Search
Close this search box.
Facebook Instagram Linkedin

Month: May 2019

Categories
Data Protection

Communication Applications with Encryption and the Use of Data

If you’re concerned about data security and privacy, you may have heard of encryption for communication applications, even if only in a superficial way.

In addition, it is possible that your interest in the subject arose as a result of some news of a leak or theft.

This is a reality that has been growing in recent years. We are increasingly concerned about our information and technology has a direct impact on our routines.

Who would have thought, for example, that the cell phone would become so important to us? But not because of its original functionality, making and receiving calls, since messaging apps have practically doomed phone calls.

Do you have any idea how many messages have been received and sent in the last few hours via the main tools of this type? And how many have replaced a connection?

Thousands of messages every day

Brazilians send thousands of messages every day to friends, family, work colleagues and other people. In the world, an average of 55 billion messages are sent every day via WhatsApp.

Even services like WhatsApp have become strategic for businesses. Considered sales tools, messaging apps help many entrepreneurs to boost the economy.

Because of this importance, we want the messages to remain restricted to interested parties only. These are often private conversations that deal with personal and strategic matters.

Given the frequency with which we all use these tools, it is increasingly important to protect privacy and personal information.

One way of doing this is by using encryption for communication applications.

Definition of cryptography

Before looking at who adopts encryption for end-to-end communication applications, it’s worth remembering the basic concept behind secure messaging.

Security systems for communication have existed for centuries. Basically, the idea is to get a message or information to a destination without any unauthorized person being able to read it.

In practice, with the help of the internet, we send a lot of private data to other computers or servers every day.

Encryption takes your data and scrambles it, making it impossible for anyone who intercepts it to read or understand.

When it reaches the recipient, the data is decrypted back to its original form so that it can be read and understood.

Unencrypted data is called plain text and encrypted data is called cipher text.

The way a device takes data and encrypts it is called the encryption algorithm. It is used with a cryptographic key, so that only the person with the right key can decrypt it.

For example, if we wanted to encrypt the message “good morning!” and send it to someone else, we would need to use an encryption algorithm, which would encrypt it to something like “SZKKB YRIGSWZB”. That way, someone using the same technology could open it and read it.

From end to end

End-to-end encryption is asymmetric. It protects the data by ensuring that only two people can read it: the sender and the recipient.

This means that no one else can read the data, such as hackers, governments, companies or servers. Therefore, when a user sends a message to another, even if it has been intercepted, it cannot be read.

If the message passes through WhatsApp’s server, for example, it won’t be able to read it. If the service wanted to provide this data to third parties, they would not be able to do so.

This is what happens when encryption for communication applications is end-to-end. To find out more about how WhatsApp messages are encrypted, as well as the algorithms used, click here.

Encryption for communication applications is a standard

The use of encryption in communication applications has become a standard in recent years. However, it has not yet been adopted by all manufacturers.

In fact, encryption is not mandatory in all situations, but in some you definitely use it, such as when you buy items online and enter your card details.

At times like these, encryption happens without you knowing. In everyday life, you can opt for encryption for communication applications just to have the peace of mind of knowing that absolutely no one else can access your messages or calls.

End-to-end encryption means that unauthorized people won’t be able to access your data and your privacy is preserved.

 

Which applications to use

There are so many options on the market that it’s hard to say which is the best. Instead, we’ll list the most popular ones that use encryption for communication applications by default.

Encryption on WhatsApp

WhatsApp already has more than 1.5 billion users and integrates the encryption protocol into its conversations. This means that WhatsApp messages are end-to-end encrypted by default.

It has chat, group calls, file sharing, archiving, location sharing, broadcasting and much more.

The popularity of the app also works in your favor, as you probably won’t need to convince other people to download it.

WhatsApp is free to use and ad-free. However, it is owned by Facebook, which openly admits to collecting a lot of data about you for marketing purposes.

Encryption in Facebook Messenger

According to one BBC reportFacebook Messenger also uses encryption, but a little differently from the encryption used in WhatsApp, in which the message is encrypted from the sender to the server, which opens the message and encrypts it back to the sender end-to-end, the same signal protocol used by WhatsApp.

But there are already plans to implement the same end-to-end encryption on Facebook Messenger as is used on WhatsApp. Ultimately, this means that your messages cannot be viewed by the social network team.

Facebook Messenger also uses encryption, but a little differently from the encryption used in Whatsapp, in which the message is encrypted from the sender to the server, which opens the message and encrypts it back to the sender. end-to-end, the same signal protocol used by WhatsApp.

But there are already plans to implement the same end-to-end encryption on Facebook Messenger as is used on WhatsApp. This means that your messages cannot be viewed by the social network team.

Facebook Messenger works like most other apps, with group chat and calls, file sharing, location sharing and video calls. It’s also very easy to use, with stickers, GIFs and even games.

However, the application is owned by Facebook, which means that it still contributes to the data collected about you and billions of other users.

Encryption in Telegram

Telegram was one of the first apps on the market. End-to-end encryption is not active by default: you need to make sure that secret mode is active so that no one else can access your messages.

The app has features such as group chat, sending files and photos – also encrypted only in secret mode – missing messages, archiving functionality and voice and video calls.

When secret mode is active, messages can also self-destruct on all devices in a chat and there is the option to self-destruct your account within a set time.

Telegram is free to use and ad-free. All data is encrypted and stored on servers, except for secret chat messages.

Encryption in iMessage and FaceTime

Apple has introduced end-to-end encryption for all your messages in iMessage, the default app on iOS devices, and all FaceTime calls and videos.

iMessage and FaceTime are available on iOS mobile devices as well as Mac computers.

Both apps cover a range of basic functionalities, such as messaging, location or file sharing and voice and video calls. iMessage messages are backed up in iCloud, but this can be disabled in your settings.

Make sure you read the data privacy policies of all the applications you use. Make sure you are comfortable with them before trusting your chosen tool.

Sobre a Eval

EVAL has been developing projects in the financial, health, education and industry segments for over 18 years. Since 2004, we have offered Authentication, Electronic and Digital Signature and Data Protection solutions. Currently, we are present in the main Brazilian banks, health institutions, schools and universities, and different industries.

With value recognized by the market, EVAL’s solutions and services meet the highest regulatory standards of public and private organizations, such as SBIS, ITI, PCI DSS, and the General Data Protection Law (LGPD). In practice, we promote information security and compliance, increase companies’ operational efficiency, and reduce costs.

Innovate now, lead always: get to know Eval’s solutions and services and take your company to the next level.

Eval, safety is value.

Categories
Data Protection

Why is encryption key management important?

Companies are moving more and more sensitive data over the internet and are heavily migrating their infrastructure to the cloud, in different types of service models. As this happens, the need to use and manage encryption keys grows.

Faced with this reality, security professionals actively protect this data with tried and tested techniques, which are used at different stages of an organization’s productivity cycle, always with the aim of guaranteeing privacy.

However, the guarantee of data protection and availability may not be possible through the use of encryption alone.

Even if there is advanced technology against data breaches, without encryption key management, the risk of information being leaked or stolen will still be high.

Why is managing cryptographic keys important?

Management means protecting cryptographic keys against loss, theft, corruption and unauthorized access. Its objectives include:

  • ensure that the keys are kept safe;
  • change the keys regularly;
  • control how and to whom keys are assigned;
  • decide on the granularity of the keys.

In practice, encryption key management means assessing whether a key should be used for all backup tapes or whether, on the other hand, each one should receive its own, for example.

It is therefore necessary to ensure that the cryptographic key – and anything related to it – is properly controlled and protected. So you can’t not think about management.

If everything isn’t properly protected and managed, it’s like having a state-of-the-art lock on your front door but leaving the key under the mat.

To make the importance of cryptographic key management clearer, we only need to remember the four objectives of cryptography: confidentiality, integrity, authentication and non-repudiation. So we see that with it we can protect personal information and confidential corporate data.

In fact, it makes no sense to use technology that guarantees data security without efficient management.

Managing encryption keys is a challenge, but it’s not impossible

In fact, managing cryptographic keys is not as simple as calling a locksmith. You can’t write the keys on a piece of paper either. You need to provide access to as few people as possible and ensure that it is restricted.

Successful crypto management in the corporate world requires good practices on several fronts.

First, you must choose the right encryption algorithm and key size to have confidence in your security.

It must then ensure that the implementation of the corporate encryption strategy complies with the standards established for this algorithm. This means being approved by a recognized certification authority – in the case of Brazil, those approved by the ITI, within ICP-Brasil.

Finally, it must guarantee efficient encryption key management, combined with security policies and processes that can ensure productive use of the technology.

To have greater confidence in your encryption key management strategy, the first questions to ask are the following:

Many management services retain private keys at the service layer, so your data can be accessible to the administrators of this activity. This is great for availability, but not for confidentiality.

So, as with any technology, the efficiency of encryption depends completely on its implementation. If it is not done correctly or if the components used are not properly protected, it is at risk, as is the data.

infographic HSM Moderno

/td>

From policy creation to cryptographic key management

A common approach to protecting company data through encryption key management is to take stock, understand the threats and create a security policy.

Companies need to know which devices and applications are trusted and how policy can be applied between them and in the cloud. It all starts with knowing what you have.

Most organizations don’t know how many keys they have, where they use encryption and which applications and devices are really trustworthy. This undeniably characterizes a total lack of management of encryption keys, data and its structure.

Undoubtedly, the most important part of an encryption system is its key management, especially when the organization needs to encrypt a large amount of data. This makes the infrastructure more complex and challenging.

Standardizing the process is fundamental

The standardization of products is fundamental. After all, even properly implemented encryption means little if an attacker gets into someone’s machine or if an employee is dishonest.

In some cases, for example, encryption can enable an attacker and render the entire security investment useless, causing damage that goes far beyond financial losses. So standardization is vital to creating useful policies and processes, reducing the possibility of loopholes that can result in cyber attacks and data theft.

Encryption really does create more business opportunities for different types of companies, not just by mitigating concerns such as cyber attacks, but by creating an organized, efficient and strategic data access cycle.

Finally, in times of digital transformation and so many technological and market disruptions, adopting encryption key management is vital for companies seeking sustainable growth.

Now you know a little more about cryptographic key management, keep up to date with this subject via our LinkedIn page.

About EVAL

EVAL has been developing projects in the financial, health, education and industry segments for over 18 years. Since 2004, we have offered Authentication, Electronic and Digital Signature and Data Protection solutions. Currently, we are present in the main Brazilian banks, health institutions, schools and universities, and different industries.

With value recognized by the market, EVAL’s solutions and services meet the highest regulatory standards of public and private organizations, such as SBIS, ITI, PCI DSS, and the General Data Protection Law (LGPD). In practice, we promote information security and compliance, increase companies’ operational efficiency, and reduce costs.

Innovate now, lead always: get to know Eval’s solutions and services and take your company to the next level.

Eval, safety is value.

Categories
Data Protection

Storing digital certificates is vital for companies

How do you store digital certificates and cryptographic keys while guaranteeing company security? No doubt the way is always through the adoption of good practices.

That is, the storage of digital certificates and cryptographic keys provides a critical security layer that protects all of a company’s virtual assets.

Breaches due to trust-based attacks are caused precisely by inadequate storage and mismanagement.

When successful, an attack carried out against a digital certificate can have disastrous effects for any organization. Besides security aspects, expired certificates cause great losses in lost business.

Therefore, it is not enough to implement a policy for the use of digital certificates and cryptographic keys: it is also necessary to assertively develop storage and management processes.

Read on to learn more about digital certificate storage.

Digital certificate storage and trust-based attacks

As you know, digital certificates and cryptographic keys are essential for business. After all, they protect data, keep communications private, and establish trust between communicating parties.

In practice, digital certificates are used for several purposes. These include identity verification, file encryption, web authentication, email security, and software signature verification.

Despite their importance, many companies are vulnerable to breaches because they allow the management of certificates and cryptographic keys to be seen as an operational problem, rather than as a security vulnerability that needs to be fixed immediately.

In fact, there is much more a flaw in the policies and processes for storing digital certificates than a vulnerability caused by the absence of security updates or bugs that can compromise any kind of technological structure of an organization.

After all, hackers focus on cryptographic keys and certificates as attack vectors. With bad intentions, they steal them to obtain a trusted status, and then use this to avoid detection and bypass security controls.

The attack happens precisely when the breach of trust occurs

Cybercriminals use trust-based attacks to infiltrate companies, steal valuable information, and manipulate domains. In other words, if private keys used to sign a digital certificate fall into the wrong hands, the system can be breached and the site taken down.

When these cryptographic keys are lost, significant time and energy is wasted accessing systems or renewing certificates.

To give you an idea, if the code signing certificates used to sign an iPhone or Android application, for example, are compromised, an unauthorized developer could launch malware with the help of the breached corporate identity.

In order to reduce the risk of trust-based attacks, digital certificates and cryptographic keys need to be protected and stored securely. This prevents them from being lost or falling into the wrong hands.

Digital certificate storage options and best practices

Every time a digital certificate is issued, a key pair – private and public – is generated.

Without a doubt, the best practice is to keep the private key secure.

After all, if someone can use it, they can create phishing sites with your organization’s certificate in the address bar, authenticate on corporate networks pretending to be you, sign applications or documents in your name, and read your encrypted e-mails.

In many companies, digital certificates and cryptographic keys are the identities of their employees and therefore an extension of their organization’s identification. Protecting them is equivalent to protecting your fingerprints when using biometric credentials.

You certainly would not allow a hacker to get your fingerprint. So why let him have access to your digital certificate?

Advantages of using digital certificates and signatures

The storage of digital certificates

The most used modalities for storing digital certificates in Brazil are two: A3, in token or card, and A1, in file on the computer or other device.

A3 stored in token

This is a type of certificate that is stored in a cryptographic token, a device similar to a USB stick, which must be connected directly to a USB port on the user’s computer or server where the system will run. Furthermore, it is not possible to copy, otherwise the media will be blocked.

A3 stored on card

This type of certificate is stored on a smart card with a chip, just like the new bank cards. In short, it must be connected to a reader that needs to be plugged into a USB port on the user’s computer or server where the system will run. Likewise, it is not possible to copy, otherwise the cryptographic media will be blocked.

A1 stored in file on computer or other device

It is an electronic file stored in the user’s computer or server where the system will run. It usually has the extensions .PFX or .P12 and does not need tokens or cards to be transported from one side to the other.

A1 cloud storage

With it you can access your certificate and digitally sign documents through any device: desktops, smartphones and tablets. Finally, you also gain in security and eliminate the worry about physical damage, theft, and loss.

Don’t lose your digital certificates

In summary, the storage of digital certificates needs to be efficient and treated as a priority in the organization.

The choice of the best way to store will depend on the security policies and processes implemented in the company, and especially on who uses the certificates and what they are used for.

In this way, any regulations your company needs to comply with, costs and internal resources will be secured by storing the digital certificates.

About Eval

EVAL has been developing projects in the financial, health, education and industry segments for over 18 years. Since 2004, we have offered Authentication, Electronic and Digital Signature and Data Protection solutions. Currently, we are present in the main Brazilian banks, health institutions, schools and universities, and different industries.

With value recognized by the market, EVAL’s solutions and services meet the highest regulatory standards of public and private organizations, such as SBIS, ITI, PCI DSS, and LGPD. In practice, we promote information security and compliance, increase companies’ operational efficiency, and reduce costs.

Innovate now, lead always: get to know Eval’s solutions and services and take your company to the next level.

Eval, safety is value.

Categories
Data Protection

How does a lack of investment in security affect a company?

A lack of investment in cybersecurity and a data breach can have three major consequences: financial, reputational and legal.

In fact, cyber security is no longer just a matter of technology, but an essential aspect of business.

Gone are the days when companies could hand over data protection responsibilities to the IT department alone. After all, it has become strategic and affects all sectors.

The impact of lack of investment in security

Lack of investment in security results in substantial financial losses:

  • Theft of corporate information;
  • Theft of financial information (e.g. bank details or card details);
  • Theft of money;
  • Business interruptions (e.g. inability to carry out online transactions);
  • Loss of business or contracts;

Companies that suffer cyber breaches usually also have costs associated with repairing systems, networks and devices.

This is especially important as companies are becoming increasingly digital, which means they will be exposed to a greater number of threats if they don’t manage security risk properly and make the necessary investment.

Reputational damage is greater than financial damage

Many companies have not yet realized or measured the real impact of the loss of credibility. Trust is undoubtedly an essential element in customer relations.

After all, cyber attacks and data theft can damage your organization’s reputation and completely break down the trust that consumers have in you.

This, in turn, can lead to consequences such as:

  • Loss of customers;
  • Loss of sales;
  • Significant reduction in profits;
  • Bankruptcy.

The effect of reputational damage due to a lack of investment in security can impact even your suppliers, as well as the relationships you have with partners, investors and third parties involved in your business.

Understanding the importance of changing the mindset when it comes to investing in cybersecurity has become vital. In the midst of the digital transformation era, companies cannot risk suffering an attack or not knowing how to handle an incident.

Legal consequences of a lack of investment in security

We mustn’t forget that failing to invest in security also results in legal problems. After all, the General Data Protection Act (LGPD) requires your company to manage all the personal information it holds, whether it’s about your staff or your customers.

If this data is accidentally or deliberately compromised, and you fail to implement the appropriate security measures, you could face fines and regulatory sanctions that could make your business unviable.

Recent global breaches have impacted more than 200,000 computers in 150 countries and cost millions; nothing could make the importance of investing in cyber security clearer, as it impacts companies as a whole, not just IT departments.

 

The risk of attacks is real and affects every company

It’s not enough to read this post, agree that we need to invest in security and do nothing. Because you have to be aware that the risk is real and will affect your company’s operations cycle at some point.

A simple risk analysis is enough to see what can happen to your organization, employees and, above all, customers:

  • Physical loss of data. You can lose immediate access for reasons ranging from flooding to power outages. This can also happen for simpler reasons, such as a disk failure;
  • Unauthorized access to data. Remember that if you have confidential client information, you are often contractually responsible for protecting it as if it were your own;
  • Interception of information in transit. The risks include data transmitted between company sites or between the organization and its employees, partners and contractors, at home or elsewhere;
  • Your data could fall into the hands of other people. Do you share this information with third parties, including contractors, partners and other important data? What protects them while they are in your hands or those of your partners?
  • Data corruption, intentional or not. This can modify them to favor an external party or because of a software error.

Every company needs to have a security investment program

A lack of cyber security needs to be seen as a business risk and not just a technology problem. It is therefore necessary to follow guidelines that help the organization achieve adequate levels of protection.

So no matter what size your company is, it needs to have an investment plan to guarantee the security of its information assets.

This plan is responsible for all the policies and processes for creating a cyber security program, as well as making you think holistically about your organization’s data protection.

In short, a program provides the framework for keeping your company at an adequate level of security, assessing the risks you face, deciding what to prioritize and planning how to have up-to-date practices.

Investing in security means protecting its confidentiality, integrity and availability

Having a security investment program means that you have taken steps to reduce the risk of losing data in various ways and have defined a lifecycle for managing the information and technology in your organization.

Fortunately, cybersecurity technologies are available to companies of different sizes and segments, so they adapt to their business realities and help them meet the challenges of data protection.

How to minimize the impact of cyber attacks on companies

As we have seen, security breaches can devastate even the most resilient companies.

It is extremely important to manage the risks according to the nature of the business before and after an attack takes place, make the necessary investments and create an effective cyber incident protection and response plan. Since it can help your company:

  • Prevent and reduce the impact of cyber attacks;
  • Report incidents to the responsible authorities;
  • Recover the affected systems;
  • Getting your business up and running in the shortest possible time.

In this way, we can see that making an investment in security means training, educating and raising awareness among your organization’s users on an ongoing basis and, of course, acquiring technologies and services, always seeking to guarantee the protection of customer data and business continuity, enabling the company’s continued growth.

Do you have any questions about this? Our experts will be happy to answer your questions and contribute to your information security projects.

About Eval

EVAL has been developing projects in the financial, health, education and industry segments for over 18 years. Since 2004, we have offered Authentication, Electronic and Digital Signature and Data Protection solutions. Currently, we are present in the main Brazilian banks, health institutions, schools and universities, and different industries.

With value recognized by the market, EVAL’s solutions and services meet the highest regulatory standards of public and private organizations, such as SBIS, ITI, PCI DSS, and LGPD. In practice, we promote information security and compliance, increase companies’ operational efficiency, and reduce costs.

Innovate now, lead always: get to know Eval’s solutions and services and take your company to the next level.

Eval, safety is value.

Categories
Data Protection

Cryptography and Key Management – Important Concepts

The use of encryption and key management, as well as cryptographic services are vital for protecting data at rest or media, a reality for companies and users of services such as cloud storage, messaging and many others.

However, those responsible for these services are presented with many options for cryptographic mechanisms and consequently there are many choices to be made.

Inappropriate choices can result in little or no gain, creating a false sense of security. Cryptography, key management and cryptographic services - Life cycle

For example: encrypt a database and keep the cryptographic key in a file on the server.

In this article we intend to address some aspects relevant to information security that are related to cryptographic keys. With this we will show the importance of their correct management for the programming of cryptographic services.

To facilitate understanding, we will divide the article into three parts. Starting with the basics of cryptography, key management and cryptographic services.

Basic concepts of data encryption

Cryptography is a set of principles used to guarantee the security of information.

To do this, it uses techniques to transform one piece of information (cipher) into another (cryptogram) that is readable only by those who know the secret (secret key).

By keeping this secret safe, we prevent unauthorized persons from gaining access to the original information (decrypt).

Secrecy

The security of cryptographic services is based on the secrecy of the cryptographic key, which allows encryption and decryption, and not on the method of transforming the information, i.e. the algorithm used, which must be public.

Symmetric and asymmetric keys

In cryptography and key management there are two basic types of algorithms: symmetric and asymmetric. The former use a single key to encrypt and decrypt the data, while the latter adopt a pair of keys, one for encryption and the other for decryption.

The diagram below shows the use of a symmetric key to encrypt a message. We can see that the key used by John is the same one adopted by Alice.

Cryptography, key management and cryptographic services - Symmetric and asymmetric keys.
Figure 2 – Symmetric key algorithm

The next diagram shows the use of an asymmetric key. The key used by Alice to encrypt is the public key of John, who uses his private key to decrypt.

Cryptography, key management and cryptographic services - Asymmetric key algorithm
Figure 3 – Asymmetric key algorithm

An interesting point about this type of algorithm is that after encrypting with the public key, only the private key can decrypt.

Examples of uses for these algorithms include a database that uses the AES algorithm (symmetric key) to encrypt certain information in the database and the digital signing of documents using the RSA algorithm (asymmetric key).

We would also like to point out that the secret in these two types of algorithms lies in protecting the symmetric key and the private key (in the case of asymmetric keys).

Finally, another aspect is that these algorithms are complementary and serve as the basis for programming cryptographic services.

Cryptographic summary and digital signature

In relation to cryptography and key management, a cryptographic digest is a value that represents information. It is generated using an algorithm, such as SHA256, to analyze the data bit-by-bit and creates a value that cannot be falsified in practice.

Cryptography, key management and cryptographic services - Cryptographic summary
Figure 4 – Cryptographic summary

However, the cryptographic digest cannot be used on its own, because although it cannot be falsified, it can be replaced.

So, to be used in practice, the cryptographic summary is encrypted with the private key (asymmetric), generating a digital signature.

This way, everyone who has the public key can generate the cryptographic summary and compare it with the one in the digital signature.

You can then check whether the data is valid. Fundamental actions in cryptography and key management.

Cryptography, key management and cryptographic services - Digital signature
Figure 5 – Digital signature

Let’s take SHA256 with RSA for example. It uses the SHA256 summarization algorithm and the RSA encryption algorithm to generate the digital signature. However, this is still not enough, as we have no way of identifying who a given public key belongs to.

This requires a new element: the digital certificate.

A digital certificate basically consists of textual information that identifies an entity (person, company or server), a public key and a purpose of use. It has a digital signature.

It is important to note that the digital certificate must be signed by a trusted third party (digital certification authority).

Thus, we introduced the concept of a relationship of trust. According to him, if we trust entity A and it trusts entity B, then we also trust B.

Cryptography and key management and cryptographic services - Trust relationship
Figure 6 – Relationship of trust

This concludes the basic concepts of cryptography. In the next part, we’ll talk about the cryptographic services that can be created from them.

Cryptographic services

As part of the cryptography and key management lifecycle, basic cryptographic mechanisms such as symmetric encryption and cryptographic digest are used to support confidentiality, integrity, authorization and irretrievability or non-repudiation services.

Thus, one cryptographic mechanism can be used to support several services. It is also important that cryptographic services should be used together to guarantee security.

Below we will briefly describe the basic cryptographic services:

Confidentiality

This service provides data confidentiality through encryption and key management. It also ensures that the information cannot be viewed by third parties and that only authorized persons have access to it. Fundamental to cryptography and key management.

Examples include encrypting files, file systems and databases with symmetric keys. We also have information encrypted with the certificate’s public key, so only those who have the corresponding private key can open the information.

Integrity

The integrity service must ensure that a given piece of information is not modified in an unauthorized way after it has been created, during transmission or storage.

Whether the change is accidental or intentional, the insertion, removal or replacement of data must be detected. Cryptographic mechanisms such as cryptographic digest, also known as hash, and digital signature provide the support for this service.

Authentication

The authentication service verifies the identity of a user or system requesting authorization to access information.

The digital signature is a cryptographic mechanism generally used to support this service, as the identification of the user has already been validated before the digital certificate is issued, either by a trusted ICP-Brasil Certificate Authority or another that the organization trusts, such as an Internal Certificate Authority.

At ICP-Brasil Certifying Authorities, it is in the process of issuing the digital certificate that the person needs to attend a face-to-face validation, with original documents proving the applicant’s identity.

 
Irretractability

The non-retractability service provides the means to guarantee that whoever created the information cannot deny its authenticity.

In this sense, it is linked to the digital signature, in which the owner of the private key cannot deny that he has held it for a particular purpose.

This concludes the description of cryptographic services. In the next section, we will present the main factors to be considered in key management – cryptography and key management.

Authorization

Additionally, after authentication, it is possible to use the information of the authenticated user in the system to define the authorization of the information. The authorization service provides approval or permission for the execution of an activity.

As an example, the authorization service can be employed to define the permissions to use a cryptographic key that would consequently allow access to a certain piece of information.

Cryptographic key management

Cryptographic keys are the foundation of cryptography and key management, and the security of encrypted data lies in them. Breaches can lead to compromised keys and, consequently, the leakage of sensitive information.

The increased use of encryption for data protection, mainly due to government regulations, means that companies have to deal with multiple encryption solutions.

Because of the diversity of vendors, organizations also need to define various procedures for managing cryptographic keys, and these are not always adequate.

Cryptographic key management consists of storing, protecting, organizing and ensuring the proper use of cryptographic keys, managing their lifecycle and maintaining backup copies in a secure and consistent manner.

When managing keys, we must take a few points into account, which we will describe below:

Secure storage of keys

The keys should be stored securely, i.e. encrypted and with access control.

Encryption should preferably be carried out using keys (KEK) protected on cryptographic hardware.

Identification of keys

It must be possible to identify a key, its type, its purpose, who is authorized to use it and the period of use.

User authentication and authorization

The use of cryptographic keys should only be allowed after the user has been identified.

Therefore, for proper key management, the system must provide authentication and authorization mechanisms or allow integration with existing systems, such as Microsoft’s Active Directory.

Life cycle of cryptographic keys

The lifecycle of cryptographic keys must be controlled so that they are used properly during their validity period – in other words, only authorized people or systems can use them during a predefined time and with secure mechanisms so that they are not compromised.

We will describe the life cycle of the keys, according to NIST recommendation.

The life cycle of a key starts with generation and ends with destruction, passing through one or more of the states described below:

  • Generation: when the key is created and not yet ready for use;
  • Pre-activation: the key has been generated, but is not yet ready for use because it is waiting for the period of use or the issue of a certificate;
  • Activated: the key is available for use;
  • Suspended: use of the key is temporarily suspended. In this state, it can no longer perform ciphering or signing operations, but can be used for data recovery or verification of signatures previously performed.
  • Inactivated: the key can no longer be used for encryption or digital signature, but is kept for processing encrypted or signed data prior to inactivation.
  • Compromised: indicates that the key has had its security affected and can no longer be used in cryptographic operations (encryption and key management). In some cases, as in symmetric keys, it can be used to recover the encrypted data for later encryption with another key.
  • Destroyed: this status indicates that a key is no longer needed. The destruction of the key is the final stage and can be achieved due to the end of the key’s usage cycle or the compromise of its security.

Backing up cryptographic keys

The main function of backups is to guarantee the recovery of keys and, consequently, encrypted data in the event of loss or failure.

Just like keys, which must be stored securely during use, backup copies also need to be protected.

They can be stored in encrypted files or cryptographic hardware suitable for this purpose, which should be kept in secure locations.

About Eval

EVAL has been developing projects in the financial, health, education and industry segments for over 18 years. Since 2004, we have offered Authentication, Electronic and Digital Signature and Data Protection solutions. Currently, we are present in the main Brazilian banks, health institutions, schools and universities, and different industries.

With value recognized by the market, EVAL’s solutions and services meet the highest regulatory standards of public and private organizations, such as SBIS, ITI, PCI DSS, and the General Data Protection Law (LGPD). In practice, we promote information security and compliance, increase companies’ operational efficiency, and reduce costs.

Innovate now, lead always: get to know Eval’s solutions and services and take your company to the next level. Eval, safety is value.

Where We Are

Rua Paulistânia, nº 381, 2º andar,
Sumarezinho
São Paulo - SP,
ZIP CODE: 05440-000

Contact

(11) 3670 - 3825
(11) 3865 - 1124
[email protected]

Facebook Instagram Linkedin
logo-tales-azul
keyfactor-logo
logo-valid-certificadora-digital
google-safe-browsing
Privacy Policy

Copyright © 2023, EVAL TECNOLOGIA EM INFORMÁTICA. All rights reserved - CNPJ 05.278.889/0001-97