Encryption is the process of transforming data into
an unintelligible form in such a way that the original data either
cannot be obtained or can be obtained only by using a decryption process.
Data that is encrypted is referred to as ciphertext. Data
that is not encrypted is referred to as plaintext. Ciphertext is
considered secret from anyone who does not hold the decryption key,
provided that the algorithm is sound and the key itself is kept secret.
The following kinds of encryption algorithm exist:
- Symmetric encryption algorithm
- A single shared key is used both to encrypt and to decrypt data. The
encryption key and the decryption key are therefore the same key (or
are trivially derived from each other), so every party that holds the
key can both read and produce ciphertext, and the key must be kept secret
by all of them.
- Asymmetric encryption algorithm
- A pair of keys is used: a public key that can be known to everyone
and a private key that is known only to its owner. The two keys are
mathematically related in such a way that data encrypted with the public
key can be decrypted only with the corresponding private key, and the
private key cannot feasibly be derived from the public key.
The following characteristics of encryption create special considerations:
- Security exposures
- Occur when an unauthorized person gains access to both the plaintext
encryption key and the ciphertext; with both, the data can be recovered.
Possession of the ciphertext alone does not expose the data.
- Data loss
- Occurs if all copies of the decryption key are lost. If you lose
the decryption key, you cannot decrypt the associated ciphertext.
The data that is contained in the ciphertext is considered cryptographically
erased. If the only copies of data are cryptographically erased ciphertext,
access to that data is permanently lost.
To preserve the security of encryption keys, many implementation
techniques can be used to ensure the following conditions:
- No one individual has access to all the information that is necessary
to determine an encryption key.
- If only symmetric encryption is used, manage encryption keys so that
the data key that encrypts and decrypts the data is itself encrypted
(wrapped) with a wrapping key, a key whose only purpose is to encrypt and
decrypt data keys. To decrypt ciphertext, the wrapping key is first used
to decrypt the wrapped data key and obtain the plaintext data key; the
plaintext data key is then used to decrypt the ciphertext and obtain the
plaintext. If one unit stores the wrapping keys and a second unit stores
the wrapped data keys, neither unit alone holds enough information to
determine a plaintext data key. Likewise, a person who obtains the
information that is stored on one unit but not the other does not have
enough information to determine the plaintext data key. The unit that
stores the wrapping keys is referred to as a key server, and the unit
that stores or has access to the wrapped data keys is referred to as a
storage device. A key server is a product that works with the encrypting
storage device to resolve most of the security and usability issues that
are associated with key management for encrypted storage. However, even
with a key server, at least one encryption key must still be maintained
manually: the top-level key that protects access to all other encryption
keys, because no further key exists above it to wrap it.
- More than one individual has access to any single piece of information
that is required to determine an encryption key, so that the loss of one
person or one component does not make the key unrecoverable. For
redundancy, you can do the following actions:
- Use multiple independent key servers that have multiple independent
communication paths to the encrypting storage devices, so that the
failure of any one key server or any one network does not prevent
storage devices from obtaining the data keys that are required to
provide access to data.
- Maintain backups of the key material on each key server.
- Keep multiple copies of the wrapped data key.
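The wrapping-key scheme and the crypto-erase behaviour described above, as an added example that is not part of this page or of any vendor's key server product: a minimal key server and storage device in Go, using AES-256-GCM from the standard library both as the data cipher and as the mechanism that wraps the data key. The type and function names (KeyServer, StorageDevice, Wrap, Unwrap, CryptoErase), the AAD label and the sample record are assumptions made for this example. A shipping product would typically use a dedicated key-wrap algorithm and keep the wrapping key inside an HSM; this code keeps it in process memory to show the data flow only.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyServer holds the wrapping key and never sees user data; StorageDevice holds
// ciphertext plus the *wrapped* data key and never holds the wrapping key.
type KeyServer struct{ kek []byte }
type StorageDevice struct{ wrappedKey, ciphertext []byte }

// wrapContext is bound as AAD so a wrapped key can never pass as ordinary data.
var wrapContext = []byte("data-key-wrap-v1")

// randomBytes draws from the OS CSPRNG; a failing CSPRNG is treated as fatal.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// mustGCM builds AES-GCM; every key here is 32 bytes, so an error is a bug.
func mustGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, _ := cipher.NewGCM(block) // AES's 16-byte block is always GCM-compatible
	return aead
}

// seal is AES-256-GCM with a fresh random nonce prefixed to the output.
func seal(key, plaintext, aad []byte) []byte {
	aead := mustGCM(key)
	nonce := randomBytes(aead.NonceSize())
	return aead.Seal(nonce, nonce, plaintext, aad)
}

// open reverses seal; it fails if key, nonce, AAD or ciphertext was altered.
func open(key, sealed, aad []byte) ([]byte, error) {
	aead := mustGCM(key)
	if n := aead.NonceSize(); len(sealed) >= n {
		return aead.Open(nil, sealed[:n], sealed[n:], aad)
	}
	return nil, errors.New("sealed blob too short")
}

// Wrap encrypts a data key under the wrapping key for storage at rest.
func (ks *KeyServer) Wrap(dataKey []byte) ([]byte, error) {
	if ks.kek == nil {
		return nil, errors.New("wrapping key has been erased")
	}
	return seal(ks.kek, dataKey, wrapContext), nil
}

// Unwrap returns the plaintext data key; it exists only in the caller's memory.
func (ks *KeyServer) Unwrap(wrapped []byte) ([]byte, error) {
	if ks.kek == nil {
		return nil, errors.New("wrapping key has been erased")
	}
	return open(ks.kek, wrapped, wrapContext)
}

// CryptoErase zeroes and drops the wrapping key; all data under it is now lost.
func (ks *KeyServer) CryptoErase() {
	for i := range ks.kek {
		ks.kek[i] = 0
	}
	ks.kek = nil
}

// Encrypt makes a fresh data key per object and stores only its wrapped form.
func (sd *StorageDevice) Encrypt(ks *KeyServer, plaintext []byte) error {
	dataKey := randomBytes(32)
	wrapped, err := ks.Wrap(dataKey)
	if err != nil {
		return err
	}
	sd.wrappedKey, sd.ciphertext = wrapped, seal(dataKey, plaintext, nil)
	return nil
}

// Decrypt unwraps the data key via the key server, then decrypts the data.
func (sd *StorageDevice) Decrypt(ks *KeyServer) ([]byte, error) {
	dataKey, err := ks.Unwrap(sd.wrappedKey)
	if err != nil {
		return nil, err
	}
	return open(dataKey, sd.ciphertext, nil)
}

func main() {
	ks := &KeyServer{kek: randomBytes(32)} // the one key still managed by hand
	dev := &StorageDevice{}
	fmt.Println("encrypt:", dev.Encrypt(ks, []byte("constructed sample record: account=42")))
	got, err := dev.Decrypt(ks)
	fmt.Printf("before erase: %q %v\n", got, err)
	ks.CryptoErase()
	got, err = dev.Decrypt(ks)
	fmt.Printf("after erase:  %q %v\n", got, err)
}
```

Running it shows the round trip succeed, then fail once the wrapping key is erased: the storage device still holds the wrapped data key and the ciphertext, but without the key server that pair is exactly the "one unit but not both" situation the text describes. The `kek` field in `KeyServer` is the key with nothing above it, which is why the text says at least one key must still be backed up outside the scheme; a second `KeyServer` built with its own random key cannot unwrap this device's data key, and GCM's tag check rejects any modified ciphertext or wrapped key.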