A possible answer to this question is if you were using a weak encryption standard. If you were to use something like DES which is quite old there is a good chance a hacker would be able to figure out the encryption. Des was many years ago and doesn’t stand up to modern computing power. this is why its important to keep up with encryption standards to keep your data confidential.
With the rapid rise in VoIP, what cryptographic solutions can be designed to protect the unprotected voice calls which will be routed on unprotected public networks?
Hi Akshay, Good question and interesting. I did not have no idea about this and want to know the answer also. So, I researched about this topic and found some information. There are two ways for VoIP encryption
– SIP Signalling Encryption using Transport Layer Security (TLS)
– SRTP (Secure Real-Time Transport Protocol)
These two ways of encryption can enhance integrity and authentication aspects.
Source: https://www.taraspan.com/blog/voip-encryption/
Yes, I think the decryption method is highly confidential data. When the decryption method is cracked, the security of the encrypted information cannot be guaranteed.
Cipher doesn’t need to be kept secret, as if the method is mature enough, even if the attacker has the cipher, the decryption without a key will still take a long enough time to make the secret protected.
Hi Christopher,
Key length must be large enough that a brute-force attack is impossible. Today, computational power determines whether breaking an encrypted text is possible or not for an attacker. So, the level of achievement of security changes over years as computational power increases. Hence, if a key length becomes vulnerable over years, key size is increased.
Which reliable method can an organization use to exchange the secret keys or send information outside its network without compromising with its security or authenticity?
Hi Innocent,
Key exchange is a method in cryptography allowing key exchange between two parties. Key exchanging method depends on the encryption technique that is used. For example, If the cipher is a symmetric key cipher, both sender and receiver will need a copy of the same key. On the other hand, if asymmetric encryption or public-key cryptography is used, a message encrypted using a private key can be decrypted using a public key.
In the UK, the Regulation of Investigatory Powers Act (RIPA) can send you to prison for refusing to surrender your encryption keys. What type of encryption technique can be used so that the owner is seemingly unable to decrypt the data?
Hi Sarah,
If confidentiality of the data sent is the most important, “Secure Message format” can be used. The sender encrypts the file with the receiver’s public key. It provides confidentiality of the file because encrypted file can only be decrypted by the person who has the corresponding private key. Symmetric key algorithms provide confidentiality but not authenticity or nonrepudiation. If the authenticity is the concern, in this case, asymmetric cryptography might be used.
Hi Junjie, Good question. I think there are many ways which hackers can compromise encrypted information and it can affect to confidentiality and integrity. I think the main important cause comes from lacking of policy and procedures about encryption management to secure data. Without establishing proper policy and procedure, there is no guideline to follow and it still leaves many vulnerabilities. In addition, I additionally found a interesting topic about Cryptographic Vulnerability from OWASP. See more details here >> https://wiki.owasp.org/index.php/Category:Cryptographic_Vulnerability.
I would say it depends on the situation and resources – gap analysis seems like it would be best for a system that has a number of common controls, while requirements definition might be better when there aren’t as many common controls.
How can we leverage the cryptographic methods to secure the data, people, and systems within Temple or any organization we work for? (Aside from the simple password)
How to balance cost and effectiveness when choosing the encryption method between all kinds of methods based on their performance requirements and encryption level?
Is it possible that hackers can compromise data or system via encryption key? How?
A possible answer to this question is if you were using a weak encryption standard. If you were to use something like DES which is quite old there is a good chance a hacker would be able to figure out the encryption. Des was many years ago and doesn’t stand up to modern computing power. this is why its important to keep up with encryption standards to keep your data confidential.
Which security standard does NIST SP 800-53 define for guidance on managing information security risk at three distinct tiers?
With the rapid rise in VoIP, what cryptographic solutions can be designed to protect the unprotected voice calls which will be routed on unprotected public networks?
Hi Akshay, Good question and interesting. I did not have no idea about this and want to know the answer also. So, I researched about this topic and found some information. There are two ways for VoIP encryption
– SIP Signalling Encryption using Transport Layer Security (TLS)
– SRTP (Secure Real-Time Transport Protocol)
These two ways of encryption can enhance integrity and authentication aspects.
Source: https://www.taraspan.com/blog/voip-encryption/
Boyle and Panko mention that the key must be kept secret. However, do you believe the cipher should also be kept secret?
Yes, I think the decryption method is highly confidential data. When the decryption method is cracked, the security of the encrypted information cannot be guaranteed.
Cipher doesn’t need to be kept secret, as if the method is mature enough, even if the attacker has the cipher, the decryption without a key will still take a long enough time to make the secret protected.
How do you decide the bit length of encryption keys for systems?
Hi Christopher,
Key length must be large enough that a brute-force attack is impossible. Today, computational power determines whether breaking an encrypted text is possible or not for an attacker. So, the level of achievement of security changes over years as computational power increases. Hence, if a key length becomes vulnerable over years, key size is increased.
Is it possible for a hacker to use malware in order to break through an encryption key?
Hi Natalie, I researched about your question and yes, it is possible for attackers to use malware through encryption key in order to break into the system. It’s known as the threat : Encrypted Malware in SSL. Hackers implement fake SSL certification via phishing websites. In this way, if victims click the link, hackers can an embed their malware into the encrypted traffic and try to bypass any firewall system.
Here are some sources that I found related to this topic;
https://www.eurodns.com/blog/encrypted-malware-evades-ssl-detection
https://www.thesslstore.com/blog/a-sneaky-online-security-threat-encrypted-malware-in-ssl/
https://www.pandasecurity.com/mediacenter/malware/encrypted-malware-facilitated-gdpr/
Which reliable method can an organization use to exchange the secret keys or send information outside its network without compromising with its security or authenticity?
Hi Innocent,
Key exchange is a method in cryptography allowing key exchange between two parties. Key exchanging method depends on the encryption technique that is used. For example, If the cipher is a symmetric key cipher, both sender and receiver will need a copy of the same key. On the other hand, if asymmetric encryption or public-key cryptography is used, a message encrypted using a private key can be decrypted using a public key.
In the UK, the Regulation of Investigatory Powers Act (RIPA) can send you to prison for refusing to surrender your encryption keys. What type of encryption technique can be used so that the owner is seemingly unable to decrypt the data?
Hi Sarah,
If confidentiality of the data sent is the most important, “Secure Message format” can be used. The sender encrypts the file with the receiver’s public key. It provides confidentiality of the file because encrypted file can only be decrypted by the person who has the corresponding private key. Symmetric key algorithms provide confidentiality but not authenticity or nonrepudiation. If the authenticity is the concern, in this case, asymmetric cryptography might be used.
What are the main causes of encrypted information being compromised in the world today?
Hi Junjie, Good question. I think there are many ways which hackers can compromise encrypted information and it can affect to confidentiality and integrity. I think the main important cause comes from lacking of policy and procedures about encryption management to secure data. Without establishing proper policy and procedure, there is no guideline to follow and it still leaves many vulnerabilities. In addition, I additionally found a interesting topic about Cryptographic Vulnerability from OWASP. See more details here >> https://wiki.owasp.org/index.php/Category:Cryptographic_Vulnerability.
Open SSL can be used to create a public and private key. There should be a means to use it easily and conveniently enough to be adopted by everyone.
Which approach to improving controls do you prefer, as an auditor? The Gap Analysis approach or the Requirements Definition approach?
I would say it depends on the situation and resources – gap analysis seems like it would be best for a system that has a number of common controls, while requirements definition might be better when there aren’t as many common controls.
How can we leverage the cryptographic methods to secure the data, people, and systems within Temple or any organization we work for? (Aside from the simple password)
How to balance cost and effectiveness when choosing the encryption method between all kinds of methods based on their performance requirements and encryption level?
When would you most consider encryption, in transit or at rest?