Memo to OPM: Encryption is only strong if you set it up right

Federal security people never had dinner at my childhood family table. My one abiding memory: my dad exhorting us to “look it up!” Whatever the question, he’d send my sister or me to the den to pull down a volume of the World Book Encyclopedia. We had the 1959, red-bound edition. It came to mind today in my interview with encryption expert Bob Bigman. He says most agencies do encryption wrong, and they overlook a great publication in which to … look it up!

Bigman says yes, the stolen-by-China OPM data should have been encrypted. But the nature of the attack and the way most agencies set up their encryption means it may not have helped. Encryption technology has two major parts: the encryption algorithm itself and the keys necessary to decrypt locked-up data.

“The way most corporations and government agencies use encryption is, once you’re logged on, or once you’ve stolen an account and are using someone else’s credentials, the data is going to be decrypted for you just as easily as it will be decrypted for an authorized user. They don’t use it as an access control mechanism.”

That’s like locking the vault and leaving the combination on a slip of paper under the doormat. The right technology but the wrong architecture. Bigman argues data encryption should be done in such a way as to make it separate from the operating system or the application doing the encryption.

Even better, what the intelligence community calls the black-box approach, “in which your encryption technology and keys are stored separately and accessed separately from the data you’re trying to decrypt.” That approach, Bigman says, provides an extra level of access control in case credentials are taken. Even if a thief can get to the application and data, he can’t decrypt it.
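To make the architectural point concrete, here is an added example (not code from the article, from Bigman, or from any agency or product) that wires the same encrypted record store two ways: once with the key embedded in the application, where any valid login, stolen or not, yields plaintext, and once with the key held by a separate custodian that applies its own entitlement check, decrypt budget and audit log. Every name, password, record and the `KeyCustodian`, `AppWithEmbeddedKey` and `compare_wirings` identifiers are constructed for the example; the cipher is a toy HMAC-SHA256 counter-mode keystream standing in for AES-GCM so the block runs on the Python standard library alone.

```python
"""Added example: two wirings of encryption at rest. Constructed names and data;
toy HMAC-SHA256 counter-mode keystream stands in for a real AEAD cipher."""
import hashlib
import hmac
import os


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy counter mode: keystream block i = HMAC-SHA256(key, nonce || i)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + (i // 32).to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    return nonce + keystream_xor(key, nonce, plaintext)


def unseal(key: bytes, blob: bytes) -> bytes:
    return keystream_xor(key, blob[:16], blob[16:])


class AppWithEmbeddedKey:
    """Wiring 1: the key sits inside the application, so login is the only gate."""

    def __init__(self, users: dict):
        self._key = os.urandom(32)   # in real deployments: read from app config
        self._users = users          # constructed username -> password
        self._records = {}

    def store(self, record_id: str, plaintext: bytes) -> None:
        self._records[record_id] = seal(self._key, plaintext)

    def read(self, username: str, password: str, record_id: str) -> bytes:
        if self._users.get(username) != password:
            raise PermissionError("bad login")
        return unseal(self._key, self._records[record_id])  # any login decrypts any record


class KeyCustodian:
    """Wiring 2: stands in for an HSM/KMS. The key never leaves this object; a decrypt
    needs a custodian-issued token, an entitlement for the record, and budget headroom."""

    def __init__(self, entitlements: dict, budget: int):
        self._key = os.urandom(32)
        self._issuer_secret = os.urandom(32)  # never available to the application
        self._entitlements = entitlements     # principal -> set of record ids
        self._budget = budget                 # max decrypts per principal
        self._used = {}
        self.audit = []                       # (principal, record_id, outcome)

    def seal(self, plaintext: bytes) -> bytes:
        return seal(self._key, plaintext)

    def issue_token(self, principal: str) -> bytes:
        """Minted after a separate authentication step, not from the app session."""
        return hmac.new(self._issuer_secret, principal.encode(), hashlib.sha256).digest()

    def decrypt(self, principal: str, token: bytes, record_id: str, blob: bytes) -> bytes:
        if not hmac.compare_digest(token, self.issue_token(principal)):
            self.audit.append((principal, record_id, "refused: bad token"))
            raise PermissionError("custodian refused: token not issued for this principal")
        if record_id not in self._entitlements.get(principal, set()):
            self.audit.append((principal, record_id, "refused: not entitled"))
            raise PermissionError("custodian refused: principal not entitled to record")
        if self._used.get(principal, 0) >= self._budget:
            self.audit.append((principal, record_id, "refused: budget exhausted"))
            raise PermissionError("custodian refused: decrypt budget exhausted")
        self._used[principal] = self._used.get(principal, 0) + 1
        self.audit.append((principal, record_id, "ok"))
        return unseal(self._key, blob)


def compare_wirings() -> dict:
    """Run the same stolen-login scenario against both wirings."""
    users = {"alice": "pw-alice", "bob": "pw-bob"}              # constructed
    bob_record = b"SSN 000-00-0000; clearance SF-86 answers"   # constructed sample

    app = AppWithEmbeddedKey(users)
    app.store("rec-bob", bob_record)
    # Whoever holds alice's stolen password reads bob's record: plaintext comes back.
    embedded_result = app.read("alice", "pw-alice", "rec-bob")

    custodian = KeyCustodian(entitlements={"alice": {"rec-alice"}}, budget=1)
    sealed_bob = custodian.seal(bob_record)
    alice_token = custodian.issue_token("alice")
    try:
        custodian.decrypt("alice", alice_token, "rec-bob", sealed_bob)
        custodian_result = "decrypted"
    except PermissionError as err:
        custodian_result = str(err)   # refused, and the refusal is on the audit trail
    return {"embedded": embedded_result, "custodian": custodian_result,
            "audit": custodian.audit}
```

Calling `compare_wirings()` shows the contrast: the embedded-key application hands back the record to any authenticated session, while the custodian refuses the same request, and both the refusal and every successful decrypt land in `audit`. The per-principal budget is the piece that matters at OPM scale: a legitimate user touches a handful of records, so a session that asks the custodian for millions is both stopped and visible, whichever credentials it presents.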

He says many people hold the misconception that encryption is difficult and key management is simple, when in fact the opposite is true.

Fine, but why don’t more people get it? The idea of data locks and keys didn’t spring into existence last week. The SANS Institute says it goes back to, oh, about 1900 B.C.E.

Federal security people could look it up. Specifically, Special Publication 800-21 from the National Institute of Standards and Technology details exactly how to implement encryption. But there’s more. 800-21 leads you to 800-57. Parts 1, 2 & 3 give you 328 pages of detail just about encryption key management. In fact, as of this month, 800-57 is undergoing a revision, and you can get in on it.

Like a hidden leak in the ceiling, the extent of the Office of Personnel Management data breaches keeps expanding. Now it looks like 5.6 million federal employees had their fingerprint data ripped off. So yeah, the right encryption architecture might have helped. Look it up.
