AES Encryption & Related ConceptsDownload the white paper "AES Encryption & Related Concepts" |
Over the weekend a news report surfaced describing lost Secret Service tapes that contained extremely sensitive information such as personnel and investigative information. The loss was both typical and mundane: a carry bag with the tapes was left on a metro train. This kind of thing happens all of the time - a couple of years ago I left a laptop on a plane when I arrived in San Francisco (luckily recovered). Something similar has probably happened to you.
But one commentator said something that was shocking:
"... this is 2008 encryption. And years later, our abilities to break encryption, our algorithms to do that, are much, much better. If those tapes were found, I'm sure they could be cracked in moments."
Excuse me ???
In 2008 the new NIST Advanced Encryption standard (AES) had been in place for several years, and many of us were shipping products that were certified by NIST to meet that standard. Triple DES was in use at that time, and might also may have been used to encrypt those tapes. The article did not identify which algorithm, if any, was used.
Both of these algorithms are still considered strong today (see reference below). They are not broken, they are not weak, and they can't be "cracked in moments." And encryption does not have a shelf life like cottage cheese - encryption methods do not get stale just because some time goes by. [Fore more information download our white paper AES Encryption and Related Concepts]
There are a lot of things that could have been wrong about how the tapes were protected. They:
People get the implementation details wrong all of the time, which leads to weak protection. But, again, good encryption does not spoil like milk, and data protected properly in 2008 would still be just as strong today.
Misconceptions like this have a bad knock-on effect. When there are still so many organizations who've done nothing to protect data, this type of false information creates a sense of despair, and re-enforces the belief that nothing can or should be done. I just recently heard someone say,
"If the NSA can't prevent a break-in, what chance do we have?".
Substitute Secret Service, NSA, DOD, RSA Security, McAfee, and others, and you get another excuse for doing nothing to protect the organization's key assets. That's a sad and unnecessary result of bad information.
For the record: If you were using a NIST-approved encryption method in 2008 such as 128-bit AES, and you were using best practices for encryption and key management, that information is still protected today. You can find NIST guidance about encryption algorithms here (see Section 2 about Encryption):
Patrick
For more information on encryption and key management, download our white paper "AES Encryption and Related Concepts" and learn about how proper encryption and key management work together to secure your data.