Friday, February 13, 2009

HomeATM Uses E2EE...But What is End-to-End-Encryption?

In the wake of what might be the biggest breach ever, Heartland's founder and CEO said that if end-to-end encryption (E2EE) had been in place, the breach would not have occurred.

End-to-end encryption (E2EE) encrypts clear ("red") data at its source using a key known only to the source and the intended recipient, so that the encrypted ("black") data can travel through untrusted channels and intermediate systems and be decrypted only at its destination, which must hold the matching key and implement the same algorithm. Every hop in between sees ciphertext and nothing else.

Since January 2007, every transaction HomeATM has processed has been encrypted from the point of entry to the point of processing, so the card data is never exposed in the clear along the way.

So, whereas Heartland is calling for E2EE after the fact, HomeATM has done it that way for more than two years. What exactly is encryption, and what exactly is E2EE? Here's a basic primer:

First, let's define encryption: the transformation of information using an algorithm and a secret key so that anyone without the key sees only unintelligible data. It is used to protect data moving between computers, across wired and wireless networks, and, increasingly, data sitting on disks.

Encryption is performed by mathematical algorithms (ciphers) that take the plaintext and the key and produce the ciphertext; the reverse operation with the correct key recovers the plaintext. Encryption is common both in the computer security field and in everyday technologies, and it plays an important role in keeping data confidential. Note that confidentiality is all that plain encryption gives you: detecting that ciphertext has been altered in transit requires a message authentication code or an authenticated encryption mode on top of it.

Numerous encryption algorithms exist for different purposes. Common ones include RSA (a public-key algorithm), DES and its successor Triple DES (which HomeATM uses), and AES. For a well-designed algorithm, the key size sets the upper bound on its strength: a 128-bit AES key is the baseline approved for U.S. government use, and longer keys such as 256 bits add margin. Key sizes are only comparable within one class of algorithm, though. Single DES, with its 56-bit key, is breakable by brute force and should no longer be used; Triple DES applies DES three times with a 168-bit key for an effective strength of roughly 112 bits; and public-key algorithms such as RSA need far longer keys (2048 bits or more) to reach comparable security, because they are attacked by factoring rather than by exhaustive key search.

Virtual Private Network (VPN)
VPNs are used to create secure connections between a remote host and a network, typically so that telecommuters working from home can reach the office network. A VPN encrypts and authenticates the traffic between the remote computer and the network's VPN gateway, so anyone on the path in between sees only ciphertext. Note the boundary: once the gateway decrypts the traffic, it travels inside the office network in the clear again.

Secure Socket Layer (SSL)
SSL (and its successor TLS) is the protocol that secures most Internet communication: shopping websites, online banking, and any other login or credit card processing page. SSL prevents packet sniffers on the network from reading the information in transit. Or at least it used to. What it protects is the bytes on the wire between the browser and the server that terminates the connection; it says nothing about what happens to the data at either end.

The goal is that sensitive data travelling over a network stays encrypted from the point of data entry all the way to the point where it is processed. Sensitive data may be a user name, a password, a credit card number, and so on; the network may be the Internet, a wireless link, a WAN, or the local LAN. Data is normally entered via a browser or a client application and must reach the application server to be processed or stored in the database.


So, doesn't HTTPS already encrypt the data from one point to another? In most cases, only partially.

In a multi-tier architecture, it is usually a dedicated web server (or a load balancer in front of it) that terminates HTTPS. The link from the web server to the application server or the database server is most likely in the clear, and the web server itself holds the plaintext from the moment it decrypts the TLS session. If the web server is compromised, simple network sniffing on the back-end segment, or a capture of the process's memory or logs, reveals everything that was posted. That is the gap E2EE closes: the client encrypts the card data with a key the web tier never possesses, so the web server only ever relays an opaque blob and a compromise there yields nothing usable.
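To make the difference between HTTPS termination and E2EE concrete, here is an added Go example; it is not HomeATM's or Heartland's code. HomeATM uses Triple DES, whereas this example uses AES-256-GCM, a modern authenticated cipher, and the 32-byte demo key and the test card number 4111111111111111 are constructed for illustration only (a real system gets its keys from a key-management service, never from source code). The card number is sealed on the entry device with a key only the device and the processor hold, relayed through a web server modelled as already compromised, and opened only at the processor. The same sniffer logic is run against the HTTPS-only design from the paragraph above, where the web server sees the plaintext, and the tamper check shows why an authenticated mode matters: a blob replayed under another merchant or altered by one byte is rejected instead of decrypting to garbage.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"regexp"
)

// Constructed sample data: a well-known test card number (not a real account) and a
// fixed demo key. Real keys come from key management; hard-coding one is for illustration.
const samplePAN = "4111111111111111"

func DemoKey() []byte { return []byte("0123456789abcdef0123456789abcdef") } // 32 bytes: AES-256

// panPattern finds a 16-digit card number in whatever bytes a sniffer captures.
var panPattern = regexp.MustCompile(`\b[0-9]{16}\b`)

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealAtSource encrypts the PAN on the point-of-entry device with a key only the device
// and the processor hold. The merchant ID is bound as associated data, so a blob replayed
// under another merchant fails authentication. Output layout: nonce || ciphertext || tag.
func SealAtSource(key []byte, pan, merchantID string) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, []byte(pan), []byte(merchantID)), nil
}

// OpenAtProcessor is the only other place the key exists (in practice inside the
// processor's HSM). Any modification of the blob makes Open fail.
func OpenAtProcessor(key, blob []byte, merchantID string) (string, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return "", err
	}
	if len(blob) < aead.NonceSize() {
		return "", errors.New("blob too short")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	pt, err := aead.Open(nil, nonce, ct, []byte(merchantID))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// WebServerSees models a compromised web server: TLS was terminated here, so a sniffer on
// the web-to-app-server hop (or the box's memory) captures exactly what the client posted.
func WebServerSees(posted []byte) []byte { return posted }

// SnifferFindsPAN reports whether a card number is recoverable from the capture.
func SnifferFindsPAN(captured []byte) bool { return panPattern.Match(captured) }

// DemoTLSTerminated is the HTTPS-only design: the PAN is in the clear inside the tunnel.
func DemoTLSTerminated(pan string) bool {
	return SnifferFindsPAN(WebServerSees([]byte("merchant=M-100&pan=" + pan)))
}

// DemoE2EE runs the same transaction with the PAN sealed at source and returns whether
// the sniffer found the PAN and what the processor recovered.
func DemoE2EE(key []byte, pan string) (bool, string, error) {
	blob, err := SealAtSource(key, pan, "M-100")
	if err != nil {
		return false, "", err
	}
	seen := WebServerSees(blob)
	recovered, err := OpenAtProcessor(key, seen, "M-100")
	return SnifferFindsPAN(seen), recovered, err
}

// TamperedBlobRejected tries a replay under the wrong merchant and then a flipped
// ciphertext byte; the processor must refuse both instead of decrypting to garbage.
func TamperedBlobRejected(key []byte) (bool, error) {
	blob, err := SealAtSource(key, samplePAN, "M-100")
	if err != nil {
		return false, err
	}
	if _, err := OpenAtProcessor(key, blob, "M-999"); err == nil {
		return false, nil
	}
	blob[len(blob)-1] ^= 0x01
	_, err = OpenAtProcessor(key, blob, "M-100")
	return err != nil, nil
}
```

Calling DemoTLSTerminated(samplePAN) returns true (the web tier can read the card number), while DemoE2EE(DemoKey(), samplePAN) returns false for the sniffer and the original PAN from the processor. The point of the design is where the key lives: the web server in the middle never holds it, so owning that box buys the attacker a stream of blobs it cannot open.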


In closing, Dark Reading has an article today on the other half of the problem, managing the keys. Here's a snippet:

A group of vendors have proposed a new industry standard designed to simplify the implementation and management of encryption technology across large enterprises.

Brocade, HP, IBM, LSI, RSA, Seagate, and Thales (formerly nCipher) today announced the creation of the Key Management Interoperability Protocol (KMIP), a jointly developed specification for enterprise key management. KMIP is designed to provide a single protocol for communication between enterprise key management services and encryption systems, the companies say.


The seven vendors plan to submit the specification to the Organization for the Advancement of Structured Information Standards (OASIS) as an industry standard.


The problem with encryption, particularly in large enterprises, is that there are so many products and methods of doing it, observers say. Companies often deploy separate encryption systems for different business uses, such as laptops, storage, databases, and applications. And each encryption product typically has a different method of generating, distributing, storing, expiring, and rotating encryption "keys" -- the technologies that code and decode the data.


The concept of "key management" -- the practices associated with generating and storing encryption keys across an enterprise -- has been debated for decades. But vendors and cryptographers have never been able to agree on the best way to do it, leaving enterprise security managers stuck with the largely manual process of managing keys separately for each vendor or product. This administrative issue has made enterprises slow to roll out encryption on a broad scale.


Disqus for ePayment News