
Cipher Suites and their importance in data security

In today’s digital landscape, data security has transcended necessity to become an obligation.

Every day, millions of transactions take place online, each of which requires a high level of cybersecurity in companies to protect valuable information.

In this context, Cipher Suites have emerged as crucial elements in building a secure digital environment. They form the backbone of many data security operations on the Internet, ensuring that information moves safely and efficiently.

This article seeks to explore the complexity of Cipher Suites, unraveling their nature, functioning and the importance they have in online data security.

What are Cipher Suites?

A Cipher Suite is the set of algorithms used together to establish a secure connection. It includes:

  • A session key algorithm and its key size: the symmetric encryption algorithm used to encrypt the data transmitted in the session, such as 128-bit AES.
  • A public key algorithm and its key size: the asymmetric encryption algorithm used to encrypt the session key, such as 2048-bit RSA.
  • A hash algorithm: used to guarantee data integrity, ensuring that data is not altered in the exchange of information. An example of a hash algorithm used is SHA.
  • A key exchange algorithm: the method by which the session key is exchanged. The most common examples are RSA or Diffie-Hellman.

As a result, we have a constant that indicates which algorithms were used in a given session, such as “TLS_RSA_WITH_AES_256_CBC_SHA”, which uses the TLS protocol, RSA as the asymmetric algorithm (for key exchange and authentication), 256-bit AES in CBC mode as the session cipher and SHA (i.e. SHA-1) to guarantee data integrity.

Another example is “TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384”, which uses ECDHE for the key exchange, ECDSA for authentication, AES with 256 bits in GCM mode for encryption and SHA384 for the hash function.
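The two names above can be read mechanically. The following Python is an added example (not code from the original article or from Eval): it splits an IANA-style suite name into the four components described above, handles TLS 1.3 names (which carry no key-exchange or authentication part), and attaches the defender-side warnings an administrator would want when auditing a list, such as a static key exchange that gives no forward secrecy. The lookup tables and the warning texts are constructed for this example and are not an exhaustive registry.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed lookup tables for IANA-style suite names; they cover the common
# TLS 1.2 and TLS 1.3 names and are not an exhaustive registry.
EPHEMERAL_KX = {"DHE", "ECDHE", "DHE_PSK", "ECDHE_PSK"}
LEGACY_CIPHERS = {"RC4", "3DES", "DES", "NULL", "IDEA", "RC2"}
AEAD_MODES = {"GCM", "CCM", "CCM_8", "POLY1305"}


@dataclass
class CipherSuite:
    name: str
    protocol: str                    # "TLS" or "SSL"
    key_exchange: Optional[str]      # None for TLS 1.3 names
    authentication: Optional[str]    # None for TLS 1.3 names
    cipher: str                      # session (symmetric) cipher
    key_bits: Optional[int]
    mode: Optional[str]              # CBC, GCM, POLY1305, ...
    mac: str                         # SHA, SHA256, SHA384, MD5, ...
    warnings: List[str] = field(default_factory=list)

    @property
    def is_aead(self) -> bool:
        return self.mode in AEAD_MODES


def parse_cipher_suite(name: str) -> CipherSuite:
    parts = name.split("_")
    protocol = parts[0]
    if "WITH" in parts:
        # TLS 1.2 style: <protocol>_<kx>[_<auth>]_WITH_<cipher>...
        idx = parts.index("WITH")
        kx_auth, body = parts[1:idx], parts[idx + 1:]
        if len(kx_auth) == 1:
            # e.g. TLS_RSA_WITH_...: RSA does both key exchange and authentication
            key_exchange = authentication = kx_auth[0]
        else:
            # e.g. ECDHE_ECDSA, DHE_RSA, ECDHE_PSK
            key_exchange = "_".join(kx_auth[:-1])
            authentication = kx_auth[-1]
    else:
        # TLS 1.3 style: TLS_AES_256_GCM_SHA384; key exchange and signature
        # algorithms are negotiated by separate extensions, not by the name
        key_exchange = authentication = None
        body = parts[1:]

    mac = body[-1]
    cipher, rest = body[0], body[1:-1]
    key_bits, mode_tokens = None, []
    for tok in rest:
        if tok.isdigit() and key_bits is None:
            key_bits = int(tok)      # first number = key size
        else:
            mode_tokens.append(tok)  # e.g. ["CBC"], ["GCM"], ["CCM", "8"]
    mode = "_".join(mode_tokens) or None

    suite = CipherSuite(name, protocol, key_exchange, authentication,
                        cipher, key_bits, mode, mac)
    w = suite.warnings
    if key_exchange is not None and key_exchange not in EPHEMERAL_KX:
        w.append("static key exchange: no forward secrecy")
    if authentication == "anon":
        w.append("anonymous suite: no server authentication")
    if cipher in LEGACY_CIPHERS:
        w.append(f"legacy cipher {cipher}")
    if key_bits is not None and key_bits < 128:
        w.append(f"{key_bits}-bit key is too short")
    if mode is not None and not suite.is_aead:
        w.append(f"non-AEAD mode {mode}: prefer GCM, CCM or POLY1305")
    if mac in {"MD5", "SHA"}:
        w.append(f"legacy MAC {mac}" + (" (HMAC-SHA-1)" if mac == "SHA" else ""))
    return suite


if __name__ == "__main__":
    for n in ("TLS_RSA_WITH_AES_256_CBC_SHA",
              "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
              "TLS_AES_128_GCM_SHA256"):
        print(n, vars(parse_cipher_suite(n)))
```

Run on the article's first example, the parser reports three warnings (static RSA key exchange, CBC rather than an AEAD mode, SHA-1 MAC); on the second it reports none, which matches the article's point that the ECDHE/ECDSA/GCM suite is the modern choice.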

Now that we understand that, let’s examine how Cipher Suites work in conjunction with HTTPS/TLS.


How does the technology work?

Cipher Suites are the driving force behind the security of an HTTPS connection, although their operation may seem a little complex. At the heart of this operation is the SSL/TLS handshake process.

Let’s dive a little deeper into the concept to understand how Cipher Suites work.

  1. When a connection is initiated between a client (e.g. a browser) and a server, an SSL/TLS handshake process is triggered. This process is a series of steps that are carried out to establish a secure connection between the client and the server. This is where the Cipher Suites come into play.
  2. During this handshake, the client and server exchange a list of the Cipher Suites they support. These lists are compared to find a Cipher Suite that they both support. The server then has the responsibility of choosing the most secure and efficient Cipher Suite that both support to be used during the session.
  3. Once the Cipher Suite has been chosen, the client and server begin the key exchange process, which is governed by the key exchange algorithm present in the chosen Cipher Suite. Here, it is important to note that a session key is created and it is this key that will be used to encrypt and decrypt the data transmitted during the session. In addition, the encryption algorithm that will be used to encrypt the data transmitted between the client and the server is defined, as well as the hash or MAC function that will be used to guarantee the integrity of the data.

At the end of the handshake, the connection is established and data can be exchanged securely between the client and server using the algorithms defined by the chosen Cipher Suite.

This ensures that communications are protected from interception or modification by malicious third parties.
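Step 2 of the handshake, the selection of a common suite, is small enough to simulate. The Python below is an added example, not code from the article or from any TLS library: it models a server choosing from a client's offered list, shows the failure mode when the two lists do not overlap (a real server then aborts with a handshake_failure alert), and shows why administrators usually make the server's preference order win rather than the client's. The client and server lists are constructed for this example.

```python
# Suites as IANA names, in preference order. Constructed lists for this example.
SERVER_PREFERENCE = [
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
]
# A server that keeps one legacy suite at the end for old clients.
LENIENT_SERVER = SERVER_PREFERENCE + ["TLS_RSA_WITH_AES_256_CBC_SHA"]

MODERN_CLIENT = [
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
]
LEGACY_CLIENT = [
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
]
# A client that lists a weak suite first but also supports a modern one.
MIXED_CLIENT = [
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
]


def negotiate(client_offered, server_preference, honour_server_order=True):
    """Return the suite the server selects from the client's offer.

    With honour_server_order the server walks its own list and takes the
    first suite the client also offers; otherwise the client's order decides.
    Returns None when nothing overlaps, which in a real handshake ends the
    connection with a handshake_failure alert.
    """
    if honour_server_order:
        candidates, acceptable = server_preference, set(client_offered)
    else:
        candidates, acceptable = client_offered, set(server_preference)
    for suite in candidates:
        if suite in acceptable:
            return suite
    return None


if __name__ == "__main__":
    print("modern client, server order:", negotiate(MODERN_CLIENT, SERVER_PREFERENCE))
    print("modern client, client order:", negotiate(MODERN_CLIENT, SERVER_PREFERENCE, False))
    print("legacy client, strict server:", negotiate(LEGACY_CLIENT, SERVER_PREFERENCE))
    print("mixed client, lenient server, server order:", negotiate(MIXED_CLIENT, LENIENT_SERVER))
    print("mixed client, lenient server, client order:", negotiate(MIXED_CLIENT, LENIENT_SERVER, False))
```

The last two lines illustrate the point made later in the article about choosing suites carefully: the same lenient server reaches an AEAD ECDHE suite when its own order wins, but is pulled down to the static-RSA CBC suite as soon as it defers to the client's ordering.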

There are also some protocol variations, such as SSL, TLS 1.2 and TLS 1.3. For educational purposes, below is a summary of the step-by-step TLS 1.2 and TLS 1.3 protocols:

[Image: step-by-step TLS 1.2 and TLS 1.3 handshakes (“Understanding Cipher Suites and their importance in data security - Protocols”)]

Why are Cipher Suites important?

Cipher Suites play a crucial role in setting up a secure HTTPS connection, as they encapsulate a variety of cryptographic functions, each playing a specific role in the security and integrity of the connection.

During the SSL handshake, the client and the web server use four main elements, each represented by a specific algorithm within the Cipher Suite:

  • Key Exchange Algorithm:

This algorithm determines how the symmetric keys will be exchanged between the client and the server.

The symmetric keys are used to encrypt and decrypt the data transmitted during the session.

Asymmetric encryption algorithms used for key exchange include:


    • RSA:
      Traditional and very well known, RSA is used in key exchange, in short, the recipient’s public key is used to encrypt a session key, which is a symmetric algorithm key, such as AES.

    • Diffie-Hellman (DH):
      It is one of the best-known algorithms still used today for key exchange.

    • Diffie-Hellman Ephemeral (DHE):
      This is a variation of DH, in which a new key is used for each new session.

    • Elliptic Curve Diffie-Hellman (ECDH):
      It is very similar to DH, but instead of modular arithmetic over prime numbers, it makes use of elliptic curves.

    • Elliptic Curve Diffie-Hellman Ephemeral (ECDHE):
      This is a variation of ECDH and DHE, in which a new key, using elliptic curves in this case, is used with each new session.
  • Authentication Algorithm or Digital Signature:

This algorithm dictates how server authentication and client authentication (if required) will be implemented.

Authentication or Digital Signature allows the client and server to confirm each other’s identity, guaranteeing that they are communicating with the correct entity.

Authentication algorithms include RSA, ECDSA, and DSA.

  • Symmetric encryption algorithms used for session keys:

This algorithm is used to encrypt the data that is transmitted between the client and the server during the session.

Symmetric encryption helps to guarantee the confidentiality of data at a low computational cost compared to asymmetric encryption algorithms, making the data unintelligible to anyone who might intercept the communication.

Symmetric encryption algorithms include AES, CHACHA20, Camellia, and ARIA.

  • Hash/MAC function:

This function determines how data integrity checks will be carried out. Data integrity is important to ensure that the data has not been altered during transmission.

Hash/MAC functions, such as SHA-256 and POLY1305, are used to create a unique checksum value for the data, which can be used to check whether the data has been altered.
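The ephemeral key exchange (DHE/ECDHE) and the hash/MAC function described above can be seen working together in a small simulation. The Python below is an added example, not code from the article or from any TLS implementation: each side generates a fresh Diffie-Hellman value, both derive the same session keys from the shared secret with an HKDF-style extract-then-expand step (a simplified, hypothetical derivation), and an HMAC tag protects a record's integrity. The group (p = 2**521 - 1, a Mersenne prime, generator 3) is chosen only so the arithmetic is real; it is not one of the standardised TLS groups and is not for production use.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group. p = 2**521 - 1 is a Mersenne prime, so the modular
# arithmetic below is genuine, but this is NOT one of the standardised TLS
# groups (RFC 7919 ffdhe2048 and friends) and must not be used in production.
P = 2**521 - 1
G = 3


def dh_keypair():
    """Fresh (ephemeral) private exponent and the public value sent on the wire."""
    private = secrets.randbelow(P - 2) + 1
    return private, pow(G, private, P)


def dh_shared_secret(private, peer_public):
    return pow(peer_public, private, P)


def derive_keys(shared_secret, transcript=b"constructed-handshake-transcript"):
    """HKDF-style extract-then-expand (hypothetical simplified derivation):
    turns the raw DH result into separate encryption and MAC keys."""
    ikm = shared_secret.to_bytes((P.bit_length() + 7) // 8, "big")
    prk = hmac.new(transcript, ikm, hashlib.sha256).digest()       # extract
    enc_key = hmac.new(prk, b"enc\x01", hashlib.sha256).digest()   # expand
    mac_key = hmac.new(prk, b"mac\x01", hashlib.sha256).digest()
    return enc_key, mac_key


def make_tag(mac_key, record):
    """Integrity tag over a record (HMAC-SHA256)."""
    return hmac.new(mac_key, record, hashlib.sha256).digest()


def verify_tag(mac_key, record, tag):
    """Constant-time check that the record was not altered in transit."""
    return hmac.compare_digest(make_tag(mac_key, record), tag)


def run_handshake():
    """One DHE exchange: each side keeps its private value and learns only the
    other side's public value; both end up with the same session keys."""
    client_priv, client_pub = dh_keypair()
    server_priv, server_pub = dh_keypair()
    # client_pub and server_pub are all an observer on the wire sees
    client_keys = derive_keys(dh_shared_secret(client_priv, server_pub))
    server_keys = derive_keys(dh_shared_secret(server_priv, client_pub))
    # the private values are discarded after this point: a later compromise of
    # long-term keys does not reveal this session's secret (forward secrecy)
    return client_keys, server_keys


if __name__ == "__main__":
    (c_enc, c_mac), (s_enc, s_mac) = run_handshake()
    print("keys match:", (c_enc, c_mac) == (s_enc, s_mac))
    record = b"GET / HTTP/1.1"          # constructed sample record
    tag = make_tag(c_mac, record)
    print("intact record verifies:", verify_tag(s_mac, record, tag))
    print("tampered record verifies:", verify_tag(s_mac, record + b"x", tag))
```

Running the handshake twice yields two unrelated key sets, which is exactly the "new key for each session" property the DHE and ECDHE entries describe.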

These cryptographic functions are needed at various points in the connection to perform authentication, key generation and exchange, and a checksum to guarantee integrity.

To determine which specific algorithms to use, the client and the web server start by mutually deciding on the Cipher Suite to be used.

In practice, Cipher Suites are necessary due to the variety of servers, operating systems and browsers.

There is a need to accommodate all these combinations, which is why Cipher Suites are useful for ensuring compatibility.

The importance of Cipher Suites in data security

In practice, Cipher Suites play a vital role in data security in an increasingly digital world.

As we’ve seen throughout the article, they are the backbone of secure connections on the Internet, allowing information to be transmitted securely between clients and servers.

Cipher Suites provide a set of algorithms that guarantee authentication, privacy and data integrity during communication.

They help prevent a wide range of attacks, from the interception of communications to the manipulation of transmitted data.

Given everything we’ve learned so far, there is an interesting website that diagnoses which Cipher Suites your computer accepts.

To find out more, go to https://clienttest.ssllabs.com:8443/ssltest/viewMyClient.html. It should return something like:

[Image: SSL Labs client test output listing protocols, cipher suites and additional capabilities (“Understanding Cipher Suites and their importance in data security - Capabilities”)]

As we can see, it lists the protocols, the algorithms and some additional information. However, choosing the right Cipher Suites for a server is a crucial task for administrators.

Understanding technology is the first step to ensuring Data Security

An inappropriate choice can result in insecure connections, or even incompatibility with some clients.

Therefore, keeping up to date with the best practices for selecting Cipher Suites is an essential part of data security management.

And how do you do that? How do you choose the algorithms, remembering that they have to be accepted by both sides, the client and the server?

One way to increase your computer’s security is to eliminate some algorithms that are already known to be weak. To do this, we recommend reading Microsoft’s article in which they teach you the commands you can use via PowerShell to limit the use of weak algorithms.

Click here to see how to disable algorithms in Windows.

You can also check out the algorithms that are already accepted by default in Windows. Click here to see more on Windows 11.
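The same idea, restricting a client to a list without known-weak algorithms, can be applied in code as well as through Windows policy. The Python below is an added example, not from the article or from Microsoft: it builds an ssl.SSLContext that refuses anything below TLS 1.2 and offers only ephemeral (EC)DHE suites with AEAD ciphers, lists what the context would actually send in its ClientHello, and runs a simple audit over those names. The policy string is constructed for this example in OpenSSL cipher-list syntax; the exact suites listed depend on the OpenSSL build behind your Python.

```python
import ssl

# Cipher policy in OpenSSL cipher-list syntax (constructed for this example):
# keep only ephemeral (EC)DHE key exchange with AEAD ciphers and explicitly
# drop anonymous, MD5, RC4 and 3DES suites. Static-RSA suites are excluded
# simply by not being listed. TLS 1.3 suites are handled separately by
# OpenSSL and are not affected by set_ciphers().
HARDENED_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!MD5:!RC4:!3DES"

FORWARD_SECRET_PREFIXES = ("ECDHE-", "DHE-", "TLS_")   # TLS_ = TLS 1.3 names
LEGACY_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXP", "ADH", "AECDH")


def hardened_client_context():
    """Client context that refuses TLS < 1.2 and offers only the policy above.
    Certificate verification stays on (create_default_context's default)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(HARDENED_CIPHERS)
    return ctx


def offered_suites(ctx):
    """OpenSSL-style names of the suites this context would offer."""
    return [c["name"] for c in ctx.get_ciphers()]


def weak_suites(names):
    """Suites an audit should flag: legacy algorithms, or no forward secrecy
    (anything that is not (EC)DHE or a TLS 1.3 suite)."""
    flagged = []
    for name in names:
        legacy = any(marker in name for marker in LEGACY_MARKERS)
        if legacy or not name.startswith(FORWARD_SECRET_PREFIXES):
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    default_names = offered_suites(ssl.create_default_context())
    hardened_names = offered_suites(hardened_client_context())
    print(f"default context offers {len(default_names)} suites, "
          f"{len(weak_suites(default_names))} flagged")
    print(f"hardened context offers {len(hardened_names)} suites, "
          f"{len(weak_suites(hardened_names))} flagged")
    for name in hardened_names:
        print("  ", name)
```

The audit function is deliberately string-based so it can also be run over a list copied from the SSL Labs client test or from Get-TlsCipherSuite output, after translating the names to the same convention.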

With the advance of technology and the constant evolution of security threats, it is crucial to understand the importance of Cipher Suites and how they work.

This knowledge will allow us to make more informed decisions to protect our data and keep our online communications secure.

In short, Cipher Suites are more than just a set of algorithms, they are the front line in the ongoing battle for data security on the internet.

About Eval

With a track record of leadership and innovation dating back to 2004, Eval not only keeps up with technological trends, but we are also in an incessant quest to bring news by offering solutions and services that make a difference to people’s lives.

With market recognized value, Eval’s solutions and services meet the highest regulatory standards for public and private organizations, such as SBIS, ITI, PCI DSS, and LGPD. In practice, we promote information security and compliance, increase companies’ operational efficiency, and reduce costs.

Innovate now, lead always: get to know Eval’s solutions and services and take your company to the next level.

Eval, safety is value.

Written by Arnaldo Miranda, Evaldo. Ai, reviewed by Marcelo Tiziano and designed by Caio.


Fighting cyber attacks: the importance of prevention

Throughout 2021, individuals, businesses and governments have all been concerned about combating cyber attacks.

Keeping our data safe in a world where everything is on the Internet, from travel diaries to credit card information, data protection has become one of the most pressing challenges of cybersecurity.

Ransomware, phishing attacks, malware attacks, and other cybersecurity threats are some examples. No wonder that one of the fastest growing areas in IT is combating cyber attacks.

The need for data protection is increasingly recognized by organizations.

Companies, in particular, are paying more attention, as data breaches cause great damage every year and expose large amounts of personal information.

The fight against cyber attacks is increasing as society is increasingly connected

Although many of the attacks that occurred in 2021 were driven by the increased use of the Internet during the coronavirus pandemic and lockdowns, the threat to businesses remains significant.

With the cost of combating global cyberattacks estimated to reach $10.5 trillion by 2025, according to Cybersecurity Ventures, a specialist cybercrime magazine, the threats posed by cybercriminals will only increase as organizations become more reliant on the internet and technology.

Ransomware cases increased in 2021 by about 62% from 2019, and it is considered the top threat this year. In fact, cyber threats are becoming more sophisticated during these times and are much more difficult to detect.

By their nature, these attacks are far more dangerous than simple theft. So let’s dig a little deeper into this discussion by showing the top cyber attack cases that occurred in 2021.

The Colonial Pipeline

If we are going to talk about cyber attacks occurring in 2021, then Colonial Pipeline should be on the list.

Considered the largest fuel pipeline in the United States, it experienced a cyber attack in May 2021, disrupting fuel distribution in 12 states for a few days. The company had to pay $4.5 million as ransom to resolve the situation.

Florida’s supply system

A cybercriminal tried to poison the water supply in Florida and managed to increase the amount of sodium hydroxide to a potentially dangerous level.

The cyber attacks occurred by hacking into the IT systems of the Oldsmar city water treatment plant, briefly increasing the amount of sodium hydroxide from 100 parts per million to 11,100 parts per million. This scenario is an example of how an invasion of critical infrastructure at any level puts residents’ lives at risk.

Microsoft Exchange

A massive cyber attack has affected millions of Microsoft customers worldwide, in which cybercriminals actively exploited four zero-day vulnerabilities in Microsoft’s Exchange Server solution.

At least nine government agencies, as well as more than 60,000 private companies in the United States alone, are believed to have been affected by the attack.

Aircraft Manufacturer Bombardier

A popular Canadian aircraft manufacturer, Bombardier, suffered a data breach in February 2021. The breach resulted in the compromise of confidential data of suppliers, customers, and about 130 employees located in Costa Rica.

The investigation revealed that an unauthorized party gained access to the data by exploiting a vulnerability in a third-party file transfer application.

Acer Computers

World-renowned computer giant Acer suffered a ransomware attack, being asked to pay a ransom of $50 million, which made the record for the largest ransom known to date.

A cybercriminal group called REvil is believed to be responsible for the attack. The digital criminals also announced the breach on their website and leaked some images of the stolen data.

In Brazil it was no different in terms of the intensity of attacks and cybercrime

According to a survey conducted by digital security company Avast, cybercriminals continued to take advantage of the Covid-19 pandemic, exploiting the habits people formed during the lockdown period to spread scams.

Following the global trend, ransomware attacks, cryptocurrency malware, and other scams were prevalent in Brazil.

For mobile devices, adware and fleeceware are among the top threats. According to Avast, the growth of ransomware attacks in Brazil was stronger than the global average.

Combating cyber attacks is already a major concern for most Brazilian companies today, and 2021 alone saw many such attacks, such as the one at Lojas Renner, which completely paralyzed its systems.

There was also the case of the Fleury group, which was unable to perform tests for several days, and of JBS, which was forced to pay US$ 11 million in ransom after the attack on its operation in the United States. All these situations brought the issue even more to the fore in Brazil.

Government agencies and state-linked companies in Brazil have also been targeted by cybercriminals. Social Security, the Ministry of Labor, the Federal Public Ministry and Petrobras, among other organizations, have also suffered attacks.

In 2021, the LGPD also offered companies an opportunity to rethink how they fight cybercrime.

The General Data Protection Law (LGPD) went into effect in September 2020. The overall goal of the new legislation is to establish a regulatory framework for the protection of personal data, making it easier for all Brazilian citizens to understand how their data is used and, if necessary, to file a complaint about its processing.

The goal of the LGPD can be summarized in three key points:

  • Strengthening the rights of individuals;
  • Train the actors involved in data processing;
  • Increase the credibility of regulation through cooperation between data protection authorities.

If there is one thing that the LGPD achieved during the year 2021, it was to raise awareness about data protection and privacy issues. In practice, companies cannot sweep incidents under the rug because of the risk of revenue-based fines.

The data protection law has also given companies more visibility into the data they are collecting. The basic principle of the LGPD is that companies know what data they have and ensure that they are processing it correctly and securely.

LGPD compliant companies now have the basic elements they need to build a good information security program because if you don’t know what you have, you don’t know what to protect.

The Data Protection and Privacy Act has also changed the financial equation for organizations when it comes to privacy risk. This has encouraged companies to think holistically about risks and invest in improving privacy controls and governance.

Invest in 2022 and beyond. CipherTrust solution enables the fight against digital crime

According to IDC, more than 175 zettabytes of data will be created by 2025, and today more than half of all corporate data is stored in the cloud.

To handle the complexity of where data is stored, CipherTrust Data Security Platform provides strong capabilities to protect and control access to sensitive data in databases, files, and containers. Specific technologies include:

CipherTrust Transparent Encryption

Encrypt data in on-premises, cloud, database, file, and Big Data environments with comprehensive access controls and detailed data access audit logging that can prevent the most malicious attacks.

CipherTrust Database Protection

It provides transparent column-level encryption of structured, confidential data that resides in databases, such as credit card numbers, social security numbers, national identification numbers, passwords, and e-mail addresses.

CipherTrust Application Data Protection

It offers APIs for developers to quickly add encryption and other cryptographic functions to their applications, while SecOps controls the encryption keys.

CipherTrust Tokenization

It offers application-level data tokenization services in two convenient solutions that give customers flexibility – vaultless tokenization with dynamic policy-based data masking, and vaulted tokenization.

CipherTrust Batch Data Transformation

CipherTrust’s solution designs data protection products and solutions against cyber attacks to meet a range of security and privacy requirements, including electronic identification, authentication, and trust.

CipherTrust Manager

It centralizes keys, management policies, and data access for all CipherTrust Data Security Platform products and is available in FIPS 140-2 Level 3 compliant physical and virtual formats.

CipherTrust Cloud Key Manager

It offers bring-your-own-key (BYOK) lifecycle management for many cloud infrastructure, platform, and software-as-a-service providers.

CipherTrust KMIP Server

It centralizes key management for the Key Management Interoperability Protocol (KMIP) commonly used in storage solutions.

CipherTrust TDE Key Manager

Centralizes key management for transparent data encryption (TDE) in Oracle and Microsoft SQL Server, and for SQL Server Always Encrypted.

The portfolio of data protection products that make up the CipherTrust Data Security Platform solution enables companies to protect data at rest and in motion across the entire IT ecosystem and ensures that the keys to this information are always protected and only under your control.

It simplifies data security against cyber attacks, improves operational efficiency, and accelerates time to compliance, regardless of where your data resides.

The CipherTrust platform offers a wide range of proven, market-leading products and solutions to ensure the fight against cyber attacks.

These products can be deployed in data centers or at cloud service providers (CSPs) or managed service providers (MSPs). In addition, you can also count on the cloud-based service managed by Thales, a leading company in the security industry.

Portfolio of tools to ensure cybercrime is tackled

With data protection products from the CipherTrust Data Security Platform, your company can:

Strengthen security and compliance

CipherTrust designs its data protection products and solutions against cyber attacks to meet a range of security and privacy requirements, including electronic identification, authentication, and trust.

In addition, these products are also compliant with the Payment Card Industry Data Security Standard (PCI DSS), the General Data Protection Act (LGPD), and other compliance requirements.

Optimizes team and resource efficiency against security incidents

CipherTrust Data Security Platform is the industry leader and provides extensive support for data security use cases.

With products designed to work together, a single thread for global support, and a proven track record of protecting against evolving threats, this platform also boasts the industry’s largest ecosystem of data security partnerships.

The CipherTrust Data Security Platform solution was developed with a focus on ease of use, with APIs for automation and responsive management.

With this solution, your teams can quickly implement, secure, and monitor the protection of your business against cyber attacks.

In addition, professional services and partners are available to assist in implementation and staff training, ensuring fast and reliable implementations.

In this way, it is possible to reduce the time required from your staff for these activities.

Reduces total cost of ownership

The CipherTrust Data Security Platform offers a broad set of data security products and solutions for protection against cyber attacks.

This portfolio can be easily scaled, expanded for new use cases, and has a proven track record of protecting both new and traditional technologies.

With the CipherTrust Data Security Platform, companies can prepare their investments to combat cyberattacks while reducing operational costs and capital expenditures.



Encryption Software: Benefits and Challenges

The use of encryption software has been one of the most efficient methods for providing data security, especially for end-to-end protection of data transmitted between networks.

Companies and individuals also use encryption to protect confidential data stored on computers, servers and devices such as phones or tablets.

If you still have doubts about the efficient use of encryption software when carrying out different transactions over the Internet, take advantage of this article to clarify all the points.

Encryption software is widely used on the Internet to protect users

One example of the use of encryption software is data protection. In short, we have passwords, payment information and other personal information that should be considered private and sensitive.

How encryption works

The data, usually made up of plain text, is encrypted using an algorithm and an encryption key. This process generates a ciphertext that can only be viewed in its original form if it is deciphered with the correct key.

Decryption is simply the reverse process of encryption, following the same steps but reversing the order of operations. Encryption software basically falls into two categories: symmetric and asymmetric.

  • Symmetric Cryptography

Also known as secret-key cryptography, it uses a single key, also called a shared secret. This is because the system performing the encryption must share it with any entity that intends to decrypt the encrypted data.

Symmetric key encryption is generally much faster than asymmetric encryption, but the sender must exchange the key used to encrypt the data with the recipient before they can perform decryption on the ciphertext.

  • Asymmetric encryption

Known as public key cryptography, it uses two different keys, i.e. a pair of keys known as the public key and the private key. The public key can be shared with everyone, while the private key must be kept secret.
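The two categories are normally combined: the asymmetric key pair protects a fresh symmetric session key, and the symmetric key protects the data itself, which is also how the session-key/public-key split in the cipher suite article works. The Python below is an added example, not code from the article or from Eval: a toy RSA key pair wraps a 128-bit session key, and a constructed symmetric stream cipher (an HMAC-SHA256 keystream in counter mode, not a standard algorithm) encrypts the message. The primes are Mersenne primes chosen only so the arithmetic is real; real deployments use 2048-bit moduli with OAEP padding and a standard cipher such as AES-GCM.

```python
import hashlib
import hmac
import math
import secrets

# Toy RSA parameters. P and Q are Mersenne primes (2**61-1, 2**89-1), chosen
# so the 150-bit modulus can carry a 128-bit session key in a single block.
# Constructed for illustration and far too small for real use; real systems
# use 2048-bit moduli and OAEP padding rather than raw ("textbook") RSA.
P = 2**61 - 1
Q = 2**89 - 1
E = 65537


def rsa_keypair():
    """Returns (public, private) as ((n, e), (n, d))."""
    n, phi = P * Q, (P - 1) * (Q - 1)
    assert math.gcd(E, phi) == 1
    return (n, E), (n, pow(E, -1, phi))


def rsa_encrypt(public, m):
    """Anyone holding the public key can do this step."""
    n, e = public
    assert 0 <= m < n, "message must be smaller than the modulus"
    return pow(m, e, n)


def rsa_decrypt(private, c):
    """Only the holder of the private key can reverse it."""
    n, d = private
    return pow(c, d, n)


def stream_xor(key, nonce, data):
    """Toy symmetric cipher: XOR with an HMAC-SHA256 keystream in counter mode
    (constructed for this example, not a standard cipher). As with any
    symmetric cipher, the same key and function both encrypt and decrypt."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        block_input = nonce + counter.to_bytes(8, "big")
        stream += hmac.new(key, block_input, hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def hybrid_encrypt(public, plaintext):
    """Asymmetric key protects a fresh symmetric session key; the symmetric
    key protects the (potentially large) data."""
    session_key = secrets.token_bytes(16)
    nonce = secrets.token_bytes(12)
    wrapped_key = rsa_encrypt(public, int.from_bytes(session_key, "big"))
    return wrapped_key, nonce, stream_xor(session_key, nonce, plaintext)


def hybrid_decrypt(private, wrapped_key, nonce, ciphertext):
    session_key = rsa_decrypt(private, wrapped_key).to_bytes(16, "big")
    return stream_xor(session_key, nonce, ciphertext)


if __name__ == "__main__":
    public, private = rsa_keypair()
    message = b"order 1234 paid"                  # constructed sample
    wrapped, nonce, ciphertext = hybrid_encrypt(public, message)
    print("ciphertext:", ciphertext.hex())
    print("recovered :", hybrid_decrypt(private, wrapped, nonce, ciphertext))
```

Note the division of labour: the slow asymmetric operation runs once on 16 bytes, the fast symmetric one on the whole message, which is the cost argument the article makes for symmetric encryption.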

The benefits of using encryption software

The main purpose of cryptography is to protect the confidentiality of digital data stored on computer systems, transmitted over the Internet or any other computer network.

Many companies and organizations recommend or require that confidential data be encrypted to prevent unauthorized persons from gaining access.

In practice, the best-known example is the data security standard used in the payment card sector. It requires customer card data to be encrypted when transmitted over public networks.

Encryption algorithms play a key role in ensuring the security of IT systems and communications. After all, they can provide not only confidentiality, but also elements that are considered key to data security:

Many Internet protocols define mechanisms for encrypting data that moves from one system to another – this is known as data in transit.

Cryptography being used in communication applications

Some applications use end-to-end encryption (E2EE) to ensure that data passing between two parties cannot be viewed by an attacker capable of intercepting the communication channel.

The use of an encrypted communication circuit, as provided by Transport Layer Security (TLS), between the web client and the web server software is not always sufficient to guarantee security.

Normally, the actual content being transmitted is encrypted by the software before being passed on to a web client and decrypted only by the recipient.

Messaging applications that provide E2EE include Facebook’s WhatsApp and Open Whisper Systems’ Signal. Facebook Messenger users can also receive E2EE messages with the “Secret conversations” option.

Current cryptographic challenges

For any current encryption key, the most basic method of attack is brute force. In other words, the attacker tries key after key until the right one is found.

The length of the key determines the number of possible keys, hence the viability of this type of attack. There are two important elements that show how strong the encryption used is. These are the algorithms used and the size of the key.

After all, as the size of the key increases, greater resources are also required in an attempt to break the key.

Currently, attackers also try to crack a target key through cryptanalysis, that is, the process of looking for some weakness in the key or algorithm that can be exploited with less effort than a brute force attack.

Recently, security agencies (such as the FBI) have criticized technology companies that offer end-to-end encryption. It was claimed that this type of encryption prevents law enforcement authorities from accessing data and communications, even with a warrant.

The US Department of Justice has publicized the need for “responsible encryption”. That is, it can be released by technology companies under a court order.

Next steps

Key management is one of the biggest challenges in the strategy for using encryption software. After all, the keys to decrypt the ciphertext need to be stored somewhere in the environment. However, attackers usually have a good idea of where to look.

That’s why when an organization needs to access encrypted data, it usually puts encryption keys into stored procedures in the database management system. In such cases, the protection may be inadequate.

The next steps in improving the use of cryptography are the challenge of developing an information security plan capable of defining more reliable key storage structures, which is one of the weakest links in the application of corporate cryptography.

Security policies and methods should seek best practices in order to reduce malicious attempts to break and use cryptographic keys and invalidate the use of encryption software.

Now you know a little more about encryption software. Always keep up to date, subscribe to our newsletter and stay on top of Eval news and technologies. Keep following our content on the blog and also on our Linkedin profile.

About EVAL

EVAL has been developing projects in the financial, healthcare, education and industrial segments for more than 18 years. Since 2004, we have offered Authentication, Electronic and Digital Signature, and Data Protection solutions. Today we are present in the main Brazilian banks, healthcare institutions, schools and universities, as well as in various industries.

With value recognized by the market, EVAL’s solutions and services meet the highest regulatory standards of public and private organizations, such as SBIS, ITI, PCI DSS, and the LGPD. In practice, we promote information security and compliance, increase companies’ operational efficiency, and reduce costs.

Innovate now, lead always: get to know Eval’s solutions and services and take your company to the next level.

Eval, safety is value.