Taking on encryption's usability and key management problems
Encryption is not particularly easy to use, but efforts are underway to solve its key management and usability problems to bring it into datacenters and possibly even help it finally go mainstream.
Encryption is an elaborate mathematical tool primarily used for cloaking data and communications to ensure that they aren’t accessed or tampered with by unauthorized parties. An overly simplified explanation is that to encrypt and decrypt data you need keys to “lock” and “unlock” the data. When attackers attempt to steal this data in encrypted form, without the right key, it’s unreadable and useless to them.
Unfortunately, encryption isn’t as easy to use as it sounds and its widespread use has been held back by basic usability and key management problems.
If you’ve ever heard the term “military encryption” and wondered how it differs from “normal encryption,” you’re not alone. They rely on identical mathematics and approaches to protect information.
The subtle difference lies in “the manner in which the cryptographic capability is implemented,” says John Droge, director of secure information services for Raytheon’s Space and Airborne Systems business in Waltham, Massachusetts (www.raytheon.com). “Military-grade cryptography takes added precautions to ensure the key material is safe at all times.”
One way to ensure safety is by designing a system with a separate processor that performs all cryptographic operations. “All key material is delivered to and stored on the system in an encrypted format,” Droge elaborates. “When a cryptographic operation is scheduled, the key material is loaded, decrypted, used as intended, and finally destroyed – all in the dedicated processors. This protects the key from being exposed in an unencrypted form. So if at some time the system is infected by an advanced persistent threat (APT), at best the attackers will only gain access to an encrypted version of the key, which is unusable.”
It’s important to point out that both software and hardware approaches can be vulnerable. Those serious about encryption on end points tend to use hardware security modules (HSMs) to do the key management aspect of encryption in a separate “trust” domain within hardware.
Pushing encryption into the hypervisor via a software-defined networking (SDN) approach is another way to move key management into a separate trust domain, one that an attacker would also have to compromise. An APT on the end host won’t have access to the hypervisor memory, and hypervisors are compromised much less often than end points.
Yet another way to go about it is to opt for a secure operating system.
Encryption’s usability and key management problems
The steady stream of huge data breaches raises the question: Why isn’t encryption used to protect data everywhere?
Encryption is “extremely difficult to implement correctly and very easy to get wrong,” explains Lillian Ablon, an information systems analyst for Rand Corp. in Santa Monica, California (www.rand.org). “Even when implemented correctly, there can be hurdles with key management or setting up the infrastructure to handle the key management. But if you collect data, you need to protect it – whether it’s intellectual property or access to a database or, for example in the military’s case, something like mission-critical air tasking orders. Any pains involved in setting up encryption and the key management infrastructure are well worth the security it provides.”
Key management is “typically the main reason cited for not implementing encryption. No question about it – key management is the most difficult discipline within cryptography and requires extreme attention to detail by every vendor and user/operator in the information ecosystem and at every point in the data’s life cycle to achieve a secure cryptographic system,” says Raytheon’s Droge.
Essentially, although encryption has existed for quite some time, no one has ever found a way to make it practical or easy to use.
Bringing encryption to the datacenter
One place you’re not likely to find encryption is within datacenters. It’s not commonly used there because handling the keys for all of the end points involved is considered too complex, and no technology is currently available to help handle this.
Virtualization software giant VMware in Palo Alto, California (www.vmware.com) is working to change that by adding “distributed network encryption” to their software-defined networking (SDN) platform, NSX, with availability at some point in the near future. This platform has the potential to radically change network security, particularly for those already using virtualization.
VMware’s goal is to enable deploying encryption as an application with NSX – complete with microsegmentation, different trust levels for workloads, and the ability to encrypt, authenticate, and verify all communications. Not up to speed with SDN? NSX is one of the very first examples of SDN, which relies on a set of primitives that can be controlled by software, independent of the physical devices – including white boxes – beneath.
Many people who are unfamiliar with SDN express security concerns about these new types of architectures, but SDN was created with security as its foundation and, in fact, received its initial backing from the intelligence agencies.
NSX embraces a “zero trust” model and taps the hypervisor for the isolation it provides for security. “Pushing encryption into the hypervisor pushes it into a separate trust domain that would also have to be compromised,” explains Martin Casado, one of the visionaries behind SDN and NSX, as well as senior vice president and general manager, Networking & Security Business Unit for VMware.
Another frequent misconception surrounding SDN is “white boxes.” As Casado notes, however: “SDN is orthogonal to white boxes. You can use white boxes if you want, but across our 700-plus customers and now well over 100 production deployments, I don’t know of a single one using white box.”
Then, of course, there’s the “controller,” which people tend to assume would be easy to attack, when in fact NSX runs it on a remote compute node so it’s not even addressable.
So how is encryption being rolled in? NSX “allows you to think of an application as having encryption as an attribute,” Casado says. “To deploy encryption as an application, you’d basically click a button and all communications within that application would be encrypted with a secret only known to that application.”
If an attacker ever gains access to the datacenter or compromises a physical machine, all the information they’d see will be completely encrypted. “And you’ll be able to choose on a per-application basis whether you want to encrypt or not,” adds Casado. “This helps solve the broader problem of making it practical to use encryption and handle key management in a very controlled, fine-grained way.”
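The per-application secret described above can be illustrated with a short added example; it is not VMware's code and does not describe how NSX works. It assumes a hypothetical KeyDomain class standing in for the separate trust domain, derives one key per application from a single root secret with HKDF (RFC 5869), and uses an HMAC tag in place of full encryption because the Python standard library has no authenticated cipher.

```python
import hashlib
import hmac
from typing import Optional

TAG_LEN = 32  # HMAC-SHA256 output size in bytes


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) with SHA-256: extract a PRK, then expand it."""
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]),
                         hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


class KeyDomain:
    """Hypothetical separate trust domain: the only holder of the root secret."""

    def __init__(self, root_secret: bytes, salt: bytes):
        self._root = root_secret
        self._salt = salt

    def app_key(self, app_id: str) -> bytes:
        # The info label binds each derived key to exactly one application,
        # so one root secret yields an independent key per application.
        return hkdf_sha256(self._root, self._salt,
                           b"app-traffic:" + app_id.encode())


def seal(key: bytes, payload: bytes) -> bytes:
    """Append an HMAC-SHA256 tag computed with the application's key."""
    return payload + hmac.new(key, payload, hashlib.sha256).digest()


def open_sealed(key: bytes, message: bytes) -> Optional[bytes]:
    """Return the payload if the tag verifies under this key, else None."""
    if len(message) < TAG_LEN:
        return None
    payload, tag = message[:-TAG_LEN], message[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    return payload if hmac.compare_digest(tag, expected) else None
```

In a deployment the derived key would feed an authenticated cipher such as AES-GCM, so traffic is both unreadable and unforgeable outside the application that owns the key.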
How can something like distributed network encryption help the military? “One of the biggest problems the military faces with encryption is that they’ve got many people who need to communicate in many different ways … it’s a massive key management nightmare,” Casado says.
Say, for example, you’re in a datacenter while a mission is happening and you want to spin up a bunch of workloads. “For every one of these missions that you spin up, you can encrypt it, and then if there’s a compromise within the datacenter or someone manages to gain access to the traffic from a separate mission … they won’t be able to see anything because it’s all encrypted,” he adds. “Today, it’s too difficult to manage keys at the edge of the datacenter, so we use VPN [virtual private networks], which allows people to do encryption to a gateway at the edge, but the problem with that is that within it everything is moving in plain text.”
Approaches such as “the one VMware is pursuing with network distributed encryption, along with others who are working on regenerative computing – something those in cloud services are exploring to ‘regenerate instances’ on a faster time frame – are really interesting if they can make attackers’ job more difficult. It’s not possible to be 100 percent secure, so the goal of information security instead should be to make it as difficult as possible for attackers in terms of time, money, resources, people, and technical capabilities,” says Rand’s Ablon.
Startup Keybase (www.keybase.io), with which Casado is affiliated, is another effort to make encryption more user-friendly, by using Twitter handles and email addresses as your public key “so you won’t have to remember some goofy stream you can’t verify,” he says. “It’s a practical approach toward solving the outstanding problem in encryption – making it usable.”
R00t of insecurity
With each new data breach – including the recent Office of Personnel Management (OPM) breaches that involved the theft of records of at least 21.5 million individuals, including highly personal security-clearance information and even fingerprints – it becomes more obvious that encryption or other forms of security are necessary to protect sensitive data.
“OPM could have benefited from very standard use of authentication management, two-factor authentication or better access control, updating patches, rethinking their architecture, and by using encryption,” Ablon notes. “A new security mantra is: ‘Don’t collect it if you can’t protect it.’”
So what’s the root of “insecurity”? Two key elements are humans and software vulnerabilities.
The human element
“Here’s the root of insecurity: Humans are interacting with technology, so even with the most secure systems in the world, the odds that human weaknesses will be taken advantage of are quite high. A phishing email with a malicious attachment can easily thwart security,” Ablon says.
Phishing emails, a type of social-engineering attack designed to target you specifically, can be devastating. “A few years ago I received a sweet birthday email from ‘my sister,’ complete with photos of us when we were kids and more recent ones, along with a link to go view a greeting for the card,” Casado recalls, providing a real-life scenario. “My first thought was how nice, but my sister doesn’t usually remember my birthday. After closer inspection of the email header … it was from Russia.”
At the time, Casado was VPN’d [virtual private networked] into the back end of the datacenter at work. If he had clicked the link, the attackers could have downloaded malware onto his laptop and had access to the entire datacenter – all of the information moving in plain text.
Although the attackers would have gained a foothold into the datacenter – and this is likely to happen at some point – with an approach like distributed network encryption, any traffic they’d see would be encrypted and useless to them.
“We definitely advocate pushing encryption into the datacenter,” Casado says. “Both distributed firewalling and distributed network encryption can really help to evolve a security posture within datacenters.”
One other factor behind network and system insecurity is software vulnerabilities, which exist because it’s difficult to locate all of the bugs within code.
“After a thorough review of several code bases, we found that there typically exists one bug per 2,000 lines of code,” Ablon points out. “Not all bugs are vulnerabilities that can be taken advantage of, but a smaller subset are and will be. That said, common operating systems use roughly 40 million lines of code. Aircraft and vehicles use 20 to 30 million lines of code, so plenty of potentially exploitable vulnerabilities exist.”
When developers are creating code, “there tends to be a ‘get it done and make it functional’ mindset, so a shift toward a mindset of including secure coding in curriculums either before or at the university level would be helpful,” she adds. “It’s extremely rare to find people with computer science degrees who were taught secure coding … especially the next generation who will be creating code and setting up systems and networks, as well as creating the web pages or devices we’ll be using.”
While many are exploring ways to make encryption easier to use, the National Security Agency (NSA) is focused on an entirely different aspect: quantum computers that could potentially break encryption as we know it today.
Techniques for encryption are continuously evolving, and the NSA is currently preparing for a shift to algorithms considered to be resistant in a future with quantum computers by “working with partners across the U.S. government, vendors, and standards bodies to ensure there is a clear plan for getting a new suite of algorithms that are developed in an open and transparent manner that will form the foundation of our next suite of cryptographic algorithms.” For more about NSA’s encryption plans, visit www.nsa.gov/ia/programs/suiteb_cryptography/.