directories on dedicated highly resilient and trusted communications links and servers. To address the potential future disruptive threat there are several options worth investigating: Strengthen the actual encryption algorithms against brute force attacks, by including use of onetime key pads that involve using a different encryption key each time one encrypts a message. The one-time pad 23 is a theoretically secure scheme that cannot be broken even with unlimited computing power, but is much more difficult to implement than the best theoretically breakable but computationally secure mechanisms. Use stronger approaches to handle the key distribution function, such as use of quantum communications. This would also help with making one-time key pads practical. Research development of un-hackable quantum encryption technology. 24 Investigate new techniques, paradigms and approaches, such as steganography (hiding messages in documents and images). 25 Of course we need to securely exchange reference documents and images between sender and receiver, so the message hidden within can be extracted. Encrypt and store many different versions of a sensitive piece of data (e.g., millions of different account numbers for the same credit card), making it difficult for an attacker to know which decrypted credit card number to use. The trick would be to device a scheme to make it easy for an authorized entity to know which is the real number, and very hard for the attacker. Concluding remarks As our traditional cyber defenses grow in effectiveness and encryption gets more widely deployed, we can expect that attackers will also improve their attacks on encryption by leveraging computing and memory power and advances in cryptanalytics that could challenge the underpinnings of modern cryptography. This dictates that while we need to deploy encryption more widely, we must work harder at discovering and fixing current encryption implementation weaknesses that pose possible attack vectors, and prepare for the day when exponential improvements in the ability to attack an encryption algorithm increases to the point that we need to introduce new innovative approaches to encryption such as those discussed in this article, including use of one-time pads, quantum key distribution and encryption and steganography. 6

7 Appendix: More Details on How Encryption Works All modern forms of encryption performs the scrambling of some plain text to a form undecipherable to anyone but the intended recipient(s), by means of a publically known algorithm seeded by a secret key (experience has taught cryptographers not to rely on security by obscurity but to make the encryption algorithm public and well-tested, with only the key being kept secret). There are two basic types of encryption in use today - symmetric encryption and asymmetric encryption (also known as public key cryptography). Symmetric encryption is much faster to compute compared to asymmetric encryption, but since both parties need to know the key and they are usually remote from one another, it is important to have a secure way to remotely exchange the key between sender and intended recipient. If this exchange is done poorly it can increase the chances of the key being compromised. Symmetric encryption - In symmetric encryption, the same secret key is used to encrypt the message (convert to a cipher text), and to decrypt (recover the plain text from the cipher text). Only the key needs to be kept secret, protected, and safeguarded. It should be known only by the sender and the intended recipient(s). The longer the same key is used, the more likely that an attacker can eventually discover the key, so frequent updating of the secret key is required. Modern symmetric encryption algorithms are a lot harder to break than the Caesar cipher. A high level description of how the Advanced Encryption Standard (AES) 26 algorithm works is provided below. AES example - AES, is a symmetric block cipher meaning it operates on fixed-length blocks of data. It runs a sequence of loops where a complex set of transformations and operations are performed (e.g., shifts rows, mixes columns, performs a combination of addition, multiplication, rotations, substitutions, and exclusive ors 27 against a schedule of keys, called round keys to distinguish them from the original master symmetric encryption key from which they are generated). The same symmetric key is used to decrypt the resulting cipher text but the order of operations differs. It is important to generate the symmetric key so that the resulting cipher text appears random to cryptanalysis. This involves the use of a random number generator, which is a critical component of any encryption algorithm. 28 It is called a pseudo-random number generator because it is doesn t produce truly random numbers - its sequence is recoverable by anyone with knowledge of the symmetric key this is necessary in order to decrypt the message. It is important to use pseudo-random number generators, which are designed to be unpredictable even if the attacker had access to a very large set of random numbers it generates. More detail on how AES works can be found in the footnoted references. 29 Asymmetric Key encryption - Asymmetric key encryption (also known as public key encryption) involve a pair of keys, a public key (which as the name implies is known to the public), and a private key (known only to the owner of the private key). If the message is encrypted with one key, it can be decrypted with the other. Public key encryption enables message and data encryption, key distribution, and message authentication. To send a private message, one encrypts the message with the intended recipient s public key. To decrypt the message you need to know the recipient s private key, which is only known by the recipient, so only the intended recipient can read the encrypted message. Asymmetric encryption is generally more compute-intensive and much slower than symmetric encryption. 7

8 RSA Example - RSA is one of the first practicable public-key cryptosystems and is widely used for secure data transmission. 30 It is actually a set of two algorithms, a key generation algorithm and an encryption/decryption algorithm otherwise known as the RSA Function evaluation. Key Generation - The key generation algorithm is the most complex part of RSA. It generates both the public and the private RSA keys. This involves finding two large prime numbers and computing a function called the totient (the number of elements that have an inverse in a set of modulo integers) of a composite number (formed by the product of two prime numbers). The public key is a randomly selected prime number of this composite number, and the private key is its inverse with respect to the composite number s totient. The private key cannot easily be derived from knowledge of the public key and the composite without finding the original pair of prime numbers used to compute the totient. Weak key generation makes RSA very vulnerable to attack so it has to be done correctly. RSA's main security foundation relies upon the fact that given two large prime numbers, a composite number can very easily be deduced by multiplying the two primes together, but, given just the composite number, there is no known algorithm to efficiently determining its prime factors. It may seem a bit disturbing to base the security of one of the most used cryptographic algorithms on something that is not provably difficult. The only solace one can take is that throughout history, numerous people have tried, but have so far failed to find a solution to this. Encryption/Decryption - RSA uses modulo operations 31 to transform a plaintext message into ciphertext, and the ciphertext back into plaintext. The computation involves first converting the message into a numeric format where each letter is represented by an American Standard Code for Information Interchange (ASCII) character code. 32 For example, "attack at dawn" becomes The cipher is obtained by performing modulo division by a composite number, on the plaintext message raised to a power equal to the public key. The plaintext is recovered by performing modular division by the composite number, on the cipher text raised to the exponential power of the private key. More details about key generation and RSA encryption and decryption can be found in the references provided. 33 Other public key systems are based upon other hard numeric problems such as discrete logarithms 34 and elliptic curves. 35 Applications of Public Key Cryptography -Public Key Cryptography elegantly solves the message authentication, and symmetric key distribution problem previously discussed, as follows. Message Authentication - The sender of a message can digitally sign 36 a message by encrypting a message digest (hash 37 ) of the sent message with their private key. The recipient can then verify the authenticity of the message by using the sender s pubic key to decrypt both the message and the message digest and verifying that the message digest computed by performing the digest operation on the decrypted message, matches the decrypted message digest. This demonstrates that message was not tampered with (is unchanged from the original message sent by the sender). Because the message was successfully decrypted using the sender s public key it also verifies that the sender was the originator of the message. 8

9 Remote key distribution - Asymmetric encryption can be used to securely exchange symmetric keys. A user generates a symmetric key, encrypts it with the recipient s public key and sends it securely to the recipient, who is the only one, other than the sender, who can decrypt and use this symmetric key. Data at rest - There are important considerations to keep in mind when applying encryption to stored data. The downside to using encryption on a per-file, or more granular basis, is that users need to remember to encrypt every confidential file that they create. It's also burdensome if users regularly work with this confidential information. Many organizations supplement per-file encryption solutions with whole-disk encryption products that automatically encrypt all of the data stored on a hard drive in a manner completely transparent to the end user. Once a user logs into a computer with an authorized account and password, the disk-encryption drivers automatically decrypt data as it is requested. Because disk-based encryption only protects data while it is stored on the disk without an authorized user logged into the system, it provides great protection against theft of a mobile computer, but it provides no protection for files that are copied off of the computer or accessed while an authorized user is on the system. Every time we need to use encrypted data, we need to decrypt the data, exposing it to attack. Homomorphic encryption 38 reduces this threat by making it possible to analyze data without decrypting it. It encrypts the data in such a way that performing a mathematical operation on the encrypted information and then decrypting the result produces the same answer as performing an analogous operation on the unencrypted data. The correspondence between the operations on unencrypted data and the operations to be performed on encrypted data is known as a homomorphism. Homomorphic encryption has been successfully demonstrated but for most applications remains too compute-intensive to be practical today. Common communications protocols that use encryption - Various communication protocols use both symmetric and asymmetric encryption. Transaction layer security (TLS), the successor to Secure Socket Layer (SSL) uses asymmetric encryption for authentication and distribution of the symmetric key, and symmetric encryption to protect the remainder of the communications session. TLS has been used to secure electronic banking and other transmissions between the institution and the customer, to secure , telnet, and FTP sessions. A wireless version of TLS is called WTLS, for wireless transaction layer security, Linking a user to their public key - In order for asymmetric encryption to work a user needs to be able to associate a public key with the correct entity. This could be done a number of ways. Two parties who know each other well can directly share their public keys with each other as is done with Pretty Good Privacy (PGP). 39 For parties who don t know each other, the services of a trusted third party are needed. The most common ways for a third party to provide this service is to either digitally sign a certificate that contains the users identity attributes and their public key, thus vouching for the user s identity and ownership of the public key, or by maintaining a directory of users and their public keys. Because public keys can change over time, directories need to be updated and certificates need to be revoked. Another approach is to embed these linkages into the network. For example, DNS-based Authentication of Named Entities (DANE) 40 is a protocol to allow X.509 certificates, commonly used for Transport Layer Security (TLS), to be bound to DNS names using Domain Name System Security Extensions (DNSSEC). An important issue associated with these certificates and directories is the amount of due diligence the trusted third party goes through in verifying the user and the user s public key. 9

10 Tokenization - Tokenization has recently become a popular way to bolster the security of credit card and e-commerce transactions in lieu of full end-to-end encryption of the sensitive account data. While tokenization employs a number of encryption concepts and techniques in that it converts the actual data to a transformed data that is hard to reverse engineer to recover the account number, it is not the same thing as encryption. Tokenization converts account numbers into randomly-generated values (tokens) where the tokens take the place of sensitive account data. 41 In a credit card transaction, the token typically contains only the last four digits of the actual card number, hiding the full primary account number (PAN). The rest of the token consists of alphanumeric characters that represent cardholder information and data specific to the transaction underway. Unlike most modern encryption algorithms, the transformation algorithm is proprietary and the recovery of the actual account number from the token is not done by an encryption key. The link between token and PAN is maintained at a service provider who provides the tokenization option. This linkage is vulnerable to data breach at the service provider unless it is encrypted, and, as with encryption algorithms, the tokenization algorithm is vulnerable to attack chrome-extensions-make-encryption-easier-for-everyone.html esar.php nternet_security.html

11 The Advanced Encryption Standard is a specification for the encryption of electronic data established by the U.S. National Institute of Standards and Technology in RSA stands for Ron Rivest, Adi Shamir and Leonard Adleman, who first publicly described the algorithm in