
The Problem with Security Keys


In movies, whenever someone is trapped in a jail cell, the storyline often turns to an elaborate plot to steal the keys. Sure, the inmate could try to saw away at the bars using some excessively inventive prison-made file made from dried toothpaste and staples. Or maybe the crew that's still "on the outside" could attempt to blow up the exterior wall of that exact cell using military-level expertise in ordnance. But everyone knows, even in a place as elaborate as Hollywood, that the easiest path to whatever is locked away will always be to use the keys.


Your enterprise-level information is no different. The simplest way to access secure data is to steal the keys - even if it is encrypted.


Currently, the most effective method of "locking" away sensitive customer information is encryption. And, the most secure form of encryption is AES 256. This is the type of encryption the US Government uses to store its most critical data. The reason is that it is virtually unbreakable. For a hacker to gain access to your data, they would have to try 2^256 combinations using a pool of the world's smartest computers. That number is so large, it is more than the number of atoms in the observable universe. Plus, hacking your information would be the second-most impressive thing they'd accomplish at that point because it is estimated to take approximately 1 billion years to directly access the data by breaking the encryption code.



Curious how it works? Here's the simplest explanation of AES 256 encryption we can provide:

  1. Divide Information Into Blocks: The first step of AES 256 encryption is dividing the information into blocks. Because AES has a 128-bit block size, it divides the information into 4x4 arrays of 16 bytes.

  2. Key Expansion: The next step of AES 256 encryption involves the AES algorithm deriving multiple round keys from the first key using Rijndael’s key schedule.

  3. Adding the Round Key: In round key addition, the AES algorithm adds the initial round key to the data that has been subdivided into 4x4 blocks.

  4. Byte Substitution: In this step, each byte of data is substituted with another byte of data.

  5. Shifting Rows: The AES algorithm then proceeds to shift rows of the 4x4 arrays. Bytes on the 2nd row are shifted one space to the left, those on the third are shifted two spaces, and so on.

  6. Mixing Columns: You’re still there. The AES algorithm uses a pre-established matrix to mix the 4x4 columns of the data array.

  7. Another Round Key Addition: The AES algorithm then repeats the second step, adding a round key once again, then repeats this process all over again.
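
The steps above as runnable code. This is an added example, not part of the original article: a minimal AES-256 single-block encryption in Python whose result can be compared with the FIPS-197 Appendix C.3 test vector. All function names are assumptions chosen here, and the code is neither constant-time nor tied to a mode of operation.

```python
# Added example: AES-256 encryption of one 16-byte block, following the listed steps.
def xtime(a):                       # multiply by 2 in GF(2^8), AES polynomial 0x11B
    return ((a << 1) ^ 0x1B) & 0xFF if a & 0x80 else a << 1

def gmul(a, b):                     # general GF(2^8) multiplication
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = xtime(a), b >> 1
    return r

def rotl8(b, n):                    # rotate an 8-bit value left by n bits
    return ((b << n) | (b >> (8 - n))) & 0xFF

def sbox_entry(a):                  # byte substitution: field inverse, then affine map
    inv = 1
    for _ in range(254):            # a^254 is the inverse of a (0 maps to 0)
        inv = gmul(inv, a)
    return inv ^ rotl8(inv, 1) ^ rotl8(inv, 2) ^ rotl8(inv, 3) ^ rotl8(inv, 4) ^ 0x63

SBOX = [sbox_entry(a) for a in range(256)]

def expand_key(key):                # key expansion: 32-byte key -> 15 round keys
    w, rcon = [list(key[4 * i:4 * i + 4]) for i in range(8)], 1
    for i in range(8, 60):
        t = list(w[i - 1])
        if i % 8 == 0:              # rotate, substitute, add round constant
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0] ^= rcon
            rcon = xtime(rcon)
        elif i % 8 == 4:            # extra substitution used only for 256-bit keys
            t = [SBOX[b] for b in t]
        w.append([x ^ y for x, y in zip(w[i - 8], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(15)]

def mix_columns(s):                 # multiply each column by the fixed AES matrix
    out = []
    for c in range(0, 16, 4):
        a = s[c:c + 4]
        out += [gmul(a[r], 2) ^ gmul(a[(r + 1) % 4], 3) ^ a[(r + 2) % 4] ^ a[(r + 3) % 4]
                for r in range(4)]
    return out

def encrypt_block(block, key):      # state is held column-major, as in FIPS-197
    rk = expand_key(key)
    s = [b ^ k for b, k in zip(block, rk[0])]                 # initial round key
    for rnd in range(1, 15):                                  # 14 rounds for AES-256
        s = [SBOX[b] for b in s]                              # byte substitution
        s = [s[(i + 4 * (i % 4)) % 16] for i in range(16)]    # shift rows
        if rnd < 14:                                          # last round skips mixing
            s = mix_columns(s)
        s = [b ^ k for b, k in zip(s, rk[rnd])]               # add round key
    return bytes(s)
```

Everything here is public and deterministic; the 32-byte key passed to `encrypt_block` is the only secret input.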


That's a lot of steps taken to protect your data. But, here's where the weakness lies. AES 256 systems use symmetric security keys. These are most often 32-character codes that are stored and used to both encrypt and decrypt the data. In other words, once someone has the key, it is as simple as entering the correct code and all that work done to encrypt the data is undone. For a hacker using that same pool of supercomputers, cracking a 32-character code is estimated to take between 12 and 18 years (working 24 hours a day, 7 days a week). So, even then, the payout isn't likely worth their time when they can set their sights on data that remains unencrypted.



However, large cybercrime firms have begun offering sizeable payouts for corporate security information, including encryption security keys. Disgruntled employees or even those facing financial challenges could be tempted with large payout sums. And, with 32 characters of easily-shareable information being difficult to track across organizations, access control becomes quite a challenge. Early this year, Taiwanese computer-maker MSI reported having critical security keys leaked onto the dark web.



Celerit Technologies is proud to partner with ShieldIO, an innovative cybersecurity company that deploys AES 256 encryption to protect your data, with no stored security keys. This creative solution to one of the largest threats facing AES 256 encryption (key theft) prompted the 37-year-old technology firm to label ShieldIO as a recommended best-practice in cybersecurity. Learn more about ShieldIO and other best-practice solutions on their website at:


 

Celerit Technologies has been an established technology service provider to the banking and financial services industry for over 30 years. Today, they work with enterprises of all sizes, across multiple industries, deploying agile technology designed to address cybersecurity, compliance, communication and customer experience.

Learn more about Celerit Technologies here.



(c) 2023 Celerit Technologies


