In article 21(h) the EU’s NIS2 directive underscores the importance of cryptography and encryption. They are, after all, essential parts of robust data protection measures. But what exactly are they? In this blog, we explore cryptography, encryption, and the relationship between data security, cryptography, and network security, as well as future challenges and solutions.
What Are Cryptography and Encryption?
Cryptography is a method of protecting information and communications by obfuscating or encoding data. The use of codes and algorithms ensures that only the sender and intended recipient of the information can read it. This way information can be transmitted securely between two parties. Unauthorized third parties who might intercept the message, won’t be able to access it. There are various techniques involved in securing data like encryption, decryption, hashing, digital signatures, and more.
Cryptography plays a crucial role in applications like secure communication over the internet, data protection in storage systems, authentication mechanisms in computer networks, and electronic transactions. The main goals of cryptography are:
- Confidentiality: Ensuring that information can only be accessed by the people for whom it is intended. Encryption converts the data into an unreadable format (ciphertext) using an algorithm and a key. Only those that have the key to break the code can render it into a readable format again.
- Integrity: Ensuring that the information can’t be modified during transmission or storage. The information must reach the receiver without any additions or changes. Here, hash functions can generate fixed-size “hash codes” or “digests” from data. These can be used to verify the integrity of the data.
- Authentication: Allowing sender and receiver to confirm each other’s identity. Techniques such as digital signatures allow a sender to digitally sign a message. This provides assurance to the receiver of the message’s origin and authenticity.
- Non-repudiation: Preventing a sender from denying that they sent a message. Digital signatures can also provide non-repudiation. Once the sender has signed the message they cannot deny that they did so.
Cryptography and Encryption
The NIS2 Directive explicitly mentions encryption in the same section as cryptography. We’ve already established that encryption is a fundamental component of cryptography. In the context of data protection and cybersecurity, it warrants its own considerations.
Put plainly, encryption is the process of converting plaintext (unencrypted data) into ciphertext (encrypted data) using an algorithm and a key. This renders the original data unreadable to anyone who doesn’t have the appropriate decryption key. This ensures the confidentiality of a message or transmission. It guarantees that only authorized parties can access and understand the encrypted information.
In the context of cryptography, encryption facilitates secure communication and data protection. It safeguards sensitive information from unauthorized access, interception, and disclosure.
What About End-to-End Encryption
Most people are familiar with end-to-end encryption (E2EE) because of its extensive use in mobile communication. Like many other forms of encryption, it is a method of secure communication that is meant to prevent third parties from accessing data or information while it is being transferred from one system to another.
In E2EE the data is encrypted on the sender’s system and can only be decrypted by the recipient. This provides a high level of security and privacy for communication and data exchange. It ensures that sensitive information remains confidential and protected from unauthorized access throughout the entire transmission process.
It is a common form of encryption used in messaging applications, email services, and file-sharing platforms. This has often led to controversy, as it also means that providers won’t be able to share user information with authorities. This makes it harder to intercept private messaging from suspects involved in illegal activities.
What Role Does Cryptography Play in IT Security?
Cryptography is important for various reasons. It helps to maintain trust, privacy, and security in the digital age. As we continue to rely more and more on digital transactions, the need for cryptography grows. Massive amounts of sensitive data are being transmitted every day and need to be protected. It creates an extra layer of confidentiality and security, by enabling secure communication and protecting sensitive information, critical systems, and infrastructure against various cyber threats.
Cryptography protects sensitive data like personal information, financial data, and even classified government intelligence. It plays a vital role in communication on all levels ranging from personal privacy to safeguarding national security interests. It also ensures that this data remains intact and unaltered and can only be accessed by the parties involved in the communication.
Implementing reliable policies and procedures regarding the use of cryptography within your organization helps provide a framework for implementing cryptographic controls effectively and managing cryptographic assets responsibly. It creates a secure and compliant environment for handling sensitive data, protecting against security threats, and maintaining the trust of customers, partners, and stakeholders.
The Different Types of Cryptography
As we established above, Cryptography covers a wide range of different processes. There are a couple of different types of cryptography. They can be classified based on various criteria like the techniques and keys used and the purpose. They have varying levels of security, depending on the type of information being transmitted.
Symmetric Key Cryptography
Also known as secret-key cryptography, symmetric key cryptography uses the same key for both encryption and decryption. It is a simple form of cryptography that is fast and efficient and ideal for encrypting large amounts of data. Examples of symmetric encryption algorithms are AES (Advanced Encryption Standard) and DES (Data Encryption Standard. The difficulty in this model is to find a way to securely share the key between the sender and receiver.
Asymmetric Cryptography
Also called public-key cryptography, asymmetric cryptography uses two different keys: a public key for encryption and a private key for decryption. It’s a more secure type of cryptography since only the receiver has the private key needed for decryption. commonly used for secure key exchange, digital signatures, and secure communication over insecure channels. Examples include RSA (Rivest-Shamir-Adleman), E2EE (end-to-end encryption), and ECC (Elliptic-curve Cryptography).
Hash Functions
Hash functions are a type of cryptographic algorithms that don’t use a key. These functions produce a “hash value” or “digest” – a fixed-size string of bytes that is used as a unique data identifier– based on the length of a plain-text input or “message”. This makes it impossible to recover the contents of the plain text. They are often used for data integrity verification, protecting passwords, and digital signatures. Examples include SHA-256 (Secure Hash Algorithm 256-bit) and MD5 (Message Digest Algorithm 5).
The Risk of Cryptographic Attacks
As we can tell from everything described above, the effectiveness of encryption is highly dependent on the keys involved. Many attacks on encrypted data are therefore aimed at the keys. If your keys are compromised, an attacker will be able to crack the code and access your protected data.
Most issues arise from weak keys, incorrectly used keys, the same key being reused for different purposes, not changing keys when they are out of date, or not storing your keys carefully. Issues can also arise from insider attacks, forgetting to make a backup of your keys, are simply recording them incorrectly.
You can minimize this threat to your cryptography strategy by investing in an electronic key management system to generate, manage and protect your keys. More in general, make sure to:,
- Regularly update the cryptographic algorithms and protocols, so they don’t become outdated.
- Ensure that all your sensitive data is properly encrypted.
- Use strong and unique keys.
- Store your keys in a secure location and regularly create backups.
- Test your system for vulnerabilities.
- Educate your employees on cryptography, proper key management, and the possibility of cryptographic attacks.
Post-Quantum Cryptography: The Future of Cryptography
In recent years, concerns have been rising about attackers bypassing cryptography. While some of these are due to weak keys or the improper use of keys, one serious concern is the processing power of quantum computing. For now, quantum computers are still in the early stages of development. However, once they become available for practical use, they will be able to break most of the world’s widely used cryptographic methods.
To stay ahead of this problem, the race to find a form of post-quantum encryption is already on. Before quantum computers can break out of the laboratory environments where they are currently being used, a standard of encryption must be found that can stand up against quantum processing power. The National Institute of Standards and Technology (NIST) is already taking submissions for algorithms to replace the current encryption standards.
While NIST works on finding a new standard for encryption, organizations can already start preparing. Take inventory of all applications in your environment that rely on cryptography. That way, you will be able to take action quickly once a standard for quantum-resistant cryptography has been found and approved.
Track Your BitLocker Encryption with Lansweeper
To counteract the threat of data theft, Windows systems have their own built-in encryption feature, BitLocker. It encrypts entire disk volumes in order to protect data from unauthorized access especially on lost, stolen, or inappropriately decommissioned devices. It encrypts the entire contents of a disk volume, including the operating system, system files, and user data.
Since Lansweeper hooks directly into your Windows Active Directory to retrieve asset data from AD computers, it can also retrieve your BitLocker status and recovery keys. That way you don’t need to go rooting through your AD next time you them. Pre-made reports will help you find your keys quickly and let you check up on the status of your encryptable volumes, so you can be sure that your data is properly secured.
Navigating NIS2 with Lansweeper
Learn how to prepare and navigate the complex terrain of NIS2 compliance.
GET STARTED
