Part 3: Protecting the whole organisation
Find a way to decrypt one piece of protected information and the whole organisation is exposed. Well, only if every piece of information is encrypted the same way under the same cryptographic key. The obvious answer would be to encrypt small blocks of data under different keys, but that means managing an ever-growing set of keys and adds far too much overhead, making access to encrypted data much too slow.
AES, the algorithm recommended for stored data, is a block cipher: it encrypts one fixed-size block of 16 bytes at a time. A cipher mode (or mode of operation) defines how a single cryptographic key is applied across a large set of information, block by block, so that each block is encrypted differently from every other block even when the contents repeat. In a chaining mode such as CBC, the first block of data is combined with a seed block (the Initialisation Vector, or IV) before encryption, and each subsequent block is combined with the ciphertext of the block before it. In a tweakable mode such as XTS, each block is instead combined with a value derived from its location within the overall data (the sector number and the block's position within the sector), so no chaining is needed. With a well-chosen mode, identical plaintext blocks produce different ciphertext, so nothing about the structure of the data leaks, and learning the contents of one block (from a known file, say) does not reveal the contents of any other. What a mode does not do is reduce the value of the key: anyone who obtains the key can decrypt everything encrypted under it, so the key itself still needs protecting.
For the purpose of protecting stored data, one recommendation is to use the AES algorithm with the XTS cipher mode for random access (disk and sector-addressed storage, where any block must be readable and rewritable on its own) and CBC for other access. Two caveats a practitioner should keep in mind: CBC requires a fresh, unpredictable IV for every message, and neither CBC nor XTS detects tampering with the ciphertext. Where an attacker may modify stored data and integrity matters, an authenticated mode such as GCM, or a separate integrity check, is needed as well.
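The difference between the two modes is easiest to see in code. The following is an added example, not code from the original post: it implements real CBC chaining and the real XTS sector tweak on top of a 16-byte block cipher, and then measures what it costs to rewrite a single block under each mode. The block primitive is AES-128 from the `cryptography` package when that package is installed; otherwise a clearly labelled toy Feistel cipher (which is not secure and is only there so the file runs on a bare Python install) stands in. The keys, IV and sector contents are constructed sample values, and the sectors are whole multiples of the block size, so XTS ciphertext stealing is not needed.

```python
"""CBC versus XTS on top of a 16-byte block cipher (added example).

CBC chaining and the XTS sector tweak are the real constructions.
The block primitive is AES-128 via `cryptography` when available,
otherwise a toy Feistel cipher: a stand-in for demonstration, NOT secure.
"""
import hashlib

BLOCK = 16  # AES block size in bytes


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


try:
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

    def _block(key, block, decrypt=False):
        # ECB here only to reach the raw single-block primitive.
        c = Cipher(algorithms.AES(key), modes.ECB())
        op = c.decryptor() if decrypt else c.encryptor()
        return op.update(block) + op.finalize()

    PRIMITIVE = "AES-128"
except ImportError:
    def _block(key, block, decrypt=False):
        # Toy 4-round Feistel network keyed with SHA-256. Invertible, so it
        # behaves like a block cipher structurally, but it is NOT a cipher to deploy.
        left, right = block[:8], block[8:]
        for i in (range(3, -1, -1) if decrypt else range(4)):
            if decrypt:
                f = hashlib.sha256(key + bytes([i]) + left).digest()[:8]
                left, right = _xor(right, f), left
            else:
                f = hashlib.sha256(key + bytes([i]) + right).digest()[:8]
                left, right = right, _xor(left, f)
        return left + right

    PRIMITIVE = "toy-feistel"


def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def cbc_encrypt(key, iv, data):
    """C_0 = E(P_0 xor IV); C_i = E(P_i xor C_{i-1}). Whole blocks only."""
    out, prev = [], iv
    for p in blocks(data):
        prev = _block(key, _xor(p, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, data):
    out, prev = [], iv
    for c in blocks(data):
        out.append(_xor(_block(key, c, True), prev))
        prev = c
    return b"".join(out)


def _mul_alpha(t):
    """Multiply a little-endian GF(2^128) element by x, as XTS tweaks require."""
    n = int.from_bytes(t, "little") << 1
    if n >> 128:
        n = (n & ((1 << 128) - 1)) ^ 0x87
    return n.to_bytes(BLOCK, "little")


def xts_sector(key1, key2, sector, data, decrypt=False):
    """XTS on one sector: T_0 = E_K2(sector number); C_j = E_K1(P_j xor T_j) xor T_j;
    T_{j+1} = T_j * alpha. Each sector depends only on its own number, not on others."""
    t = _block(key2, sector.to_bytes(BLOCK, "little"))
    out = []
    for p in blocks(data):
        out.append(_xor(_block(key1, _xor(p, t), decrypt), t))
        t = _mul_alpha(t)
    return b"".join(out)


def cbc_blocks_changed(key, iv, plain, index):
    """How many ciphertext blocks change when plaintext block `index` is rewritten."""
    before = blocks(cbc_encrypt(key, iv, plain))
    p = bytearray(plain)
    p[index * BLOCK] ^= 0x01  # flip one bit inside that block
    after = blocks(cbc_encrypt(key, iv, bytes(p)))
    return sum(a != b for a, b in zip(before, after))


def xts_sectors_changed(key1, key2, sectors, index):
    """Same question for XTS: how many sectors' ciphertext changes."""
    enc = lambda s: [xts_sector(key1, key2, n, d) for n, d in enumerate(s)]
    before = enc(sectors)
    changed = list(sectors)
    changed[index] = bytes([changed[index][0] ^ 0x01]) + changed[index][1:]
    return sum(a != b for a, b in zip(before, enc(changed)))


if __name__ == "__main__":
    # Constructed sample keys and data; never reuse fixed keys or IVs like this in practice.
    key1, key2, iv = bytes(range(16)), bytes(range(16, 32)), bytes(16)
    plain = b"SAME 16 BYTE BLK" * 8           # 8 identical plaintext blocks
    sectors = [b"SAME 16 BYTE BLK" * 32] * 4  # 4 identical 512-byte sectors
    print("primitive:", PRIMITIVE)
    print("distinct CBC blocks:", len(set(blocks(cbc_encrypt(key1, iv, plain)))))
    print("CBC blocks rewritten after changing block 2:", cbc_blocks_changed(key1, iv, plain, 2))
    print("XTS sectors rewritten after changing sector 1:", xts_sectors_changed(key1, key2, sectors, 1))
```

Run as a script it shows the point of the recommendation above: with eight identical plaintext blocks, both modes produce eight distinct ciphertext blocks, so repeated content does not leak. But changing one block in CBC forces every block after it to be re-encrypted, while changing one sector in XTS touches that sector alone, which is why XTS fits random-access storage. Note that the key is the same in both cases, and anyone holding it can decrypt every block and every sector.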
Implementing an encryption algorithm alone is simply not good enough to protect an entire organisation's sensitive information. It is not just the information that needs protecting; the details of how the protection is implemented, above all the cryptographic keys, must be protected too. The choice of encryption algorithm (and cipher mode), and how well it encrypts separate blocks of data uniquely, must be considered. Access to sensitive information must be restricted to those with the privilege to see it, and those without that privilege must see nothing but noise, so that they can neither read the data nor pass off data of their own as genuine. And all of this protection must be implemented without hindering the operation of the mobile handset, so it continues to provide Business As Usual.
Look out for our next blog – “Part 4: Who should access protected data.”