Cloud Cryptography
INTRODUCTION
Over the past few years, online data privacy has been a huge topic of discussion in the field of information technology given the rise of companies migrating most of their IT infrastructures into the cloud.
Such shift has caused our data to become more susceptible to risks and vulnerabilities. A recent example that showcases such vulnerability is the data breach that occurred on 21 April 21 st 2020, where more than 267 million Facebook profiles were listed for sale on the Dark-Web — all for $600.
In this article, we will be tackling one of the most effective tools to protect our data — cloud cryptography.
What is Cloud Cryptography?
Simply put, cloud cryptography is the process of encoding or transforming data before it's transferred to cloud storage and decoding it as soon as it reaches the correct destination.
The encoding process involves using mathematical algorithms to transform data(plaintext), may it be a text, file, code, or image, to an unreadable form (ciphertext) that can conceal it from unauthorized and malicious users. It is the simplest and most vital way to make sure that cloud data can’t be breached, stolen, and read by someone with an ulterior motive.
How does cryptography work in the cloud?
The data which we use can be either in one of these states: at rest or in transit.
Data-in-transit. This is the state at which data is being transmitted from one place to another. Examples of these are transactions between you and a server, data transfer between two parties whether it's cloud or a third party, etc.
Data-at-rest. This is a state of data that is saved somewhere without being used or transferred to anyone or anywhere, which includes human beings, thirds-parties, software, among others.
Examples of such storage spaces include database servers, system folders, mobile devices, USB pen drives, Network Attached Storage, local Hard Drives, and any physical or logical storage system.
Depending on the state at which the data is encountered, it can be encrypted in the following
ways:
1. Pre-encryption: Before the data is actually is stored in the cloud, software can be used to encrypt the information so that no one is capable of hacking the data.
2. End-to-end encryption: This is used when the data is in transit as it encrypts the data during the data transfer between two parties so that they are the only ones capable of reading it.
3. File Encryption: It is a form of encryption, which is used when the data is at rest, where the individual files are encrypted by the file system.
4. Disk Encryption: Similar to file encryption, the difference that the encryption extends to not only the file system but to the whole external drive where the files are stored.
Cryptography is based on three algorithms:
1. Symmetric-key
2. Asymmetric-key
3. Hashing
Symmetric algorithms are also known as secret key algorithms because users use only one key for both encryption and data decryption. It does not require more computational power and works very high in encryption. The symmetrical systems provide a two-way system for users to detect authentication and authorization. user has the key, the encrypted data is stored in the Cloud, and cannot be decoded.
Asymmetric algorithms use different keys for encryption and decryption. Here, each recipient requires a decryption key. This key is referred to as the recipient’s private key. The encryption key belongs to a specific person or entity. This type of algorithm is considered the safest because it requires both keys to access a piece of specific information.
Hashing is one of the most important aspects of blockchain security. In the blockchain, information is stored in blocks and interconnected with cryptographic principles such as string or chain. When a data block is added to a chain, a unique code or hash is assigned to the specific block. Hashing is used for indexing and retrieving items in a database. It uses two different keys for encrypting and decrypting a message. It can provide faster data retrieval.
Encryption and Apple
Encryption is used by almost all Apple products and services today. This ensures that everything you do on your iPhone is safe, from interacting with friends to storing your health information. Apple encrypts this information and saves it in such a way that only you can access the device with your passcode or biometrics. Governments and agencies all across the world have raised concerns.
When properly configured, your Mac or iPhone will keep all but the worst bad actors out of your data. This also implies that the good guys won’t be able to see your information, something government agencies aren’t thrilled about.
Let’s start with encryption and what your gadgets are doing to protect you, then move on to the encryption discussion and where it’s all going.
Explaining Encryption:
Data encryption is a cryptographic procedure that renders data incomprehensible to anyone who lacks the necessary keys. This ensures that data can only be viewed and read by those who have the necessary passwords; otherwise, the data is merely a jumble of characters.
Except for the occasional password or biometric, all of this security happens without user input and is designed to keep you safe.
Encryption, like data, can exist in transit or at rest. In most cases, data in transit is or should be encrypted, which means that anyone watching your traffic won’t be able to see what’s going on.
Data at rest is generally only encrypted if necessary, but if your device is running iOS or iPod-OS, Apple encrypts the entire device when it is locked. Users of macOS may encrypt their PCs with FileVault, and those who use Windows can do so as well.
Total device encryption can be a CPU-intensive procedure. Users were frequently forced to choose between comprehensive device encryption and speed.
This hasn’t been the case since the iPhone 4. Apple’s iOS devices have had hardware encryption for nearly a decade, and Apple utilizes AES-256, which is the same encryption that banks use for transactions.
● End-to-end encryption occurs when data is encrypted in any condition and the key is created and held on the device. This means that unless the decryption key is given, the data is secure. This type of information is normally protected by the user’s Apple ID and password.
● On iOS, end-to-end encrypted data includes:
● QuickType for iMessage and FaceTime vocabulary for the keyboard
● Screening for Health and Home Data
Cloud-based encryption
While some communications, including iMessage and FaceTime, are encrypted end-to-end, other data is not. End-to-end encryption, like device encryption, requires that only the party who owns the information has access to the keys.
However, after storing data in iCloud, things alter dramatically. Apple encrypts data in transit and on its servers, but not when it’s in use.
iMessages, photographs, health data, and app data are all saved in an encrypted bundle on iCloud when a user has iCloud Backup switched on for a device. To prevent a user from mistakenly losing their secret key, and consequently all of their backed up data, Apple keeps the key to unlock this bundle.
However, when done correctly, Apple does have adequate access to data.
When Apple responds to a government data request, it is frequently the iCloud backup data that proves to be the most beneficial. Apple, on the other hand, does not always provide overall its data, but only bits of it that are relevant to the warrant.
Only a few circumstances necessitate entire data access, and Apple will refuse such requests if the material requested is judged unrelated to the case.
For synchronizing, Apple began storing iMessage data in the cloud. When on-device and in transit between users, this data is generally end-to-end encrypted, but if a user chooses to sync their messages between devices, their history is saved to the cloud.
While the history is fully secured on the cloud, the iCloud backup contains an encryption key to avoid data loss.
The user is in charge of all iCloud data. You can disable certain iCloud syncing and backup capabilities if you think they’re unnecessary or dangerous. Local backup via Finder is also an option, allowing the user to encrypt the backup on the fly.
Users will be aware of their own situations and will have to decide where they want their data to be stored.
Keep in mind that there is no such thing as a completely secure system. Because convenience usually compromises overall security, employing iCloud features can make your life easier while also introducing scenarios in which your data can be accessed under specific circumstances.
T2 and the Secure Enclave: Hardware Encryption
The Secure Enclave, which was introduced with the iPhone 5s, changed things yet again. Not only were devices encrypted, but the keys were also kept apart from the device OS in a microchip.
This made remote attacks nearly unfeasible, and anyone attempting to obtain information would almost certainly need physical access to the device before even starting a brute force attack.
The Secure Enclave manages all produced encryption keys for devices with Touch ID that are newer than the iPhone 5s, as well as smartphones with Face ID. The iPhone 5c, which was released after the iPhone 5s and did not include the Secure Enclave, is a significant exception.
The San Bernardino shooter used this phone, which began the entire encryption debate with the US authorities.
All of your critical information passes via the Secure Enclave, which works as a gatekeeper. It keeps encryption keys, such as those used in iMessage, until it receives valid authorization, such as a passcode or biometric.
Even the biometric data used for Face ID and Touch ID is encrypted, so the system has no trace of your face or fingerprint.
Touch ID is built into MacBooks with a TouchBar, which also means a dedicated Secure Enclave. The Secure Enclave was housed in the first-generation T1 chipset, which handled key generation similarly to its iOS equivalent. For enhanced protection, the T1 chipset runs totally independent of macOS and boots separately.
Apple later released T2, which eliminates the necessity for Touch ID as a requirement and allows customers to use it on other devices. The T2 not only houses the Secure Enclave, but it also handles FileVault encrypted storage and Secure Boot.
Secure Boot is a critical security feature that prevents unauthorized software or operating systems from launching during startup. It also inhibits booting from external media, preventing hackers from employing other booting methods to steal information.