Encryption 101

Encryption 101

·

7 min read

Encryption

Encryption is a process that converts data into a coded form to prevent unauthorized access. It uses algorithms and keys to transform readable data (plaintext) into an unreadable format (ciphertext). Only authorized parties with the correct decryption key can revert the ciphertext back to plaintext.

Encryption at Rest

Encryption at rest refers to encrypting data stored on a disk or other storage media. This protects the data from unauthorized access when it is not being transmitted or actively used. Common use cases include encrypting files on hard drives, databases, or cloud storage.

Benefits:

  • Protects data from physical theft of devices

  • Safeguards against unauthorized access in case of a data breach

  • Ensures compliance with data protection regulations

Encryption in Transit

Encryption in transit protects data as it moves from one location to another, such as over the internet or a private network. It ensures that data remains confidential and integral while being transmitted between clients, servers, and other systems.

Benefits:

  • Prevents eavesdropping and man-in-the-middle attacks

  • Ensures data integrity during transmission

  • Secures sensitive information exchanged over networks


Public & Private Key

Public Key: This key is intended to be shared publicly and is used for encryption. It allows anyone to encrypt a message or data that can only be decrypted by the corresponding private key. When you want to send a secure message to someone, you use their public key to encrypt it. However, even if someone knows your public key, they cannot decrypt messages encrypted with it.

Private Key: This key must be kept secret and is used for decryption. It allows you to decrypt messages or data that have been encrypted with your public key. Since only you should have access to your private key, only you can decrypt messages encrypted with your public key.


Types of Encryption

1. Symmetric Encryption:

  • Uses a single key for both encryption and decryption

  • Faster and more efficient for large data volumes

  • Examples: AES (Advanced Encryption Standard), DES (Data Encryption Standard)

2. Asymmetric Encryption:

  • Uses a pair of keys: a public key for encryption and a private key for decryption

  • Provides strong security for data transmission

  • Examples: RSA (Rivest-Shamir-Adleman), ECC (Elliptic Curve Cryptography)

3. Hybrid Encryption:

  • Combines symmetric and asymmetric encryption

  • Often used in protocols like SSL/TLS where a symmetric key is exchanged using asymmetric encryption


Client & Server Side Encryption

Client-Side Encryption

Client-side encryption involves encrypting data on the client’s side before it is sent to a server or cloud storage. The client retains control of the encryption keys, providing a higher level of security.

Benefits:

  • Data is protected before it leaves the client’s environment

  • Client retains control over encryption keys

  • Reduces the risk of data exposure even if the server is compromised

Challenges:

  • Managing and securing encryption keys can be complex

  • Performance overhead on the client device

Server-Side Encryption

Server-side encryption occurs when data is encrypted after it is sent to the server or storage system. The server handles the encryption and decryption processes, often using managed encryption services provided by cloud providers.

Benefits:

  • Simplifies key management for clients

  • Integrates seamlessly with cloud storage services

  • Provides built-in encryption options with minimal configuration

Challenges:

  • Relies on the server’s security measures

  • Potential exposure if the server is compromised


Digital Signature

A digital signature is a cryptographic technique that ensures the authenticity and integrity of a message, document, or software. It provides a way to verify that a message was created by a known sender (authentication) and that it was not altered in transit (integrity).

Applications: Email verification, software distribution, financial transactions.

How Does it Work?

  1. Hashing: The message or document is processed through a hash function to create a unique fixed-size string of characters, known as the hash value or message digest.

  2. Encryption: The hash value is encrypted using the sender’s private key, creating the digital signature. This private key is part of a public/private key pair used in asymmetric encryption.

  3. Verification: The recipient decrypts the digital signature using the sender’s public key. This produces the original hash value. The recipient also hashes t

    he received the message or document and compares the two hash values. If they match, the message is verified as authentic and unaltered.

Applications: Email verification, software distribution, financial transactions.


Steganography

Steganography is the practice of hiding information within another file, message, image, or video. Unlike encryption, which makes data unreadable without a key, steganography hides the existence of the message itself.

How Does it Work?

  1. Embedding Data: The hidden message is embedded into a carrier medium (e.g., an image, audio, or video file) by slightly altering the least significant bits of the carrier file. These alterations are usually imperceptible to the human eye or ear.

  2. Extraction: The recipient uses a predefined algorithm or key to extract the hidden message from the carrier medium.

Applications: Covert communication, digital watermarking, secure information hiding.

Example: Imagine you have a digital photo with a clear blue sky. You can use steganography software to slightly modify the color values of some pixels in the sky. These changes might be so subtle that they're undetectable to the naked eye, but the software can interpret them as a hidden message. Someone who knows the secret technique and has the right software can then extract the hidden message from the image.

Steganography doesn't necessarily make a message secure. If someone suspects hidden information, they might use steganalysis techniques to try to uncover it.


Envelope Encryption

Envelope encryption is a technique used to improve the performance and security of encrypting large amounts of data. It combines symmetric and asymmetric encryption to efficiently protect data while maintaining strong security.

How Envelope Encryption Works

  1. Data Encryption Key (DEK): A DEK is a symmetric key used to encrypt and decrypt actual data. It can be generated by AWS KMS or by the user and then encrypted using a KEK/CMK. Symmetric encryption is chosen for its speed and efficiency, making it suitable for encrypting large data sets.

  2. Encrypt Data: The data is encrypted using the DEK. This step produces the ciphertext of the data.

  3. Key Encryption Key (KEK): The DEK itself is then encrypted using a different key, called the Key Encryption Key (KEK). KEKs are often asymmetric keys, providing strong security for the DEK.

  4. Store Encrypted DEK: The encrypted DEK (encrypted with the KEK) is stored alongside the encrypted data. This allows the DEK to be retrieved and decrypted only by authorized entities with access to the KEK.

  5. Decryption Process: To decrypt the data, the encrypted DEK is first decrypted using the KEK to obtain the original DEK. The DEK is then used to decrypt the data, returning it to plaintext.


AWS Key Management Service (KMS)

AWS Key Management Service (KMS) is a managed service that makes it easy to create and control cryptographic keys used for encryption across AWS services and applications. KMS integrates with various AWS services to provide seamless encryption and key management.

Key Features:

  • Centralized Key Management: Create, rotate, and manage keys from a central location.

  • Integration: Easily integrates with AWS services like S3, EBS, RDS, Lambda, and more for automatic encryption.

  • Fine-Grained Access Control: Define and enforce policies for key usage and access through AWS Identity and Access Management (IAM).

  • Auditing: Provides detailed logging of all key usage through AWS CloudTrail, helping with compliance and auditing.

  • High Availability: Ensures keys are available and secure, leveraging AWS's robust infrastructure.

Customer Master Key (CMK)

A CMK is a key stored in AWS KMS that is used to encrypt and decrypt data encryption keys (DEKs). It serves as a key encryption key (KEK).


Managing Customer Master Keys (CMKs) in AWS KMS

When using AWS Key Management Service (KMS) to secure your data, you have the option to manage your Customer Master Keys (CMKs) yourself or to let AWS KMS manage them for you. Both approaches come with their own benefits, challenges, and considerations.

AWS-Managed CMKs

AWS KMS provides AWS-managed CMKs, which are automatically created, rotated, and managed by AWS on your behalf. These keys are used by various AWS services to encrypt your data without requiring manual intervention.

  • Pros: Simplified management, seamless integration, cost-effective.

  • Cons: Limited control and customization.

Customer-Managed CMKs

Customer-managed CMKs are created, managed, and controlled by you. You have full control over the key lifecycle, including creation, rotation, and deletion, as well as the policies and permissions associated with the keys.

  • Pros: Full control, customization, compliance support.

  • Cons: Increased complexity, administrative responsibility, higher cost.

Did you find this article valuable?

Support AWS X SUJAN by becoming a sponsor. Any amount is appreciated!