Archive for December, 2008

More on passwords and encryption

Luke O’Connor has a good description of the use of passwords with encryption on his blog. He talks about the recent problems with Adobe document protection and how security actually got weaker with the most recent release. You can find his comments here:

http://lukenotricks.blogspot.com/2008/12/spin-on-passwords-and-aes.html

He explains why passwords make poor encryption keys, talks about Password Based Encryption (PBE), and describes a bit about the PKCS#5 standard for PBE. It’s a very well written piece.

It is amazing to me that there are still security problems surfacing around the use of encryption and related key management technologies. I do think that PBE is a reasonably good technology for protecting keys, and you should never accept a security solution that uses a raw password directly as an encryption key. That being said, enterprise users should use proper key management systems.

Patrick
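To make the point above concrete, here is an added example (not code from this blog or from Luke O'Connor's post) that contrasts using a raw password as a key with PKCS#5 v2.0 password-based key derivation (PBKDF2-HMAC, available in Python's standard library). The iteration count, salt length and the stored-record layout are constructed defaults for illustration; a real PBE deployment would use the derived key to wrap a separately generated data key rather than store it.

```python
import hashlib
import hmac
import secrets

# Constructed defaults for this example (PKCS#5 v2.0 / RFC 8018 PBKDF2 parameters).
DEFAULT_HASH = "sha256"
DEFAULT_ITERATIONS = 200_000
KEY_LEN = 32  # 256-bit key


def raw_password_key(password: str, key_len: int = KEY_LEN) -> bytes:
    """The anti-pattern: password bytes zero-padded straight into an AES-sized key.

    The key carries only the password's entropy, there is no salt (everyone with
    the same password gets the same key), and each guess costs one cipher call."""
    return password.encode("utf-8").ljust(key_len, b"\x00")[:key_len]


def derive_key(password: str, salt: bytes, iterations: int = DEFAULT_ITERATIONS,
               key_len: int = KEY_LEN, hash_name: str = DEFAULT_HASH) -> bytes:
    """PBKDF2-HMAC as specified in PKCS#5 v2.0: the salt defeats precomputation
    and the iteration count makes every guess cost `iterations` HMAC calls."""
    return hashlib.pbkdf2_hmac(hash_name, password.encode("utf-8"), salt,
                               iterations, key_len)


def new_pbe_record(password: str, iterations: int = DEFAULT_ITERATIONS) -> dict:
    """Parameters a PBE implementation stores next to the protected data: hash,
    iteration count and a fresh random salt. The derived key is kept here only
    so verify_password can demonstrate a check (constructed layout)."""
    salt = secrets.token_bytes(16)
    return {"hash": DEFAULT_HASH, "iterations": iterations, "salt": salt,
            "key": derive_key(password, salt, iterations)}


def verify_password(record: dict, candidate: str) -> bool:
    """Re-derive with the stored public parameters and compare in constant time."""
    dk = derive_key(candidate, record["salt"], record["iterations"],
                    len(record["key"]), record["hash"])
    return hmac.compare_digest(dk, record["key"])


def guess_cost(iterations: int, candidates: int) -> int:
    """HMAC evaluations needed to test `candidates` passwords against one salt.
    A raw-password key corresponds to iterations == 1 (and no per-user salt)."""
    return iterations * candidates
```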

2008 wrap-up and predictions

As we bring 2008 to a close, it’s a good time to review the current state of data protection. Many large retailers made significant progress this year with encryption of credit card information at the database level. The pressure of PCI compliance and on-site auditors is moving companies towards good practice in this area, but many gaps still remain. While the focus of many companies has been on database protection, there is arguably more risk in unstructured data. Unstructured data includes flat files, inter-process messages, printed reports, and files sent over a network connection. We find unstructured data still unprotected by encryption in many companies.

Mid-size retailers are now feeling the heat to become PCI compliant. Even without the pressure of an annual PCI audit, many now understand the risk to their business of a data loss and are moving forward with PCI compliance projects. I believe the New Year will bring a renewed focus, by regulatory bodies, on mid-size companies. Unfortunately, as larger companies achieve PCI compliance, I feel the bad guys will move to easier targets.

The new Massachusetts privacy law sent a shock wave through the business community. This new law mandates encryption of any private information sent over an Internet connection. Other states are moving similar statutes forward, and this represents a new toughness by regulators in protecting consumer information. In the past, privacy laws imposed fines and notification requirements in the event of a loss. The failure of these laws to significantly reduce losses is motivating lawmakers to impose pro-active requirements on data security. You should expect to see more of this type of regulatory activity in 2009.

One disturbing trend in 2008 has been the increase in very sophisticated data theft operations. The bad guys have definitely ramped up the quality of their attacks, including the ability to cloak their operations. I predict that we will soon see successful attacks that break weak or poorly implemented encryption and key management. Now would be a good time to review your encryption strategy, with special emphasis on key management. Be sure you are not storing encryption keys on the same platform as your sensitive data, and that you are using a key management solution that fits your enterprise's security needs.

I wish you all the best for the Holidays, and a safe and prosperous new year!

Patrick