Two Common Pitfalls of Encryption
Technology follows a predictable path as it develops. New technologies are developed to address a small but specific set of criteria. Over time, the user-friendliness of the technology increases, leading to adoption by a larger portion of the userbase. Eventually, the technology is easy enough to use that nearly everyone is a user.
Email is an example of a technology that followed this path: from its original use – communications between computer-savvy members of government and academia – through usage in corporations and among the technophiles in the public at large, to today, when it is extremely rare to encounter someone who doesn’t use email on a daily basis.
For the general population, encryption sits on the border today. In its earliest incarnations, it was difficult to use and confusing for the novice user. Over time, it progressed into more user-friendly applications. Currently, some Windows Vista versions have strong encryption built into the operating system. In a couple of years, the question won’t be “Do you encrypt your important files?” but rather “How do you encrypt your important files?”
Often, while a technology is making its final transition into user-friendliness, there is a period where the average user is left in limbo: unable to evaluate the strengths and weaknesses of a product due to unfamiliarity with the technology but also reliant on it. This is where we find ourselves today. As a computer forensics investigator, I have the opportunity to see how users at varying levels of sophistication actually use their computers. Which people use a certain technology? What is their level of sophistication? Was the decision to use this technology made out of some specific need or because it was dictated to them by another party?
Keeping in mind all of that, there are two common problems with encryption that we frequently see in either the forensics or data recovery labs: insecure encryption and too-secure encryption. I’ll explain the latter term below – it’s not as nonsensical as it may seem.
The purpose of encrypting your data is to secure it from unauthorized access. In this regard, you can imagine your encryption is like a safe in the physical world. You choose your level of security based on a number of factors, such as cost, complexity and protection.
To the average user, there are two levels of security: password-protected and not. If a file is password-protected, this user judges the level of protection by the complexity of the password. Microsoft Word offers a commonly-known example. A user can choose to password-protect a Microsoft Word document, locking out certain functions for someone who does not know the password. Depending on the level of security chosen, the unauthorized user may not be able to edit, print or even open and view the document.
What many users do not know is that most versions of Microsoft Office use an encryption scheme that can be circumvented by specialized software, breaking the passwords in a matter of seconds. Even recent versions are vulnerable to a more technical attack, one that is still within the reach of many individuals and all businesses with the will to access the protected file.
This weakness is dangerous because – like the safe in the real world – an encrypted file screams out “There is something valuable in here! I took time out to give this information special protection and it’s worth your while to find out why!” In effect, you are drawing attention to the very data you wanted to protect – and once identified, it is easily accessed by determined users.
The caution here is to ensure that the protection you use will withstand the efforts of those to whom you wish to deny access. A ninety-nine dollar safe will stop most of us from ever being able to access the contents, but it will hardly slow a professional thief down. Thus, if you believe your data is valuable enough to be the target of professionals, the “ninety-nine dollar safe” version of encryption is not enough for you.
You’ve determined that you have valuable data that must be protected against professional and proficient attackers. After consultation with an expert and testing of software, you’ve chosen and implemented a strong encryption scheme. All the computers in all the world working for the rest of your life would not be able to decrypt it. Your data is secure!
This morning, your CFO tells the IT Help Desk of a problem he’s having. One of the earliest adopters of the technology, he was glad to finally be able to prevent unauthorized access to the company books. He regularly changes his passwords and makes them sufficiently complex that they cannot be guessed, using numbers, letters, capitals and punctuation in them and ensuring that they are always longer than 14 characters.
The problem is, he seems to have forgotten the password.
In a moment, encryption has gone from being an asset – securing your data from prying eyes – to an enemy, holding your data for the ransom of one correct password.
In some real-world cases, the encryption used was weak and could be bypassed or otherwise decrypted using many computers ‘brute-forcing’ – trying every possible combination of letters and numbers until the password is found.
In this case, the encryption used is strong – the passwords sufficiently long and complex that guessing them using brute force would take hundreds or even thousands of years. The chances are that your data is lost until some point in the future where computers are drastically more powerful than they are today. Regardless of what conspiracy theorists think, mathematics theorists can show that the amount of processing power required to decrypt today’s strong encryption schemes exceeds the total processing power of all computing devices in the world. This means that even if you have a friend at the NSA, they can’t help you get your QuickBooks back.
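To put numbers on the brute-force comparison above, here is an added example (not part of the original article) that estimates exhaustive-search time for a password. The guess rate of 10^12 per second and both sample passwords are assumptions constructed for illustration.

```python
import string

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Character classes an exhaustive search has to cover (printable ASCII only).
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)          # 26 + 26 + 10 + 32

def alphabet_size(password):
    """Size of the smallest class-based alphabet containing every character."""
    return sum(len(chars) for chars in CLASSES
               if any(c in chars for c in password))

def keyspace(alphabet, length):
    """Candidates tried when the search works up through every length from
    1 to `length`, since the password length is not known in advance."""
    return sum(alphabet ** n for n in range(1, length + 1))

def years_for(space, guesses_per_second):
    """Average case: the password is found after half the keyspace."""
    return (space / 2) / guesses_per_second / SECONDS_PER_YEAR

def expected_years(password, guesses_per_second):
    space = keyspace(alphabet_size(password), len(password))
    return years_for(space, guesses_per_second)

def min_length(alphabet, guesses_per_second, horizon_years):
    """Shortest length whose expected search time exceeds the horizon."""
    length = 1
    while years_for(keyspace(alphabet, length), guesses_per_second) <= horizon_years:
        length += 1
    return length

# Constructed inputs: an assumed guess rate and two sample passwords.
RATE = 1e12                    # guesses per second (assumption)
WEAK = "sunshine"              # 8 lowercase letters
STRONG = "Fy2008!Books#Q4"     # 15 characters, all four classes (the CFO's policy)

if __name__ == "__main__":
    # Exhaustive search is an upper bound: a dictionary word such as WEAK
    # falls to a wordlist long before the full keyspace is covered.
    print(f"weak:   {expected_years(WEAK, RATE) * SECONDS_PER_YEAR:.2f} seconds")
    print(f"strong: {expected_years(STRONG, RATE):.2e} years")
    print("length needed for 1,000 years at 94 symbols:",
          min_length(94, RATE, 1000))
```

At the assumed rate the eight-letter password lasts a fraction of a second, while the fifteen-character one is out of reach for billions of years, which is why a forgotten strong password cannot be recovered by guessing.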
Encryption can provide you with great peace of mind, knowing that your private data is safe, and it is a valuable addition to your commonly used software.
Selection of software and hardware to protect your data is extremely important. Evaluate your needs and select an encryption scheme that suits you. Be sure that the actual security is on par with the advertised security.
Remember: using strong encryption prevents anyone without the key from accessing the data in our lifetimes – even you!
Look for an explanation of commercially available encryption and a comparison of features in an upcoming post.