Security+ SY0-501 Domain 6 Cryptography and PKI: A look into AES and Encryption

By Guy Nguyen-Phuoc on October 15, 2020

(By: Guy Nguyen-Phuoc on October 16, 2020)

Introduction

April 20, 2020. The Federal Bureau of Investigation (FBI) has released an article on defending against video-teleconferencing (VTC) hijacking (referred to as “Zoom-bombing” when the attacks target the Zoom VTC platform) [1]. This is in response to the security issues plaguing the app (Zoom), with concerns about privacy and end-to-end encryption [2]. Zoom quickly gained notoriety following the onset of the global COVID-19 pandemic [2]. The mounting problems forced Zoom to set a 90-day security plan to upgrade its end-to-end encryption keys to AES (Advanced Encryption Standard) GCM (Galois/Counter Mode) 256-bit and add additional security measures [3]. In addition to Zoom, many programs such as VPNs (Virtual Private Networks) use AES for encryption [6], often as a marketing point to attract users. Apple also used similar statements to protect user data during Facebook’s Cambridge Analytica scandal [7], fueling the ongoing legal actions against encryption and the debate over the ethics of private user data vs. safety [4] [5]. AES is quickly becoming a household name for the average consumer, making it important for users and security experts to understand what AES and encryption are, how they work, and what they do for privacy.

Why Encryption is Important

The SY0-501 states, “Encryption provides confidentiality and prevents unauthorized disclosure of data”. Encrypting data makes it nearly impossible for outside viewers to understand it, as opposed to cleartext data that anyone can read. Confidentiality is one of the three components of the CIA Triad, the others being Integrity and Availability. People, companies and governments have secrets: amounts of money, SSNs, credit, troop locations, proprietary business information, business secrets, etc. Any one of these secrets could prove disastrous if it cannot be kept secret, which is why encryption is so important to the confidentiality of data. Encryption allows the above-mentioned data to be shared with selected people, with the assurance that malicious actors can’t read it. It keeps your phone from being accessed when lost, your emails from prying eyes, your credit from being used by someone else and hospitals from sharing your records (HIPAA). This is just a small subset of what encryption can do for privacy and maintaining secrets.

Types of Encryption

The two main types of encryption are symmetric and asymmetric encryption. Symmetric encryption, also known as secret-key encryption, “uses the same key to encrypt and decrypt data”.

[Figure: symmetric encryption]

Asymmetric encryption however, “uses two keys in a matched pair to encrypt and decrypt data — a public key and private key”. If the public key encrypts information, only the matching private key can decrypt the same information. Likewise, if the private key encrypts information, only the matching public key can decrypt the same information.

AES falls under the former type of encryption.
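
The two key directions described above for asymmetric encryption, shown as an added Go example (not part of the original article). RSA with OAEP and PSS padding is an assumed choice of algorithm, and the names newKeyPair, encryptTo, decryptWith, sign and verify are constructed for illustration. The private-key direction is what libraries expose as a digital signature.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// newKeyPair generates a matched 2048-bit pair; the public half is priv.PublicKey.
func newKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// encryptTo uses the recipient's PUBLIC key (RSA-OAEP); anyone may do this.
func encryptTo(pub *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
}

// decryptWith needs the matching PRIVATE key; any other key returns an error.
func decryptWith(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
}

// sign is the private-key direction, exposed by libraries as a signature (RSA-PSS).
func sign(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
}

// verify checks a signature with the matching PUBLIC key.
func verify(pub *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil) == nil
}

func main() {
	alice, _ := newKeyPair() // constructed demo key pairs
	other, _ := newKeyPair()
	msg := []byte("constructed sample message")
	ct, _ := encryptTo(&alice.PublicKey, msg)
	plain, _ := decryptWith(alice, ct)
	_, wrongErr := decryptWith(other, ct)
	fmt.Printf("matching private key: %q; other private key: %v\n", plain, wrongErr)
	sig, _ := sign(alice, msg)
	fmt.Println("verifies with matching public key:", verify(&alice.PublicKey, msg, sig))
	fmt.Println("verifies with another public key:", verify(&other.PublicKey, msg, sig))
}
```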

What Is AES

AES, a popular encryption scheme succeeding DES (Data Encryption Standard) as the standard set by NIST (National Institute of Standards and Technology) in 2001, protects everything from classified data and bank transactions to online shopping and social media apps. The SY0-501 defines it as “a strong symmetric block cipher that encrypts data in 128-bit blocks”. AES has three defined key sizes:

  • AES-128-bit
  • AES-192-bit
  • AES-256-bit

Higher values indicate a bigger keyspace and thus stronger protection than the lower values, i.e. AES-256 is stronger than AES-128.

[Figure: AES table]
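
The three key sizes and the fixed 128-bit block described above, combined with the GCM mode mentioned in the introduction, shown as an added Go example (not part of the original article). The names newGCM, seal and open and the sample plaintext are constructed for illustration. The same key encrypts and decrypts, and GCM rejects data that was modified after encryption.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// newGCM wraps AES in GCM; a 16-, 24- or 32-byte key selects AES-128, -192 or -256.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // rejects any other key length
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts under a fresh random nonce and prepends the nonce to the result.
func seal(gcm cipher.AEAD, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open decrypts with the same key; a wrong key or altered data fails the tag check.
func open(gcm cipher.AEAD, sealed []byte) ([]byte, error) {
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("sealed message shorter than nonce")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

func main() {
	msg := []byte("constructed sample plaintext")
	for _, bits := range []int{128, 192, 256} {
		key := make([]byte, bits/8)
		rand.Read(key)
		gcm, _ := newGCM(key)
		sealed, _ := seal(gcm, msg)
		plain, err := open(gcm, sealed)
		fmt.Printf("AES-%d, %d-bit block: %q err=%v\n", bits, aes.BlockSize*8, plain, err)
		sealed[len(sealed)-1] ^= 1 // flip one bit of the authentication tag
		_, err = open(gcm, sealed)
		fmt.Println("  after tampering:", err)
	}
}
```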

Three areas define AES’ strengths: Fast, Efficient and Strong.

  • Fast. AES uses elegant mathematical formulas that only require one pass to encrypt and decrypt data. Other algorithms require multiple passes for encryption and decryption.
  • Efficient. AES requires fewer resources than other intensive encryption algorithms such as 3DES. It encrypts and decrypts quickly even on smaller devices such as USB flash drives.
  • Strong. AES provides strong encryption of data, providing a high level of confidentiality.

Conclusion

Encryption is important to the modern world for a variety of reasons, mainly the confidentiality of user data, be it medical, financial or personal information. With technologies such as AES we can be confident that the data is secure and private, unaffected by unauthorized users. With data becoming more integrated with the 21st century lifestyle, knowledge of encryption is no longer just the responsibility of security experts but of all individuals who value privacy. Education on these matters (encryption) is the only way for users to understand laws and incidents like “The Earn it Act”, Apple v FBI and Cambridge Analytica.

References

[1] https://www.us-cert.gov/ncas/current-activity/2020/04/02/fbi-releases-guidance-defending-against-vtc-hijacking-and-zoom
[2] https://www.bbc.com/news/technology-52133349
[3] https://blog.zoom.us/zoom-hits-milestone-on-90-day-security-plan-releases-zoom-5-0/
[4] https://www.nytimes.com/2020/01/07/technology/apple-fbi-iphone-encryption.html
[5] https://cyberlaw.stanford.edu/blog/2020/01/earn-it-act-how-ban-end-end-encryption-without-actually-banning-it
[6] https://www.expressvpn.com/what-is-vpn/vpn-encryption
[7] https://www.theguardian.com/technology/2019/mar/17/the-cambridge-analytica-scandal-changed-the-world-but-it-didnt-change-facebook