Network World - Most companies do not know what level of cryptography is required to properly protect their data lifeblood, nor do they have anyone tasked with assessing the coverage. As a result, most corporations today are not following cryptographic best practices and are potentially exposed.
The first step in analyzing the required level of cryptography is to assess the value and sensitivity of your data and its associated lifetime. Some data, such as stock trades, may have ephemeral lives and be of little value beyond a few minutes. At the other end of the spectrum are electronic medical records, which may have to last more than 80 years.
Trade-secret data, such as business plans, next-generation pharmaceutical test results, merger and acquisition plans, or advanced CPU designs, will likely be in between these bookends. Some data, such as the remote telemetry commands to program a pacemaker or to open a dam floodgate, may have significant human costs if improperly issued. Data must be protected by cryptography rated for the data's lifetime and sensitivity.
Just as computing capabilities have changed over the years, cryptography also has changed to meet computing developments. For example, in the mid-1980s, Data Encryption Standard (DES) was widely used to protect corporate and financial information. DES is an example of a symmetric cipher in which the same key is used to lock and unlock (encrypt/decrypt) the information, and it used a 56-bit key.
Public key (or asymmetric) algorithms such as RSA and Elliptic Curve Cryptography (ECC) use two keys -- one to encrypt and one to decrypt -- and were used to securely distribute DES keys to communicating parties. In the mid-1980s, RSA key sizes of only 384 bits were considered sufficient for most commercial traffic, with 512 bits reserved for very sensitive data.
Moore's law and cryptanalytic improvements made short work of 56-bit DES and 512-bit RSA keys. By the mid-1990s, we had triple DES (effective key size of 112 bits) and RSA at 1,024 bits, with RSA at 2,048 bits also in use. In the early 2000s, the National Institute of Standards and Technology (NIST) formally adopted the Advanced Encryption Standard (AES), with key sizes of 128, 192 and 256 bits, to replace DES.
At the same time, on the public-key front, NIST and the American National Standards Institute published guidance stating that RSA-1024 should no longer be used to protect sensitive data by 2010, and that to match AES-128, RSA with a key size of 3,072 bits or ECC with 256 bits should be used.
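The two ideas above, rating data by its lifetime and matching public-key sizes to a symmetric strength, can be turned into a simple inventory check. The following is an added example, not code from the article or from NIST: it maps algorithm and key size to a security strength in bits (the AES-128 / RSA-3072 / ECC-256 row is the one the article quotes; the other rows are the comparable-strength values from NIST SP 800-57 Part 1), and then asks whether a key is still rated for the final year its data must stay protected. The retirement years are a constructed policy: only the 2010 cut-off for RSA-1024 comes from the article, and the sample inventory is invented.

```python
"""Rate cryptographic key sizes against data lifetime.

Added example, not from the article.  Strength table per NIST SP 800-57
Part 1; retirement years are a constructed policy (only 2010 for 80-bit
strength is quoted by the article); the inventory below is constructed.
"""
from dataclasses import dataclass
from typing import List, Optional

# Minimum key size giving each NIST security strength (bits of strength -> key bits).
RSA_MIN_BITS = {80: 1024, 112: 2048, 128: 3072, 192: 7680, 256: 15360}
ECC_MIN_BITS = {80: 160, 112: 224, 128: 256, 192: 384, 256: 512}

# Last calendar year a strength may still protect data (constructed policy).
# 80 bits -> 2010 is the RSA-1024 deadline the article cites; 112 bits -> 2030
# follows NIST transition guidance; None means no retirement scheduled.
# Anything below 80 bits (DES, RSA < 1024) is treated as already retired.
LAST_YEAR_ALLOWED = {80: 2010, 112: 2030, 128: None, 192: None, 256: None}


def security_strength(algorithm: str, key_bits: int) -> int:
    """Return the NIST security strength in bits for an algorithm/key-size pair."""
    alg = algorithm.upper()
    if alg == "AES":
        if key_bits not in (128, 192, 256):
            raise ValueError("AES keys are 128, 192 or 256 bits")
        return key_bits            # AES strength equals its key size
    if alg == "DES":
        return 56
    if alg in ("3DES", "TDEA"):
        return 112 if key_bits == 168 else 80   # two-key 3DES is rated at 80
    table = {"RSA": RSA_MIN_BITS, "ECC": ECC_MIN_BITS}.get(alg)
    if table is None:
        raise ValueError(f"unknown algorithm: {algorithm}")
    strength = 0                   # below the smallest NIST row
    for bits, min_key in sorted(table.items()):
        if key_bits >= min_key:
            strength = bits        # keep the highest row the key reaches
    return strength


def protects_through(algorithm: str, key_bits: int,
                     start_year: int, lifetime_years: int) -> bool:
    """True if the key's strength is still allowed in the last year the data needs protection."""
    strength = security_strength(algorithm, key_bits)
    if strength not in LAST_YEAR_ALLOWED:
        return False               # 56-bit DES, short RSA keys, etc.
    last = LAST_YEAR_ALLOWED[strength]
    return last is None or start_year + lifetime_years <= last


@dataclass
class DataAsset:
    name: str
    algorithm: str
    key_bits: int
    created: int          # year the data (and its key) came into use
    lifetime_years: int   # how long it must remain protected


def audit(assets: List[DataAsset]) -> List[str]:
    """Names of assets whose cryptography is not rated for their lifetime."""
    return [a.name for a in assets
            if not protects_through(a.algorithm, a.key_bits,
                                    a.created, a.lifetime_years)]


# Constructed inventory mirroring the article's lifetime examples.
SAMPLE_INVENTORY = [
    DataAsset("stock-trade-feed", "RSA", 1024, 2008, 0),        # ephemeral: ok until 2010
    DataAsset("medical-records-archive", "RSA", 1024, 2008, 80),  # 80-year life: fails
    DataAsset("pharma-trial-results", "ECC", 256, 2008, 25),     # 128-bit strength: ok
    DataAsset("legacy-vpn-tunnel", "3DES", 168, 2008, 30),       # 2038 > 2030: fails
]

if __name__ == "__main__":
    for asset in SAMPLE_INVENTORY:
        print(f"{asset.name:25s} {asset.algorithm}-{asset.key_bits}: "
              f"{security_strength(asset.algorithm, asset.key_bits)}-bit strength")
    print("needs re-keying:", audit(SAMPLE_INVENTORY))
```

The audit flags exactly the pattern the article describes: a key size that is fine for data with a short life becomes inadequate once the retention horizon is long, so the same inventory entry can pass or fail depending only on `lifetime_years`.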
But users and vendors have largely remained ignorant of these critical guidelines. If you ask how many conference room attendees use VPNs, all hands will be raised. If you ask how many are using AES, most hands will stay raised -- and the same with RSA-1024. If you ask about RSA-3072, all the hands will drop, despite NIST guidelines and regulatory pressure to ensure appropriate data protection.
With its public announcement in 2005 of the Suite B set of cryptographic algorithms, the U.S. government has raised more awareness around the need for stronger cryptography. Specifically, the National Security Agency defined the algorithms and strengths needed to protect both Sensitive But Unclassified (SBU) and classified information for use in its Cryptographic Modernization program.