Search
Close this search box.
Facebook Instagram Linkedin

Tag: encryption for data protection

Categories
Data Protection

Cipher Suites and their importance in data security

In today’s digital landscape, data security has transcended necessity to become an obligation.

Every day, millions of transactions take place online, each of which requires a high level of cybersecurity in companies to protect valuable information.

In this context, Cipher Suites have emerged as crucial elements in building a secure digital environment. They form the backbone of many data security operations on the Internet, ensuring that information moves safely and efficiently.

This article seeks to explore the complexity of Cipher Suites, unraveling their nature, functioning and the importance they have in online data security.

What are Cipher Suites?

Cipher Suites is the set of algorithms used in combination to establish a secure connection, which include:


  • A session key algorithm and its key size:
     This is the symmetric encryption algorithm used to encrypt the data transmitted in the session, such as 128-bit AES, for example.

  • A public key algorithm and its key size:
     This is the asymmetric encryption algorithm used to encrypt the session key, such as 2048-bit RSA, for example.
  • A hash algorithm: It is used to guarantee data integrity, ensuring that data is not altered in the exchange of information. An example of a hash algorithm used is SHA.
  • A key exchange algorithm: This is the method by which the session key is exchanged. The most common examples are RSA or Diffie-Hellman.

As a result, we have a constant that indicates which algorithms were used in a given session, such as “TLS_RSA_WITH_AES_256_CBC_SHA”, which uses the TLS protocol, with the RSA asymmetric encryption algorithm, AES CBC 256 as the session key and SHA to guarantee data integrity.

Another example is“TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384“, which uses ECDHE for the key exchange, ECDSA for authentication, AES with 256 bits in GCM mode for encryption and SHA384 for the hash function.

Now that we understand that, let’s examine how Cipher Suites work in conjunction with HTTPS/TLS.

Another example is
“TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384”
 which uses ECDHE for the key exchange, ECDSA for authentication, AES with 256 bits in GCM mode for encryption and SHA384 for the hash function.

Having understood this, let’s now see how they work together with HTTPS/TLS.

How does the technology work?

Cipher Suites are the driving force behind the security of an HTTPS connection, although their operation may seem a little complex. At the heart of this operation is the SSL/TLS handshake process.

Let’s dive a little deeper into the concept to understand how Cipher Suites work.

  1. When a connection is initiated between a client (e.g. a browser) and a server, an SSL/TLS handshake process is triggered. This process is a series of steps that are carried out to establish a secure connection between the client and the server. This is where the Cipher Suites come into play.
  2. During this handshake, the client and server exchange a list of the Cipher Suites they support. These lists are compared to find a Cipher Suite that they both support.The server then has the responsibility of choosing the most secure and efficient Cipher Suite that both support to be used during the session.
  3. Once the Cipher Suite has been chosen, the client and server begin the key exchange process, which is governed by the key exchange algorithm present in the chosen Cipher Suite.Here, it is important to note that a session key is created and it is this key that will be used to encrypt and decrypt the data transmitted during the session.In addition, the encryption algorithm that will be used to encrypt the data transmitted between the client and the server is defined, as well as the hash or MAC function that will be used to guarantee the integrity of the data.

At the end of the handshake, the connection is established and data can be exchanged securely between the client and server using the algorithms defined by the chosen Cipher Suite.

This ensures that communications are protected from interception or modification by malicious third parties.

There are also some protocol variations, such as SSL, TLS 1.2 and TLS 1.3. For educational purposes, below is a summary of the step-by-step TLS 1.2 and TLS 1.3 protocols:

Understanding Cipher Suites and their importance in data security - Protocols

Why are Cipher Suites important?

Cipher Suites play a crucial role in setting up a secure HTTPS connection, as they encapsulate a variety of cryptographic functions, each playing a specific role in the security and integrity of the connection.

During the SSL handshake, the client and the web server use four main elements, each represented by a specific algorithm within the Cipher Suite:

  • Key Exchange Algorithm:

This algorithm determines how the symmetric keys will be exchanged between the client and the server.

The symmetric keys are used to encrypt and decrypt the data transmitted during the session.

Asymmetric encryption algorithms used for key exchange include:


    • RSA:
      Traditional and very well known, RSA is used in key exchange, in short, the recipient’s public key is used to encrypt a session key, which is a symmetric algorithm key, such as AES.

    • Diffie-Hellman (DH):
       It is one of the best-known algorithms still used today for key exchange.

    • Diffie-Hellman Ephemeral (DHE):
       This is a variation of DH, in which a new key is used for each new session.

    • Elliptic Curve Diffie-Hellman (ECDH):
       It is very similar to DH, but instead of using prime numbers, it makes use of elliptic curves.

    • Elliptic Curve Diffie-Hellman Ephemeral (ECDHE):
       This is a variation of ECDH and DHE, in which a new key, using elliptic curves in this case, is used with each new session.
  • Authentication Algorithm or Digital Signature:

This algorithm dictates how server authentication and client authentication (if required) will be implemented.

Authentication or Digital Signature allows the client and server to confirm each other’s identity, guaranteeing that they are communicating with the correct entity.

Authentication algorithms include RSA, ECDSA, and DSA.

  • Symmetric encryption algorithms used for session keys:

This algorithm is used to encrypt the data that is transmitted between the client and the server during the session.

Symmetric encryption helps to guarantee the confidentiality of data at a low computational cost compared to asymmetric encryption algorithms, making it unintelligible to anyone who might intercept the communication.

Symmetric encryption algorithms include AES, CHACHA20, Camellia, and ARIA.

  • Hash/MAC function:

This function determines how data integrity checks will be carried out. Data integrity is important to ensure that the data has not been altered during transmission.

Hash/MAC functions, such as SHA-256 and POLY1305, are used to create a unique checksum value for the data, which can be used to check whether the data has been altered.

These cryptographic functions are needed at various points in the connection to perform authentication, key generation and exchange, and a checksum to guarantee integrity.

To determine which specific algorithms to use, the client and the web server start by mutually deciding on the Cipher Suite to be used.

In practice, Cipher Suites are necessary due to the variety of servers, operating systems and browsers.

There is a need to accommodate all these combinations, which is why Cipher Suites are useful for ensuring compatibility.

The importance of Cipher Suites in data security

In practice, Cipher Suites play a vital role in data security in an increasingly digital world.

As we’ve seen throughout the article, they are the backbone of secure connections on the Internet, allowing information to be transmitted securely between clients and servers.

Cipher Suites provide a set of algorithms that guarantee authentication, privacy and data integrity during communication.

They help prevent a wide range of attacks, from the interception of communications to the manipulation of transmitted data.

Given everything we’ve learned so far, there’s an interesting website on which it makes a diagnosis of which Cipher Suites your computer accepts.

To find out more go to:
https://clienttest.ssllabs.com:8443/ssltest/viewMyClient.html.
 As a result, it should return something like:

Understanding Cipher Suites and their importance in data security - Capabilities

As we can see, he has listed the protocols, the algorithms and some additional information. However, choosing the right Cipher Suites for a server is a crucial task for administrators.

Understanding technology is the first step to ensuring Data Security

An inappropriate choice can result in insecure connections, or even incompatibility with some clients.

Therefore, keeping up to date with the best practices for selecting Cipher Suites is an essential part of data security management.

And how do you do that? How do you choose the algorithms, remembering that they have to be accepted by both sides, the client and the server?

One way to increase your computer’s security is to eliminate some algorithms that are already known to be weak. To do this, we recommend reading Microsoft’s article in which they teach you the commands you can use via PowerShell to limit the use of weak algorithms.

Click here to see how to disable algorithms in Windows.

You can also check out the algorithms that are already accepted by default in Windows.


Click here to see more on windows 11
.

With the advance of technology and the constant evolution of security threats, it is crucial to understand the importance of Cipher Suites and how they work.

This knowledge will allow us to make more informed decisions to protect our data and keep our online communications secure.

In short, Cipher Suites are more than just a set of algorithms, they are the front line in the ongoing battle for data security on the internet.

About Eval

With a track record of leadership and innovation dating back to 2004, Eval not only keeps up with technological trends, but we are also in an incessant quest to bring news by offering solutions and services that make a difference to people’s lives.

With market recognized value, Eval’s solutions and services meet the highest regulatory standards for public and private organizations, such as SBIS, ITI, PCI DSS, and LGPD. In practice, we promote information security and compliance, increase companies’ operational efficiency, and reduce costs.

Innovate now, lead always: get to know Eval’s solutions and services and take your company to the next level.

Eval, safety is value.

Written by Arnaldo Miranda, Evaldo. Ai, reviewed by Marcelo Tiziano and designed by Caio.

Categories
Data Protection

Difference between encryption types for data protection

Companies can reduce the likelihood of a data breach, and thus reduce the risk of fines in the future under the General Data Protection Act (GDPR), if they choose to use encryption for data protection.

The processing of personal data is naturally associated with a certain degree of risk. Especially nowadays, where cyber attacks are almost inevitable for companies.

Therefore, encryption for data protection plays an increasing role in IT security for a large part of companies.

In general, encryption refers to the procedure that converts unencrypted text, also known as clear text, into information that is unreadable, in a form of interpretation using a key, where the output information only becomes readable again using the correct key.

This minimizes the risk of an incident during data processing, as the encrypted content is basically unreadable to third parties who do not have the correct key.

Encryption is the best way to protect data during transfer and is a way to protect stored personal data. It also reduces the risk of abuse within a company, as access is limited to only authorized people with the right key.

Encryption for data protection and the GDPR: what you should know

In today’s age of computers, encryption is often associated with the process where an ordinary plain text is converted into cipher text, which is the text made in such a way that the intended recipient of the text can only decode it and hence this process is known as cryptography.

The process of converting ciphertext into plaintext is known as decryption.

The main uses of encryption are as follows:

  • Confidentiality: the information can only be accessed by the person for whom it is intended and no other person except them can access it;
  • Digital Signature: In which information is signed so that the sender of the information can be identified, with integrity and non-repudiation.
  • Integrity: the information cannot be modified in storage or in the transition between the sender and the intended recipient without any addition to the information being detected;
  • Authentication: the identities of the sender and recipient are confirmed. As well as the destination/source of the information is confirmed.

Types of encryption for data protection:

In general, there are three types of encryption for data protection:

  • Symmetric key cryptography

It is an encryption system where the sender and receiver of the message use a single common key to encrypt and decrypt messages.

Symmetric key systems are faster and simpler, but the problem is that the sender and recipient need to somehow exchange the key in a secure way.

The most popular symmetric key cryptosystem is the Data Encryption System (DES) and the Advanced Encryption Standard (AES). Advanced Encryption Standard (AES);

  • Hash functions

There is no use of any key in this algorithm. A fixed-length hash value is calculated according to the plaintext, which makes it impossible for the content of the plaintext to be retrieved. Many operating systems use hash functions to encrypt passwords;

  • Asymmetric key cryptography

In this system, a key pair is used to encrypt and decrypt information. A public key is used to encrypt and a private key is used to decrypt.

The public key and the private key are different. Even if the public key is known to everyone, the intended receiver can only decrypt it because only he knows the private key.

To maintain confidentiality in the storage and transit of data

Encryption allows data to be stored encrypted, allowing users to stay away from attacks by hackers.

Reliability of transmission

A conventional approach that enables reliability is to perform encryption of the transmission channel, either symmetric or asymmetric or even a combination of the two encryptions.

If you use symmetric cryptography, you need a key to encrypt the information, then you need to find some way to exchange the key, which turns out to be a problem to be solved, which is the exchange of keys in a secure way.

It is worth remembering that this method performs well.

Another way is to use asymmetric cryptography, in which the recipient’s public key can be used so that the message can be opened only by the recipient who has the corresponding key, the private key.

The problem with this type of use is performance.

Identity Authentication

For authenticity, which aims to know if the sender of the message is himself, makes use of PKI, (Public Key Infrastructure).

This is done by encrypting the message with the sender’s private key, just as anyone can have their corresponding public key, it can be verified that the message was generated by the appropriate sender.

Why is encryption for data protection crucial for GDPR compliance?

While there are no explicit data protection encryption requirements in the General Data Protection Act (GDPR), the new legislation requires you to apply security measures and safeguards.

The LGPD highlights the need to use appropriate technical and organizational measures for personal data security.

Because encryption for data protection makes information unreadable and unusable to people without a valid cryptographic key,encryption strategies for data protection can be extremely beneficial to your company in the event of a data breach and the requirements under the GDPR.

Remember the LGPD requirement to notify customers affected by a security incident?

By encrypting your data, you reduce the chance of fulfilling this obligation due to cyber attack issues or other types of problems.

No information is technically “breached” if the data is unintelligible to the attacker.

How to choose the most appropriate way to ensure data security?

The Thales CipherTrust Data Security platform guarantees the entire structure and integrity of your company’s data, and the format of the fields in the database, whatever it may be: Oracle, SQL, MySQL, DB2, PostGrid, you name it.

Simple, comprehensive and effective, Cipher Trust provides capabilities to secure and control access to databases, files and containers – and can protect assets located in cloud, virtual, big data and physical environments.

With CipherTrust, you can protect your company’s data and anonymize your sensitive assets, ensuring security for your company and avoiding future problems with data leakage.

About Eval

EVAL has been developing projects in the financial, health, education and industry segments for over 18 years. Since 2004, we have offered Authentication, Electronic and Digital Signature and Data Protection solutions. Currently, we are present in the main Brazilian banks, health institutions, schools and universities, and different industries.

With value recognized by the market, EVAL’s solutions and services meet the highest regulatory standards of public and private organizations, such as SBIS, ITI, PCI DSS, and LGPD. In practice, we promote information security and compliance, increase companies’ operational efficiency, and reduce costs.

Innovate now, lead always: get to know Eval’s solutions and services and take your company to the next level.

Eval, safety is value.

Where We Are

Rua Paulistânia, nº 381, 2º andar,
Sumarezinho
São Paulo - SP,
ZIP CODE: 05440-000

Contact

(11) 3670 - 3825
(11) 3865 - 1124
[email protected]

Facebook Instagram Linkedin
logo-tales-azul
keyfactor-logo
logo-valid-certificadora-digital
google-safe-browsing
Privacy Policy

Copyright © 2023, EVAL TECNOLOGIA EM INFORMÁTICA. All rights reserved - CNPJ 05.278.889/0001-97