Ever wonder how encryption actually works? Experts, Ed Pullin and Judy Furlong, provided an encryption primer to hundreds of attendees at our SNIA NSF webcast Storage Networking Security: Encryption 101. If you missed it, It’s now available on-demand. We promised during the live event to post answers to the questions we received. Here they are:
Q. When using asymmetric keys, how often do the keys need to be changed?
A. How often asymmetric (and symmetric) keys need to be changed is driven by the purpose the keys are used for, the security policies of the organization/environment in which they are used and the length of the key material. For example, the CA/Browser Forum has a policy that certificates used for TLS (secure communications) have a validity of no more than two years.
Q. In earlier slides there was a mention that information can only be decrypted via private key (not public key). So, was Bob’s public key retrieved using the public key of signing authority?
A. In asymmetric cryptography the opposite key is needed to reverse the encryption process. So, if you encrypt using Bob’s private key (normally referred to a digital signature) then anyone can use his public key to decrypt. If you use Bob’s public key to encrypt, then his private key should be used to decrypt. Bob’s public key would be contained in the public key certificate that is digitally signed by the CA and can be extracted from the certificate to be used to verify Bob’s signature.
Q. Do you see TCG Opal 2.0 or TCG for Enterprise as requirements for drive encryption? What about the FIPS 140-2 L2 with cryptography validated by 3rd party NIST? As NIST was the key player in selecting AES, their stamp of approval for a FIPS drive seems to be the best way to prove that the cryptographic methods of a specific drive are properly implemented.
A. Yes, the TCG Opal 2.0 and TCG for Enterprise standards are generally recognized in the industry for self-encrypting drives (SEDs)/drive level encryption. FIPS 140 cryptographic module validation is a requirement for sale into the U.S. Federal market and is also recognized in other verticals as well. Validation of the algorithm implementation (e.g. AES) is part of the FIPS 140 (Cryptographic Module Validation Program (CMVP)) companion Cryptographic Algorithm Validation Program (CAVP).
Q. Can you explain Constructive Key Management (CKM) that allows different keys given to different parties in order to allow levels of credentialed access to components of a single encrypted object?
A. Based on the available descriptions of CKM, this approach is using a combination of key derivation and key splitting techniques. Both of these concepts will be covered in the upcoming Key Management 101 webinar. An overview of CKM can be found in this Computer World article (box at the top right).
Q. Could you comment on Zero Knowledge Proofs and Digital Verifiable Credentials based on Decentralized IDs (DIDs)?
A.
A Zero Knowledge Proof is a cryptographic-based method for being able to prove
you know something without revealing what it is. This is a field of
cryptography that has emerged in the past few decades and has only more
recently transitioned from a theoretical research to a practical implementation
phase with crypto currencies/blockchain and multi-party computation (privacy
preservation).
Decentralized IDs (DIDs) is an authentication approach which leverages
blockchain/decentralized ledger technology. Blockchain/decentralized ledgers
employ cryptographic techniques and is an example of applying cryptography and
uses several of the underlying cryptographic algorithms described in this 101
webinar.
Q. Is Ed saying every block should be encrypted with a different key?
A. No. we believe the confusion was over the key transformation portion of Ed’s diagram. In the AES Algorithm a key transformation occurs that uses the initial key as input, and provides the AES rounds their own key. This Key expansion is part of the AES Algorithm itself and is known as the Key Schedule.
Q. Where can I learn more about storage security?
A. Remember this Encryption 101 webcast was part of the SNIA Networking Storage Forum’s Storage Networking Security Webcast Series. You can keep up with additional installments here and by following us on Twitter @SNIANSF.