Many security (commercial) professionals and sales girls & boys will tell you “we protect your data with military grade encryption” and “your transactions are encrypted with the same technology banking sites use”. Often the scope of these comments is small and refers to SSL (TLS) encrypting names, email addresses, passwords or credit cards while flying through the unknown, between your device and the shopping cart’s server. A great one is “someone stole our data but passwords were encrypted” (hashed in reality). How nice that the website owners bothered to one-way hash the stored passwords, but who cares about email address, secret question/answer, date of birth or your address?
Take a standard website for instance: you create a free account, enter your chosen password, the password flies over HTTPS (SSL/TLS) and the password is transformed into a hash (MD5, SHA1/2/3 etc.) and stored as that. “000ca7b75084509a58de17c003c5” is what a hash looks like, if you are wondering. The password is not usually stored in clear text (readable English). Hack the website’s database and you get a load of odd-looking strings which people think are “one-way”. Mathematically yes, but if you have one million candidate passwords you can generate one million hashes and compare them against the stolen ones. Also known as: rainbow tables.
Encrypting the one-way hash is a nice option, though nowhere near bulletproof. Take the one-way hash and encrypt it; thus if you steal the encrypted hash you need to decrypt it before using rainbow tables. Imagine this: you break into a house and find a safe, but the six-digit PIN to the safe is hidden in a drawer in the next room. This is an analogy for how a lot of websites work. Joomla and other website CMSs like Drupal and WordPress do something similar. Encrypted password hashes are stored in a MySQL database and the decryption secret key sits in a PHP config file in the root directory. Thus if you are smart enough to hack into the site you can browse the files, nab the config file, decrypt the encrypted hashed passwords and run rainbow tables.
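As an added illustration (not the post’s own code), the Python below contrasts the precomputed-lookup weakness of an unsalted hash described above with the standard mitigation, a per-user random salt plus a deliberately slow key derivation function; the candidate list and the “leaked” records are constructed sample data.

```python
import hashlib
import hmac
import os

# Constructed sample data: a tiny candidate list standing in for the
# "one million passwords" the post mentions (this is not the post's code).
CANDIDATES = ["password", "letmein", "qwerty", "hunter2", "summer2019"]

def build_lookup_table(candidates, algorithm="sha256"):
    """Precompute digest -> plaintext once for every candidate. Against an
    unsalted hash this single table works for every stolen database."""
    return {hashlib.new(algorithm, c.encode()).hexdigest(): c for c in candidates}

def lookup_unsalted(stored_hex, table):
    """An unsalted digest is recovered with one dictionary lookup."""
    return table.get(stored_hex)

def hash_salted(password, salt, iterations=100_000):
    """Per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256).
    Stored as 'iterations$salt_hex$digest_hex' so it can be re-derived."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"

def verify_salted(password, stored):
    """Re-derive with the stored salt and compare in constant time."""
    iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)

def lookup_salted(stored, table):
    """The precomputed table misses: the salt changes every digest, so a
    fresh table would be needed per user, and each guess now costs
    100,000 iterations instead of one fast hash."""
    return table.get(stored.split("$")[2])

def demo():
    table = build_lookup_table(CANDIDATES)
    leaked_unsalted = hashlib.sha256(b"letmein").hexdigest()  # constructed leak
    leaked_salted = hash_salted("letmein", os.urandom(16))     # constructed leak
    return (lookup_unsalted(leaked_unsalted, table),   # 'letmein'
            lookup_salted(leaked_salted, table),       # None
            verify_salted("letmein", leaked_salted))   # True

if __name__ == "__main__":
    print(demo())
```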
Let’s switch topic for a minute. APTs are intrusions, often using malware, by organised crime or state actors. Malware is installed on a laptop which silently uploads company documents and potentially keystrokes of usernames and passwords. Imagine you are smart and encrypt all files. The intruder remotely gets your fantastically strong AES 256-bit FIPS 197 encrypted files, which without the key are pretty much impossible to crack. What is the flaw? With a key logger running, the bad girls or guys nab the password, the password to the key vault, or just upload the private key. Fantastic security often has a loophole if you think hard enough. The problem is that the key or user operates on the same device or network.
Solution? Move beyond just a password or software encryption key and move to hardware. Take a debit card: it has a four-digit PIN which someone could find out by various methods. It unlocks access to money, but if you pinch the bank details and the PIN you still need the hardware (debit/credit card). Plus it has a lockout after three attempts. Say you want to properly encrypt a file. Take the file, a software driver, and a hardware encryption token protected by a PIN and auto lockout, and encrypt it. Steal the PIN and the file, and it is useless since the encryption key is in the hardware device. Yes, maybe you could scrape the memory if you were on the laptop or desktop, but generally this is a big improvement. Why are they not used much? Mainly because there are not many out there, they are fiddly to use and manage, and cost of course!