You already know why encrypting data on your ClearPath server is important. Among other benefits, encryption protects the confidentiality of your intellectual property and your customers’ data. More than 25 countries and 46 states have data breach laws that specify financial penalties for you if you let personally identifiable information get into the wrong hands, but most of the laws let you avoid the penalties if the data is encrypted and you’ve protected the encryption keys.
The reason for the exception to the penalties is that if the data is stolen, encryption slows down the thieves.
Wait a minute … what was that again? “Encryption slows down the thieves”? Shouldn’t we say “encryption prevents the thieves from reading your data in the clear”?
No. Given enough time and computing resources, they might be able to figure out the original content of your encrypted data. What typically happens is that criminals who discover that your data is encrypted will decide that decrypting it without the keys is too much work for the potential gain, and they’ll go on to an easier target.
The data thief’s decision about whether to try to decrypt or not depends on two main factors:
Neither of these factors is an absolute. Just as the perceived value of the encrypted information changes with marketplace fluctuations, some encryption methods that were considered strong in the past are no longer sufficient. Brute force attacks that were impractical 30 years ago because of the limited power of available computing resources can now sometimes be successful because of faster hardware. In addition, mathematical analysis of encryption methods continues to evolve and find potential attacks that are less compute-intensive than brute force.
As an example of this evolution, DES, the Data Encryption Standard approved by the United States’ National Bureau of Standards (NBS) in 1977, is now considered insecure. NIST (National Institute of Standards and Technology, the successor to NBS) officially withdrew it as an approved option for federal government encryption in 2005. Whereas decrypting DES-encrypted data without the key was cost-prohibitive in 1977, hardware and software to crack DES encryption efficiently are now available for under $10,000.
At the same time, mathematicians and computer scientists have developed new algorithms that are sufficiently strong to discourage all but the most determined criminals. One approach to increased encryption security is to increase the key length. For example, DES uses 56-bit keys, but Triple DES, an encryption algorithm based on using DES three times, is still considered secure enough – for now – because it uses three 56-bit keys.
AES, the Advanced Encryption Standard adopted by NIST in 2001, can have keys up to 256 bits, and it is considered stronger than Triple DES. Furthermore, it executes faster than Triple DES on most processors, including ClearPath servers.
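To put numbers on the key-length argument above, this added example (not part of the original post) estimates the average exhaustive-search time for the key lengths mentioned and how long hardware growth would take to bring each within reach. The trial rate of 2**30 keys per second, the two-year doubling period and the 112-bit effective-strength row for Triple DES are assumptions chosen for illustration.

```python
import math

SECONDS_PER_YEAR = 365 * 24 * 3600

# Key lengths in bits for the algorithms named above. The 112-bit row is
# the commonly cited effective strength of three-key Triple DES against a
# meet-in-the-middle attack, not a figure from the post.
KEY_BITS = {
    "DES": 56,
    "Triple DES (three 56-bit keys)": 168,
    "Triple DES (meet-in-the-middle)": 112,
    "AES-128": 128,
    "AES-256": 256,
}


def expected_trials(bits):
    """On average the key turns up after half the key space is searched."""
    return 2 ** (bits - 1)


def years_to_search(bits, keys_per_second):
    """Average exhaustive-search time in years at a fixed trial rate."""
    return expected_trials(bits) / (keys_per_second * SECONDS_PER_YEAR)


def years_until_feasible(bits, keys_per_second, budget_years=1.0,
                         doubling_years=2.0):
    """Years of hardware growth before an average search fits the budget.

    Assumes attacker throughput doubles every `doubling_years`; that
    growth rate is an illustrative assumption, not a measurement.
    """
    today = years_to_search(bits, keys_per_second)
    if today <= budget_years:
        return 0.0
    return math.log2(today / budget_years) * doubling_years


def report(keys_per_second):
    """Map each algorithm to (years to search today, years until feasible)."""
    return {name: (years_to_search(bits, keys_per_second),
                   years_until_feasible(bits, keys_per_second))
            for name, bits in KEY_BITS.items()}


if __name__ == "__main__":
    # Assumed rate: 2**30 (about one billion) trial decryptions per second.
    for name, (now, wait) in report(2 ** 30).items():
        print(f"{name:32s} {now:10.3g} years today, feasible in ~{wait:.0f} years")
```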
In addition to the basic algorithms, encryption solutions include different modes, which provide additional security. (Details of the modes are beyond the scope of this blog.) Among other new features, ClearPath releases in 2013 add new encryption modes to the previous offerings. ClearPath OS 2200 14.0 adds counter (CTR) and cipher feedback (CFB) modes to Triple DES and AES encryption in Cipher API. The ClearPath MCP 15.0 release adds Galois counter mode (GCM) to AES for media encryption.
For OS 2200, the new encryption modes present the user with a choice: FIPS-certified or not.
FIPS 140-2 is a United States government cryptography standard, and the National Institute of Standards and Technology (NIST) operates a Cryptographic Module Validation Program (CMVP) to let hardware and software vendors demonstrate their adherence to this standard. In 2010, Science Applications International Corporation (SAIC), a NIST-accredited testing laboratory, evaluated the OS 2200 Cryptographic Library (CryptoLib) 1R1 against FIPS 140-2, resulting in the validation certificates posted on the NIST web site.
FIPS 140-2 defines four levels of security. CryptoLib is validated at Level 1, as are most software modules. Levels 2 through 4 are for hardware cryptographic modules, because they involve additional hardware-oriented criteria, such as physical tamper-resistance. The “2” in the name means it is the second version of the standard, not level 2 validation. A new version, FIPS 140-3, has been in preparation for the past six years and is expected to eventually supersede FIPS 140-2.
Cipher API calls CryptoLib to perform software-based encryption and decryption. Because the new CTR and CFB modes were not included in CryptoLib 1R1, they are not included in the FIPS certification. Thus, if your organization requires its cryptography to be FIPS-certified, you should install CryptoLib in FIPS mode and avoid using these new encryption modes. If you need the new encryption modes but are not required to use FIPS-certified encryption, you should install CryptoLib in NOTFIPS mode.
As encryption evolves, ClearPath cryptography evolves with it. Furthermore, encryption is an integral part of the ClearPath security architecture that protects your intellectual property and your customers’ data.