There was a time, some years ago, when it was difficult to make a business case for encrypting data in motion. Only the most secure organisations – those where data protection was mandated – were prepared to sacrifice network performance and invest in encryption for the sake of security.
How times have changed. Encryption is no longer a luxury item; it is an essential element of an organisation’s data protection strategy. A range of factors has driven this: the explosion of Cloud and data centre services across the IT landscape; the arrival of Big Data, the Internet of Things and Cloud-based Software as a Service; the increasing threat of cyber-crime; and the evolution of cryptography itself.
Whilst encrypting with IPsec (Layer 3) still adds unnecessary network overhead and reduces network speed and bandwidth, Layer 2 encryption can offer high-assurance data protection without compromising network or application performance.
Not all encryption solutions are the same. They vary widely in their performance and security characteristics. However, there has been a misconception, in the past, that all encryption is an unwieldy, blunt instrument: one that offers little in the way of compromise and sits heavy, like a leviathan, in the middle of the network, presenting a “take it or leave it” proposition in which the network does all the compromising to accommodate encryption.
The reality is that the best modern encryption solutions are much more agile than some might think. They occupy a barely perceptible presence on the network, are transparent to all other devices, add minimal latency (frequently less than 4µs at higher speeds) and are suitable for networks of all shapes and sizes, from modest 10Mbps to ultra-fast 100Gbps speeds.
Agility is about more than simple performance statistics; it comes from compatibility and interoperability, from FPGA-based flexibility and from the ability to support custom cryptographic elements. It even enables a choice of encryption algorithms and standards.
What does that agility look like? Truly high-assurance encryption solutions are based on standards-based algorithms, typically AES with 128- or 256-bit keys. However, there is nothing that says you must use the manufacturer’s standard algorithms. If you are able to provide your own, and they do not represent a downgrading of the device’s security, you may prefer to use them.
It is worth mentioning that a variety of encryption modes is available, and your chosen encryption platform should offer support for as many of these as possible. That is agility. Examples include CFB (Cipher Feedback) mode, CTR (Counter) mode and GCM (Galois/Counter Mode), an authenticated encryption mode that detects modification of the ciphertext as well as concealing its content.
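The practical difference between the modes named above is integrity: CFB and CTR conceal data but accept any modification silently, whereas GCM rejects a ciphertext that has changed by even one bit. The following Go example, written for this page and not taken from Senetas or any encryptor firmware, selects between the three modes from the standard library and shows that behaviour; the key, IV, mode names and payload are constructed for the demonstration.

```go
package main
import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// Constructed demo key (AES-256) and IV so the example runs offline; a real encryptor
// takes both from its key-management channel. CFB/CTR use all 16 IV bytes, GCM the first 12.
var demoKey, demoIV = bytes.Repeat([]byte{0x42}, 32), bytes.Repeat([]byte{0x01}, 16)

// transform encrypts (enc=true) or decrypts under the named mode; only "gcm" authenticates.
func transform(mode string, enc bool, in []byte) ([]byte, error) {
	block, err := aes.NewCipher(demoKey)
	if err != nil {
		return nil, err
	}
	var s cipher.Stream
	switch {
	case mode == "cfb" && enc:
		s = cipher.NewCFBEncrypter(block, demoIV)
	case mode == "cfb":
		s = cipher.NewCFBDecrypter(block, demoIV)
	case mode == "ctr":
		s = cipher.NewCTR(block, demoIV) // CTR is its own inverse
	case mode == "gcm":
		aead, _ := cipher.NewGCM(block) // cannot fail: AES has the 128-bit block GCM requires
		if enc {
			return aead.Seal(nil, demoIV[:12], in, nil), nil
		}
		return aead.Open(nil, demoIV[:12], in, nil) // fails on any modified bit
	default:
		return nil, fmt.Errorf("unsupported mode %q", mode)
	}
	out := make([]byte, len(in))
	s.XORKeyStream(out, in)
	return out, nil
}

// tamperCheck flips one ciphertext bit and reports whether decryption rejected it, and what it released.
func tamperCheck(mode string, msg []byte) (bool, []byte, error) {
	ct, err := transform(mode, true, msg)
	if err != nil {
		return false, nil, err
	}
	ct[0] ^= 0x80 // simulate one flipped bit on the wire
	pt, err := transform(mode, false, ct)
	return err != nil, pt, nil // GCM: tag mismatch, nothing released; CFB/CTR: wrong plaintext accepted
}
```

Running tamperCheck over all three modes shows CFB and CTR returning a corrupted payload with no error, while GCM returns an error and no plaintext, which is why an agile platform should offer an authenticated mode and not only the classic stream modes.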
Beyond encryption modes, agility should also extend to support for other custom components, such as user-defined curves, external certificate authorities and sources of randomness – what you might call Bring-your-own-Entropy.
Cryptography needs to provide long-term data protection; some data needs to remain safe for 50+ years. This is a particularly important issue in the looming ‘post-quantum’ computing era, when the current limitations on computing power will become a thing of the past and brute-force attacks on encrypted data that would take decades today may take just hours.
Crypto-agility should also include the ability to incorporate quantum key generation and distribution (QKD). This provides even longer-term data protection through provably secure key exchange and an anti-eavesdropping mechanism that ensures forward secrecy of the encryption keys.
About Senetas Encryptors
All Senetas encryptors are ‘crypto-agile’: from encryption modes to 100% interoperability and compatibility, to customisable encryption components and FPGA-based flexibility.
Senetas encryptors support Quantum Key Distribution (Quantum Cryptography) and Quantum Random Number Generation, for even longer-term data security.
Senetas also assists customers with their requirements for custom encryptors, including their own encryption algorithms and standards.
For more information on high-assurance encryption solutions, visit our product pages.