Encrypting Sensitive Documents

Paladion
By Paladion

December 15, 2004

I want to encrypt sensitive documents in my application. What is the best approach to take while designing a cryptographic solution?

  1. Develop a proprietary encryption algorithm that only I know about
  2. Learn how to implement a standard algorithm like AES or 3DES
  3. Use my platform's Crypto API classes that implement well-known algorithms
  4. Learn how to manage keys used in the encryption

The best answers to the quiz are 3) Use my platform's Crypto API classes that implement well-known algorithms and 4) Learn how to manage keys used in the encryption.

The security of a cryptographic solution does not depend on the secrecy of the encryption algorithm; instead, it depends on the secrecy of the key and the strength of the algorithm. Standard algorithms like AES have been analyzed thoroughly and found to be strong. Though their logic is public knowledge, data encrypted with those algorithms cannot be decrypted without the secret key. A proprietary encryption algorithm that one might develop (choice a) might be secret; however, that is no assurance of its security. Most proprietary algorithms can be broken by different cryptanalysis techniques quickly, so it's inadvisable to use an unproven proprietary algorithm.

A second approach (choice b) has been for developers to implement their own version of a standard algorithm. Most of these algorithms are quite complex to implement; not only does it take significant time to learn the subtleties of the implementation, it is also quite error-prone.

Most platforms today provide underlying APIs and classes to perform cryptographic operations (choice c). A cost-effective approach is to invoke the services of these APIs to encrypt your data. You can thus use a standard, proven encryption algorithm whose implementation has also been tested by the platform vendor.As mentioned earlier, the security of your crypto implementation depends also on how securely you manage the key; so its important you learn how best to manage the keys once you are using the Crypto API services of the platform. Weaknesses in key management have been a common problem in many applications we tested.


Tags: Quiz

About

Paladion

SUBSCRIBE TO OUR BLOG

Buyers-Guide-Collateral

WHITEPAPER

Buyer’s Guide to Managed Detection and Response

Download
MDR

Get AI Powered

Managed Detection and Response

MDR-learmore-btn

 

MDR-Guide-Collateral

REPORT

AI-Driven Managed Detection and Response

Download Report
Episode

EPISODE-25

Red-LineAsset-6

Why Your ‘Likes’ on Facebook May Be Revealing Far More than You Thought

Click URL in the Post for the Full Podacst
  • FacebookAsset
  • LinkedinAsset
  • TwitterAsset