Data Encryption Standards
Previously, I’ve discussed the security issues of cloud computing. Nowadays, data at rest is not as secure as data in transit or data in use. To secure and protect data at rest in the cloud, data encryption (cryptography) has been introduced to cloud computing. However, encrypting data at rest in the cloud faces many challenges. One of them is the standard of data encryption. Many data encryption standards have been created by different countries and organizations, such as the Data Encryption Standard (DES), Rijndael, the GOST block cipher, Skipjack, Triple DES, and MARS. Among these standards, DES has been highly influential in the advancement of modern cryptography. In this blog, I am going to explore various aspects of DES.
DES, a symmetric-key algorithm for the encryption of electronic data, originated in the early 1970s at the US standards body, the National Bureau of Standards (NBS), now named the National Institute of Standards and Technology (NIST). In 1973, IBM submitted a variant of Lucifer, which was designed by Horst Feistel. NBS later adopted DES as a federal standard in 1976, and DES was improved and variants were derived from it during the 1980s and 1990s. However, DES was broken by exhaustive search in 1997. In 2000, NIST adopted Rijndael as the Advanced Encryption Standard (AES) to replace DES.
The algorithm is the most fascinating part of DES; however, it is quite complicated and not relevant to the “Global Intersection”. If you find it interesting, you may read my other blog.
Strength and Weakness:
The nature of the algorithm and its many sets of complicated permutations make DES highly secure. Cryptanalysts can attempt cryptanalysis by exploiting the characteristics of the DES algorithm, but no one has succeeded in finding a weakness (DES weakness and strength, n.d.).
On the other hand, the key is one of the weaknesses of DES. Regardless of the particular key used, critics believe that a brute-force attack on the ciphertext is possible. For instance, the original key is 56-bit binary data, which gives 2^56 possibilities, approximately 7.2 × 10^16 keys (CSE Department, n.d.). With today’s technology, at least one million keys can be checked per second. This means that a computer with one processor needs more than two thousand years to break the 56-bit key (Forouzan and Mukhopadhyay, 2010). If a computer with one million chips works in parallel, it takes only approximately 20 hours to break the 56-bit key. In addition, parallel processing can be simulated over computer networks. Thus, it is possible to decrypt the encrypted data even without the original key.
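The key-length arithmetic above, carried through as an added example that is not part of the original post. It reuses the post's figure of one million keys per second per processor and generalizes to other key lengths; the function names, the 365-day year, and the 112-bit and 128-bit comparison sizes are assumptions made for illustration.

```python
# Added example (not from the original post): exhaustive key-search time
# for a k-bit key, with the post's figures as defaults.
SECONDS_PER_YEAR = 365 * 24 * 3600  # assumption: 365-day year
POST_RATE = 10**6  # keys checked per second per processor (figure from the post)


def search_seconds(key_bits, keys_per_second=POST_RATE, processors=1, expected=False):
    """Seconds to try every key (worst case), or half of them (expected case)."""
    keyspace = 1 << key_bits
    if expected:
        keyspace //= 2  # on average the key is found halfway through the search
    return keyspace / (keys_per_second * processors)


def humanize(seconds):
    """Render a duration in the largest unit that gives a value >= 1."""
    for name, size in (("years", SECONDS_PER_YEAR), ("days", 86400), ("hours", 3600)):
        if seconds >= size:
            value = seconds / size
            shown = f"{value:.3g}" if value >= 1e6 else f"{value:.1f}"
            return f"{shown} {name}"
    return f"{seconds:.1f} seconds"


def min_key_bits(years, keys_per_second=POST_RATE, processors=1):
    """Smallest key length whose worst-case search lasts at least `years`."""
    target_keys = years * SECONDS_PER_YEAR * keys_per_second * processors
    bits = 1
    while (1 << bits) < target_keys:
        bits += 1
    return bits


if __name__ == "__main__":
    # 56 is the DES key size; 112 and 128 are assumed comparison sizes.
    for bits in (56, 112, 128):
        single = humanize(search_seconds(bits))
        parallel = humanize(search_seconds(bits, processors=10**6))
        print(f"{bits:>3}-bit key: 1 processor {single}; 10^6 processors {parallel}")
    print("bits needed to last 1000 years against 10^6 processors:",
          min_key_bits(1000, processors=10**6))
```

Each extra key bit doubles the search time, which is why the same hardware that exhausts a 56-bit keyspace in hours makes no practical progress against much longer keys.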
Kapoor et al. (2012) argued that DES was not initially designed for software. Hardware implementations of DES are much faster than software implementations. Also, DES is a symmetric encryption technique and has only one private key, which is used for encryption as well as for decryption. If the key needed to decrypt the data is lost, there is no way to get the readable data at the receiving end.
Regulation and Control:
DES is well known and widely used within many organizations and universities; however, DES is only a basic form of encryption. For newly derived and developed encryption, many countries and organizations have strict rules and controls on exporting it to other countries and organizations. For instance, US non-military encryption exports are controlled by the Export Administration Regulations (EAR), whereas military exports are controlled by the Department of State. The US government takes export restrictions on encryption very seriously. The EAR purport to apply to all people, anywhere on earth. Gordon (2014) illustrated that “any encryption was developed in the US, incorporates technology developed in the US, or is transshipped through the US to be US-origin. Violations can come with criminal penalties that can reach $1,000,000 and 20 years in prison.” In particular, it applies to the US or to a US citizen, a permanent resident, or anyone who otherwise has important ties to the US.
A company has been fined by the US government for exporting crypto software without a license (Schneier, 2014). In another example, the US government imposed a $750,000 fine on an Intel subsidiary for exporting encryption to China, Russia, Israel and other countries (Leyden, 2014). For tech companies, export restrictions create a huge competitive disadvantage when offering products and services worldwide. Even when encryption is published or disseminated online as “open source”, the EAR has very strict rules on it (Department of Commerce, 2000).
Also, in Russia, illegal activity related to information security is considered a serious offense (Lukatsky, 2011). For instance, for performing activities without registration, violating registration rules, or submitting false facts to the licensing agency, if this caused damage to citizens, organizations, or the state, the penalty is up to RUB 300000, compulsory labor of up to 240 hours, or detention of up to 6 months; for transferring goods in large quantities across the customs border by bypassing customs, without a declaration or with a false one, RUB 300000 or imprisonment for up to 5 years are the minimum fines.
In China, the regulations and controls are quite similar to those of other countries. Some of the rules are even stricter, which could pose headaches for many US vendors of products such as firewalls, routers, database security tools and network intrusion detection products (Vijayan, 2010). The Chinese government will require vendors to disclose details of the encryption used in their products so that the products can first be tested and certified by China’s Certification and Accreditation Administration (CNCA), then sold to government agencies and eventually into the consumer market.
Usage and Future:
DES has been highly influential on the ciphers that came after it. As a result, DES evolved into Triple DES and AES, whereas some other countries and organizations developed their own security algorithms that are actually based on the concept of DES, such as the GOST block cipher, a Russian government standard.
CISCO (2015) refers to different types of data encryption as Next Generation Encryption (NGE). It also mentions that many cryptographers from around the world, including Japan, Canada, and the US, have made fundamental contributions to NGE, which means that NGE is composed of globally created, globally reviewed and publicly available algorithms. In this sense, more and more businesses will use NGE as their primary protection scheme even though regulations and restrictions exist.
Dunkelberger (n.d.) indicated that several markets will shape the future of data encryption and the applications that embody it, such as email privacy, e-commerce, banking, communications appliances, and enterprise storage solutions, because these markets are close to consumers’ private information.
The future of encryption is more advanced than ever before. Demand for the control and protection of corporate information assets and third-party information is increasing dramatically, especially for big data in cloud computing (Soofi et al., 2014). Data confidentiality is at the top of the list of security concerns for cloud computing. Many methods have been introduced to overcome this issue, and encryption is one of them and a widely used method to ensure data confidentiality in the cloud environment.
References:
CISCO. (2015, October). Next generation encryption (NGE). Retrieved from http://www.cisco.com/c/en/us/about/security-center/next-generation-cryptography.html
CSE Department. (n.d.). Cryptography and network security. Kakinada: Jawaharlal Nehru Technological University. Retrieved from http://www.student.apamaravathi.in/meterials/cns/UNIT%202%20CNS_MVR%20College%20of%20Engineering%20and%20technologybyD.Srinivas.pdf
Data Encryption Standard (DES) weakness and strength. (n.d.). Retrieved from http://www.careerride.com/Networking-DES-weakness-and-strength.aspx
Dunkelberger, P. (n.d.). The future of encryption. PGP Group. Retrieved from http://www.ttivanguard.com/austinreconn/encrypt.pdf
Forouzan, B. A., & Mukhopadhyay, D. (2010). Cryptography and network security. Retrieved from http://highered.mheducation.com/sites/dl/free/007070208x/877405/Chapter_06_Data_Encription_Standard.pdf
Gordon, J. (2014, December 4). Encryption, open source and export control. Retrieved from https://www.thoughtworks.com/insights/blog/encryption-open-source-and-export-control
Kapoor, P., Mohan, P., & Kumar, M. (2012, October 23). DES (Data Encryption Standard). Retrieved from http://www.priyaprakharmrigank.blogspot.co.nz
Leyden, J. (2014, October 17). US government fines Intel’s Wind River over crypto exports — new emphasis on encryption as a weapon? Retrieved from http://www.theregister.co.uk/2014/10/17/intel_subsidiary_crypto_export_fine/
Lukatsky, A. (2011, September 12). Regulation of cryptography in Russia. CISCO Systems. Retrieved from http://www.slideshare.net/lukatsky/crypto-regulations-in-russia
Majak, R. R. (2000, January 10). Revised US encryption export control regulations. Washington DC: Department of Commerce. Retrieved from https://epic.org/crypto/export_controls/regs_1_00.html
Schneier, B. (2014, November 14). The return of crypto export controls? Retrieved from https://www.schneier.com/blog/archives/2014/11/the_return_of_c.html
Soofi, A. A., Khan, M. I., & Fazal-e-Amin. (2014). Encryption techniques for cloud data confidentiality. International Journal of Grid Distribution Computing, 7(4), 11–20. Retrieved from http://dx.doi.org/10.14257/ijgdc.2014.7.4.02
Vijayan, J. (2010, April 29). New China encryption rule could pose headaches for US vendors. Computerworld. Retrieved from http://www.computerworld.com/article/2517805/security0/new-china-encryption-rule-could-pose-headaches-for-u-s--vendors.html