Ramon Krikken

A member of the Gartner Blog Network

Ramon Krikken
BG Analyst
2 years at Gartner
15 years IT industry

Ramon Krikken is a Research VP the Gartner for Technical Professionals Security and Risk Management Strategies team. He covers software/application security; service-oriented architecture (SOA) security; structured and unstructured data security management, including data masking, redaction and tokenization...Read Full Bio

Coverage Areas:

Contrary to Popular Opinion, Encryption IS the Hard Part

by Ramon Krikken  |  May 17, 2012  |  2 Comments

A well-known security meme is that “encryption is easy, it’s key management that’s hard.” But while this may be true for certain encryption use cases, it’s most definitely not true across the board. It’s a convenient meme for vendors, of course, who’ll simply point at a “we use AES” or “we’re FIPS 140-2 validated” statement and call it good. But for the end user this nothing short of unhelpful.

Understanding cryptography is hard, and validating a system where the core crypto is only one small part of a large, critical system is even harder. One of the largest problems in my opinion is the scope of FIPS 140-2. First off, the lowest level (1) doesn’t mean much in terms of how well the crypto system is implemented. But furthermore, it creates validation only for part of the entire solution. As an example, see a 2010 incident where FIPS 140-2 level 2 validated USB flash drives were compromised completely.

To get a better handle on crypto, current customers might review the just-updated “Understanding and Evaluating Cryptographic Systems: An Information Security Foundation” [subscription required] for a more complete picture. The evaluation includes algorithms, protocols, key generation, but also – very important – the overall system itself:

Proper design and implementation of cryptography are challenging, even when secure algorithms and protocols are used. Misapplied or incorrect hardware, software and architecture can all reduce or negate cryptographic security.

in the end, the strength of the system is just one piece of the puzzle. A more fundamental problem, and one that needs to be addressed before the crypto system evaluation starts is that the power of encryption is grossly overestimated. And I will address that in a series future posts.

2 Comments »

Category: Uncategorized     Tags: , , , ,

2 responses so far ↓

  • 1 Anton Chuvakin   May 18, 2012 at 8:01 pm

    So, would you settle for “encryption is hard, but key management i much harder” [to get right]?

  • 2 Ramon Krikken   May 21, 2012 at 12:42 pm

    Anton – yes and no. To some extent the discussion splits hairs, and depends on how you split several things can end up on the encryption or key management sides equally easily. One does not live without the other and need equal attention – we can’t pretend that \encryption has been solved.\ That’s why I’m not a big fan of the meme.

    However, I will say that key management is actually all for the organization itself to get right. It appears that some still do not sufficiently plan and test for recovery, for example.