Data Scrambling vs. Encryption
The article below is an update to their Townsend Security’s blog post comparing data scrambling and data encryption.
For most organizations, the motivation to encrypt their data is closely tied to various compliance requirements. Such compliance regulations include PCI DSS, HIPAA, HITECH, GDPR, Sarbanes-Oxley (SOX) and a whole host of regional privacy laws. So, if you’re going through the due diligence of database encryption, you want to make sure you get it right – the first time!
A big part of getting it right is using the right encryption tool. There are plenty of tools on the market that claim to do encryption, and perhaps you know a few clever programmers who say they can come up with a nifty little data scrambling algorithm that no-one has ever seen before. But encryption – real encryption – demands that we reach for a higher standard.
The U.S. Department of Commerce publishes the definitive encryption standard on its National Institute of Standard and Technology (NIST) website, and to date, thousands of cryptographic providers have achieved this high standard. As of this post’s publication date, NIST has certified over 5,600 AES encryption implementation.
A fundamental truth of encryption
Cryptographers do not suffer fools lightly. Their science is mathematically based, and their algorithms are both well known and thoroughly vetted. A fundamental truth of cryptography is that real encryption cannot rely on keeping the algorithm secret. Instead, the secret that protects the data is the encryption key, and only the encryption key. Anyone who says otherwise might get a dissertation-length earful on the mathematical correctness of accepted encryption algorithms.
And really, this makes total sense. If everyone used a secret algorithm to encrypt data, then the discovery of that algorithm would put the world’s data at risk. However, if the encryption key is the one-and-only secret that unlocks the data, then a compromised key would only risk data that was encrypted with that particular key. All data encrypted with other keys is still safe. This not only demonstrates the wisdom of strong and open algorithms, but also the fundamental importance of strong key protection.
Another benefit of open algorithms is that they are peer reviewed and extremely well vetted. The AES standard – the de-facto standard for encrypting data at rest – is well known in cryptography and mathematical circles. AES is recognized across the globe as the most effective method for encrypting business data. Its modes of encryption are well known and proven. There is also a strong body of knowledge on correct implementation of the AES standard. From the perspective of a cryptographic (encryption) provider, encryption libraries are not easy to write, but they are known to be solid when implemented according to accepted standards.
Read our eBook
This eBook provides an introduction to encryption, including best practices for IBM i encryption.
Data scrambling tools
Unfortunately, some software providers have taken a different route. For them, AES encryption must have seemed too difficult or cumbersome, so they instead found loopholes or shortcuts to simplify their implementation. Some software providers use untested software, or unique and un-vetted methods of encryption. These data scrambling methods aren’t (and never could be) NIST or FIPS certified. Regrettably, if their customers never ask about certification or independent validation, those providers are unlikely to mention it.
The result is that we see a number of uncertified, and un-vetted cipher methods introduced in the market place. And while it is possible that one or more of these upstart modes could be better than one of the current, standard modes, there is no way to know this because these new modes have not been properly tested and crypto-analyzed. Without testing and peer review, each of these modes is just another premature idea that is statistically more likely to be a bad encryption method than a good one.
Show me the cert!
Many software vendors are beginning to recognize the value of certifications. Some claim certifications they don’t actually have (HINT: PCI does not certify encryption software) and some will use confusing language to infer they have achieved levels of certification they haven’t.
Recently I visited a website that claimed (I’m paraphrasing): Our stuff uses FIPS 140-2 certified algorithms to ensure the highest level of data security.
The NIST AES website displays no record of this company ever having received a certification for any encryption software. Clearly, they recognize the value of certification, but have not yet done the hard work to make it so. And if you don’t attempt to verify their claims, it’s likely that you’ll soon regret it.
The simplest way to verify a vendor who claims to be certified for any type of encryption is to ask a simple question: “Can you show me the cert?” It ought to be available on the web or in paper form for them to show you that this software has passed an independent evaluation. Once you have confirmed they have a cert, then you can dig down deeper to determine whether the software will fit your specific needs. However, if they are claiming a certification that they cannot prove, its best to keep your hand on your wallet and run.
For information on encryption, read this eBook: IBM i Encryption 101