This article can also be found in the Premium Editorial Download "Storage magazine: Upgrade path bumpy for major backup app."
Merriam-Webster Dictionary defines encryption as "the manipulation of data to prevent accurate interpretation by all but those for whom the data is intended." Fine, but exactly how is this data manipulated in the first place?
In its simplest form, encryption is a mathematical operation. Human-readable documents (cleartext) are run through an encryption algorithm and returned in an enciphered format, or ciphertext.
An encryption key is the value that lets the algorithm transform cleartext into ciphertext and back. Remember high-school algebra when you had to figure out what X represented in an equation? You can think of an encryption key as the same type of value.
There are two types of encryption keys: symmetric and asymmetric. With symmetric keying, a single key is used by the algorithm for encryption and decryption. An asymmetric key algorithm uses a pair of cryptographic keys to encrypt and decrypt. A message encrypted by the algorithm using one key can be decrypted by the same algorithm using the other. In a sense, one key locks (encrypts), but a different key is required to unlock (decrypt). Storage encryption operations tend to use symmetric keying.
Protecting data through encryption depends on:
The strength of the encryption algorithm. Commonly used encryption algorithms are published so that the world's best math heads and crackers can have a go. None of today's standard algorithms has been broken.
The size (i.e., number of bits) of an encryption key. An encryption key's length determines the number of possible keys. The old cipher workhorse was the Data Encryption Standard (DES), an algorithm with a 56-bit key approved as a U.S. government standard in 1976. With DES, there are 72 quadrillion possible keys. This is tough for an individual to crack, but not for today's computing power. In fact, cryptanalysts broke DES using a program called "DES Cracker" in the late 1990s. Current encryption algorithms tend to use 128-bit keys, which allow 340,282,366,920,938,000,000,000,000,000,000,000,000 possible keys.
Protecting the encryption keys. If a bad guy gets the encryption keys, he can read whatever he wants. Given the number of possible keys, it's easier to steal keys than guess them.
Key management basics
Managing and protecting encryption keys from would-be intruders is important, but key management systems do more than just that. The total process is often called key lifecycle management, which includes:
Key generation. The key management system creates a unique 128-bit key for everything that gets encrypted. The important concept here is randomness. No key can be associated with those generated before or after it.
Key deletion. Deleting keys when they've expired or are no longer needed is important in preventing security breaches.
Key distribution. A single key management system can create keys as a service for multiple encryption engines.
Key protection. This covers facilities for key storage, backup and recovery, as well as clustering of key management servers for availability.
Key administration. Key management systems have to provide for day-to-day operations. Generally, this is done by following the security principle of separation of duties, where responsibilities are divided so no one person has the "keys" to the kingdom.
Key auditing. Key management must include logging information on the keying and administrative processes used by credentialed personnel for reporting and auditing.
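The lifecycle stages listed above can be sketched in a few dozen lines. This is an added example, not code from the article or from any key management product; the `KeyManager` class, its method names and the actor names are hypothetical, and keys are held only in process memory.

```python
import secrets
import time

KEY_BITS = 128  # key size the article cites for current algorithms


class KeyManager:
    """Toy in-memory key lifecycle manager (hypothetical, for illustration)."""

    def __init__(self, lifetime_s):
        self.lifetime_s = lifetime_s
        self._keys = {}      # key_id -> (key bytes, expiry timestamp)
        self.audit_log = []  # key auditing: (time, actor, action, key_id)

    def _audit(self, now, actor, action, key_id):
        # Log who did what to which key; never log the key material itself.
        self.audit_log.append((now, actor, action, key_id))

    def generate(self, actor, now=None):
        """Key generation: an independent CSPRNG key per encrypted object."""
        now = time.time() if now is None else now
        key_id = secrets.token_hex(8)
        key = secrets.token_bytes(KEY_BITS // 8)
        self._keys[key_id] = (key, now + self.lifetime_s)
        self._audit(now, actor, "generate", key_id)
        return key_id

    def fetch(self, engine, key_id, now=None):
        """Key distribution: serve a key to an engine only before expiry."""
        now = time.time() if now is None else now
        entry = self._keys.get(key_id)
        if entry is None or now >= entry[1]:
            self._keys.pop(key_id, None)  # key deletion on expiry
            self._audit(now, engine, "fetch-denied", key_id)
            raise KeyError(key_id)
        self._audit(now, engine, "fetch", key_id)
        return entry[0]

    def delete(self, requester, approver, key_id, now=None):
        """Key administration: deletion needs two distinct administrators."""
        now = time.time() if now is None else now
        if requester == approver:
            self._audit(now, requester, "delete-denied", key_id)
            raise PermissionError("separation of duties: second admin required")
        self._keys.pop(key_id, None)
        self._audit(now, f"{requester}+{approver}", "delete", key_id)
```

Key protection (durable storage, backup and recovery, server clustering) is outside this sketch, which is why a real system would not keep keys in a plain dictionary.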
This was first published in September 2006