How to Choose the Best Encryption Methods for Databases
Encryption is the universal process for keeping data safe. In this post, we explore different encryption methods so you can store info in databases securely.
Introduction
Encryption is the process of encoding messages or information so that only authorized parties can see it. Encryption has been going on for centuries. For example, in World War II Allied forces were sending out encrypted codes using the unwritten Navajo language, which was impossible for the Japanese to decode.
Today encryption is even more important because we live in an era where privacy and security are constantly under attack from hackers who want access to our personal lives. Thanks to modern technology like AES encryption, there's no reason why hackers should be able to read sensitive information.
Encryption is the universal process for keeping data safe. In this post, we will explore different encryption methods so that you can store information in databases securely.
Which Encryption Algorithm Should You Choose?
Understanding the advantages and disadvantages of each approach is important before selecting one. The three approaches to encryption in use today are:
- Symmetric-key encryption
- Asymmetric-key encryption
- Hybrid encryption
Symmetric-Key Encryption
Symmetric-key encryption is well suited for situations where data needs to be encrypted quickly or when there may not be a secure channel available for sending keys out over time (e.g., communication with someone located halfway across the world).
The advantages include faster decryption time than asymmetric-key encryption, smaller key size, which is easier to store or transmit securely, and no need to distribute keys or certificates because it uses the concept of a shared secret.
A shared secret is a set of characters known only to the people involved in secure communication. The shared secret can be any "password-type" string of characters that only the parties to the secure transaction know.
The shared secret can be a pre-shared key, shared beforehand, or it can be created at the time of the communication session by using a key-agreement protocol, for instance public-key cryptography such as Diffie–Hellman or symmetric-key cryptography such as Kerberos.
The disadvantages are that it requires a secure distribution/transportation of the key or a pre-shared secret to work properly. It is also more difficult to search through encrypted messages since one would have to decrypt each message individually before searching through it, which is a performance disadvantage.
Asymmetric-Key Encryption
Asymmetric encryption (also called public-key cryptography) encrypts and decrypts the data using two separate keys. They are known as a "public key" and a "private key." Together, they’re called a "public and private key pair."
The primary benefit of asymmetric cryptography is increased data security. Users don’t need to reveal their private keys, thus decreasing the chances of a cybercriminal discovering a user's key during transmission and gaining access to the data.
The disadvantage is that key pairs are generated at the time of use, so extra care may be needed to ensure they are generated safely and securely. Often the keys are communicated "out of band," such as by calling the recipient on the phone or splitting the keys between channels like email and IRC to prevent eavesdropping on one channel.
Asymmetric encryption uses longer keys than symmetric encryption to provide better security than symmetric key encryption. However, while the longer key length is not a disadvantage, it contributes to slower encryption speed.
Hybrid Encryption
All practical implementations of public-key cryptography today employ some form of hybrid encryption. Popular examples include the TLS and SSH protocols, which use a public-key mechanism for key exchange (such as Diffie-Hellman) and a symmetric-key mechanism for data encapsulation (such as AES).
Hybrid encryption is useful when data encryption needs to happen quickly and with a lower impact on system performance. The encryption process works by using asymmetric encryption to encrypt just the symmetric key, and symmetric encryption to encrypt the whole message with this symmetric key, which allows for a faster decryption time than traditional encryption.
Common Data Encryption Methodologies
PGP
This is an algorithm that was created by Phil Zimmermann in 1991 using the RSA encryption algorithm. PGP encryption is different from other encryption algorithms because it doesn't require a server, certificates, or any other type of pre-shared secrets between senders and recipients to use encryption.
Someone with access to the public key can encrypt data without sharing secret keys with other users before sending them information. This makes it less secure but more flexible when compared to other encryption methods because anyone can send encrypted data without setting up complicated security options ahead of time.
PGP is easier to implement than many other forms of encryption because no third-party servers are required. But it’s not as secure as other encryption methods that require certificates or encryption keys because anyone can encrypt data using PGP encryption.
HTTPS
HTTPS is a protocol rather than an encryption method in itself. Encryption in HTTPS is provided by Transport Layer Security (TLS), which was formerly known as the Secure Sockets Layer (SSL). It's sometimes also referred to as HTTP over TLS or HTTP over SSL.
Virtually all browsers support HTTPS. No user intervention is needed to get the benefits of the hybrid encryption provided by HTTPS. This protocol is important because it prevents people from monitoring database traffic sent and received between a user and a website. This prevents thieves from discovering what web pages users are visiting or the information put into forms or other personal data shared through unencrypted online connections.
MD5
MD5 has a variety of use cases. But the biggest is the storage of passwords. Because data in databases can be insecure and passwords must be secure, many passwords were MD5 encrypted. For example, many Linux systems use MD5 to store passwords.
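An added example, not from the original article: the Node.js sketch below contrasts an unsalted MD5 digest in a password column with a salted scrypt hash, using only Node's built-in crypto module. The function names, the stored-string layout and the two sample rows are constructed for illustration.

```javascript
const crypto = require("crypto");

// Weak form: one unsalted MD5 digest per row. Equal passwords give equal digests.
function md5Password(password) {
  return crypto.createHash("md5").update(password, "utf8").digest("hex");
}

// Hardened form: per-user random salt plus memory-hard scrypt.
// The parameters are stored with the hash so they can be raised later.
function scryptPassword(password, salt = crypto.randomBytes(16)) {
  const N = 16384, r = 8, p = 1;
  const hash = crypto.scryptSync(password, salt, 32, { N, r, p });
  return `scrypt$${N}$${r}$${p}$${salt.toString("base64")}$${hash.toString("base64")}`;
}

// Recompute with the stored salt and parameters, then compare in constant time.
function verifyScrypt(password, stored) {
  const [scheme, N, r, p, saltB64, hashB64] = stored.split("$");
  if (scheme !== "scrypt" || !hashB64) return false;
  const expected = Buffer.from(hashB64, "base64");
  const actual = crypto.scryptSync(password, Buffer.from(saltB64, "base64"),
    expected.length, { N: Number(N), r: Number(r), p: Number(p) });
  return crypto.timingSafeEqual(actual, expected);
}

// Constructed sample rows: two users who chose the same password.
// Returns true when the stored values reveal that the passwords are equal.
function duplicateDigests(hashFn) {
  const rows = ["alice", "bob"].map((user) => ({ user, hash: hashFn("correct horse") }));
  return rows[0].hash === rows[1].hash;
}
```

With `md5Password` the two rows are identical, so anyone who can read the table learns which accounts share a password; with `scryptPassword` the per-user salt makes every stored value different.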
Checksums for files often use MD5. Websites contain many vulnerabilities that may allow hackers to change download links and trick users into downloading a compromised file.
This is mitigated through checksums. They work by creating a unique hash of the file. This hash is compared against the hash of the downloaded file to make sure it's a match. If they match, the file is the same and has not been tampered with. For a compromised file, the opposite would be true.
The keys used to MD5 encrypt vary continually so even if the MD5 key was compromised, it only affects one session's worth of traffic instead of all sessions going forward. This makes MD5 encryption a popular choice for banks, government sites, and other information-sensitive enterprises where privacy and security are critical.
AES
AES stands for Advanced Encryption Standard. It's a type of symmetric-key algorithm. It was adopted by the US government as a federal standard in 2002 after a five-year process to replace the aging Data Encryption Standard (DES).
AES is a symmetric key encryption algorithm. A computer program takes the unencrypted text, processes it through an encryption key, and returns the ciphertext. When the data needs to be decrypted, AES processes it again with the same key to produce decoded data. This method requires less computational resources to complete its decryption process, resulting in a lower performance impact for databases. Therefore, AES is a good way to protect sensitive data stored in large databases.
AES encryption safeguards sensitive information like credit card numbers or other personal information on unsecured networks. This type of encryption uses a key with 128 bits, which makes it very difficult to crack. AES can also be used with asymmetric key algorithms such as RSA, meaning that some data may be encrypted via AES and then a different key is used for decryption. This makes attacks challenging to pull off because it requires a hacker to intercept a piece of data and decrypt it using a key generally not available to them.
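The hybrid scheme from the Hybrid Encryption section, combined with the AES-plus-RSA pairing described above, as an added example that is not part of the original article: each database field is encrypted with a fresh AES-256-GCM key, and only that key is encrypted with RSA-OAEP. The function names, the record layout and the row label passed as associated data are assumptions for illustration; it uses only Node's built-in crypto module.

```javascript
const crypto = require("crypto");

// Demo key pair generated in-process. The private key is the only long-term
// secret and should be kept off the database host.
function newKeyPair() {
  return crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
}

const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: "sha256" };

// Encrypt one column value. `aad` is a hypothetical row label such as "cards:7:pan";
// it is authenticated but not encrypted, so a ciphertext copied into another
// row fails to decrypt there.
function sealField(publicKey, plaintext, aad) {
  const dataKey = crypto.randomBytes(32); // fresh AES-256 key for this value
  const nonce = crypto.randomBytes(12);   // 96-bit GCM nonce, unique per key
  const cipher = crypto.createCipheriv("aes-256-gcm", dataKey, nonce);
  cipher.setAAD(Buffer.from(aad, "utf8"));
  const ciphertext = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  // Only the 32-byte data key goes through the slow asymmetric operation.
  const wrappedKey = crypto.publicEncrypt({ key: publicKey, ...OAEP }, dataKey);
  return { wrappedKey, nonce, ciphertext, tag: cipher.getAuthTag() };
}

// Decrypt one column value. Throws if the wrapped key, nonce, ciphertext,
// tag or aad differs from what sealField produced.
function openField(privateKey, record, aad) {
  const dataKey = crypto.privateDecrypt({ key: privateKey, ...OAEP }, record.wrappedKey);
  const decipher = crypto.createDecipheriv("aes-256-gcm", dataKey, record.nonce);
  decipher.setAAD(Buffer.from(aad, "utf8"));
  decipher.setAuthTag(record.tag);
  const plain = Buffer.concat([decipher.update(record.ciphertext), decipher.final()]);
  return plain.toString("utf8");
}
```

The application tier that writes rows needs only the public key; reading a value back requires the private key, so a copy of the table alone does not expose the plaintext.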
RC4
The popularity of RC4 is related to its simplicity and its speed. AES is not as fast as RC4, but it’s more secure. RC4 is a stream cipher that was created by Ron Rivest for the network security company RSA Security back in 1987. A stream cipher is an encryption technology that works byte by byte to transform plain text into code that is unreadable to anyone without the proper key.
Stream ciphers are linear, so the same key encrypts and decrypts messages. And while cracking them can be difficult, hackers have managed to do it. For that reason, experts feel stream ciphers aren't safe for widespread use. Many databases still lean on this technology to pass data across the internet.
RC4 is widely supported across many applications and can be used with either private or public keys. Because private keys are typically longer than those used for public-key cryptography, RC4 encryption is used extensively on wireless networks because of limited bandwidth.
To decrypt RC4, it's necessary to know both the RC4 key and the RC4 algorithm, which is how RC4 encryption works. For an attacker to access encrypted data using RC4, they need to know both components of RC4 encryption and any keys to do so.
The RC4 algorithm varies between implementations, even when used with the same key, but is normally close enough that a decryption program can be written once and then used on every implementation. It has good speed when implemented correctly. Several different actions may take place during its execution, such as swapping keys or substitution tables depending on the information provided by the offset key byte stream. This makes RC4 encryption hard to predict for an attacker even if they have access to RC4 keys.
Conclusion
The Ponemon Institute recently found that nearly 70% of companies had at least one data breach in the last year. This is not surprising given how many databases are stored on company networks. As a result, it’s important to know your options for database encryption and choose wisely before you start installing databases in the cloud. Fortunately, there are plenty of different methods available, so we recommend researching and finding out which security level best suits your needs — from MD5 protection to military-grade 256-bit AES encryption algorithms.