Search
Close this search box.
Categories
Data Protection

Cryptographic Flaws: Second Biggest Cybersecurity Threat

“Cryptographic flaws have become a growing problem in a world heavily dependent on digital transactions and online communications that make use of cryptography.

In this context, cyber security, with a special focus on cryptographic algorithms, has become critical. These algorithms are an essential tool for protecting sensitive data.

However, the effectiveness of this data encryption is directly dependent on its correct and secure implementation, an aspect that, unfortunately, is often overlooked.”

A
OWASP (Open Worldwide Application Security Project)
) is a non-profit foundation that works to improve software security. In 2021, the foundation published its latest “Top 10” list,
a ranking of cybersecurity threats
.

On this list,
cryptographic flaws have risen to second position
highlighting the seriousness of this problem.

Owasp-Top10 2021 - Cryptographic Faults

Previously categorized as “Exposure of Sensitive Data,” cryptographic flaws have been recognized as the root cause of many security breaches.

These are not mere symptoms of broader security problems, but fundamental flaws that allow sensitive data to be exposed and systems to be compromised.

This paper will explore the growing threat of cryptographic flaws and highlight the importance of tighter control over cryptographic keys and algorithms.

By understanding the nature of these flaws and implementing appropriate controls, we can make our systems more secure and better protect our data from cyber threats.

The need for stricter control over Cryptographic Keys and Algorithms

In short, encryption is a powerful tool for protecting sensitive data, but when misused or neglected, it can be the source of catastrophic security breaches.

Many of the most common mistakes related to cryptography can be attributed to flaws in the control of cryptographic keys and algorithms. Here are some of the most common problems:

  • Use of weak or obsolete cryptographic algorithms and protocols

As technology advances, algorithms and protocols that were once considered secure can become vulnerable. For example, hash functions such as MD5 and SHA1 were once widely used, but are now considered insecure and are discouraged.

Similarly, the use of obsolete cryptographic padding methods, such as PKCS number 1 v1.5, can also lead to vulnerabilities.

  • Improper use of cryptographic keys

Cryptographic keys are a fundamental part of cryptography, but are often mismanaged.

Common problems include the use, generation or reuse of weak cryptographic keys, and lack of proper key rotation.

In addition, improper storage of keys, such as storing keys in source code, can make them vulnerable to exposure and theft.

  • Plain Text Data Transmission

Even with encryption in place, if data is transmitted in clear text (e.g. via protocols such as HTTP, SMTP, FTP), it can be intercepted and read by attackers.

  • Failure to properly validate certificates and chains of trust

To establish a secure connection, you must properly validate the server’s certificates and trust chains. If you don’t do this, attackers can impersonate trusted entities and intercept or alter data.

  • No authenticated encryption

Authenticated encryption is a form of encryption that not only protects the confidentiality of data, but also its integrity and authenticity.

If only encryption is used, without authentication, the data can be vulnerable to certain types of attacks.

In practice, to mitigate these flaws, strict control over cryptographic keys and algorithms is vital.

Strengthening Cybersecurity: Mitigating Cryptographic Breaches

Cryptographic flaws, although dangerous, are avoidable. There are several preventive measures that can be taken to minimize the risk of such failures. Here are some of the most important ones:

  • Classify your data

Identify which data is sensitive and needs extra protection. This can include personal information, health records, credit card numbers, trade secrets, and any data that is subject to privacy laws or regulations.

  • Minimize storage of sensitive data

In other words, don’t store more than necessary. Discard sensitive data as soon as it is no longer needed.

If you need to store sensitive data, make sure it is encrypted.

  • Use secure and up-to-date algorithms and protocols

Avoid using cryptographic algorithms and protocols that are known to be insecure or have become obsolete. Make sure that you are using algorithms and protocols that are considered secure by today’s cyber security authorities.

  • Implement effective key management

Cryptographic keys must be generated and stored securely, avoiding reuse between different systems or applications. In addition, a process must be implemented to rotate the keys regularly.

  • Use encryption in transit and at rest

Data must be encrypted, even at rest or when being transmitted between systems (in transit).

  • Authenticate your encryptions

Always use authenticated encryption, which protects not only the confidentiality of data, but also its integrity and authenticity.

  • Avoid obsolete cryptographic functions and schemes

Avoid using obsolete hash functions like MD5 and SHA1 and obsolete cryptographic padding schemes like PKCS number 1 v1.5.

By adopting these preventive measures, organizations can strengthen their cybersecurity and mitigate the risk of cryptographic flaws.

Cyber security is a constantly evolving field, and it is important to always be vigilant and up-to-date with the latest and best practices.

Rise of Cryptographic Flaws: the urgency of strict control

As web security threats continue to evolve, it is essential that encryption practices evolve as well.

Implementing robust preventive measures and maintaining tight control over cryptographic keys and algorithms is a crucial step in ensuring data security and system reliability.

Raising awareness about the importance of secure and effective encryption is the key to combating the rising tide of cryptographic flaws.

Eval leads in Cryptographic Agility and Advanced Technologies

Eval is a company that differentiates itself in the market by adopting and offering advanced technologies. One of its main areas of expertise is cryptographic agility, along with electronic signature tools, essential in today’s digital age.

Eval’s electronic signature solutions are robust tools that provide the level of security required for digital transactions and agreements. With them, the authenticity of documents, contracts, and digital transactions can be confirmed, protecting against fraud and misunderstandings.

However, it is in cryptographic agility that Eval really shines. As one of the most vital strategies for protecting digital information, cryptographic agility enables rapid adaptation to threats and evolutions in the cybersecurity landscape.

Cryptographic agility is essential for maintaining trust in digital environments, where threats are always evolving and data security is of utmost importance. Eval recognizes this need and is at the forefront of implementing systems that enable rapid change and updating of cryptographic algorithms and security protocols.

At Eval, we use the latest and most secure forms of encryption and cryptographic agility practices to ensure that our customers’ data is always protected, without compromising the ability to adapt to the changing digital security landscape.

Contact Eval to learn more

Now that you are aware of the growing threat of cryptographic flaws and the importance of strict control over cryptographic keys and algorithms, it is time to take a step further.

Don’t leave the security of your data to chance. Effective protection of your data starts with choosing a reliable and experienced technology partner.

To learn more about how Eval can help you strengthen your data security and reduce the risks associated with cryptographic flaws, contact us today. Our experts are ready to listen to your needs and work out a customized solution that best meets your requirements.

Don’t wait until it is too late. Make securing your data a priority today, and find out how Eval can help you achieve this.

Contact Eval now and take the first step toward a safer future.

About Eval

With a track record of leadership and innovation dating back to 2004, Eval not only keeps up with technological trends, but we are also in an incessant quest to bring news by offering solutions and services that make a difference to people’s lives.

With market recognized value, Eval’s solutions and services meet the highest regulatory standards for public and private organizations, such as SBIS, ITI, PCI DSS, and LGPD. In practice, we promote information security and compliance, increase companies’ operational efficiency, and reduce costs.

Innovate now, lead always: get to know Eval’s solutions and services and take your company to the next level.

Eval, safety is value.

Written by Arnaldo Miranda, Evaldo. Ai, reviewed by Marcelo Tiziano and designed by Caio.

Categories
Data Protection

Personal health information: ensuring safety and security

Personal health information refers, in short, to demographic information, medical histories, test and lab results, mental health conditions, insurance information, and other data that a healthcare professional collects to identify an individual and determine appropriate care.

This same detailed information about our health is also a product. In addition to their use for patients and healthcare professionals, they are also valuable for clinical and scientific researchers when anonymized.

For hackers this data is a treasure trove. After all, this is personal patient information that could be stolen and sold elsewhere. What’s more, they can hijack the data via ransomware until the medical institution pays the ransom.

Medical institutions deal with personal health information and this can be a risk

As we have seen, by the nature of the sector, healthcare institutions deal with confidential patient data. This information includes date of birth, medical conditions and health insurance applications.

Whether in paper records or in an electronic record system, personal health information describes a patient’s medical history, thus including diseases, treatments and outcomes.

To give you an idea, from the first moments after birth, a baby today is likely to have their personal health information entered into an electronic health record system, including weight, length, body temperature and any complications during delivery.

Tracking this information over the course of a patient’s life provides the clinician with the context of the person’s health. This way it is better for the professional to make treatment decisions.

When properly recorded, personal health information can be stored without identifying features and added anonymously to large databases of patient information.

These de-identified data can contribute to population health management and value-based care programs.

However, there are cases where data security, protection and privacy measures are not applied. This puts health institutions, staff and especially patients at serious risk.

Cybersecurity threats in healthcare affect patients and institutions

As technology advances, healthcare professionals work to implement innovations to improve care, but cybersecurity threats continue to evolve as well.

Ransomware attacks ransomware and healthcare data breaches remain top concerns for healthcare entities and business partners of all sizes.

Ransomware is a good example of a major impact for the healthcare sector. It is considered high-risk, as healthcare organizations are tasked with caring for people. Thus, if certain information is locked or inaccessible, this care may be affected.

The responsibility for the protection of personal health information lies with all institutions and their business partners.

A situation that is sometimes misunderstood by health institutions is that privacy and security of health information do not always move together.

While privacy requires security measures, it is possible to have security restrictions that do not fully protect the private information of patients and caregivers.

Let’s think of an example: if a healthcare institution or a cloud provider shares encrypted medical data to an outpatient clinic, protection and privacy may be at risk.

After all, institutions need to enter into a partnership agreement that includes requirements for data security processes and policies. If this does not occur, the information shared is at high risk.

Despite the high risk, it is possible to protect your organization from cybercrime by securing patient information

Ransomware and other cybercrime attacks occur when a hacker gains access to an organization’s network. In the aftermath, files are encrypted or stolen.

In the specific case of ransomware, the files are inaccessible by the target until a ransom is paid.

To protect your organization from attacks like this and other cybercrimes targeting the healthcare industry, data protection experts recommend ten practices for securing health information:

1. Define clear data protection and privacy policies and processes

An important step in the protection and privacy of patient and caregiver health information is to clearly define data protection and privacy policies and processes.

This is the kick-off for all the other safety recommendations for the benefit of medical institutions.

2. Protect patient information in the workplace

Use access controls to ensure that patient health information is accessed only by authorized staff.

 
3. Conduct staff training on health data protection and privacy policies and processes

A protected health organization must train all members of its workforce on the policies and procedures regarding personal health information.

Training should be provided to each new professional within a reasonable period of time after the person joins the institution.

In addition, staff members should also be trained if their roles are affected by a material change in policies and procedures in the defined privacy and protection rules.

4. Procedures for disclosure or sharing of health information must be documented and authorized

A written authorization from the patient is required when a healthcare facility needs to share or disclose psychotherapy, substance abuse disorder, and treatment records, information, or notes.

5. Define secure health data storage and retrieval procedures

Data should be backed up periodically. Incidentally, it is also a best practice to regularly back up data via hardware such as flash drives and external hard drives, and then copy the data through the cloud while it is being modified.

This redundancy ensures that critical information is readily available. If possible, health institutions should have backups in multiple locations.

6. Firewalls are essential to ensure that protected information is not improperly destroyed

Properly using a firewall can help prevent your organization from falling victim to unauthorized access that could potentially compromise the confidentiality, integrity or availability of patient health information.

7. Health data recorded on paper should be protected

The concern for data protection and privacy also applies to the use of paper and other physical files. In addition to policies and procedures covering the physical security of documents, staff should be instructed to immediately report all incidents that may involve the loss or theft of such paper records.

8. Personal health information should never be left unattended

Extra care should be taken when patient records are temporarily transported to other health care institutions.

This information must be supervised and protected by responsible professionals during the journey, delivery and storage of personal health information.

9. Document and device encryption must protect medical data from cybercriminals

In short, devices and documents should be protected using encryption and digital signature when sharing between institutions and other healthcare professionals.

10. Keeping anti-virus and anti-malware software up to date is vitally important for personal health information

In addition, software updates and patches must be applied in a timely manner to keep networks and systems secure.

It is also worth remembering that common sense is always a good best practice. Employees should never share passwords. Default passwords should be changed immediately after assigning a new application. Finally, they should not be reused between different systems and should also be changed if they are compromised.

The ultimate goal is to achieve high levels of data security, protection and privacy, thus ensuring the integrity of the personal health information of patients and other caregivers.

About Eval

A EVAL está a mais de 18 anos desenvolvendo projetos nos segmentos financeiro, saúde, educação e indústria, Desde 2004, oferecemos soluções de Autenticação, Assinatura Eletrônica e Digital e Proteção de Dados. Atualmente, estamos presente nos principais bancos brasileiros, instituições de saúde, escolas e universidades, além de diferentes indústrias.

Com valor reconhecido pelo mercado, as soluções e serviços da EVAL atendem aos mais altos padrões regulatórios das organizações públicas e privadas, tais como o SBIS, ITI, PCI DSS, e a LGPD. Na prática, promovemos a segurança da informação e o compliance, o aumento da eficiência operacional das empresas, além da redução de custos.

Inove agora, lidere sempre: conheça as soluções e serviços da Eval e leve sua empresa para o próximo nível.

Eval, segurança é valor.

Categories
Data Protection

Cryptographic Key Management: Learn How to Protect Yourself

Hardware Security Module (HSM) basically consists of a physical device that provides extra security for sensitive data. This type of device is used to take care of cryptographic key management for critical functions such as encryption, decryption and authentication for the use of applications, identities and databases.

Companies can use an HSM to protect trade secrets with significant value. This ensures that only authorized individuals can access the device and use the key stored on it.

Responsible for performing cryptographic operations and Cryptographic Key Management

HSM solutions are designed to meet stringent government and regulatory standards and often have strong access controls and role-based privilege models.

Designed specifically for fast cryptographic operations and resistant to logical and physical tampering, adopting an HSM is the most secure way to perform cryptographic key management. However, its use is not so practical and requires additional software.

The use of HSM should be standard practice for any highly regulated organization, thus preventing these companies from losing business from customers such as the government, financial and healthcare systems, which require strong protection controls for all data considered sensitive in their operations.

It is also important for companies that adopt, as part of their strategies, the care not to take risks due to lack of necessary protection, these being able to tarnish the image of the organization.

Best practices and uses of the HSM

The use of HSMs can provide improved cryptographic throughput and result in a more secure and efficient architecture for your business.

HSM becomes a vital component in a security architecture, which not only minimizes business risks but also achieves top performance in cryptographic operations.

Some of the best practices and use cases for HSMs used by leading security practitioners are as follows:

Storage of certificate authority keys

The security of certificate authority (CA) keys is most critical in a Public Key Infrastructure (PKI). If a CA key is compromised, the security of the entire infrastructure is at risk.

CA keys are primarily stored in dedicated HSMs to provide protection against tampering and disclosure against unauthorized entities. This can be done even for internal CAs.

Storage and management of application keys

Cryptography, considered essential in many businesses, is also helped by the powerful performance of HSMs, doing an incredible job of minimizing performance impact of using asymmetric cryptography (public key cryptography) as they are optimized for the encryption algorithms.

A prime example of this is database encryption, where high latency per transaction cannot be tolerated. But don’t forget to encrypt only what is necessary, so your solution won’t spend time on non-sensitive information.

Encryption operations

Encryption operations are sometimes time consuming and can slow down applications. HSMs have dedicated and powerful cryptographic processors that can simultaneously perform thousands of cryptographic operations.

They can be effectively used by offloading cryptographic operations from application servers.

Full audit trails, logging and user authorization

HSMs should keep the record of cryptographic operations such as key management, encryption, decryption, digital signature and hashing according to the date and time the operation was performed. The process of recording events involves the authenticity and protection of the time source.

Modification of the date and time settings interface requires strong authentication by a smart card or at least two people to sanction or authorize this task.

Destruction of keys in case of attacks

HSMs follow strict safety requirements. The most important content for an HSM is the keys. In the event of a physical or logical attack, they reset or erase all your keys so they don’t fall into the wrong hands.

The HSM should “reset” itself, deleting all sensitive data if it detects any undue tampering. This prevents an attacker who has gained access to the device from gaining access to the protected keys.

The full lifecycle of keys

NIST, the National Institute of Standards and Technology, a non-regulatory agency of the US Department of Commerce, defines the encryption key lifecycle as 4 main stages of operation: pre-operational, operational, post-operational and deletion, and requires that, among other things, an operational encryption period be defined for each key. For more details, click here and see from page 84 to page 110.

Therefore, a cryptographic period is the “time interval during which a specific key is authorized for use”.

In addition, the cryptographic period is determined by combining the estimated time during which encryption will be applied to the data, including the period of use and the period in which it will be decrypted for use.

Long-term encryption

But after all, since an organization may reasonably want to encrypt and decrypt the same data for years on end, other factors may come into play when considering the cryptographic period:

You can for example limit it to:

  • Amount of information protected by a given key;
  • Amount of exposure if a single key is compromised;
  • Time available for physical, procedural and logical access attempts;
  • Period within which information may be compromised by inadvertent disclosure.

This can be boiled down to a few key questions:

  • For how long will the data be used?
  • How is the data being used?
  • How much data is there?
  • What is the sensitivity of the data?
  • How much damage will be caused if data is exposed or keys lost?

So the general rule is: as the sensitivity of the protected data increases, the lifetime of an encryption key decreases.

Given this, we see that your encryption key may have a shorter active life than an authorized user’s access to the data. This means that you will need to archive deactivated keys and use them only for decryption.

Once the data has been decrypted by the old key, it will be encrypted by the new key and over time the old key will no longer be used to encrypt/decrypt data and can be deleted.

Life cycle management of cryptographic keys using HSM

It has often been said that the most difficult part of cryptography is key management. This is because the discipline of cryptography is a mature science where most of the major issues have been addressed.

On the other hand, key management is considered recent, subject to individual design and preference rather than objective facts.

An excellent example of this is the extremely diverse approaches HSM manufacturers have taken to implementing their key management, which eventually led to the development of another product line, Ciphertrust. It has several features of HSMs and others that are unique, such as anonymization and authorization for example.

However, there have been many cases where HSM manufacturers have allowed some insecure practices to go unnoticed, resulting in vulnerabilities that have compromised the lifecycle of cryptographic keys.

Therefore, when looking for an HSM to manage full lifecycle, secure and general purpose, it is essential to inspect those that have excellent customer references, long deployment life and quality certifications.

HSM in a nutshell

To summarize, an HSM is typically a server with different levels of security protection or simply “protection” that prevents breaches or loss. We can summarize it like this:

  • Tamper-evident: addition of tamper-evident coatings or seals on bolts or latches on all removable lids or doors.
  • Tamper resistant: adding “tamper detection/response circuitry” that erases all sensitive data.
  • Tamper proof: complete module hardening with tamper evident/resistant screws and locks, together with the highest sensitivity “tamper detection/response circuit” that erases all sensitive data

With many organizations moving some or all of their operations to the cloud, the need to move their security to this architecture has also emerged.

The good news is that many of the leading HSM manufacturers have developed solutions to install traditional HSMs in cloud environments.

Therefore, the same levels of “protection” will apply as we have a traditional HSM in a cloud environment.

Learn more about the use of HSM in cryptographic key management in our blog and find out how to apply encryption technology effectively in your business by contacting Eval’s experts.

We are available to answer your questions and help you define the best ways to protect your organization against data leakage and theft.

About Eval

A Eval está há mais de 18 anos desenvolvendo projetos nos segmentos financeiro, saúde, educação e indústria. Desde 2004, oferecemos soluções de Autenticação, Assinatura Eletrônica e Digital e Proteção de Dados. Atualmente, estamos presentes nos principais bancos brasileiros, instituições de saúde, escolas e universidades, além de diferentes indústrias. 

Com valor reconhecido pelo mercado, as soluções e serviços da Eval atendem aos mais altos padrões regulatórios das organizações públicas e privadas, tais como o SBIS, ITI, PCI DSS, e a Lei Geral de Proteção de Dados (LGPD). Na prática, promovemos a segurança da informação e o compliance, o aumento da eficiência operacional das empresas, além da redução de custos. 

Inove agora, lidere sempre: conheça as soluções e serviços da Eval e leve sua empresa para o próximo nível. 

Eval, segurança é valor. 

Categories
Data Protection

Encryption and Cryptography: 10 posts you need to read

The concepts behind the emergence of cryptography are quite simple. However, knowing how to take advantage of the benefits of this technology and avoiding pitfalls in the management of your business are other issues.

Cryptography is an evolution and an alternative to techniques and methods against cyber attacks and data theft. It continues to evolve alongside technological advances. After all, new solutions are emerging and more companies are turning to encryption to guarantee privacy and protection.

Not so long ago, the industry defined cryptography as the method by which a plain text, or any other type of data, is converted from a readable format into an encoded version that can only be decoded by another entity that has access to a decryption key.

This definition has expanded and changed in recent years, as companies like Eval have entered the market with products that offer advances in encryption and practical solutions.

Thus, the innovation went beyond the main objectives of encryption. Since it currently has several benefits. These include, for example: reducing costs, increasing productivity and strategic management for different types of companies, regardless of size or segment.

Eval’s blog articles present a series of concepts and practices that readers can use at various stages of the acquisition, deployment and management cycle. That way, we can help them make the most of the benefits of encryption.

Implement digital signatures, adopt a document management-centric approach or invest in policies. There is information here that will certainly help your company in its quest for effective data protection.

Data protection as a priority

Before we even start our list, it’s important to highlight the consequences of a lack of investment in security and privacy. That’s why we’re going to show you the problems caused by a lack of data protection in your organization.

In this article, as well as understanding the importance of data protection through our list of publications, you can get an idea of the risks we are currently experiencing.

The fact is that data protection has become a concern for institutions such as the International Monetary Fund (IMF), the government itself and other organizations that have information security as a priority.

Now, let’s get to our list!

The basis for understanding the importance of cryptography

Basically, we’ll divide our list into two parts. The first of these serves to provide a foundation and teach good practices related to encryption and cryptographic key management.

1. About cryptography and key management

In the article Data encryption and key management, we covered aspects relevant to information security related to encryption.

The aim was to present the basics of cryptographic technology, cryptographic services and, finally, cryptographic key management.

We also show the importance of correctly managing cryptographic keys for programming cryptographic services.

2. Why manage cryptographic keys?

After all, why should you manage cryptographic keys? In this article, we show you that management means protecting against loss, theft, corruption and unauthorized access.

Therefore, data protection is not just about adopting encryption in business processes, management and sharing. After all, you need to efficiently manage all the elements related to the use of technology.

3. What if the encryption keys are still lost?

For those who haven’t been convinced of the importance of managing cryptographic keys, or haven’t understood the problem of mismanagement, the article The truth no one ever told you about key loss shows the consequences.

4. The search for the best way to protect data

So far, you’ve seen the concepts, the benefits of adopting cryptography in business and the impacts of managing cryptographic keys.

In the article ” Is native encryption the best way to protect data?”, we showed that Enterprise Key Management (EKM) solutions in companies have become essential to comply with existing market regulations.

This type of solution also provides access to other important data protection benefits for any organization.

Hybrid Infographic HSM

5. Important facts about cryptography

To close the first part of our list, we have the article What you didn’t know about encryption software. He clarifies doubts and shows important points about this subject, which companies and professionals are often unaware of.

Therefore, we conclude this stage by pointing out issues that cannot be ignored in a technology adoption process.

Encryption in practice

There’s no point in theory without practice, is there?

These success stories demonstrate that the use of cryptography is one of the main ways to guarantee information security and data protection.

So let’s begin the second stage of our list of articles on encryption.

6. Where encryption applies

In the article Places where you use cryptography and don’t even know it, we show everyday situations where technology is applied and often we don’t even know it.

An interesting piece of content that shows how technology is successfully applied, guaranteeing privacy and data protection.

7. The famous relationship between cryptography and the financial market

Cryptography has become well known through its applicability in the financial market.

That’s why it’s only fair that our first success story is featured in the article How does crypto benefit the financial market?

8. Encryption goes through our credit card

One of the most critical points when it comes to data theft is the misuse of credit cards and other forms of payment that are part of our daily lives.

By the end of the article Encryption for financial records and payment data, the reader will understand why this technology has become so vital for our financial transactions and personal information.

9. Yes, encryption is also in communication

This is yet another case that shows that technology is in our daily lives and we don’t even realize it.

In the article Encryption for communication applications: learn more, the reader will realize that privacy and data protection go through our main channels of conversation.

The main messaging apps have already adopted this technology as their main data security tool.

10. Our information is kept confidential through the use of encryption

To conclude our list of articles, the content Secrecy and origin verification using asymmetric cryptography shows the case of applying this technique to find out where a message came from.

Despite being conceptual, the article makes an analogy with a real situation: the importance of the confidentiality of the information we share on a daily basis.

What did you think of our list? Did it help you understand the concepts and importance of encryption in your professional and personal life? Keep following our blog to find out more about E-VAL’s technology and news.

About Eval

A Eval está há mais de 18 anos desenvolvendo projetos nos segmentos financeiro, saúde, educação e indústria. Desde 2004, oferecemos soluções de Autenticação, Assinatura Eletrônica e Digital e Proteção de Dados. Atualmente, estamos presentes nos principais bancos brasileiros, instituições de saúde, escolas e universidades, além de diferentes indústrias.  

Com valor reconhecido pelo mercado, as soluções e serviços da Eval atendem aos mais altos padrões regulatórios das organizações públicas e privadas, tais como o SBIS, ITI, e a LGPD. Na prática, promovemos a segurança da informação e o compliance, o aumento da eficiência operacional das empresas, além da redução de custos.  

Inove agora, lidere sempre: conheça as soluções e serviços da Eval e leve sua empresa para o próximo nível.  

Eval, segurança é valor. 

Categories
Data Protection

Cryptography and Key Management – Important Concepts

The use of encryption and key management, as well as cryptographic services are vital for protecting data at rest or media, a reality for companies and users of services such as cloud storage, messaging and many others.

However, those responsible for these services are presented with many options for cryptographic mechanisms and consequently there are many choices to be made.

Inappropriate choices can result in little or no gain, creating a false sense of security. Cryptography, key management and cryptographic services - Life cycle

For example: encrypt a database and keep the cryptographic key in a file on the server.

In this article we intend to address some aspects relevant to information security that are related to cryptographic keys. With this we will show the importance of their correct management for the programming of cryptographic services.

To facilitate understanding, we will divide the article into three parts. Starting with the basics of cryptography, key management and cryptographic services.

Basic concepts of data encryption

Cryptography is a set of principles used to guarantee the security of information.

To do this, it uses techniques to transform one piece of information (cipher) into another (cryptogram) that is readable only by those who know the secret (secret key).

By keeping this secret safe, we prevent unauthorized persons from gaining access to the original information (decrypt).

Secrecy

The security of cryptographic services is based on the secrecy of the cryptographic key, which allows encryption and decryption, and not on the method of transforming the information, i.e. the algorithm used, which must be public.

Symmetric and asymmetric keys

In cryptography and key management there are two basic types of algorithms: symmetric and asymmetric. The former use a single key to encrypt and decrypt the data, while the latter adopt a pair of keys, one for encryption and the other for decryption.

The diagram below shows the use of a symmetric key to encrypt a message. We can see that the key used by John is the same one adopted by Alice.

Cryptography, key management and cryptographic services - Symmetric and asymmetric keys.
Figure 2 – Symmetric key algorithm

The next diagram shows the use of an asymmetric key. The key used by Alice to encrypt is the public key of John, who uses his private key to decrypt.

Cryptography, key management and cryptographic services - Asymmetric key algorithm
Figure 3 – Asymmetric key algorithm

An interesting point about this type of algorithm is that after encrypting with the public key, only the private key can decrypt.

Examples of uses for these algorithms include a database that uses the AES algorithm (symmetric key) to encrypt certain information in the database and the digital signing of documents using the RSA algorithm (asymmetric key).

We would also like to point out that the secret in these two types of algorithms lies in protecting the symmetric key and the private key (in the case of asymmetric keys).

Finally, another aspect is that these algorithms are complementary and serve as the basis for programming cryptographic services.

Cryptographic summary and digital signature

In relation to cryptography and key management, a cryptographic digest is a value that represents information. It is generated using an algorithm, such as SHA256, to analyze the data bit-by-bit and creates a value that cannot be falsified in practice.

Cryptography, key management and cryptographic services - Cryptographic summary
Figure 4 – Cryptographic summary

However, the cryptographic digest cannot be used on its own, because although it cannot be falsified, it can be replaced.

So, to be used in practice, the cryptographic summary is encrypted with the private key (asymmetric), generating a digital signature.

This way, everyone who has the public key can generate the cryptographic summary and compare it with the one in the digital signature.

You can then check whether the data is valid. Fundamental actions in cryptography and key management.

Cryptography, key management and cryptographic services - Digital signature
Figure 5 – Digital signature

Let’s take SHA256 with RSA for example. It uses the SHA256 summarization algorithm and the RSA encryption algorithm to generate the digital signature. However, this is still not enough, as we have no way of identifying who a given public key belongs to.

This requires a new element: the digital certificate.

A digital certificate basically consists of textual information that identifies an entity (person, company or server), a public key and a purpose of use. It has a digital signature.

It is important to note that the digital certificate must be signed by a trusted third party (digital certification authority).

Thus, we introduced the concept of a relationship of trust. According to him, if we trust entity A and it trusts entity B, then we also trust B.

Cryptography and key management and cryptographic services - Trust relationship
Figure 6 – Relationship of trust

This concludes the basic concepts of cryptography. In the next part, we’ll talk about the cryptographic services that can be created from them.

Cryptographic services

As part of the cryptography and key management lifecycle, basic cryptographic mechanisms such as symmetric encryption and cryptographic digest are used to support confidentiality, integrity, authorization and irretrievability or non-repudiation services.

Thus, one cryptographic mechanism can be used to support several services. It is also important that cryptographic services should be used together to guarantee security.

Below we will briefly describe the basic cryptographic services:

Confidentiality

This service provides data confidentiality through encryption and key management. It also ensures that the information cannot be viewed by third parties and that only authorized persons have access to it. Fundamental to cryptography and key management.

Examples include encrypting files, file systems and databases with symmetric keys. We also have information encrypted with the certificate’s public key, so only those who have the corresponding private key can open the information.

Integrity

The integrity service must ensure that a given piece of information is not modified in an unauthorized way after it has been created, during transmission or storage.

Whether the change is accidental or intentional, the insertion, removal or replacement of data must be detected. Cryptographic mechanisms such as cryptographic digest, also known as hash, and digital signature provide the support for this service.

Authentication

The authentication service verifies the identity of a user or system requesting authorization to access information.

The digital signature is a cryptographic mechanism generally used to support this service, as the identification of the user has already been validated before the digital certificate is issued, either by a trusted ICP-Brasil Certificate Authority or another that the organization trusts, such as an Internal Certificate Authority.

At ICP-Brasil Certifying Authorities, it is in the process of issuing the digital certificate that the person needs to attend a face-to-face validation, with original documents proving the applicant’s identity.

 
Irretractability

The non-retractability service provides the means to guarantee that whoever created the information cannot deny its authenticity.

In this sense, it is linked to the digital signature, in which the owner of the private key cannot deny that he has held it for a particular purpose.

This concludes the description of cryptographic services. In the next section, we will present the main factors to be considered in key management – cryptography and key management.

Authorization

Additionally, after authentication, it is possible to use the information of the authenticated user in the system to define the authorization of the information. The authorization service provides approval or permission for the execution of an activity.

As an example, the authorization service can be employed to define the permissions to use a cryptographic key that would consequently allow access to a certain piece of information.

Cryptographic key management

Cryptographic keys are the foundation of cryptography and key management, and the security of encrypted data lies in them. Breaches can lead to compromised keys and, consequently, the leakage of sensitive information.

The increased use of encryption for data protection, mainly due to government regulations, means that companies have to deal with multiple encryption solutions.

Because of the diversity of vendors, organizations also need to define various procedures for managing cryptographic keys, and these are not always adequate.

Cryptographic key management consists of storing, protecting, organizing and ensuring the proper use of cryptographic keys, managing their lifecycle and maintaining backup copies in a secure and consistent manner.

When managing keys, we must take a few points into account, which we will describe below:

Secure storage of keys

The keys should be stored securely, i.e. encrypted and with access control.

Encryption should preferably be carried out using keys (KEK) protected on cryptographic hardware.

Identification of keys

It must be possible to identify a key, its type, its purpose, who is authorized to use it and the period of use.

User authentication and authorization

The use of cryptographic keys should only be allowed after the user has been identified.

Therefore, for proper key management, the system must provide authentication and authorization mechanisms or allow integration with existing systems, such as Microsoft’s Active Directory.

Life cycle of cryptographic keys

The lifecycle of cryptographic keys must be controlled so that they are used properly during their validity period – in other words, only authorized people or systems can use them during a predefined time and with secure mechanisms so that they are not compromised.

We will describe the life cycle of the keys, according to NIST recommendation.

The life cycle of a key starts with generation and ends with destruction, passing through one or more of the states described below:

  • Generation: when the key is created and not yet ready for use;
  • Pre-activation: the key has been generated, but is not yet ready for use because it is waiting for the period of use or the issue of a certificate;
  • Activated: the key is available for use;
  • Suspended: use of the key is temporarily suspended. In this state, it can no longer perform ciphering or signing operations, but can be used for data recovery or verification of signatures previously performed.
  • Inactivated: the key can no longer be used for encryption or digital signature, but is kept for processing encrypted or signed data prior to inactivation.
  • Compromised: indicates that the key has had its security affected and can no longer be used in cryptographic operations (encryption and key management). In some cases, as in symmetric keys, it can be used to recover the encrypted data for later encryption with another key.
  • Destroyed: this status indicates that a key is no longer needed. The destruction of the key is the final stage and can be achieved due to the end of the key’s usage cycle or the compromise of its security.

Backing up cryptographic keys

The main function of backups is to guarantee the recovery of keys and, consequently, encrypted data in the event of loss or failure.

Just like keys, which must be stored securely during use, backup copies also need to be protected.

They can be stored in encrypted files or cryptographic hardware suitable for this purpose, which should be kept in secure locations.

About Eval

EVAL has been developing projects in the financial, health, education and industry segments for over 18 years. Since 2004, we have offered Authentication, Electronic and Digital Signature and Data Protection solutions. Currently, we are present in the main Brazilian banks, health institutions, schools and universities, and different industries.

With value recognized by the market, EVAL’s solutions and services meet the highest regulatory standards of public and private organizations, such as SBIS, ITI, PCI DSS, and the General Data Protection Law (LGPD). In practice, we promote information security and compliance, increase companies’ operational efficiency, and reduce costs.

Innovate now, lead always: get to know Eval’s solutions and services and take your company to the next level. Eval, safety is value.

Categories
Data Protection

Loss of Keys and the Truth No One Told You

Today, data theft and regulatory compliance requirements have caused a dramatic increase in the use of encryption keys in companies. This also caused an incidence of key loss due to poor management of these assets.

It is very common, for example, for a single company to use several dozen different encryption tools. Possibly these tools are incompatible, thus resulting in thousands of encryption keys.

How to prevent the loss of keys?

In a perfect world, cryptographic key management has the responsibility for the administration, protection, storage, and backup of encryption keys.

After all, every key must be securely stored, protected, and retrievable. However, reality is different and you should know well how this story ends regarding the loss of keys.

The importance of storing and backing up encryption keys

Key management means protecting the encryption keys from loss and unauthorized access.

Many processes must be used to control and manage keys. This includes changing keys regularly, managing how keys are assigned, and who gets them.

Experience shows us that the loss of keys has a major impact on important business processes in companies. This causes loss of access to systems and data, as well as rendering a system completely useless unless it is formatted and completely reinstalled.

It is worth pointing out that nowadays it is essential for any company to have more than one person responsible for storing and backing up the encryption keys.

In this way, we are directed to several good practices in the market. For example, we have defined the roles of the responsible parties and created an efficient encryption key management policy that is accessible to everyone.

However, there is a big challenge ahead. One of the big known problems is the lack of unified tools to reduce management overhead.

A key management system purchased from one vendor cannot manage another vendor’s keys. This is due to the fact that each implements a management mechanism in its own way.

You are probably remembering some facts related to the lack of efficient storage. Including the cases of lost keys and the impacts to the company.

Lost keys expose data of people and companies

The loss or exposure of encryption keys will never be a good experience. Imagine, for example, a developer accidentally storing keys in a public repository?

Unfortunately this scenario is likely, it can easily happen for any type of encryption keys and in different companies.

Someone might accidentally send the keys in a source code or in any file or data set submission.

Whether in the cloud or in owned data centers, companies need to build a management strategy that prevents the loss of keys and/or undue exposure.

As we have seen, keys must be stored securely and with access limited to those who need them to work. For this reason, some companies use key-loss protection applications.

They serve to check network traffic for data leaks. As well as detecting the accidental or malicious disclosure of confidential or private information.

Not only poor key management can lead to compromised servers. But also if the keys used to encrypt data are lost, the data encrypted with that key will also be lost.

Therefore, there is no substitute for encryption key management.

Common situations that lead to the loss of cryptographic keys

Because it is something of relative complexity for certain company employees, you can imagine that the loss of keys does not happen so often. However, there are very common situations in our routines that lead us to key-loss scenarios:

  • The key holder forgets the password to access the key;
  • The employee responsible for the keys does not remember where he stored the key;
  • The manager has a huge amount of keys to manage;
  • The person responsible for the keys leaves the organization, and whoever stays ends up with a big management problem.

The importance of cryptographic keys is obvious to information security professionals. But the complexity of managing them can be almost as daunting as the encryption algorithms themselves.

infographic HSM Moderno

It all comes down to how important it is for companies to control the keys

First of all, it is important to see what a digital signature is and how it works.

A digital signature is the equivalent of a written signature. Its purpose can be to verify the authenticity of a document or to verify that the sender is who he claims to be.

This shows us the importance of encryption keys in productive processes, as well as the impact generated by the loss of keys in the routines of companies of different segments or sizes.

The main cost of key loss is risk management. This is because it will mainly focus on making companies the target of sophisticated cyber attacks, leading to losses not only financial but also related to the organization’s image.

One of the most recommended practices for reducing incidents related to cyber attacks is to conduct audits. This is because it helps to identify whether the keys are being used in the right way.

This process consists of auditing public key cryptography to identify vulnerable sources and devices, from tokens to TLS certificates.

Available mitigation strategies from vendors can then be reviewed and applied according to risk-based priorities.

The solution to all problems is…

There is no shortage of guidance on how to manage digital identities and how to identify the best option for your company, it all depends on the current environment and available resources.

While using a stronger management policy may be the safest option, this can also result in significant costs. Companies must focus on continuous improvement. In addition, it can help you manage your risks at a price that is compatible with your reality.

Companies must critically evaluate how they protect their systems. They must also consider the root causes of security incidents in their environments as part of a risk assessment.

It is common, for example, to have several security incidents related to compromised accounts. This is mainly due to the lack of proper management of the encryption keys.

As systems become more secure and companies take effective measures to manage their processes. It is worth remembering that initiatives such as authentication and key management are becoming increasingly important.

It is important to ensure that your company is using the appropriate authentication and authorization processes. This requires the use of cryptographic keys based on risk management.

After all, it is already the first step in reducing the risk of incidents and ensuring the confidentiality of customer and employee data.

At the end of our article, answer the following question: What is your company’s current encryption key management strategy?

Subscribe to our Newsletter and stay up to date with EVAL news and technologies. Keep following our content on the blog and also on our Linkedin profile.

About Eval

EVAL has been developing projects in the financial, health, education and industry segments for over 18 years. Since 2004, we have offered Authentication, Electronic and Digital Signature and Data Protection solutions. Currently, we are present in the main Brazilian banks, health institutions, schools and universities, and different industries.

With value recognized by the market, EVAL’s solutions and services meet the highest regulatory standards of public and private organizations, such as SBIS, ITI, PCI DSS, and LGPD. In practice, we promote information security and compliance, increase companies’ operational efficiency, and reduce costs.

Innovate now, lead always: get to know Eval’s solutions and services and take your company to the next level.

Eval, safety is value.

Categories
Data Protection

Cybersecurity Challenges – Reality-Changing Technologies

The area of cybersecurity is facing ever greater challenges. With criminal organizations increasing the sophistication and diversity of their attacks, institutions need to have the tools to protect themselves, such as Artificial Intelligence, Blockchain and other innovations.

Fortunately, evolution is not one-sided.

Governments, users and information security professionals are paying close attention to the issue, seeking better solutions to cybersecurity challenges and finding good prospects.

In this article, for example, we’ve listed 5 technologies that are changing the cybersecurity landscape. Not all of them are new, but they have been used in innovative ways to tackle cybercrime.

1. Blockchain for cybersecurity challenges

Known for being the technology behind bitcoin blockchain has been seen as providing many opportunities. In the field of cybersecurity, it is still in its early stages.

But it should soon be responsible for many new developments in the sector.

Since it records all activity permanently and transparently for the entire network, the blockchain makes it possible to see when a new user tries to access files they’ve never accessed before, for example.

This can make it easier to spot anomalies, as they will be recorded in the chain’s information blocks.

2. Artificial Intelligence and Cybersecurity

Because of its high processing capacity, artificial intelligence has been a great ally in the search to break patterns in networks.

The speed with which they can scan the system is infinitely greater than human capacity, which helps to detect unknown events and stop them from continuing before they escalate.

This is a technology that is set to grow enormously, especially with the possibility of machines continually expanding their learning, depending less on human input.

3. Machine Learning and the development of cybersecurity

Machine learning promises to be the missing icing on the artificial intelligence cake.

With their ability to learn no longer dependent on a person, machines can quickly learn new patterns and more intuitively identify malicious changes in the network.

Although it has been in the spotlight for some time now, the concept of machine learning is nothing new. However, it is only today that it finds the technological possibilities to develop more fully and create new possibilities for various areas.

And, of course, that includes cybersecurity.

 

4. Cloud Computing and the Challenges of Cybersecurity

In addition to saving on investment and offering more options when it comes to scalability, cloud computing also offers more security than physical data centers.

Of course, you have to remember that at the end of the day your data will be somewhere in the world, stored in a physical space.

However, because it is a dedicated location, it will have a higher security structure than your organization can probably offer.

In addition, cloud services offer plans with automatic backups and monitor network security at all times. Even remediation, if necessary, is much quicker in the cloud.

5. Cryptography applied to cybersecurity

What if, even with all the precautions, your organization has a data leak?

In this case, encryption offers a last, important barrier of protection. Without the cryptographic key, your information remains unreadable.

This technology has changed the financial market in particular. Some examples of their use are tokens and the encryption of credit card data in online purchases. Today, even instant messaging and social networks rely on this technology.

You already know about the technologies that are changing the cybersecurity landscape, but you don’t know where to start?

When it comes to data security, the more solutions you use, the better. In fact, the various technologies guarantee more layers of protection and make the network more robust.

But if you still need to draw up an information security plan for your company from scratch, here’s where to start your strategy.

About Eval

EVAL has been developing projects in the financial, health, education and industry segments for over 18 years. Since 2004, we have offered Authentication, Electronic and Digital Signature and Data Protection solutions. Currently, we are present in the main Brazilian banks, health institutions, schools and universities, and different industries.

With value recognized by the market, EVAL’s solutions and services meet the highest regulatory standards of public and private organizations, such as SBIS, ITI, PCI DSS, and LGPD. In practice, we promote information security and compliance, increase companies’ operational efficiency, and reduce costs.

Innovate now, lead always: get to know Eval’s solutions and services and take your company to the next level.

Eval, safety is value.

Categories
Data Protection

Cryptography in practice: Places where you use it and don’t even know it

If you think that cryptography in practice is only for large companies in the financial sector, you’re wrong.

In fact, data protection is more important than we realize, it is often right in front of us and we don’t even notice. The tendency is that it really does go unnoticed, thus ensuring its efficiency.

Here are everyday examples that bring cryptography closer to people without them realizing it:

Cryptography in practice: it’s where you don’t think it is

Internet Banking

Online payments and remote financial transactions are already a reality in the daily life of thousands of Brazilians. However, many of them do not even realize that they are benefiting from the encryption in these services.

The ease that Internet banking systems bring to users is made possible by the security system that banks adopt to protect their data.

Thus, all transactions are protected by encryption in practice, guaranteeing the security of user data.

WhatsApp

The use of applications on mobile devices is becoming more and more common. There are many possibilities, and one of the users’ favorites is to exchange quick messages.

The most used messaging application in Brazil is WhatsApp, which is currently owned by Facebook. The functions within the app are diverse and allow among other things the exchange of photos, videos, and voice messages, for example.

Everything happens quickly and simply, and so the volume of messages is increasing.

In order to ensure that the content of messages exchanged by WhatsApp is not intercepted, the app uses a security technology that they themselves call end-to-end encryption.

Privacy has become a paramount factor for the app’s users who learned of the encryption protection through a notice issued by the app.

 

iPhone is an example of encryption in practice

Keeping private data safe is a reality in many areas, and on portable devices this is also the case with encryption in practice, but few users are aware of this.

Smartphones from the manufacturer Apple are known, among other things, for offering good security to their users. This is undoubtedly one of the attractions for the brand’s legion of fans.

The fact is that when needed, the iPhone’s encryption has proven to be resilient. As in the case where the FBI needed to breach the security of a device belonging to a suspected terrorist.

The repercussion was great. O FBI asked for Apple’s help to break iPhone encryption. Apple in turn went to court to ensure that it did not participate in the breach, as this would bring a risk to the company, if it helps break one customer’s encryption, why not everyone’s?

Social Networks

Social networks have their own security policies to ensure the integrity of their users’ data. When you decide to join a social network you need to agree to its privacy terms.

Therefore, the responsibility for the content posted is yours. In addition, understanding this privacy policy gives the user an awareness of what is and is not recommended to be shared there.

In order to access a social network the user needs a permission key, created with the system in advance. Your password allows you to interact with other users, exchange messages and view internal content.

To guarantee security, encryption in practice is applied from the communication channel to some user information that is stored.

About Eval

A EVAL está a mais de 18 anos desenvolvendo projetos nos segmentos financeiro, saúde, educação e indústria, Desde 2004, oferecemos soluções de Autenticação, Assinatura Eletrônica e Digital e Proteção de Dados. Atualmente, estamos presente nos principais bancos brasileiros, instituições de saúde, escolas e universidades, além de diferentes indústrias.

Com valor reconhecido pelo mercado, as soluções e serviços da EVAL atendem aos mais altos padrões regulatórios das organizações públicas e privadas, tais como o SBIS, ITI, PCI DSS, e a LGPD. Na prática, promovemos a segurança da informação e o compliance, o aumento da eficiência operacional das empresas, além da redução de custos.

Inove agora, lidere sempre: conheça as soluções e serviços da Eval e leve sua empresa para o próximo nível.

Eval, segurança é valor.