Cryptography on L7
Why you should secure your users data in order not to lose them.
Since beginning of civilization everything we do like humankind is summarized in transactions, nowadays in digital era practically everything we do are transactions, from receiving emails to financials movements. We want to protect the information from unwanted people in order to doing transactions, and the cypherpunk goal is create secure anonymous transaction systems. We forget the idea is to have knowledge only of that which is directly necessary for doing a transaction.
When we create a new website, IoT, store or app, we only secure channels to send or receive information and that is good. The main problem is when we start to store those data. Data bases give you the ability to remember your customers data, for example: name, address, preferences, passport id and so on. Here he have a problem your customers don’t mind their privacy, because you are trusted, in other words: your customers trust you to store their data, your customers expect you to protect their data and make good use of it. let me say an analogy:
You go to the bank and you want to check your last movements:
- Bank: Sir, let me remember you when you enter in that room noone won’t be able to listen anything… few seconds later. Could you me your password to continue? please.
- You: My password is XXXXXXXX
- Bank: Your password is correct, let me show you your last movements.
- After a while….
- You: Thank you so much, bye.
What you don’t know: the bank didn’t tell you your data is unprotected. It means if some employee wants to read your information, he will be able to do it. He just need to say “I’ll have to stayed awake for a long while, because I need to check some files”
Ask yourself: is my data protected? should I trust the bank to store my data? or my data can be more secure inside my safe?
That is the sad reality with our internet services (not all, but a lot of them). We just secure channel not data store. OSI model is conceptual model for communications and basically it gives you standards to communicate with any system.
On OSI model we secure our data like this:
Let me explain this picture, on L7 is what we know what internet is, here we can find facebook, google, twitter, tinder and so on. On L4 is the channel which let us communicate with internet services with security. We see lacking of cohesiveness and coherence between L4 and L7 in security (cryptography). Not all the problems apply between 2 layers, each layer has its own problems and challenges to resolve in security matter. L4 gives security only on this layer, the problem comes because we want to extrapolate this feature to L7, it doesn’t work. An equivalent analogy for this is: I don’t paint inside my house because outside the house is already painted. And here comes the big problem “data breaches”. We are talking about when the information is stolen. when your customer suffers identity theft, you will not be trusted anymore and that is not funny not for you nor for them. Basically your customers will feel betrayed and you will not be able to face that feeling. I repeat you you won’t trusted anymore.
Monday in the morning, you go to the bank:
- Bank: Good morning Sir, How can I help you?
- You: I need to check my last movements.
- Bank: Sorry Sir, it can’t be possible, because on weekend some thieves entered the facilities. But don’t worry Sir, they didn’t steal anything, your money is safe.
- You: So?
- Bank: Well, actually they xerox all the bank’s documents, including yours, but i repeat you, don’t worry , we keep the originals documents.
Oh my god !!! the thieves have all your information
Ask yourself: What do i do?,
What I do: as soon as possible I cancel my account.
According to Gemalto we have these highlights:
On 2017 (source):
- 7,125,940 compromised records every day
- 2,96914 compromised records every hour
- 4,949 compromised records every minute
- 82 compromised records every second
On first half 2018 (source):
- 25,155,650 compromised every day
- 1,048,152 compromised records every hour
- 17,469 compromised records every minute
- 291 compromised records every second
We need to understand these highlights:
- Five of the top six companies in the world by market valuation are data companies.
- The impact of data breach
- The data is the most valuable
So, What is data value?
According to data4sdgs with their article What Do We Know About the Value of Data?, they give us this approach for data value:
- Cost-based approaches — Value is determined based on the cost to produce the data.
- Market-based approaches — Value is determined based on the market price of equivalent products or users’ willingness to pay.
- Income-based approaches — Value is defined by estimating the future cash flows that can be derived from the data.
- Benefit monetization approaches — Value is estimated by defining the benefits of particular data products, such as a census, and then monetizing the benefits.
- Impact-based approaches — Value is determined by assessing the causal effect of data availability on economic and social outcomes, or the costs in terms of inefficiencies or poor policy decisions due to limited or poor-quality data.
How could you solve it nowadays?
Let’s see some tools to protect your data:
- Veracrypt, it gives you disk encryption, you need to put all your database files here, it is especially useful if someone steals your hard drives.
- Node.js, it gives you a lot packages to encrypt, you encrypt and decrypt data on the fly, it it is especially useful if someone try to hack your systems.
- Coherence, It is a cryptographic server that helps you to create your own cryptographic protocols for modern web apps to protect data.
- Appliances (HSM vendors: Thales, Utimaco, Gemalto). it gives you all you need to protect your data. It offers certified protection.
- Acra, database security suite for sensitive and personal data protection. it gives you all you need to protect your data, too.
- Enveil, data security company, it offers cryptography solutions for analytics (data in use).
- Others: vaultproject, sqlcipher.
It depends on your needs, remember each one is good for its own approach. The best answer I can give you is: test all of them by your own. A simple guide could be:
- If you need physical security then Veracrypt.
- if your platform is mobile then Sqlcipher.
- If you platform is server then Acra.
- If you need flexibility then Coherence.
- If you need to protect passwords then Vault.
- If you need protection for data in use then Enveil.
- If you need a solution for a compliance then HSM vendors.
- Veracrypt does not give you row or column encryption. Not nice when you need row encryption.
- Node.js gives you a lot of cryptographic libs. Which one?
- HSMs are expensive. Not nice when you do not have money
- Acra only works on Mysql and Postgresql. Not nice when you need mongodb encryption.
- Sqlcipher is just for mobile apps.
- Coherence you need to add your own code.
- Vault only stores passwords. Not nice when you need database encryption.
Why the problem persist?
The technology to solve this problem has not been adopted because is not accessible either by price, lack of features, lack of knowledge or by complex integration.
Lack of knowledge
This is the main problem, the sad reality is the people doesn’t understand cryptography so they aren’t able to implement the algorithms.
With node.js we have a very good example because you have a lot of cryptographic libs but it doesn’t have a standard API, and the problem becomes bigger when you use different languages.
Although the HSM ar expensive you only need one when you are on a compliance like PCI.
Lack of features
This is only for whose really understand cryptography and they need some specific features to implement, but these features aren’t available.
Privacy needs authenticity, confidentiality, integrity and anonymity but not only on L4 but too on L7.
The main problem to suffer data breaches is developers don’t care about it because of lack of knowledge, developers need more resources to implement cryptography inside their work. For me with Veracrypt and Coherence is enough I have security and flexibility to implement my own security layer for my own needs, It is open source solution, It is a cheap solution and I don’t need compliance,