8

I feel that no one in the group I work in, myself included, really groks encryption and security, or the reasons behind making certain decisions. For example, we recently had a conversation regarding encryption of data that we handle for another group that we work with - the data ends up in a database that is on our secure corporate network (I work in a small group in a large software company, so the integrity of the corporate network is very high), along with everything else we handle. Of course, standard guidelines call for "encryption" of this data.

Obviously, that could mean many things - IPSec/encrypted connections, encrypted fileshares, encryption implemented in the DB (whole-DB or column), encryption of the actual bits in the file, etc. - and some people in the group are under the impression that the only kind of encryption that really counts is directly encrypting the bits that are stored, the argument being that everything else is too easy to circumvent - "if the DB is encrypted, I could still log into it and see the data there; if the file share is encrypted, as long as I have permissions to the folder I can just grab the file; but if the bits are directly encrypted, I won't be able to read it". My instinct says that that statement is based on limited understanding: they can see themselves logging into SQL Server Management Studio to see the data, but since they wouldn't know how to take a stream or array of encrypted data and use a certificate that they probably have access to to decrypt it, it's probably safe. Are they right? Am I right? No one seems to really know, so decisions get based on the opinion of the loudest or highest-paid person.

Anyway, that's just kind of an extended example of what I'm talking about. I feel like it's the blind leading the blind here, with decisions based on limited understanding, and it's frustrating. I'm no expert on the technical bits of encryption, but I know how to use standard libraries to encrypt streams and arrays and the like - where I really need more knowledge is about architecting data security and information on which I can base decisions like the above. Where can I read about this kind of stuff?

nlawalker
  • 3,002
  • 20
  • 21
  • 1
    "Of course, standard guidelines call for "encryption" of this data." Most of your question seems to boil down to "we don't know what standard guidelines mean". Where do these "standard guidelines" come from? Who sent them to you? Who's responsible for them? Who checks for compliance? – S.Lott Feb 23 '11 at 16:14
  • You are, of course, correct, and part of what I need to do is find these things out. Thanks. – nlawalker Feb 23 '11 at 16:28
  • "is find these things out"? You should be able to answer the question 'Where do these "standard guidelines" come from?' without finding anything out. It's a documented requirement, correct? If not, it's all just rumor and of course you're confused. – S.Lott Feb 23 '11 at 16:36
  • 1
    +1 for "the blind leading the blind", at least you were wise enough to recognize your shortcomings and seeking help! I certainly hope we can gather some interesting things here. – Matthieu M. Feb 23 '11 at 19:02

2 Answers2

4

Ferguson & Schneier's Cryptography Engineering will tell you how to use crypto properly. From the sound of your question, it's the book for you.

Specifically, while many books will teach you about the algorithms used in crypto - AES, SHA-1, etc. - Cryptography Engineering doesn't. Instead it addresses the use of crypto through a cookbook approach. When you secure a message, do you sign it and then encrypt the message? Or do you encrypt and then sign? How do you plug the crypto primitives together to build a secure system? (And what does "secure" really mean?)

In short, if you want to use crypto, as opposed to learn crypto algorithms, this book is for you.

Frank Shearar
  • 16,643
  • 7
  • 48
  • 84
3

The first step in using cryptography effectively is figuring out what threat you're trying to defend against. From the sound of things, you don't have any real agreement about that.

There are at least two basic points you need to consider: first, who can have access to the data and who can't? You have at least a few people who need access to the data, and usually at least a few more (system administrators) who you're willing to trust.

Second, what sort of "bad guys" and what kinds of attacks are you trying to protect against? Are you trying to simply quell people's curiosity and keep them from finding things by accident, or are you protecting against a serious attacker who knows cryptography and is willing to put a lot of time and effort into getting to your data? Are you concerned only about an outsider seeing data as (for example) it's transmitted over the Internet, or do you have to be concerned about the possibility of a computer being physically stolen, so an attacker can study everything on the computer in detail for an extended period of time?

Jerry Coffin
  • 44,385
  • 5
  • 89
  • 162