
An Encryption Primer

By Jim Benlein, CISA, CISM, CRISC


Over the past few years, as new products or services have been examined at your credit union, the question of how passwords are secured has probably come up. In most cases, the vendors you were considering responded: “Oh, we encrypt passwords.” That is certainly nice to hear, but it is not quite what is needed in today’s turbulent security environment.

This article briefly discusses encryption terms and concepts and wraps up with a list of questions you can ask your vendors to make sure they’re doing a good job protecting your data.

Encryption Primer

First, what exactly is “encryption”? The National Institute of Standards and Technology defines encryption as “the process of transforming plaintext into ciphertext using a cryptographic algorithm and key.” The table below offers some insight into the parts of this definition.

Plaintext

Data in its readable form, before encryption
• This article is in plaintext

Ciphertext

The output of encryption: data that cannot be read or understood without the key
• Ciphertext looks like gobbledygook, but the original plaintext can be recovered from it by anyone holding the key.

Cryptographic algorithm

A well-defined computational procedure that takes variable inputs, possibly including a cryptographic key, to provide confidentiality, data integrity, authentication and/or non-repudiation (an action cannot later be denied).
• The algorithm is the function/procedure/process/equation used to turn plaintext into ciphertext and, for encryption, back again.

Key (e.g., cryptographic key)

A binary string used as a parameter by a cryptographic algorithm.
• The key is the secret input that, together with the algorithm, determines exactly how plaintext is turned into ciphertext and back. The algorithm itself is normally public; the key is what must be kept secret.

Simple basic encryption then:

  • hides the value of the password;
  • allows the value of the password to be verified;
    • Does what is entered, when run through the algorithm with the same key, match the stored value?
  • relies on the secrecy of the key to protect passwords (a well-designed algorithm is public; keeping it secret adds nothing);
    • Loss of the key exposes every password encrypted with it at once.
  • is reversible (bi-directional) by design.
    • Anyone holding the key can decrypt the stored values directly; anyone without it must guess the key or the password, and how “easy” that is depends on the algorithm, the key length, the computing power available and the determination of the attacker.

While basic encryption has value, it also has weaknesses. Its bi-directional nature means that whoever obtains the key, whether an insider, a stolen backup or an outside attacker, recovers every stored password at once, and guessing attacks against the key are more achievable given sufficient resources, which are more readily available to today’s attackers than a few years ago. To address this weakness, you move from reversible encryption to hashing.

Hashing, in information security lingo, is generally defined as “a process used to create a fixed-length digest or representative value for variable-length data.” Specific to passwords, hashing runs the (plaintext) password through a mathematical function to produce a fixed-length value that represents it.

Unlike encryption, hashing is not encryption at all: it is intended to be “one way.” There is no key that turns the stored hash back into the password, so an attacker cannot decrypt it and must instead guess candidate passwords and hash each one until the result matches the stored value.

While an improvement over reversible encryption, plain password hashing has some weaknesses:

  • If you know the length (e.g., number of characters) of the stored hash value, you can generally guess the hashing algorithm used (32 hexadecimal characters suggests MD5, 40 suggests SHA-1, 64 suggests SHA-256).
  • Knowing the algorithm, and knowing that the hash depends on nothing but the password, an attacker can compute the hash of millions of common passwords once, ahead of time, and keep the results as a table of hash values and their “reversed” plaintext passwords.

Referred to as “lookup” or “rainbow” tables, these files of plaintext and hashed values are standard attacker tools. Combined with cheap computing resources available in the cloud, cyber criminals can fairly easily run a stolen password file through such a table, and the same hardware can brute-force the remaining entries of a fast, general-purpose hash such as MD5 or SHA-256 at a very high rate of guesses per second.

How do you combat this weakness? Add salt to your hash.

“Salting” is the process of combining a random value (the salt) with the password before it is hashed, which changes the calculated (stored) hash value. The salting occurs “behind the scenes” during the hashing process: the salt is generated when the password is set and stored alongside the hash. So while the password chosen, known and entered by the user isn’t changed, the stored password-hash value is. Because each user gets a different salt, two users with the same password produce different stored hashes, and a precomputed table is useless: the attacker would need a separate table for every salt. Salting does not, however, slow down guessing against any single account, which is why purpose-built password hashing functions (bcrypt, scrypt, PBKDF2, Argon2) add a deliberately slow, tunable work factor on top of the salt.
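The three storage schemes discussed above, side by side, as an added example that is not part of the original article: a reversible (“simple”) encryption of the password, an unsalted fast hash, and a per-user salted, deliberately slow hash (PBKDF2 here, from Python’s standard library). For each scheme the code shows what an attacker gets from a stolen password file. The toy stream cipher, the user names, the vendor key, the password list and the iteration count are constructed for the demonstration and are not taken from any real product.

```python
# Added example (not from the article): three ways a vendor might store the
# same password, and what an attacker recovers from a stolen password file.
# The toy cipher, user names, vendor key and password list are constructed.
import hashlib
import hmac
import secrets

# --- Scheme 1: reversible ("simple") encryption ---------------------------
# Toy stream cipher: keystream = SHA-256(key || counter) XORed with the data.
# Reversible by design, so whoever obtains the vendor key recovers every
# password at once. (Illustration only; a real system would use a vetted
# cipher such as AES-GCM, and still should not store passwords this way.)

def _keystream(key: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def encrypt_password(key: bytes, password: str) -> bytes:
    data = password.encode()
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))

def decrypt_password(key: bytes, ciphertext: bytes) -> str:
    stream = _keystream(key, len(ciphertext))
    return bytes(a ^ b for a, b in zip(ciphertext, stream)).decode()

# --- Scheme 2: unsalted fast hash (SHA-256 of the bare password) ----------

def unsalted_hash(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()

def build_lookup_table(candidates) -> dict:
    """Precomputed hash -> plaintext map: the idea behind lookup/rainbow tables."""
    return {unsalted_hash(p): p for p in candidates}

def crack_with_table(stored: dict, table: dict) -> dict:
    """Return {user: password} for every stored hash found in the table."""
    return {user: table[h] for user, h in stored.items() if h in table}

# --- Scheme 3: per-user random salt + slow password hashing (PBKDF2) ------
ITERATIONS = 100_000  # assumed work factor; tune to what your hardware tolerates

def hash_password(password: str, salt=None) -> tuple:
    """Return (salt, digest). A fresh 16-byte salt from the OS CSPRNG is
    drawn whenever one is not supplied, i.e. for every new or changed password."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def verify_password(password: str, salt: bytes, stored_digest: bytes) -> bool:
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored_digest)  # constant-time compare

def demo() -> dict:
    users = {"alice": "password123", "bob": "password123", "carol": "k9!Qz#2vLm"}
    common = ["123456", "password", "password123", "qwerty", "letmein"]
    table = build_lookup_table(common)  # attacker's precomputed table

    # Scheme 1: stolen file + stolen key = every password, including carol's.
    vendor_key = b"constructed-demo-key-not-a-real-one"
    enc_file = {u: encrypt_password(vendor_key, p) for u, p in users.items()}
    recovered_enc = {u: decrypt_password(vendor_key, c) for u, c in enc_file.items()}

    # Scheme 2: stolen file alone; the common passwords fall to the table.
    hash_file = {u: unsalted_hash(p) for u, p in users.items()}
    recovered_hash = crack_with_table(hash_file, table)

    # Scheme 3: stolen file alone; the table matches nothing, and equal
    # passwords no longer produce equal stored values.
    salted_file = {u: hash_password(p) for u, p in users.items()}
    salted_hex = {u: d.hex() for u, (s, d) in salted_file.items()}
    recovered_salted = crack_with_table(salted_hex, table)

    return {
        "encrypted_recovered": recovered_enc,
        "unsalted_recovered": recovered_hash,
        "salted_recovered": recovered_salted,
        "same_password_same_hash_unsalted": hash_file["alice"] == hash_file["bob"],
        "same_password_same_hash_salted": salted_file["alice"][1] == salted_file["bob"][1],
        "alice_login_ok": verify_password("password123", *salted_file["alice"]),
        "alice_wrong_pw": verify_password("Password123", *salted_file["alice"]),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the script shows the contrast directly: the encrypted file gives up all three passwords once the key is known, the unsalted file gives up the two users with a common password (and reveals that they share it, since their hashes are identical), and the salted PBKDF2 file gives up nothing to the table while still verifying a correct login. The `verify_password` check uses `hmac.compare_digest` so that comparison time does not leak how many leading bytes of a guess matched.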

Questions to Ask Vendors

When you’re talking with third-party vendors, you can use your knowledge of encryption to ask good questions about how they’re managing passwords. The more items you can check off from the following list, the better the protections placed around your passwords. Ask:

  • How are passwords stored?
    • Passwords are not stored in clear text.
    • Passwords cannot be retrieved and provided to users. If a vendor can send you your password, it is stored in clear text or with reversible encryption, not hashed. (Look out for “For your records, this email contains a copy of your username and password. Please keep it secure.”)
    • Passwords are not just “encrypted,” they are “hashed” using a purpose-built, cryptographically secure password hashing function.
  • What password hashing algorithm is used?
    • Unacceptable: MD5 or SHA-1 (both are broken as cryptographic hashes and, like every fast general-purpose hash, are cheap to brute-force)
    • Marginally acceptable: a salted SHA-2 hash (e.g., SHA-256, SHA-384, SHA-512); the salt defeats precomputed tables but does nothing to slow down guessing
    • Preferred: a salted, deliberately slow password hashing function with a tunable work factor, such as bcrypt, scrypt, PBKDF2 or Argon2
  • How are password hash salt values generated?
    • Salt values are unique to each password/user
    • Salt values are changed if the password changes
    • Salt values are created by a cryptographically secure random number generator, not derived from the username, the password or a fixed value

Jim Benlein, CISA, CISM, CRISC, owns KGS Consulting, LLC, Silverdale, Wash., and offers insight on issues involving information technology governance, information security, and technology risk management.
